Description: This query looks for extensions using known extension identifiers. To perform your own customized search, replace the extension identifiers inside the single quotes in the query ('identifiervalue').
What The Data Shows: This helps identify malicious extensions. It was created as a hunting query based on a threat feed from McAfee TA, which found five Google Chrome extensions that steal and track users’ browsing activity. Reference: https://www.bleepingcomputer.com/news/security/chrome-extensions-with-14-million-installs-steal-brow...
SQL:
SELECT
u.username,
u.type,
ce.name,
ce.path,
ce.description,
ce.permissions,
ce.identifier,
ce.version,
datetime(ce.install_timestamp, 'unixepoch', 'localtime') AS Install_date
FROM users u
JOIN chrome_extensions ce USING (UID)
WHERE ce.identifier IN ('mmnbenehknklpbendgmgngeaignppnbe','flijfnhifgdcbhglkneplegafminjnhn','pojgkmkfincpdkdgjepkmdekcahmckjp','adikhbfjdbjkhelbdnffogkobkekkkej','gbnahglfafmhaehbdmjedfhdmimjcbed');
Tables referenced: users, chrome_extensions
Reference for the osquery schema tables: https://osquery.io/schema/5.4.0/
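
Added example (not part of the original query pack): a small Python helper that rebuilds the query above from a list of extension identifiers, validating each one first so a typo or a stray quote never reaches the IN (...) list. The function names, the user names and the sample rows are constructed for illustration; the two SQLite tables are stand-ins for the osquery tables, used only to show what the join returns.

```python
import re
import sqlite3

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"[a-p]{32}")

def build_hunt_query(identifiers):
    """Return the page's query with its IN (...) list built from `identifiers`."""
    ids = sorted({i.strip().lower() for i in identifiers if i.strip()})
    if not ids:
        raise ValueError("no extension identifiers supplied")
    bad = [i for i in ids if not EXT_ID.fullmatch(i)]
    if bad:  # rejects typos and anything that could break out of the quotes
        raise ValueError(f"not Chrome extension IDs: {bad}")
    in_list = ",".join(f"'{i}'" for i in ids)
    return (
        "SELECT u.username, u.type, ce.name, ce.path, ce.description, "
        "ce.permissions, ce.identifier, ce.version, "
        "datetime(ce.install_timestamp, 'unixepoch', 'localtime') AS Install_date "
        "FROM users u JOIN chrome_extensions ce USING (uid) "
        f"WHERE ce.identifier IN ({in_list});"
    )

def run_on_sample(query):
    """Run `query` on constructed stand-ins for osquery's two tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER, username TEXT, type TEXT);
        CREATE TABLE chrome_extensions (uid INTEGER, name TEXT, path TEXT,
            description TEXT, permissions TEXT, identifier TEXT, version TEXT,
            install_timestamp INTEGER);
        -- constructed rows: one listed identifier from the page, one filler ID
        INSERT INTO users VALUES (1001, 'alice', 'local'), (1002, 'bob', 'local');
        INSERT INTO chrome_extensions VALUES
          (1001, 'Sample A', '/constructed/a', '', 'tabs',
           'mmnbenehknklpbendgmgngeaignppnbe', '1.0', 1661990400),
          (1002, 'Sample B', '/constructed/b', '', 'storage',
           'aaaabbbbccccddddeeeeffffgggghhhh', '2.0', 1661990400);
    """)
    return db.execute(query).fetchall()

if __name__ == "__main__":
    feed = ["mmnbenehknklpbendgmgngeaignppnbe", " FLIJFNHIFGDCBHGLKNEPLEGAFMINJNHN "]
    for row in run_on_sample(build_hunt_query(feed)):
        print(row)
```

The string returned by build_hunt_query can be pasted into osqueryi or a scheduled query as-is; only the sample tables are specific to this example.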