Built off the open source project Osquery
Description: This query looks for extensions using known extension identifiers. Replace the extension identifiers within single quotes of the query 'identifiervalue', to perform your own customized search.
What The Data Shows: This helps us to identify malicious extensions and this was created as part of hunting query based on threat feed from McAfee TA that have found five Google Chrome extensions that steal track users’ browsing activity. Reference: https://www.bleepingcomputer.com/news/security/chrome-extensions-with-14-million-installs-steal-brow...
datetime(ce.install_timestamp, 'unixepoch', 'localtime') AS Install_date
FROM users u
JOIN chrome_extensions ce USING (UID)
WHERE ce.identifier IN ('mmnbenehknklpbendgmgngeaignppnbe','flijfnhifgdcbhglkneplegafminjnhn','pojgkmkfincpdkdgjepkmdekcahmckjp','adikhbfjdbjkhelbdnffogkobkekkkej','gbnahglfafmhaehbdmjedfhdmimjcbed');
Tables referred – users, chrome_extensions;
Referenced Link for OSquery schema tables - https://osquery.io/schema/5.4.0/
@jnelson I tried both the ways w/, w/o JOIN function and the results were same as expected. Updated query with JOIN function has been replaced now in the original post. Let me know, in case of any comments or changes. Thanks!
I was interested in your reasoning as I always like learning new things. In my very limited testing it seems like the JOIN version is slightly more efficient, but not so much as to dictate the choice of one over the other.
Thanks for your contribution!