
WebDeveloper Malicious Chrome Extensions

Description: Finds installs of the known-bad WebDeveloper Chrome extension (identifier bfbameneiokkgbdmiekhjnmfkcnldhhm) together with the user account each install belongs to.

What The Data Shows: One row per installation of the known-bad Chrome extension, carrying the owning account's details (from users) and the extension's name, version and path (from chrome_extensions). The match is on identifier only, so every installed version of the extension is returned; check the version and path columns when triaging hits.

SQL:

-- Join each Chrome profile's extensions to the account that owns it.
-- chrome_extensions is keyed by uid, so joining to users is what lets the
-- query enumerate every user's profile rather than only the profile of the
-- account osquery itself runs as.
SELECT *
FROM users
JOIN chrome_extensions
USING (uid)
WHERE identifier = 'bfbameneiokkgbdmiekhjnmfkcnldhhm';
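As an added example (not part of the original Query Exchange entry, and not LiveOps code), the same users/chrome_extensions join generalised to a list of extension identifiers and trimmed to the columns an analyst triages on, exercised against constructed sample rows in SQLite so it runs offline. The two-column users and five-column chrome_extensions tables are stand-ins for osquery's real tables (assumption: only the columns the query uses are modelled); every identifier other than the one on this page, and every username and path, is a made-up placeholder.

```python
import re
import sqlite3

# Chrome extension IDs are 32 lowercase letters in the range a-p.
CHROME_EXTENSION_ID = re.compile(r"^[a-p]{32}$")

# The identifier the page's query hunts for. Anything you append here is your
# own list; the extra ID in the sample rows below is a made-up placeholder.
KNOWN_BAD_EXTENSION_IDS = ["bfbameneiokkgbdmiekhjnmfkcnldhhm"]


def render_hunt_sql(ids):
    """Build the generalised osquery/LiveOps query for a list of extension IDs.

    Same users/chrome_extensions join as the page's query, but it selects the
    columns an analyst triages on and accepts several IDs. IDs are validated
    before being inlined, so the returned string is safe to paste into LiveOps.
    """
    ids = list(ids)
    if not ids:
        raise ValueError("need at least one extension ID")
    for ext_id in ids:
        if not CHROME_EXTENSION_ID.match(ext_id):
            raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    id_list = ", ".join(f"'{ext_id}'" for ext_id in ids)
    return (
        "SELECT u.username, u.uid, ce.name, ce.identifier, ce.version, ce.path\n"
        "FROM users AS u\n"
        "JOIN chrome_extensions AS ce USING (uid)\n"
        f"WHERE ce.identifier IN ({id_list})\n"
        "ORDER BY u.username, ce.identifier;"
    )


# CONSTRUCTED sample data standing in for the osquery tables. Only the columns
# the query touches are modelled; the real tables carry many more.
SAMPLE_USERS = [
    (1000, "alice"),
    (1001, "bob"),
]
SAMPLE_CHROME_EXTENSIONS = [
    # (uid, name, identifier, version, path)
    (1000, "Web Developer", "bfbameneiokkgbdmiekhjnmfkcnldhhm", "0.4.9",
     "/home/alice/.config/google-chrome/Default/Extensions/bfbameneiokkgbdmiekhjnmfkcnldhhm/0.4.9_0"),
    (1000, "Benign Helper", "abcdefghijklmnopabcdefghijklmnop", "2.1",  # placeholder ID
     "/home/alice/.config/google-chrome/Default/Extensions/abcdefghijklmnopabcdefghijklmnop/2.1_0"),
    (1001, "Web Developer", "bfbameneiokkgbdmiekhjnmfkcnldhhm", "0.5",
     "/home/bob/.config/google-chrome/Default/Extensions/bfbameneiokkgbdmiekhjnmfkcnldhhm/0.5_0"),
    (1001, "Benign Helper", "abcdefghijklmnopabcdefghijklmnop", "2.1",  # placeholder ID
     "/home/bob/.config/google-chrome/Default/Extensions/abcdefghijklmnopabcdefghijklmnop/2.1_0"),
]


def load_fixture():
    """In-memory SQLite copy of the sample tables so the query can run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, username TEXT)")
    conn.execute(
        "CREATE TABLE chrome_extensions "
        "(uid INTEGER, name TEXT, identifier TEXT, version TEXT, path TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany(
        "INSERT INTO chrome_extensions VALUES (?, ?, ?, ?, ?)", SAMPLE_CHROME_EXTENSIONS
    )
    return conn


def find_known_bad(conn, ids=KNOWN_BAD_EXTENSION_IDS):
    """Run the hunt query and return one dict per matching (user, extension)."""
    cur = conn.execute(render_hunt_sql(ids))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


if __name__ == "__main__":
    conn = load_fixture()
    for hit in find_known_bad(conn):
        # Both alice's and bob's installs come back regardless of version:
        # the filter is on identifier only, so triage on version and path.
        print(f"{hit['username']:<8} {hit['identifier']} v{hit['version']} {hit['path']}")
```

render_hunt_sql() is the part to lift into LiveOps: paste its output as the query. The ID validation is what makes inlining safe, since a Chrome extension identifier can only ever be 32 letters from a to p, so no quoting or injection concern arises from the list. Note that both of alice's and bob's installs are returned even though their versions differ; as with the page's query, the identifier alone says nothing about which version is present.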

7 Comments
Query_Admin
Community Manager
Status changed to: Approved

KingSec
New Contributor

Hello,

Can this query be run on CarbonBlack Response?

Thanks

esullivan
Community Manager
Status changed to: Under Review

Hopefully someone smarter than me will weigh in, but I'm pretty sure you can't run these in Response.

esullivan
Community Manager
Status changed to: Approved

bhansen
New Contributor III

@KingSec Based on some reading, I looked for the string below and think this may get a similar result.

regmod:software\google\chrome\preferencemacs\default\extensions.settings\bfbameneiokkgbdmiekhjnmfkcnldhhm

Or just:

regmod:extensions.settings\bfbameneiokkgbdmiekhjnmfkcnldhhm

jnelson
Carbon Black Employee
Status changed to: Under Review

All the queries in the Query Exchange are only for CB LiveOps.

esullivan
Community Manager
Status changed to: Approved