Built off the open source project Osquery
Description: Finds WebDeveloper Malicious Chrome Extension.
What The Data Shows: Known bad Chrome extension.
SQL:
SELECT * FROM users JOIN chrome_extensions USING (uid) WHERE identifier='bfbameneiokkgbdmiekhjnmfkcnldhhm';
Hello,
Can this query be run on CarbonBlack Response?
Thanks
Hopefully someone smarter than me will weigh in, but I'm pretty sure you can't run these in Response.
@KingSec Based on some reading I looked for the below string and think this may get a similar result.
regmod:software\google\chrome\preferencemacs\default\extensions.settings\bfbameneiokkgbdmiekhjnmfkcnldhhm
OR just
regmod:extensions.settings\bfbameneiokkgbdmiekhjnmfkcnldhhm
All the queries in the Query Exchange are only for CB LiveOps.