File: //opt/osquery/share/osquery/packs/unwanted-chrome-extensions.conf
{
  "platform": "windows,darwin",
  "queries": {
    "BetternetVPN": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='gjknjjomckknofjidppipffbpoekiipm';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "Chrometana": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='kaicbfmipfpfpjmlbpejaoaflfdnabnc';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "CopyFish": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='eenjdnjldapjajjofmldgmkjaienebbj';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/copyfish-chrome-extension-hijacked-to-show-adware/)"
    },
    "HolaVPN": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='gkojfkhlekighikafcpjkiklfbnlmeio';",
      "interval": 3600,
      "description": "(http://adios-hola.org)"
    },
    "InfinityNewTab": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='dbfmnekepjoapopniengjbcpnbljalfg';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "SocialFixer": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='ifmhoabcaeehkljcfclfiieohkohdgbb';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "TouchVPN": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='bihmplhobchoageeokmgbdihknkjbknd';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "WebDeveloper": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='bfbameneiokkgbdmiekhjnmfkcnldhhm';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/chrome-extension-with-over-one-million-users-hijacked-to-serve-adware/)"
    },
    "WebPaint": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='emeokgokialpjadjaoeiplmnkjoaegng';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/)"
    },
    "MacOSInstallCore": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='hinehnlkkmckjblijjpbpamhljokoohh';",
      "interval": 3600,
      "description": "(https://www.virustotal.com/#/file/5cab0821f597100dc1170bfef704d8cebaf67743e9d509e83b0b208eb630d992/detection)"
    },
    "User-Agent Switcher": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='clddifkhlkcojbojppdojfeeikdkgiae';",
      "interval": 3600,
      "description": "(https://chris.partridge.tech/2020/extensions-the-next-generation-of-malware/help-for-users/)"
    },
    "Nano Adblocker": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='gabbbocakeomblphkmmnoamkioajlkfo';",
      "interval": 3600,
      "description": "(https://chris.partridge.tech/2020/extensions-the-next-generation-of-malware/help-for-users/)"
    },
    "Nano Defender ": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='ggolfgbegefeeoocgjbmkembbncoadlb';",
      "interval": 3600,
      "description": "(https://chris.partridge.tech/2020/extensions-the-next-generation-of-malware/help-for-users/)"
    },
    "Forcepoint Endpoint Chrome Extension": {
      "query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid) WHERE identifier='fmfjhicbjecfchfmpelfnifijeigelme';",
      "interval": 3600,
      "description": "(https://www.bleepingcomputer.com/news/security/malicious-extension-abuses-chrome-sync-to-steal-users-data/)"
    }
  }
}