Skip to content

Instantly share code, notes, and snippets.

@arubdesu

arubdesu/BrowserWhitelist_Table.ext

Created August 17, 2016 18:29
Show Gist options
  • Save arubdesu/17c177edbcdf508c49c899e2f119fa33 to your computer and use it in GitHub Desktop.
Save arubdesu/17c177edbcdf508c49c899e2f119fa33 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
browser_whitelist.py
#!/usr/bin/python
"""Data file for extension whitelist lookup"""
def main():
"""Gimme some main"""
safari_list = [
('com.agilebits.onepassword4-safari', 'a558f819b861863f435589282f636442d26f4ee5'),
('AdBlock.safariextz', ''),
('AdBlock-2.safariextz', ''),
('BugMeNot.safariextz', ''),
('Clip to DEVONthink.safariextz', ''),
('Clip to DEVONthink-2.safariextz', ''),
('Evernote Web Clipper-2.safariextz', ''),
('Evernote Web Clipper.safariextz', ''),
('com.betteradvertising.ghostery', ''),
('com.instapaper.extension', 'bf648412be0acf0d913c7f92a42ee7b86af095ea'),
('KasperskyURLAdvisor.safariextz', ''),
('KasperskyVirtualKeyboard.safariextz', ''),
('com.lukehagan.openinchrome', ''),
('com.sobolev.stylish', '18e50b05823f72f9cf3afc3740d45ec6bdd494e2'),
('TabLinks.safariextz', '')
]
firefox_list = [
'[email protected]',# web sharing for firefox!?
'{972ce4c6-7e08-4474-a285-3208198ce6fd}',# default theme
'[email protected]',
'{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi',
'[email protected]',
'[email protected]',
'jid1-YcMV6ngYmQRA2w@jetpack'#unofficial pinterest...
]
chrome_list = [
"pkehgijcmpdhfbdbbnkijodmdjhbjlgp",#privacy badger
"aomjjhallfgjeglblehebfpbcfeobpgk",# 1Password
"lbfehkoinhhcknnbdgnnmjhiladcgbol",# Evernote 'Web'
"pioclpoplcdbaefihamjohnefbikjilc",# Evernote Web Clipper
"cfhdojbkjhnklbpkdaibdccddilifddb",# AdBlockPlus
"gighmmpiobklfepjocnamgkkbiglidom",#adblockRegular...
"iooicodkiihhpojmmeghjclgihfjdjhj",# Clearly
"jlhmfgmfgeifomenelglieieghnjghma",# WebEx,
"bfogiafebfohielmmehodmfbbebbbpei",# Keeper password mgr
"gcgikpombjkodabhbdalkcdhmllafipp",# GoToMeetingProSomethingOrOther
"lneaknkopdijkpnocmklfnjbeapigfbh",# Google Maps
"mgndgikekgjfcpckkfioiadnlibdjbkf",# "Chrome",
"dliochdbjfkdbacpmhlcpmleaejidimm",# chromecast beta
"noondiphcddnnabmjcihcjfbhfklnnep",# Google phishing/password checker
"lccekmodgklaepjeofjdjpbminllajkg",# Chrome Hotword for 'Ok, Google'
"nmmhkkegccagdldgiimedpiccmgmieda",# "Google Wallet",
"ahfgeienlihckogmohjhadlkjgocpleb",# "Google Store",
"aapocclcgogkmnckokdopfmhonfmgoek",# "Google Slides"
"boadgeojelhgndaghljhdicfkmllpafd",# "Google Cast"
"felcaaldnbdncclmgdcncolpebgiejap",# "Google Sheets"
"gfdkimpbcpahaombhbimeihdjnejgicl",# "Chrome FeedBack",
"pjkljhegncpnkpknbcohdijeoejaedia",# "Gmail",
"nkeimhogjdpnpccoofpliimaahmaaome",# "Google Hangouts",
"nckgahadagoaajjgafhacjanaoiihapd",# "
"coobgpohoikkiipiblmjeljniedjpjpf",# "Google Search",
"neajdppkdcdipfabeoofebfddakdcjhd",# "Google Network Speech",
"kmendfapggjehodndflmmgagdbamhnfd",# "Chrome Crypto Token Extension",
"apdfllckaahabafndbhieahigkjlhalf",# "Google Drive",
"lmjegmlicamnimmfhcmpkclmigmmcbeh",# Google Drive file open in native apps
"dnhpdliibojhegemfjheidglijccjfmc",# "Google Hotword Helper",
"bepbmhgboaologfdajaanbcjmnhjmhfn",# "Google Voice Search Hotword",
"blpcfgokakmgnkcojhhkbfbldkacnbeo",# "Google YouTube",
"aohghmighlieiainnegkcijnfilokake",# "Google Docs",
"eemcgdkfndhakfknompkggombfjjjeno",# "Chrome Bookmark Manager",
"gmlllbghnfkpflemihljekbapjopfjik",# ditto
"mfehgcgbbipciphmccgaenjidiccnmng",# "Chrome Cloud Print",
"ennkphjdgehloodpbhlhldgbnhmacadg",# "Chrome Settings",
"pafkbggdmjlpgkdkcbjmhmfcdpncadgh",# "Google Now",
"kcnhkahnjcbndmmehfkdnkjomaanaooo",# GoogleVoice
"gpdjojdkbbmdfjfahjcgigfpmkopogic",# Pinterest...
"mfffpogegjflfpflabcdkioaeobkgjik",# "GAIA Component Extension"
#"gkojfkhlekighikafcpjkiklfbnlmeio", unless you like customers using free VPN services like 'hola internet'
"aknpkdffaafgjchaibgeefbgmgeghloj",# misc junk, not reported diseased yet
"ejjicmeblgpmajnghnpcppodonldlgfn",
"knipolnnllmklapflnccelgolnpehhpl",
"mcemheplgccbimaplmppfdofjghnpmmn",
"aciahcmjmecflokailenpkdchphgkefd",
"bfjgbcjfpbbfepcccpaffkjofcmglifg",
"bhmicilclplefnflapjmnngmkkkkpfad",
"hnkkehjnlfplmdnallbjjdnokolhblgb",
"mcbkbpnkkkipelfledbfocopglifcfmi",
"ajpgkpeckebdhofmmjfgcjjiiejpodla",
"aofbadhekfmdddiihifojhjjpkaoojkn",
"dhaphijmoldalicdpbnpgjeeheglbppo",
"elicpjhcidhpjomhibiffojpinpmmpil",
"hdgenjhkjihnmigcommchefpajjhdmba",
"idknbmbdnapjicclomlijcgfpikmndhd",
"ifhgjbjejfocglfphkdecifccicemfll",
"ghbmnnjooekpmoecnnnilnnbdlolhkhi"
]
whitelist = []
for each in safari_list:
row = {}
row['browser'] = 'safari'
row['filename'] = each[0]
row['hash'] = each[1]
whitelist.append(row)
for each in firefox_list:
row = {}
row['browser'] = 'firefox'
row['filename'] = each
row['hash'] = ''
whitelist.append(row)
for each in chrome_list:
row = {}
row['browser'] = 'chrome'
row['filename'] = each
row['hash'] = ''
whitelist.append(row)
return whitelist
if __name__ == '__main__':
main()
Raw
BrowserWhitelist_Table.ext
#!/usr/bin/python
import osquery
import browser_whitelist
@osquery.register_plugin
class BrowserWhitelist(osquery.TablePlugin):
def name(self):
return "BrowserWhitelist"
def columns(self):
return [
osquery.TableColumn(name="browser", type=osquery.STRING),
osquery.TableColumn(name="filename", type=osquery.STRING),
osquery.TableColumn(name="hash", type=osquery.STRING)
]
def generate(self, context):
query_data = browser_whitelist.main()
return query_data
if __name__ == "__main__":
osquery.start_extension(name="browser_extension_whitelist",
version="1.0.0",)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment