@jamesspi
jamesspi / xzvuln-macos.sql
Created March 30, 2024 21:18
OSQuery To Check for XZ and liblzma - macOS
-- osquery: flag Homebrew-installed xz/liblzma at the 5.6.0 / 5.6.1 releases
-- (the versions affected by the 2024 xz backdoor)
SELECT 'Homebrew Package' AS source, name, version,
  CASE
    WHEN version LIKE '5.6.0%' OR version LIKE '5.6.1%' THEN 'Potentially Vulnerable'
    ELSE 'Most likely not vulnerable'
  END AS status
FROM homebrew_packages
WHERE name = 'xz' OR name = 'liblzma';
jamesspi / xzvuln.sql
Last active April 16, 2024 15:16
OSQuery To Check for XZ and liblzma - *nix
-- osquery: flag xz/liblzma at the 5.6.0 / 5.6.1 releases from both the DEB and RPM package tables
SELECT 'DEB Package' AS source, name, version,
  CASE
    WHEN version LIKE '5.6.0%' OR version LIKE '5.6.1%' THEN 'Potentially Vulnerable'
    ELSE 'Most likely not vulnerable'
  END AS status
FROM deb_packages
WHERE name = 'xz-utils' OR name = 'liblzma' OR name LIKE 'liblzma%'
UNION
SELECT 'RPM Package' AS source, name, version,
  -- the gist preview is cut off at the CASE below; the WHEN/ELSE/END, the table
  -- and the WHERE clause are an assumed mirror of the DEB branch (rpm_packages is
  -- osquery's RPM table; 'xz' / 'xz-libs' are the usual RPM package names)
  CASE
    WHEN version LIKE '5.6.0%' OR version LIKE '5.6.1%' THEN 'Potentially Vulnerable'
    ELSE 'Most likely not vulnerable'
  END AS status
FROM rpm_packages
WHERE name = 'xz' OR name LIKE 'xz-libs%';
jamesspi / driverload.json
Created March 24, 2023 22:24
Driver Load Event
{
"agent": {
"id": "b5780efb-e2e8-42f2-9221-b8e93f2db369",
"type": "endpoint",
"version": "8.6.2"
},
"process": {
"Ext": {
"ancestry": [
"YjU3ODBlZmItZTJlOC00MmYyLTkyMjEtYjhlOTNmMmRiMzY5LTAtMTY3ODkzOTIxOS4yNTI4MzAw"