Brian 7c79132a29 Update T1176.yaml (#3282)
Co-authored-by: Hare Sudhan <code@0x6c.dev>
2026-02-12 21:34:28 -05:00


attack_technique: T1176
display_name: Browser Extensions
atomic_tests:
- name: Chrome/Chromium (Developer Mode)
  auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1
  description: Turn on Chrome/Chromium developer mode and load the extension found in the src directory
  supported_platforms:
  - linux
  - windows
  - macos
  executor:
    steps: |
      1. Navigate to [chrome://extensions](chrome://extensions) and
      tick 'Developer Mode'.
      2. Click 'Load unpacked extension...' and navigate to
      [Browser_Extension](../t1176/src/)
      3. Click 'Select'
    name: manual
- name: Firefox
  auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
  description: |
    Create a file called test.wma, with the duration of 30 seconds
  supported_platforms:
  - linux
  - windows
  - macos
  executor:
    steps: |
      1. Navigate to [about:debugging](about:debugging) and
      click "Load Temporary Add-on"
      2. Navigate to [manifest.json](./src/manifest.json)
      3. Then click 'Open'
    name: manual
- name: Edge Chromium Addon - VPN
  auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5
  description: |
    Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNs from the Edge add-on store.
  supported_platforms:
  - windows
  - macos
  executor:
    steps: |
      1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj
      in Edge Chromium
      2. Click 'Get'
    name: manual
- name: Google Chrome Load Unpacked Extension With Command Line
  auto_generated_guid: 7a714703-9f6b-461c-b06d-e6aeac650f27
  description: |-
    This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malware families also leverage this technique to hijack searches, steal passwords, inject ads, and more.
    References:
    https://attack.mitre.org/techniques/T1176/
    https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/
  supported_platforms:
  - windows
  input_arguments:
    working_dir:
      description: Working directory where the files will be downloaded and extracted
      type: string
      default: $env:TEMP
  executor:
    command: |-
      # Chromium snapshot build (portable, no installer needed)
      $chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
      # uBlock Origin Lite to test side-loading
      $extension = "https://github.com/uBlockOrigin/uBOL-home/releases/download/uBOLite_2024.11.25.1376/uBOLite_2024.11.25.1376.chromium.mv3.zip"
      Set-Location "#{working_dir}"
      # Suppress the download progress bar, which slows Invoke-WebRequest considerably
      Set-Variable ProgressPreference SilentlyContinue
      Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip"
      Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip"
      Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force
      # Without -DestinationPath the archive is extracted into .\extension\ next to the zip
      Expand-Archive extension.zip -Force
      Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension\" -PassThru
    cleanup_command: |-
      Set-Location "#{working_dir}"
      Stop-Process -Name chrome -Force
      Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force
      Set-Variable ProgressPreference Continue
    name: powershell
    elevation_required: true
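As an added defender-side example (not part of the Atomic Red Team test definition above), the following Python scans Sysmon-style process-creation records for the `--load-extension` launch that the last test performs, reporting which directories were side-loaded and whether they sit under a temp location like the `$env:TEMP` staging directory the test uses. The browser list, temp-path hints and sample records are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Chromium-based browsers that honour --load-extension (assumption: illustrative list).
BROWSERS = {"chrome.exe", "msedge.exe", "chromium.exe", "brave.exe"}
# Path fragments that mark a staging location such as the $env:TEMP the test uses.
TEMP_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "/tmp/")
# --load-extension takes one directory or a comma-separated list, optionally quoted.
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)

@dataclass
class Finding:
    image: str
    extension_dirs: list = field(default_factory=list)
    from_temp: bool = False   # at least one directory lives under a temp location

def extension_dirs(cmdline):
    """Return every directory passed via --load-extension on a command line."""
    dirs = []
    for quoted, bare in LOAD_EXT.findall(cmdline):
        dirs.extend(p.strip().rstrip("\\/") for p in (quoted or bare).split(",") if p.strip())
    return dirs

def scan(records):
    """records: iterable of dicts with Sysmon-style 'Image' and 'CommandLine' keys."""
    findings = []
    for rec in records:
        image = rec.get("Image", "")
        exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe not in BROWSERS:
            continue  # a non-browser process carrying the flag is noise, not T1176
        dirs = extension_dirs(rec.get("CommandLine", ""))
        if dirs:
            staged = any(h in d.lower() for d in dirs for h in TEMP_HINTS)
            findings.append(Finding(image, dirs, staged))
    return findings

# Constructed sample records shaped like Sysmon Event ID 1 (not real telemetry).
SAMPLE_RECORDS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\chrome-win\chrome.exe",
     "CommandLine": r'chrome.exe --load-extension="C:\Users\alice\AppData\Local\Temp\extension\"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'msedge.exe --load-extension="D:\dev\my ext,D:\dev\other" --no-first-run'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe --load-extension=C:\irrelevant"},
]
```

Running `scan(SAMPLE_RECORDS)` yields two findings: the temp-staged Chrome launch that mirrors the test, and a developer-style Edge launch from a non-temp path that a reviewer can triage separately.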