From aa3e4cea3e32daa62d5a68d93d34702485baf9ba Mon Sep 17 00:00:00 2001
From: traceflow
Date: Tue, 6 Jun 2023 17:48:05 +0000
Subject: [PATCH 1/5] adding new test in T1176 - Load unpacked extension with command line
---
 atomics/T1176/T1176.yaml | 41 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/atomics/T1176/T1176.yaml b/atomics/T1176/T1176.yaml
index b459218b..b70a0883 100644
--- a/atomics/T1176/T1176.yaml
+++ b/atomics/T1176/T1176.yaml
@@ -64,3 +64,44 @@ atomic_tests: 2. Click 'Get' name: manual +- name: Google Chrome Load Unpacked Extension With Command Line + auto_generated_guid: + + description: |- + This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more. + + References: + https://attack.mitre.org/techniques/T1176/ + https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/ + + supported_platforms: + - windows + input_arguments: + dependency_executor_name: + dependencies: + executor: + command: |- + + # Chromium + $chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip" + + # uBlock Origin Lite to test side-loading + $extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip" + + Set-Location $env:TEMP + + Invoke-WebRequest -URI $chromium -OutFile $env:TEMP\chrome.zip + Invoke-WebRequest -URI $extension -OutFile $env:TEMP\extension.zip + + + Expand-Archive chrome.zip -DestinationPath $env:TEMP -Force + Expand-Archive extension.zip -Force + + $chrome = Start-Process .\chrome-win\chrome.exe --load-extension="$env:TEMP\extension\" -PassThru + + cleanup_command: |- + Stop-Process -Id $chrome.Id + Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force + + name: powershell + elevation_required: true \ No newline at end of file From cee7f2ab5eb9d2a63d01a800523e0d759bd8b6bb Mon Sep 17 00:00:00 2001 From: traceflow Date: Tue, 6 Jun 2023 18:51:22 +0000 Subject: [PATCH 2/5] adding new test in T1176 - Load unpacked extension with command line --- atomics/T1176/T1176.yaml | 1 - 1 file changed, 1 deletion(-) 
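Review bot: Both downloads in the new `command:` block (`Invoke-WebRequest -URI $chromium ...` and `Invoke-WebRequest -URI $extension ...`) fetch archives that are then executed with no integrity check, so the executor trusts whatever those two URLs serve at run time rather than the pinned Chromium snapshot and uBOLite release the author tested against. The Atomic Red Team convention is to move the download and `Expand-Archive` steps into a `dependencies:` entry with a `prereq_command` such as `Test-Path "$env:TEMP\chrome-win\chrome.exe"` and a `get_prereq_command`, recording the expected archive hashes there, so that `command:` is left with only the `Start-Process ... --load-extension=` step that is the technique under test. `elevation_required: true` also looks stronger than needed: nothing visible in the command writes outside `$env:TEMP` or needs an elevated token, so `elevation_required: false` would let the test run under the least-privileged account, though confirm on a real run. The empty `auto_generated_guid:`, `input_arguments:` and `dependencies:` fields are addressed by later patches in this series.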
diff --git a/atomics/T1176/T1176.yaml b/atomics/T1176/T1176.yaml index b70a0883..2feac9ba 100644 --- a/atomics/T1176/T1176.yaml +++ b/atomics/T1176/T1176.yaml @@ -65,7 +65,6 @@ atomic_tests: name: manual - name: Google Chrome Load Unpacked Extension With Command Line - auto_generated_guid: description: |- This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more. From 5428e3bf1eda9285c3bf7777e6d7d68d3a973369 Mon Sep 17 00:00:00 2001 From: traceflow Date: Tue, 6 Jun 2023 18:55:08 +0000 Subject: [PATCH 3/5] adding new test in T1176 - Load unpacked extension with command line --- atomics/T1176/T1176.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/atomics/T1176/T1176.yaml b/atomics/T1176/T1176.yaml index 2feac9ba..91a3bc5f 100644 --- a/atomics/T1176/T1176.yaml +++ b/atomics/T1176/T1176.yaml @@ -75,9 +75,6 @@ atomic_tests: supported_platforms: - windows - input_arguments: - dependency_executor_name: - dependencies: executor: command: |- From dab845d335a8432f58717975c59e565d72dfb0cd Mon Sep 17 00:00:00 2001 From: traceflow Date: Thu, 8 Jun 2023 19:37:24 +0000 Subject: [PATCH 4/5] adding new test in T1176 - Load unpacked extension with command line --- atomics/T1176/T1176.yaml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/atomics/T1176/T1176.yaml b/atomics/T1176/T1176.yaml index 91a3bc5f..47891326 100644 --- a/atomics/T1176/T1176.yaml +++ b/atomics/T1176/T1176.yaml @@ -75,6 +75,11 @@ atomic_tests: supported_platforms: - windows + input_arguments: + working_dir: + description: Working directory where the files will be downloaded and extracted + type: string + default: $env:TEMP executor: command: |- 
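Review bot: The `working_dir` description added in the `@@ -75,6 +75,11 @@` hunk of the fourth patch should say what the test does to that directory, because the executor and cleanup run `Expand-Archive ... -Force` and `Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force` inside it (those lines are in the following hunk), so a caller who points it at a folder that already holds entries with those names will have them overwritten and then deleted. Suggested wording: `description: Working directory where the files will be downloaded and extracted; any existing chrome.zip, chrome-win, extension or extension.zip entries in it are overwritten and removed by cleanup`. The default `$env:TEMP` is a PowerShell expression rather than a literal path and only works because the executor interpolates `#{working_dir}` inside double-quoted strings; a short comment above `default:` saying so would save the next maintainer a surprise when a plain path with spaces is substituted instead.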
@@ -84,20 +89,23 @@ atomic_tests: # uBlock Origin Lite to test side-loading $extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip" - Set-Location $env:TEMP + Set-Location "#{working_dir}" - Invoke-WebRequest -URI $chromium -OutFile $env:TEMP\chrome.zip - Invoke-WebRequest -URI $extension -OutFile $env:TEMP\extension.zip + Set-Variable ProgressPreference SilentlyContinue + Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip" + Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip" - Expand-Archive chrome.zip -DestinationPath $env:TEMP -Force + Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force Expand-Archive extension.zip -Force - $chrome = Start-Process .\chrome-win\chrome.exe --load-extension="$env:TEMP\extension\" -PassThru + Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension\" -PassThru cleanup_command: |- - Stop-Process -Id $chrome.Id + Set-Location "#{working_dir}" + Stop-Process -Name chrome -Force Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force + Set-Variable ProgressPreference Continue name: powershell elevation_required: true \ No newline at end of file From d8580af70839352c43ad05a495ecd8897dee693e Mon Sep 17 00:00:00 2001 From: Hare Sudhan Date: Fri, 9 Jun 2023 01:15:22 -0400 Subject: [PATCH 5/5] Fix indentation --- atomics/T1176/T1176.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/atomics/T1176/T1176.yaml b/atomics/T1176/T1176.yaml index 47891326..668906ad 100644 --- a/atomics/T1176/T1176.yaml +++ b/atomics/T1176/T1176.yaml 
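Review bot: `Stop-Process -Name chrome -Force` in the rewritten `cleanup_command:` terminates every chrome.exe on the host, not just the copy launched from `#{working_dir}\chrome-win`, so running the test on a machine where the user has Google Chrome open closes their browser, and it errors outright when no chrome process is left. Since the `-PassThru` result is now discarded (the commit itself stopped relying on `$chrome`, presumably because cleanup runs in a separate PowerShell session), scope the kill to the test's own binary: `Get-Process chrome -ErrorAction SilentlyContinue | Where-Object { $_.Path -like "#{working_dir}\chrome-win\*" } | Stop-Process -Force`. The `Set-Variable ProgressPreference Continue` appended to cleanup is a no-op for the same reason, since the executor's `Set-Variable ProgressPreference SilentlyContinue` was set in a different session, and can be dropped. The `--load-extension="#{working_dir}\extension\"` argument is also passed positionally to `Start-Process`, so a `working_dir` containing a space would presumably be split by Chrome's argument parser; passing it through `-ArgumentList` with embedded quotes would be safer, though confirm with such a path before changing it.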
@@ -75,11 +75,11 @@ atomic_tests: supported_platforms: - windows - input_arguments: - working_dir: - description: Working directory where the files will be downloaded and extracted - type: string - default: $env:TEMP + input_arguments: + working_dir: + description: Working directory where the files will be downloaded and extracted + type: string + default: $env:TEMP executor: command: |- @@ -108,4 +108,4 @@ atomic_tests: Set-Variable ProgressPreference Continue name: powershell - elevation_required: true \ No newline at end of file + elevation_required: true