From 164da2cfa0e94a5b47ea2500281f83f55eb63ef1 Mon Sep 17 00:00:00 2001
From: tlor89 <60741301+tlor89@users.noreply.github.com>
Date: Fri, 27 Nov 2020 14:55:37 -0600
Subject: [PATCH] T1133 (#1295)
Co-authored-by: Toua Lor
---
atomics/T1133/T1133.yaml | 47 +++++++++
atomics/T1133/src/list of vpn extension.txt | 110 ++++++++++++++++++++
2 files changed, 157 insertions(+)
create mode 100644 atomics/T1133/T1133.yaml
create mode 100644 atomics/T1133/src/list of vpn extension.txt
diff --git a/atomics/T1133/T1133.yaml b/atomics/T1133/T1133.yaml
new file mode 100644
index 00000000..aa5b5012
--- /dev/null
+++ b/atomics/T1133/T1133.yaml
@@ -0,0 +1,47 @@
+---
+attack_technique: T1133
+display_name: External Remote Services
+
+atomic_tests:
+- name: Running Chrome VPN Extensions via the Registry 2 vpn extension
+ description: |
+ Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ chrome_url:
+ description: chrome installer download URL
+ type: url
+ default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe
+ extension_id:
+ description: chrome extension id
+ type: String
+ default: |
+ "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"
+
+ dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
+ dependencies: # (optional)
+ - description: |
+ chrome must be installed
+ prereq_command: 'if (cmd /c "chrome 2>nul") {exit 0} else {exit 1}'
+ get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
+ Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url}
+ Start-Process $env:temp\ChromeStandaloneSetup64.exe /S
+
+ executor:
+ name: powershell
+ elevation_required: true
+ command: | # these are the actaul attack commands, at least one command must be provided
+ $extList = #{extension_id}
+ foreach ($extension in $extList) {
+ New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force
+ New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force}
+ Start-Process -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
+ Start-Sleep -Seconds 30
+ Stop-Process -Name "chrome"
+ cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
+ $extList = #{extension_id}
+ foreach ($extension in $extList) {
+ Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore}
\ No newline at end of file
diff --git a/atomics/T1133/src/list of vpn extension.txt b/atomics/T1133/src/list of vpn extension.txt
new file mode 100644
index 00000000..64c34497
--- /dev/null
+++ b/atomics/T1133/src/list of vpn extension.txt
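Review bot: The prerequisite check in `prereq_command` does not test what the executor relies on: `if (cmd /c "chrome 2>nul")` is true only when the command produces stdout, which a PATH lookup of `chrome` does not appear to do in either outcome (when found it launches the browser and prints nothing; when not found the error message goes to nul), so the check seems to fail even on a host where the executor's hard-coded `C:\Program Files (x86)\Google\Chrome\Application\chrome.exe` exists. Testing that same path keeps the check side-effect free and consistent with the command block: `prereq_command: 'if (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe") {exit 0} else {exit 1}'`. Separately, `Stop-Process -Name "chrome"` terminates every Chrome process on the host, not just the instance the test started; either state that in `description`, or capture the launched process with `Start-Process -PassThru` and stop that object. The `command:` comment also carries the typo `actaul`.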
@@ -0,0 +1,110 @@
+ZenMate VPN - fdcgdnkidjaadafnichfpabhfomcebme
+1clickVPN - fcfhplploccackoneaefokcmbjfbkenj
+Touch VPN - bihmplhobchoageeokmgbdihknkjbknd
+Hola Free VPN - gkojfkhlekighikafcpjkiklfbnlmeio
+Astar VPN - jajilbjjinjmgcibalaakngmkilboobh
+VPN Free - gjknjjomckknofjidppipffbpoekiipm
+Earth VPN - nabbmpekekjknlbkgpodfndbodhijjem
+DotVPN - kpiecbcckbofpmkkkdibbllpinceiihk
+Hotspot Shield Free VPN - nlbejmccbhkncgokjcmghpfloaajcffj
+Browsec VPN - omghfjlpggmjjaagoclmmobgdodcjboh
+VPN-free.pro - bibjcjfmgapbfoljiojpipaooddpkpai
+VPN Unlimited Free - mpcaainmfjjigeicjnlkdfajbioopjko
+PP VPN - jljopmgdobloagejpohpldgkiellmfnc
+IP Unblock - lochiccbgeohimldjooaakjllnafhaid
+Surf VPN - nhnfcgpcbfclhfafjlooihdfghaeinfc
+iNinja VPN - ookhnhpkphagefgdiemllfajmkdkcaim
+Daily VPN - namfblliamklmeodpcelkokjbffgmeoo
+Hoxx VPN Proxy - nbcojefnccbanplpoffopkoepjmhgdgh
+Free VPN - majdfhpaihoncoakbjgbdhglocklcgno
+VPN PROXY MASTER - lnfdmdhmfbimhhpaeocncdlhiodoblbd
+Urban Free VPN - eppiocemhmnlbhjplcgkofciiegomcon
+SaferVPN Proxy - cocfojppfigjeefejbpfmedgjbpchcng
+VPN Professional - foiopecknacmiihiocgdjgbjokkpkohc
+AdGuard VPN - hhdobjgopfphlmjbmnpglhfcgppchgje
+Free VPN - jgbaghohigdbgbolncodkdlpenhcmcge
+Free One Touch VPN - inligpkjkhbpifecbdjhmdpcfhnlelja
+Unlimited VPN & Proxy by ibVPN - higioemojdadgdbhbbbkfbebbdlfjbip
+RusVPN - hipncndjamdcmphkgngojegjblibadbe
+Azino VPN - iolonopooapdagdemdoaihahlfkncfgg
+Pron VPN - nhfjkakglbnnpkpldhjmpmmfefifedcj
+Free Residential VPN - jpgljfpmoofbmlieejglhonfofmahini
+ExpressVPN - fgddmllnllkalaagkghckoinaemmogpe
+Hotspot Shield Elite VPN Proxy - ejkaocphofnobjdedneohbbiilggdlbi
+Hide My IP VPN - keodbianoliadkoelloecbhllnpiocoi
+Tunnello VPN - hoapmlpnmpaehilehggglehfdlnoegck
+HMA VPN Proxy Unblocker - poeojclicodamonabcabmapamjkkmnnk
+Free Avira Phantom VPN - dfkdflfgjdajbhocmfjolpjbebdkcjog
+Hola VPN - kcdahmgmaagjhocpipbodaokikjkampi
+Free VPN for Chrome - klnkiajpmpkkkgpgbogmcgfjhdoljacg
+Hub VPN - lneaocagcijjdpkcabeanfpdbmapcjjg
+Free Proxy VPN - pgfpignfckbloagkfnamnolkeaecfgfh
+Private Internet Access - jplnlifepflhkbkgonidnobkakhmpnmh
+Turbo VPN for PC - jliodmnojccaloajphkingdnpljdhdok
+Windscribe - hnmpcagpplmpfojmgmnngilcnanddlhb
+CyberGhost VPN - ffbkglfijbcbgblgflchnbphjdllaogb
+VPN.AC - kcndmbbelllkmioekdagahekgimemejo
+Browser VPN - jdgilggpfmjpbodmhndmhojklgfdlhob
+DEEPRISM VPN - bihhflimonbpcfagfadcnbbdngpopnjb
+My Browser Vpn - ppajinakbfocjfnijggfndbdmjggcmde
+SetupVPN - oofgbpoabipfcfjapgnbbjjaenockbdp
+Wachee VPN - bhnhkdgoefpmekcgnccpnhjfdgicfebm
+Thunder Proxy - knmmpciebaoojcpjjoeonlcjacjopcpf
+Free Proxy VPN - dhadilbmmjiooceioladdphemaliiobo
+FastestVPN Proxy - jedieiamjmoflcknjdjhpieklepfglin
+WorkingVPN - mhngpdlhojliikfknhfaglpnddniijfh
+TunnelBear VPN - omdakjcmkglenbhjadbccaookpfjihpa
+BelkaVPN - npgimkapccfidfkfoklhpkgmhgfejhbj
+VPN Master - akeehkgglkmpapdnanoochpfmeghfdln
+Unblock Websites - gbmdmipapolaohpinhblmcnpmmlgfgje
+Lethean Proxy VPN - aigmfoeogfnljhnofglledbhhfegannp
+Whoer VPN - cgojmfochfikphincbhokimmmjenhhgk
+Best VPN USA - ficajfeojakddincjafebjmfiefcmanc
+FREE VPN DEWELOPMENT - ifnaibldjfdmaipaddffmgcmekjhiloa
+apkfold free vpn - jbnmpdkcfkochpanomnkhnafobppmccn
+Soul VPN - apcfdffemoinopelidncddjbhkiblecc
+DotVPN - mjolnodfokkkaichkcjipfgblbfgojpa
+rderzh VPN Proxy - oifjbnnafapeiknapihcmpeodaeblbkn
+Red Panda VPN - plpmggfglncceinmilojdkiijhmajkjh
+Ultrareach VPN - mjnbclmflcpookeapghfhapeffmpodij
+FastStunnel VPN - bblcccknbdbplgmdjnnikffefhdlobhp
+VirtualShield VPN - aojlhgbkmkahabcmcpifbolnoichfeep
+Adblock Office VPN Proxy Server - lcmammnjlbmlbcaniggmlejfjpjagiia
+Guru VPN & Proxy - knajdeaocbpmfghhmijicidfcmdgbdpm
+Malus VPN - bdlcnpceagnkjnjlbbbcepohejbheilk
+Muscle VPN - edknjdjielmpdlnllkdmaghlbpnmjmgb
+Push VPN - eidnihaadmmancegllknfbliaijfmkgo
+Gom VPN - ckiahbcmlmkpfiijecbpflfahoimklke
+Free Fast VPN - macdlemfnignjhclfcfichcdhiomgjjb
+BullVPN - chioafkonnhbpajpengbalkececleldf
+HideAll VPN - amnoibeflfphhplmckdbiajkjaoomgnj
+ProxyFlow - llbhddikeonkpbhpncnhialfbpnilcnc
+Cloud VPN - pcienlhnoficegnepejpfiklggkioccm
+sVPN - iocnglnmfkgfedpcemdflhkchokkfeii
+Social VPN - igahhbkcppaollcjeaaoapkijbnphfhb
+Trellonet Trellonet - njpmifchgidinihmijhcfpbdmglecdlb
+WindmillVPN - ggackgngljinccllcmbgnpgpllcjepgc
+IPBurger Proxy & VPN - kchocjcihdgkoplngjemhpplmmloanja
+Veee - bnijmipndnicefcdbhgcjoognndbgkep
+Anonymous Proxy Vpn Browser - lklekjodgannjcccdlbicoamibgbdnmi
+Hideman VPN - dbdbnchagbkhknegmhgikkleoogjcfge
+Fornex VPN - egblhcjfjmbjajhjhpmnlekffgaemgfh
+WeVPN - ehbhfpfdkmhcpaehaooegfdflljcnfec
+VPNMatic - bkkgdjpomdnfemhhkalfkogckjdkcjkg
+Urban Shield - almalgbpmcfpdaopimbdchdliminoign
+Prime VPN - akkbkhnikoeojlhiiomohpdnkhbkhieh
+westwind - gbfgfbopcfokdpkdigfmoeaajfmpkbnh
+Upnet - bniikohfmajhdcffljgfeiklcbgffppl
+uVPN - lejgfmmlngaigdmmikblappdafcmkndb
+Nucleus VPN - ffhhkmlgedgcliajaedapkdfigdobcif
+Touch VPN - bihmplhobchoageeokmgbdihknkjbknd
+FoxyProxy Standard - gcknhkkoolaabfmlnjonogaaifnjlfnp
+GeoProxy - pooljnboifbodgifngpppfklhifechoe
+NordVPN - fjoaledfpmneenckfbpdfhkmimnjocfa
+ProxFlow - aakchaleigkohafkfjfjbblobjifikek
+Proxy SwitchySharp - dpplabbmogkhghncfbfdeeokoefdjegm
+Proxy SwitchyOmega - padekgcemlokbadohgkifijomclgjgif
+PureVPN - bfidboloedlamgdmenmlbipfnccokknp
+RusVPN - hipncndjamdcmphkgngojegjblibadbe
+SaferVPN - cocfojppfigjeefejbpfmedgjbpchcng
+TunnelBear VPN - omdakjcmkglenbhjadbccaookpfjihpa
\ No newline at end of file