security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update broken uBlockLite URL (#2999)

Browse Source 
Co-authored-by: Hare Sudhan <code@0x6c.dev>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
AJ King
2024-12-10 16:53:20 -08:00
committed by GitHub
parent 01e281aad2
commit 6efef030bf
2 changed files with 113 additions and 156 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1176/T1176.md
+22 -65
View File
@@ -1,5 +1,7 @@
# T1176 - Browser Extensions
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1176)
<blockquote>Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
@@ -22,123 +24,87 @@ There have also been instances of botnets using a persistent backdoor through ma
- [Atomic Test #5 - Google Chrome Load Unpacked Extension With Command Line](#atomic-test-5---google-chrome-load-unpacked-extension-with-command-line)
<br/>
## Atomic Test #1 - Chrome/Chromium (Developer Mode)
Turn on Chrome/Chromium developer mode and Load Extension found in the src directory
**Supported Platforms:** Linux, Windows, macOS
**auto_generated_guid:** 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1
#### Run it with these steps!
#### Run it with these steps!
1. Navigate to [chrome://extensions](chrome://extensions) and
tick 'Developer Mode'.
tick 'Developer Mode'.
2. Click 'Load unpacked extension...' and navigate to
[Browser_Extension](../t1176/src/)
[Browser_Extension](../t1176/src/)
3. Click 'Select'
<br/>
<br/>
## Atomic Test #2 - Chrome/Chromium (Chrome Web Store)
Install the "Minimum Viable Malicious Extension" Chrome extension
**Supported Platforms:** Linux, Windows, macOS
**auto_generated_guid:** 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
#### Run it with these steps!
#### Run it with these steps!
1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
in Chrome
in Chrome
2. Click 'Add to Chrome'
<br/>
<br/>
## Atomic Test #3 - Firefox
Create a file called test.wma, with the duration of 30 seconds
**Supported Platforms:** Linux, Windows, macOS
**auto_generated_guid:** cb790029-17e6-4c43-b96f-002ce5f10938
#### Run it with these steps!
#### Run it with these steps!
1. Navigate to [about:debugging](about:debugging) and
click "Load Temporary Add-on"
click "Load Temporary Add-on"
2. Navigate to [manifest.json](./src/manifest.json)
3. Then click 'Open'
<br/>
<br/>
## Atomic Test #4 - Edge Chromium Addon - VPN
Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store.
**Supported Platforms:** Windows, macOS
**auto_generated_guid:** 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5
#### Run it with these steps!
#### Run it with these steps!
1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj
in Edge Chromium
in Edge Chromium
2. Click 'Get'
<br/>
<br/>
## Atomic Test #5 - Google Chrome Load Unpacked Extension With Command Line
This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
References:
@@ -147,28 +113,22 @@ https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-i
**Supported Platforms:** Windows
**auto_generated_guid:** 7a714703-9f6b-461c-b06d-e6aeac650f27
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| working_dir | Working directory where the files will be downloaded and extracted | string | $env:TEMP|
| Name | Description | Type | Default Value |
| ----------- | ------------------------------------------------------------------ | ------ | ------------- |
| working_dir | Working directory where the files will be downloaded and extracted | string | $env:TEMP |
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
# Chromium
$chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
# uBlock Origin Lite to test side-loading
$extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip"
$extension = "https://github.com/uBlockOrigin/uBOL-home/releases/download/uBOLite_2024.11.25.1376/uBOLite_2024.11.25.1376.chromium.mv3.zip"
Set-Location "#{working_dir}"
@@ -184,6 +144,7 @@ Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension
```
#### Cleanup Commands:
```powershell
Set-Location "#{working_dir}"
Stop-Process -Name chrome -Force
@@ -191,8 +152,4 @@ Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -F
Set-Variable ProgressPreference Continue
```
<br/>
atomics/T1176/T1176.yaml
+91 -91
View File
@@ -1,112 +1,112 @@
attack_technique: T1176
display_name: Browser Extensions
atomic_tests:
- name: Chrome/Chromium (Developer Mode)
auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1
description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to [chrome://extensions](chrome://extensions) and
tick 'Developer Mode'.
- name: Chrome/Chromium (Developer Mode)
auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1
description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to [chrome://extensions](chrome://extensions) and
tick 'Developer Mode'.
2. Click 'Load unpacked extension...' and navigate to
[Browser_Extension](../t1176/src/)
2. Click 'Load unpacked extension...' and navigate to
[Browser_Extension](../t1176/src/)
3. Click 'Select'
name: manual
- name: Chrome/Chromium (Chrome Web Store)
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
in Chrome
3. Click 'Select'
name: manual
- name: Chrome/Chromium (Chrome Web Store)
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
in Chrome
2. Click 'Add to Chrome'
name: manual
- name: Firefox
auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
description: |
Create a file called test.wma, with the duration of 30 seconds
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to [about:debugging](about:debugging) and
click "Load Temporary Add-on"
2. Click 'Add to Chrome'
name: manual
- name: Firefox
auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
description: |
Create a file called test.wma, with the duration of 30 seconds
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to [about:debugging](about:debugging) and
click "Load Temporary Add-on"
2. Navigate to [manifest.json](./src/manifest.json)
2. Navigate to [manifest.json](./src/manifest.json)
3. Then click 'Open'
name: manual
- name: Edge Chromium Addon - VPN
auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5
description: |
Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store.
supported_platforms:
- windows
- macos
executor:
steps: |
1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj
in Edge Chromium
3. Then click 'Open'
name: manual
- name: Edge Chromium Addon - VPN
auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5
description: |
Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store.
supported_platforms:
- windows
- macos
executor:
steps: |
1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj
in Edge Chromium
2. Click 'Get'
name: manual
2. Click 'Get'
name: manual
- name: Google Chrome Load Unpacked Extension With Command Line
auto_generated_guid: 7a714703-9f6b-461c-b06d-e6aeac650f27
- name: Google Chrome Load Unpacked Extension With Command Line
auto_generated_guid: 7a714703-9f6b-461c-b06d-e6aeac650f27
description: |-
This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
References:
https://attack.mitre.org/techniques/T1176/
https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/
description: |-
This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
supported_platforms:
- windows
input_arguments:
working_dir:
description: Working directory where the files will be downloaded and extracted
type: string
default: $env:TEMP
executor:
command: |-
References:
https://attack.mitre.org/techniques/T1176/
https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/
# Chromium
$chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
supported_platforms:
- windows
input_arguments:
working_dir:
description: Working directory where the files will be downloaded and extracted
type: string
default: $env:TEMP
executor:
command: |-
# uBlock Origin Lite to test side-loading
$extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip"
# Chromium
$chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
Set-Location "#{working_dir}"
# uBlock Origin Lite to test side-loading
$extension = "https://github.com/uBlockOrigin/uBOL-home/releases/download/uBOLite_2024.11.25.1376/uBOLite_2024.11.25.1376.chromium.mv3.zip"
Set-Variable ProgressPreference SilentlyContinue
Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip"
Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip"
Set-Location "#{working_dir}"
Set-Variable ProgressPreference SilentlyContinue
Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip"
Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip"
Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force
Expand-Archive extension.zip -Force
Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force
Expand-Archive extension.zip -Force
Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension\" -PassThru
Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension\" -PassThru
cleanup_command: |-
Set-Location "#{working_dir}"
Stop-Process -Name chrome -Force
Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force
Set-Variable ProgressPreference Continue
cleanup_command: |-
Set-Location "#{working_dir}"
Stop-Process -Name chrome -Force
Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force
Set-Variable ProgressPreference Continue
name: powershell
elevation_required: true
name: powershell
elevation_required: true