From aa3e4cea3e32daa62d5a68d93d34702485baf9ba Mon Sep 17 00:00:00 2001
From: traceflow
Date: Tue, 6 Jun 2023 17:48:05 +0000
Subject: [PATCH] adding new test in T1176 - Load unpacked extension with command line
---
 atomics/T1176/T1176.yaml | 41 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/atomics/T1176/T1176.yaml b/atomics/T1176/T1176.yaml
index b459218b..b70a0883 100644
--- a/atomics/T1176/T1176.yaml
+++ b/atomics/T1176/T1176.yaml
@@ -64,3 +64,44 @@ atomic_tests:
 2. Click 'Get'
 name: manual
+- name: Google Chrome Load Unpacked Extension With Command Line
+ auto_generated_guid:
+
+ description: |-
+ This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
+
+ References:
+ https://attack.mitre.org/techniques/T1176/
+ https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/
+
+ supported_platforms:
+ - windows
+ input_arguments:
+ dependency_executor_name:
+ dependencies:
+ executor:
+ command: |-
+
+ # Chromium
+ $chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
+
+ # uBlock Origin Lite to test side-loading
+ $extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip"
+
+ Set-Location $env:TEMP
+
+ Invoke-WebRequest -URI $chromium -OutFile $env:TEMP\chrome.zip
+ Invoke-WebRequest -URI $extension -OutFile $env:TEMP\extension.zip
+
+
+ Expand-Archive chrome.zip -DestinationPath $env:TEMP -Force
+ Expand-Archive extension.zip -Force
+
+ $chrome = Start-Process .\chrome-win\chrome.exe --load-extension="$env:TEMP\extension\" -PassThru
+
+ cleanup_command: |-
+ Stop-Process -Id $chrome.Id
+ Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force
+
+ name: powershell
+ elevation_required: true
\ No newline at end of file
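Review bot: The two archives fetched on the `Invoke-WebRequest` lines are unpacked and executed with no integrity check, and `elevation_required: true` means an unsigned Chromium snapshot from a public bucket plus a third-party release zip run as administrator, so a substituted or tampered download becomes arbitrary elevated code on the test host. Pin the SHA-256 of both files (they are fixed URLs, so the hashes are stable) and verify with `Get-FileHash` before `Expand-Archive`, and drop elevation to `elevation_required: false` unless something here actually needs admin — nothing visible does, every path is under `$env:TEMP`. The `cleanup_command` also relies on state from `command`: `$chrome` and the relative `.\chrome.zip` paths only work if cleanup runs in the same session and working directory, which is not the case when the executor runs each block in its own PowerShell process; use absolute `$env:TEMP\...` paths and find the browser by image path, e.g. `Get-Process chrome -ErrorAction SilentlyContinue | Where-Object { $_.Path -like "$env:TEMP\chrome-win\*" } | Stop-Process -Force`. Minor: the `--load-extension="$env:TEMP\extension\"` argument is passed unquoted to chrome.exe, so it will break if `%TEMP%` contains a space — worth a comment or a `-ArgumentList` with explicit quoting.
```powershell
# Pin and verify both archives before anything is unpacked or executed.
$expected = @{
  'chrome.zip'    = '<sha256 of chrome-win.zip r1153778>'
  'extension.zip' = '<sha256 of uBOLite_0.1.23.6055.chromium.mv3.zip>'
}
foreach ($f in $expected.Keys) {
  $actual = (Get-FileHash -Algorithm SHA256 "$env:TEMP\$f").Hash
  if ($actual -ne $expected[$f]) { throw "hash mismatch for $f : $actual" }
}
# … unchanged: Expand-Archive and Start-Process …
```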