From e5166f0e6672bb9cd57734580dd018b155c73daa Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 11 May 2020 15:16:44 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/macos-index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/macos-index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 20 +++++++++++++++
 atomics/T1176/T1176.md | 25 +++++++++++++++++++
 8 files changed, 51 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 15aa8804..edd6b721 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -13,6 +13,7 @@ persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute"
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode)
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store)
 persistence,T1176,Browser Extensions,3,Firefox
+persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN
 persistence,T1042,Change Default File Association,1,Change Default File Association
 persistence,T1122,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER
 persistence,T1122,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index db698cce..8f5572c6 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -4,6 +4,7 @@ persistence,T1156,.bash_profile and .bashrc,2,Add command to .bashrc
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode)
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store)
 persistence,T1176,Browser Extensions,3,Firefox
+persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN
 persistence,T1136,Create Account,2,Create a user account on a MacOS system
 persistence,T1519,Emond,1,Persistance with Event Monitor - emond
 persistence,T1158,Hidden Files and Directories,1,Create a hidden file in a hidden directory
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 55498cb1..a3a9bcbd 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -170,6 +170,7 @@ persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute"
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode)
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store)
 persistence,T1176,Browser Extensions,3,Firefox
+persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN
 persistence,T1042,Change Default File Association,1,Change Default File Association
 persistence,T1122,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER
 persistence,T1122,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index c54906b6..904ddb0f 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -24,6 +24,7 @@
 - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
 - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
 - Atomic Test #3: Firefox [linux, windows, macos]
+ - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
 - [T1042 Change Default File Association](../../T1042/T1042.md)
 - Atomic Test #1: Change Default File Association [windows]
 - T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index c015b6ec..30fca16d 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -7,6 +7,7 @@
 - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
 - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
 - Atomic Test #3: Firefox [linux, windows, macos]
+ - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
 - [T1136 Create Account](../../T1136/T1136.md)
 - Atomic Test #2: Create a user account on a MacOS system [macos]
 - T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 45f41ede..595eae94 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -267,6 +267,7 @@
 - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
 - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
 - Atomic Test #3: Firefox [linux, windows, macos]
+ - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
 - [T1042 Change Default File Association](../../T1042/T1042.md)
 - Atomic Test #1: Change Default File Association [windows]
 - T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 5bff2d9a..37def328 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -1005,6 +1005,26 @@ persistence: 2. Navigate to [manifest.json](./src/manifest.json) 3. Then click 'Open' + - name: Edge Chromium Addon - VPN + description: 'Adversaries may use VPN extensions in an attempt to hide traffic + sent from a compromised host. This will install one (of many) available VPNS + in the Edge add-on store. + +' + supported_platforms: + - windows + - macos + executor: + name: manual + steps: | + 1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj + in Edge Chromium + + 2. Click 'Get' + cleanup: |- + 1. Navigate to "..." menu in top right of browser and select. + 2. In drop down, click on "Extensions". + 3. Remove the Extension. T1042: technique: x_mitre_data_sources: diff --git a/atomics/T1176/T1176.md b/atomics/T1176/T1176.md index dbc5e53a..80266793 100644 --- a/atomics/T1176/T1176.md +++ b/atomics/T1176/T1176.md @@ -12,6 +12,8 @@ Malicious extensions can be installed into a browser through malicious app store - [Atomic Test #3 - Firefox](#atomic-test-3---firefox) +- [Atomic Test #4 - Edge Chromium Addon - VPN](#atomic-test-4---edge-chromium-addon---vpn) +
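Review bot: The `cleanup` block of the new `Edge Chromium Addon - VPN` entry in index.yaml is incomplete: step 1 reads `1. Navigate to "..." menu in top right of browser and select.` with no object for "select", and the description says `VPNS` where `VPNs` is meant; the same text is reproduced in the T1176.md hunks that follow. Both files are produced by this doc-generation job, so the wording should be corrected in the atomic's source definition that they are generated from, otherwise the next run will reintroduce it. A minimal rewording that keeps step 2 meaningful is `1. Open the "..." menu in the top right of the browser.`. The description also never names which extension the hard-coded store id in the `steps` resolves to; stating the extension name would let a maintainer confirm the listing still matches if the store page changes and gives defenders a concrete artifact to look for when validating detection of this test.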
@@ -84,4 +86,27 @@ click "Load Temporary Add-on" +
+
+ +## Atomic Test #4 - Edge Chromium Addon - VPN +Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store. + +**Supported Platforms:** Windows, macOS + + + + +#### Run it with these steps! +1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj +in Edge Chromium + +2. Click 'Get' + + + + + + +