From e52c8a8980a52326e914249109da05cba2d8ec70 Mon Sep 17 00:00:00 2001
From: Dan Bourke <dbourke@atlassian.com>
Date: Mon, 26 Feb 2018 13:08:47 +1100
Subject: [PATCH] finishing mac bits

---
 Mac/Persistence/Browser_Extensions.md | 12 ++++++++++++
 Mac/README.md                         |  4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 Mac/Persistence/Browser_Extensions.md

diff --git a/Mac/Persistence/Browser_Extensions.md b/Mac/Persistence/Browser_Extensions.md
new file mode 100644
index 00000000..f38f59f4
--- /dev/null
+++ b/Mac/Persistence/Browser_Extensions.md
@@ -0,0 +1,12 @@
+## Browser Extensions
+
+MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
+
+
+### Chrome
+
+Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
+
+Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
+
+Then click 'Select'
\ No newline at end of file
diff --git a/Mac/README.md b/Mac/README.md
index 2b7c6cad..457ba910 100644
--- a/Mac/README.md
+++ b/Mac/README.md
@@ -3,8 +3,8 @@
 | Persistence                  | Privilege Escalation          | Defense Evasion                 | Credential Access                      | Discovery                              | Lateral Movement                | Execution                | Collection                     | Exfiltration                                  | Command and Control                     |
 |------------------------------|-------------------------------|---------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
 | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md)    | Dylib Hijacking               | Binary Padding                  | [Bash History](Credential_Access/Bash_History.md)                           | [Account Discovery](Discovery/Account_Discovery.md)                      | [AppleScript](Execution/AppleScript.md)                     | [AppleScript](Execution/AppleScript.md)              | Audio Capture                  | Automated Exfiltration                        | Commonly Used Port                      |
-| Browser Extensions           | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md)           | Brute Force                            | Application Window Discovery           | Application Deployment Software | Command-Line Interface   | Automated Collection           | Data Compressed                               | Communication Through Removable Media   |
-| [Create Account](Persistence/Create_Account.md)               | Launch Daemon                 | Code Signing                    | Credentials in Files                   | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md)           | Exploitation of Vulnerability   | Graphical User Interface | Browser Extensions             | Data Encrypted                                | Connection Proxy                        |
+| [Browser Extensions](Persistence/Browser_Extensions.md)           | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md)           | Brute Force                            | Application Window Discovery           | Application Deployment Software | Command-Line Interface   | Automated Collection           | Data Compressed                               | Communication Through Removable Media   |
+| [Create Account](Persistence/Create_Account.md)               | Launch Daemon                 | Code Signing                    | Credentials in Files                   | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md)           | Exploitation of Vulnerability   | Graphical User Interface | [Browser Extensions](Collection/Browser_Extensions.md)             | Data Encrypted                                | Connection Proxy                        |
 | Dylib Hijacking              | Plist Modification            | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md)        | Exploitation of Vulnerability          | [Network Service Scanning](Discovery/Network_Service_Scanning.md)               | [Logon Scripts](Persistence/Logon_Scripts.md)                | Launchctl                | Clipboard Data                 | Data Transfer Size Limits                     | Custom Command and Control Protocol     |
 | Hidden Files and Directories | Process Injection             | Exploitation of Vulnerability   | Input Capture                          | [Network Share Discovery](Discovery/Network_Share_Discovery.md)                | Remote File Copy                | Local Job Scheduling     | Data Staged                    | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md)        | Custom Cryptographic Protocol           |
 | LC_LOAD_DYLIB Addition       | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md)             | File Deletion                   | [Input Prompt](Credential_Access/Input_Prompt.md)                           | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md)            | Remote Services                 | Scripting                | Data from Local System         | Exfiltration Over Command and Control Channel | Data Encoding                           |