security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1176/T1176.yaml
T
AJ King 6efef030bf Update broken uBlockLite URL (#2999) 
Co-authored-by: Hare Sudhan <code@0x6c.dev>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-12-10 17:53:20 -07:00

113 lines
4.1 KiB
YAML
Raw Permalink Blame History

attack_technique: T1176
display_name: Browser Extensions
atomic_tests:
- name: Chrome/Chromium (Developer Mode)
auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1
description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to [chrome://extensions](chrome://extensions) and
tick 'Developer Mode'.
2. Click 'Load unpacked extension...' and navigate to
[Browser_Extension](../t1176/src/)
3. Click 'Select'
name: manual
- name: Chrome/Chromium (Chrome Web Store)
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
in Chrome
2. Click 'Add to Chrome'
name: manual
- name: Firefox
auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
description: |
Create a file called test.wma, with the duration of 30 seconds
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to [about:debugging](about:debugging) and
click "Load Temporary Add-on"
2. Navigate to [manifest.json](./src/manifest.json)
3. Then click 'Open'
name: manual
- name: Edge Chromium Addon - VPN
auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5
description: |
Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store.
supported_platforms:
- windows
- macos
executor:
steps: |
1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj
in Edge Chromium
2. Click 'Get'
name: manual
- name: Google Chrome Load Unpacked Extension With Command Line
auto_generated_guid: 7a714703-9f6b-461c-b06d-e6aeac650f27
description: |-
This test loads an unpacked extension in Google Chrome with the `--load-extension` parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
References:
https://attack.mitre.org/techniques/T1176/
https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/
supported_platforms:
- windows
input_arguments:
working_dir:
description: Working directory where the files will be downloaded and extracted
type: string
default: $env:TEMP
executor:
command: |-
# Chromium
$chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
# uBlock Origin Lite to test side-loading
$extension = "https://github.com/uBlockOrigin/uBOL-home/releases/download/uBOLite_2024.11.25.1376/uBOLite_2024.11.25.1376.chromium.mv3.zip"
Set-Location "#{working_dir}"
Set-Variable ProgressPreference SilentlyContinue
Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip"
Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip"
Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force
Expand-Archive extension.zip -Force
Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension\" -PassThru
cleanup_command: |-
Set-Location "#{working_dir}"
Stop-Process -Name chrome -Force
Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force
Set-Variable ProgressPreference Continue
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink