security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1176/T1176.md
T
CircleCI Atomic Red Team doc generator 65fd85dd3c Generate docs from job=validate_atomics_generate_docs branch=uppercase-everything
2018-05-23 23:09:31 +00:00

3.4 KiB
Raw Blame History

T1176 - Browser Extensions

Description from ATT&CK

Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access. (Citation: Wikipedia Browser Extension) (Citation: Chrome Extensions Definition)

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so may not be difficult for malicious extensions to defeat automated scanners and be uploaded. (Citation: Malicious Chrome Extension Numbers) Once the extension is installed, it can browse to websites in the background, (Citation: Chrome Extension Crypto Miner) (Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser, to include credentials, (Citation: Banker Google Chrome Extension Steals Creds) (Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. There have been instances of botnets using a persistent backdoor through malicious Chrome extensions. (Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control (Citation: Chrome Extension C2 Malware).

Detection: Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.

Monitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.

Platforms: Linux, macOS, Windows

Data Sources: Network protocol analysis, Packet capture, System calls, Process use of network, Process monitoring, Browser extensions

Permissions Required: User

Contributors: Justin Warner, ICEBRG

Atomic Tests


Atomic Test #1 - Chrome (Developer Mode)

xxx

Supported Platforms: Linux, Windows, macOS

Run it with these steps!

  1. Navigate to chrome://extensions and tick 'Developer Mode'.

  2. Click 'Load unpacked extension...' and navigate to Browser_Extension

  3. Click 'Select'



Atomic Test #2 - Chrome (Chrome Web Store)

xxx

Supported Platforms: Linux, Windows, macOS

Run it with these steps!

  1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome

  2. Click 'Add to Chrome'



Atomic Test #3 - Firefox

Create a file called test.wma, with the duration of 30 seconds

Supported Platforms: Linux, Windows, macOS

Run it with these steps!

  1. Navigate to about:debugging and click "Load Temporary Add-on"

  2. Navigate to manifest.json

  3. Then click 'Open'


Reference in New Issue View Git Blame Copy Permalink