# T1176 - Browser Extensions
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1176)
<blockquote>Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access. (Citation: Wikipedia Browser Extension) (Citation: Chrome Extensions Definition)

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners and be uploaded. (Citation: Malicious Chrome Extension Numbers) Once the extension is installed, it can browse to websites in the background, (Citation: Chrome Extension Crypto Miner) (Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser, to include credentials, (Citation: Banker Google Chrome Extension Steals Creds) (Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. There have been instances of botnets using a persistent backdoor through malicious Chrome extensions. (Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control. (Citation: Chrome Extension C2 Malware)

Detection: Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.

Monitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.

Platforms: Linux, macOS, Windows

Data Sources: Network protocol analysis, Packet capture, System calls, Process use of network, Process monitoring, Browser extensions

Permissions Required: User

Contributors: Justin Warner, ICEBRG</blockquote>
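
One way to act on the detection guidance above (inventory extension installations and flag the ones that deviate from the expected baseline), as an added example that is not part of the Atomic Red Team page: it parses a Chrome profile's Preferences JSON and flags unpacked (Developer Mode) loads, installs that did not come from the Chrome Web Store, extensions missing from an allowlist, and broad permissions. The `extensions.settings` layout, the `from_webstore`/`location`/`manifest` keys and the unpacked location value 4 are assumptions about Chrome's profile format; the sample profile and allowlist are constructed.

```python
import json

# Chrome's Manifest::Location value for extensions loaded with "Load unpacked"
# (Developer Mode); assumed from Chromium's source, not stated on this page.
LOCATION_UNPACKED = 4

# Permissions that give an extension broad reach over browsing data.
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "cookies", "tabs", "nativeMessaging"}

# Constructed allowlist of extension IDs the organisation expects to see.
ALLOWLIST = {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}


def audit_extensions(preferences_json, allowlist=ALLOWLIST):
    """Return {extension_id: [reasons]} for every extension with a finding."""
    prefs = json.loads(preferences_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = {}
    for ext_id, info in settings.items():
        manifest = info.get("manifest", {})
        reasons = []
        # Unpacked loads are the Developer Mode path exercised by Atomic Test #1.
        if info.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked (Developer Mode)")
        if not info.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        # MV2 lists host patterns under permissions, MV3 under host_permissions.
        requested = set(manifest.get("permissions", []))
        requested.update(manifest.get("host_permissions", []))
        broad = sorted(BROAD_PERMISSIONS & requested)
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
        if reasons:
            findings[ext_id] = reasons
    return findings


# Constructed sample profile: one expected store extension, one unpacked one.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": True, "location": 1,
        "path": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/1.0_0",
        "manifest": {"name": "Expected Tool", "permissions": ["storage"]}},
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": False, "location": 4, "path": "/home/user/t1176",
        "manifest": {"name": "Unpacked Test",
                     "permissions": ["<all_urls>", "webRequest", "storage"]}},
}}})
```

Run it against a real profile by reading that profile's `Preferences` file into `audit_extensions`; anything it returns is a candidate for the inventory review the detection text calls for.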
## Atomic Tests

- [Atomic Test #1 - Chrome (Developer Mode)](#atomic-test-1---chrome-developer-mode)
- [Atomic Test #2 - Chrome (Chrome Web Store)](#atomic-test-2---chrome-chrome-web-store)
- [Atomic Test #3 - Firefox](#atomic-test-3---firefox)

<br/>

## Atomic Test #1 - Chrome (Developer Mode)

xxx

**Supported Platforms:** Linux, Windows, macOS

#### Run it with these steps!

1. Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
2. Click 'Load unpacked extension...' and navigate to [Browser_Extension](../t1176/).
3. Click 'Select'.

<br/>
<br/>

## Atomic Test #2 - Chrome (Chrome Web Store)

xxx

**Supported Platforms:** Linux, Windows, macOS

#### Run it with these steps!

1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome.
2. Click 'Add to Chrome'.

<br/>
<br/>

## Atomic Test #3 - Firefox

Create a file called test.wma, with the duration of 30 seconds

**Supported Platforms:** Linux, Windows, macOS

#### Run it with these steps!

1. Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on".
2. Navigate to [manifest.json](./manifest.json).
3. Then click 'Open'.

<br/>