Try it using Invoke-Atomic

Browser Extensions

Description from ATT&CK

Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.

Previous to macOS 11, adversaries could silently install browser extensions via the command line using the <code>profiles</code> tool to install malicious <code>.mobileconfig</code> files. In macOS 11+, the use of the <code>profiles</code> tool can no longer install configuration profiles, however <code>.mobileconfig</code> files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)

Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)

There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Chrome (Developer Mode)

Turn on Chrome developer mode and Load Extension found in the src directory

Supported Platforms: linux,windows,macos

auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1

Inputs:

None

Run it with these steps!

  1. Navigate to chrome://extensions and tick 'Developer Mode'.

  2. Click 'Load unpacked extension…' and navigate to Browser_Extension

  3. Click 'Select'

1

Atomic Test #2 - Chrome (Chrome Web Store)

Install the "Minimum Viable Malicious Extension" Chrome extension

Supported Platforms: linux,windows,macos

auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f

Inputs:

None

Run it with these steps!

  1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome

  2. Click 'Add to Chrome'

1

Atomic Test #3 - Firefox

Create a file called test.wma, with the duration of 30 seconds

Supported Platforms: linux,windows,macos

auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938

Inputs:

None

Run it with these steps!

  1. Navigate to about:debugging and click "Load Temporary Add-on"

  2. Navigate to manifest.json

  3. Then click 'Open'

1

Atomic Test #4 - Edge Chromium Addon - VPN

Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store.

Supported Platforms: windows,macos

auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5

Inputs:

None

Run it with these steps!

  1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj in Edge Chromium

  2. Click 'Get'

1

source