T1176 - Browser Extensions
Author: Stefan Waldvogel
LimaCharlie vs. Browser Extensions
Overview:
Description from ATT&CK
Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
Once the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence.
There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1176 -ShowDetailsBrief
Invoke-AtomicTest T1176 -CheckPrereqs
Invoke-AtomicTest T1176 -GetPrereqs
Invoke-AtomicTest T1176 -TestNumbers 1
Invoke-AtomicTest T1176 -Cleanup
Changes:
Installed Chrome
Limitations:
Results:
This section has 4 subtests, all of them are manual, commands do not work, follow the github tasks.
Invoke-AtomicTest T1176 -TestNumbers 1 not detected
Invoke-AtomicTest T1176 -TestNumbers 2 not detected
Invoke-AtomicTest T1176 -TestNumbers 3 not detected
Invoke-AtomicTest T1176 -TestNumbers 4 not detected
Test 1 is a manual exploit.
Description from ATT&CK
Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
Once the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence.
There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1176 -ShowDetailsBrief
Invoke-AtomicTest T1176 -CheckPrereqs
Invoke-AtomicTest T1176 -GetPrereqs
Invoke-AtomicTest T1176 -TestNumbers 1
Invoke-AtomicTest T1176 -Cleanup
Changes:
Installed Chrome
Limitations:
Results:
This section has 4 subtests, all of them are manual, commands do not work, follow the github tasks.
Invoke-AtomicTest T1176 -TestNumbers 1 not detected
Invoke-AtomicTest T1176 -TestNumbers 2 not detected
Invoke-AtomicTest T1176 -TestNumbers 3 not detected
Invoke-AtomicTest T1176 -TestNumbers 4 not detected
Test 1 is a manual exploit.
Test 2 is load this bad cat
Test 3
Test 4
© 2021. This work is licensed under a CC BY-SA 4.0 license