T1176 - Browser Extensions
Description from ATT&CK (opens in a new tab)
Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms.(Citation: Chrome Extension C2 Malware)(Citation: Abramovsky VSCode Security) Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.
Malicious extensions can be introduced through various methods, including social engineering, compromised marketplaces, or direct installation by users or by adversaries who have already gained access to a system. Malicious extensions can be named similarly or identically to benign extensions in marketplaces. Security mechanisms in extension marketplaces may be insufficient to detect malicious components, allowing adversaries to bypass automated scanners or exploit trust established during the installation process. Adversaries may also abuse benign extensions to achieve their objectives, such as using legitimate functionality to tunnel data or bypass security controls.
The modular nature of extensions and their integration with host applications make them an attractive target for adversaries seeking to exploit trusted software ecosystems. Detection can be challenging due to the inherent trust placed in extensions during installation and their ability to blend into normal application workflows.
Atomic Tests
Atomic Test #1 - Chrome/Chromium (Developer Mode)
Turn on Chrome/Chromium developer mode and Load Extension found in the src directory
Supported Platforms: Linux, Windows, macOS
auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1
Run it with these steps!
-
Navigate to chrome://extensions and tick 'Developer Mode'.
-
Click 'Load unpacked extension...' and navigate to Browser_Extension
-
Click 'Select'
Atomic Test #2 - Chrome/Chromium (Chrome Web Store)
Install the "Minimum Viable Malicious Extension" Chrome extension
Supported Platforms: Linux, Windows, macOS
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
Run it with these steps!
-
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend (opens in a new tab) in Chrome
-
Click 'Add to Chrome'
Atomic Test #3 - Firefox
Create a file called test.wma, with the duration of 30 seconds
Supported Platforms: Linux, Windows, macOS
auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
Run it with these steps!
-
Navigate to about:debugging and click "Load Temporary Add-on"
-
Navigate to manifest.json
-
Then click 'Open'
Atomic Test #4 - Edge Chromium Addon - VPN
Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store.
Supported Platforms: Windows, macOS
auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5
Run it with these steps!
-
Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj (opens in a new tab) in Edge Chromium
-
Click 'Get'
Atomic Test #5 - Google Chrome Load Unpacked Extension With Command Line
This test loads an unpacked extension in Google Chrome with the --load-extension parameter. This technique was previously used by the Grandoreiro malware to load a malicious extension that would capture the browsing history, steal cookies and other user information. Other malwares also leverage this technique to hijack searches, steal passwords, inject ads, and more.
References: https://attack.mitre.org/techniques/T1176/ (opens in a new tab) https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/ (opens in a new tab)
Supported Platforms: Windows
auto_generated_guid: 7a714703-9f6b-461c-b06d-e6aeac650f27
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| working_dir | Working directory where the files will be downloaded and extracted | string | $env:TEMP |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
# Chromium
$chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"
# uBlock Origin Lite to test side-loading
$extension = "https://github.com/uBlockOrigin/uBOL-home/releases/download/uBOLite_2024.11.25.1376/uBOLite_2024.11.25.1376.chromium.mv3.zip"
Set-Location "#{working_dir}"
Set-Variable ProgressPreference SilentlyContinue
Invoke-WebRequest -URI $chromium -OutFile "#{working_dir}\chrome.zip"
Invoke-WebRequest -URI $extension -OutFile "#{working_dir}\extension.zip"
Expand-Archive chrome.zip -DestinationPath "#{working_dir}" -Force
Expand-Archive extension.zip -Force
Start-Process .\chrome-win\chrome.exe --load-extension="#{working_dir}\extension\" -PassThruCleanup Commands:
Set-Location "#{working_dir}"
Stop-Process -Name chrome -Force
Remove-Item .\chrome.zip, .\chrome-win, .\extension, .\extension.zip -Recurse -Force
Set-Variable ProgressPreference Continue