# T1176 Browser Extensions

-----------------------------------------------------------------------

## Technique Description

Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security vetting on browser app stores can be limited, so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update URL to install updates from an adversary-controlled server, or manipulate the mobile configuration file to silently install additional extensions.

Prior to macOS 11, adversaries could silently install browser extensions via the command line using the <code>profiles</code> tool to install malicious <code>.mobileconfig</code> files. In macOS 11+, the <code>profiles</code> tool can no longer install configuration profiles; however, <code>.mobileconfig</code> files can still be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)

Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)

There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) Extensions have similarly been used for command and control.(Citation: Chrome Extension C2 Malware)

## Technique Detection

Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.

Monitor for new items written to the Registry or PE files written to disk that may correlate with browser extension installation.

On macOS, monitor the command line for usage of the <code>profiles</code> tool, such as <code>profiles install -type=configuration</code>. Additionally, all installed extensions maintain a <code>plist</code> file in the <code>/Library/Managed Preferences/username/</code> directory. Ensure all listed files are in alignment with approved extensions.(Citation: xorrior chrome extensions macOS)
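To review the managed-preferences side of this on macOS, the following added example (not part of the MITRE entry or this playbook) parses a Chrome policy plist and reports force-installed extensions that are not approved or that update from somewhere other than the Chrome Web Store. The `ExtensionInstallForcelist` key and its `id;update_url` entry format are Chrome's documented policy; the sample plist, the extension IDs and the `com.google.Chrome.plist` location are constructed for the demo.

```python
import plistlib

# Added example, not code from the MITRE entry or this playbook.
# Chrome's ExtensionInstallForcelist entries have the form "<extension_id>;<update_url>";
# when the URL is omitted Chrome uses the Web Store update service.
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample resembling /Library/Managed Preferences/<user>/com.google.Chrome.plist
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>ExtensionInstallForcelist</key>
  <array>
    <string>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx</string>
    <string>bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;http://cdn.example.invalid/ext/update.xml</string>
    <string>cccccccccccccccccccccccccccccccc</string>
  </array>
</dict></plist>"""


def review_forcelist(plist_bytes, approved_ids):
    """Parse a Chrome managed-preferences plist and return the force-installed
    extensions that are not approved or do not update from the Chrome Web Store."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    for entry in prefs.get("ExtensionInstallForcelist", []):
        ext_id, _, update_url = entry.partition(";")
        update_url = update_url or STORE_UPDATE_URL  # no URL means the store default
        reasons = []
        if ext_id not in approved_ids:
            reasons.append("not approved")
        if update_url != STORE_UPDATE_URL:
            reasons.append("non-store update_url " + update_url)
        if reasons:
            findings.append((ext_id, update_url, reasons))
    return findings


def demo():
    """Run the review over the constructed sample with two approved IDs."""
    return review_forcelist(SAMPLE_PLIST, approved_ids={"a" * 32, "c" * 32})
```

In a real hunt, read the plist from the Managed Preferences directory quoted above and feed the approved-extension list from your inventory.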

-----------------------------------------------------------------------

### Tactics:

  * Persistence

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Process:** Process Creation

  * **Command:** Command Execution

  * **Network Traffic:** Network Connection Creation

  * **File:** File Creation

  * **Windows Registry:** Windows Registry Key Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Netscout Stolen Pencil Dec 2018) |
| Stolen Pencil | [Stolen Pencil](https://attack.mitre.org/groups/G0086) victims were prompted to install malicious Google Chrome extensions that gave the threat actor the ability to read data from any website accessed.(Citation: Netscout Stolen Pencil Dec 2018) |

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1176)

  * [Chrome Extension Crypto Miner](https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/), Brinkmann, M. (2017, September 19). First Chrome extension with JavaScript Crypto Miner detected. Retrieved November 16, 2017.

  * [xorrior chrome extensions macOS](https://www.xorrior.com/No-Place-Like-Chrome/), Ross, C. (2019, February 8). No Place Like Chrome. Retrieved April 27, 2021.

  * [Chrome Extensions Definition](https://developer.chrome.com/extensions), Chrome. (n.d.). What are Extensions? Retrieved November 16, 2017.

  * [ICEBRG Chrome Extensions](https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses), De Tore, M., Warner, J. (2018, January 15). Malicious Chrome Extensions Enable Criminals to Impact Over Half a Million Users and Global Businesses. Retrieved January 17, 2018.

  * [Malicious Chrome Extension Numbers](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf), Jagpal, N., et al. (2015, August). Trends and Lessons from Three Years Fighting Malicious Extensions. Retrieved November 17, 2017.

  * [Chrome Extension C2 Malware](https://kjaer.io/extension-malware/), Kjaer, M. (2016, July 18). Malware in the browser: how you might get hacked by a Chrome extension. Retrieved November 22, 2017.

  * [Catch All Chrome Extension](https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/), Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension Steals All Posted Data. Retrieved November 16, 2017. Also covered at https://threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/

  * [Banker Google Chrome Extension Steals Creds](https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/), Marinho, R. (n.d.). Banker Google Chrome Extension targeting Brazil. Retrieved November 18, 2017.

  * [Stantinko Botnet](https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/), Vachon, F., Faou, M. (2017, July 20). Stantinko: A massive adware campaign operating covertly since 2012. Retrieved November 16, 2017.

  * [Wikipedia Browser Extension](https://en.wikipedia.org/wiki/Browser_extension), Wikipedia. (2017, October 8). Browser Extension. Retrieved January 11, 2018.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will abuse Internet browser extensions to establish persistent access to victim systems.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information Here

## Analytical References

  * [Atomic Red Team T1176 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md)
  * [Research (googleusercontent)](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions.
- Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.
- Monitor for new items written to the Registry or PE files written to disk that may correlate with browser extension installation.
- Google Chrome extensions are stored in `C:\Users\<User_Name>\AppData\Local\Google\Chrome\User Data\Default\Extensions`.
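As an added example (not the playbook's own analytic), the Python below walks that Extensions directory, reads each extension's `manifest.json`, and reports anything not on an allow list, anything updating from a non-store `update_url`, and anything requesting broad permissions. It assumes Chrome's `<extension_id>/<version>/manifest.json` layout; the allow list, the two sample manifests and their IDs are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# Added example, not code from the MITRE entry or this playbook.
# Assumed on-disk layout (Chrome profile): <Extensions>/<ext_id>/<version>/manifest.json
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"  # Chrome Web Store
# Permissions that give an extension broad reach into the browser session.
SENSITIVE = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
             "tabs", "nativeMessaging", "proxy", "debugger"}


def inventory(extensions_dir, allowed_ids):
    """One finding per extension that is not allow-listed, updates from
    somewhere other than the store, or requests sensitive permissions."""
    findings = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        data = json.loads(manifest.read_text(encoding="utf-8"))
        perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        reasons = []
        if ext_id not in allowed_ids:
            reasons.append("not in allow list")
        update_url = data.get("update_url")
        if update_url and update_url != STORE_UPDATE_URL:
            reasons.append("non-store update_url " + update_url)
        risky = sorted(perms & SENSITIVE)
        if risky:
            reasons.append("sensitive permissions: " + ", ".join(risky))
        if reasons:
            findings.append({"id": ext_id, "name": data.get("name", "?"),
                             "version": manifest.parent.name, "reasons": reasons})
    return findings


def _write(root, ext_id, version, manifest):
    d = Path(root, ext_id, version)  # mimic Chrome's id/version directory layout
    d.mkdir(parents=True)
    (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo():
    """Constructed sample: one approved store extension, one sideloaded one."""
    root = tempfile.mkdtemp()
    _write(root, "a" * 32, "1.2.0", {"name": "Approved Notes", "permissions": ["storage"],
                                     "update_url": STORE_UPDATE_URL})
    _write(root, "b" * 32, "0.1", {"name": "Helper", "permissions": ["cookies", "webRequest"],
                                   "host_permissions": ["<all_urls>"],
                                   "update_url": "http://updates.example.invalid/crx"})
    return inventory(root, allowed_ids={"a" * 32})
```

Point `inventory()` at the real Extensions path for each user profile on the host and feed it the approved extension IDs from your asset inventory.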

#### Analytic 1

  * **Information:** Detect potential installation of browser extensions by file creation

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:** Sysmon Event ID 11 is FileCreate. Field names assume the ECS mapping applied by Winlogbeat/Elastic Agent (`TargetFilename` becomes `file.path`); adjust to the index's actual schema. The wildcards stand in for the user name and the `User Data` folder, and backslashes and the drive colon are escaped as KQL requires.

  * **Query:** ```event.code : "11" and file.path : C\:\\Users\\*\\AppData\\Local\\Google\\Chrome\\*\\Default\\Extensions\\*```


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

