{'xhtml:p': 'An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.'}
Description
Attack Execution Flow
3
1
Step 1
Explore[Identify target(s)] The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base.
AI Translation
[Identifica il/i bersaglio/i] L'avversario deve prima identificare il software bersaglio che consente estensioni/plugin e che desidera sfruttare, come un browser web o un'applicazione desktop. Per aumentare lo spazio di attacco, si tratta spesso di software popolare con una vasta base di utenti.
2
Step 2
Experiment[Create malicious extension] Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic.
AI Translation
[Creare un'estensione dannosa] Dopo aver individuato un bersaglio adatto, l'avversario crea un'estensione/plugin dannosa che può essere installata dal software di destinazione sottostante. Questo malware può essere progettato per eseguire su sistemi operativi specifici o essere indipendente dal sistema operativo.
3
Step 3
Exploit[Install malicious extension] The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.
Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself.
User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component.
AI Translation
[Installazione di estensione dannosa] L'estensione/plugin dannosa viene installata dal software target sottostante e esegue il malware creato dall'attaccante, causando una serie di impatti tecnici negativi.
Adversary-Installed: Dopo aver compromesso il sistema target, l'attaccante installa semplicemente l'estensione/plugin dannoso di propria iniziativa.
User-Installed: L'attaccante inganna l'utente inducendolo a installare l'estensione/plugin dannoso, tramite tecniche di social engineering, oppure può caricare il malware su un sito affidabile di hosting di estensioni/plugin e attendere che vittime inconsapevoli installino il componente dannoso.
Attack Techniques
-
Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself.
-
User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component.IT: Adversary-Installed: Dopo aver compromesso il sistema target, l'attore malevolo installa semplicemente l'estensione/plugin dannoso da solo.
Mitigations
6
Confirm Extensions/Plugins Are Legitimate And Not Malware Masquerading As A Legitimate Extension/Plugin.
If Applicable, Confirm Extensions/Plugins Are Properly Signed By The Official Developers.
For Web Browsers, Close Sessions When Finished To Prevent Malicious Extensions/Plugins From Executing The The Background.
Only Install Extensions/Plugins From Official/Verifiable Sources.
Ensure The Underlying Software Leveraging The Extension/Plugin (Including Operating Systems) Is Up-To-Date.
Implement An Extension/Plugin Allow List, Based On The Given Security Policy.
Consequences
Security Scopes Affected
Access Control
Authorization
Confidentiality
Integrity
Potential Impacts
Alter Execution Logic
Execute Unauthorized Commands
Gain Privileges
Modify Data
Read Data
Relationships
Parent CAPECs
Related ATT&CK Techniques
2
T1176
Software Extensions
Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or …
T1505.004
IIS Components
Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several …