@kevinmirsky I don't have any specific resources other than some of my own writing, but imagine the following:

A malicious browser extension is catching your browser logins. And you have Active Directory-joined Okta. Now that browser extension has your AD creds—maybe even your privileged, tiered AD creds—without so much as a nod toward LSASS.

@mttaggart @kevinmirsky SSO doesn't really matter in this case. SSO or not, the extension can still collect X credentials/auth tokens/cookies/etc. Curious to see actual use cases of malicious extensions installed through an official store, as I know the Chrome Web Store is already a PITA to submit legit stuff to.
And if the attack scenario is "compromised host through which the extension is installed", well, it doesn't really matter then.

@rkervell @kevinmirsky Check out the ChromeLoader TTPs. That's the attack vector to be concerned about here. And I contend that the ability to access AD credentials via a browser rather than tangling with LSASS is distinct and significant.