An adversary with high integrity or special privileges (e.g., SeDebugPrivilege) locates a running browser process, opens it with access rights sufficient to write into it and create threads in it, and modifies it (e.g., CreateRemoteThread followed by a DLL load) so that the injected code runs inside the browser's security context and inherits its cookies and session tokens, or establishes a browser pivot. Optional step: create a new logon session or use explicit credentials, then drive the victim browser to intranet resources from that context.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4672 |
| User Account Metadata (DC0013) | WinEventLog:Security | EventCode=4673 |
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| BrowserList | Set of monitored browsers (chrome.exe, msedge.exe, firefox.exe, iexplore.exe). Adjust per fleet. |
| AccessMaskSet | Access rights implying injection. Match on the bits rather than on literal masks: PROCESS_CREATE_THREAD (0x0002), PROCESS_VM_OPERATION (0x0008) and PROCESS_VM_WRITE (0x0020); full-access masks such as 0x1FFFFF (PROCESS_ALL_ACCESS) or 0x1F3FF carry all three. Read-only masks such as 0x1400 (QUERY_INFORMATION + VM_READ) are common from legitimate processes and should not match. Tune by EDR mapping. |
| SignerAllowList | Allowed module signers within browser processes (e.g., Microsoft, Google). Helps flag unsigned/unknown ImageLoad into browsers. |
| InternalCIDR | Enterprise internal ranges or DNS suffixes to identify intranet pivoting via the browser. |
| TimeWindow | Correlation interval (e.g., 10–20 minutes) linking privilege gain → access → modification → network usage. |
| ParentAllowList | Legitimate tools that may automate browsers (e.g., Selenium drivers). Reduce FPs by allowlisting. |
| UserContext | Scope analytics to high-value users, admin workstations, or servers where browsers shouldn’t be automated. |
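The chain described at the top of this page (privilege gain, process access, remote thread / module load, intranet connection) and the tunables in the table above can be combined into one correlation routine. The following is an added example and not part of the original detection strategy or any vendor's analytic: field names follow Sysmon and Windows Security conventions, but the event records, host names, PIDs, paths and threshold values are constructed and are assumptions to tune per environment.

```python
"""Correlate the browser-injection chain over Sysmon/Security events (added example).

Stages per (host, browser PID): privilege -> access -> inject -> module_load -> intranet_conn.
All event records and tunable values below are constructed assumptions, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# --- Tunables (assumed values; adjust per fleet) -----------------------------------
BROWSER_LIST = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
SIGNER_ALLOW_LIST = {"Microsoft Windows", "Microsoft Corporation", "Google LLC"}
INTERNAL_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TIME_WINDOW = timedelta(minutes=20)
PARENT_ALLOW_LIST = {"chromedriver.exe", "msedgedriver.exe", "geckodriver.exe"}  # browser automation
MIN_STAGES = 3  # stages required before a chain is promoted to an alert


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_browser(image):
    return basename(image) in BROWSER_LIST


def implies_injection(granted_access):
    """Bit test on GrantedAccess: write+operation, or create-thread, rather than literal masks."""
    mask = int(granted_access, 16) if isinstance(granted_access, str) else granted_access
    write_bits = PROCESS_VM_WRITE | PROCESS_VM_OPERATION
    return (mask & write_bits) == write_bits or bool(mask & PROCESS_CREATE_THREAD)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_CIDRS)


def module_suspicious(ev):
    """Unsigned, or signed by a publisher outside SignerAllowList."""
    if ev.get("Signed", "false").lower() != "true":
        return True
    return ev.get("Signature", "") not in SIGNER_ALLOW_LIST


def correlate(events):
    """Return {(host, pid): {"first": datetime, "stages": set, "evidence": [event ids]}}."""
    debug_priv = defaultdict(list)  # host -> timestamps of 4672 carrying SeDebugPrivilege
    chains = {}

    def open_chain(key, ts):
        return chains.setdefault(key, {"first": ts, "stages": set(), "evidence": []})

    def in_window(key, ts):
        return key in chains and ts - chains[key]["first"] <= TIME_WINDOW

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host, code = datetime.fromisoformat(ev["ts"]), ev["Computer"], ev["EventCode"]
        if ev["Source"] == "Security":
            if code == 4672 and "SeDebugPrivilege" in ev["PrivilegeList"]:
                debug_priv[host].append(ts)
            continue
        if code in (10, 8) and is_browser(ev["TargetImage"]):
            if basename(ev["SourceImage"]) in PARENT_ALLOW_LIST:
                continue  # ParentAllowList: legitimate automation of the browser
            if code == 10 and not implies_injection(ev["GrantedAccess"]):
                continue  # AccessMaskSet: read-only handle, not an injection candidate
            chain = open_chain((host, ev["TargetProcessId"]), ts)
            chain["stages"].add("access" if code == 10 else "inject")
            chain["evidence"].append(ev["id"])
            # privilege gain counts only if it preceded this access within TimeWindow
            if any(ts - TIME_WINDOW <= p <= ts for p in debug_priv[host]):
                chain["stages"].add("privilege")
        elif code == 7 and is_browser(ev["Image"]) and module_suspicious(ev):
            key = (host, ev["ProcessId"])
            if in_window(key, ts):  # only after a flagged access/inject on the same PID
                chains[key]["stages"].add("module_load")
                chains[key]["evidence"].append(ev["id"])
        elif code == 3 and is_browser(ev["Image"]) and is_internal(ev["DestinationIp"]):
            key = (host, ev["ProcessId"])
            if in_window(key, ts):
                chains[key]["stages"].add("intranet_conn")
                chains[key]["evidence"].append(ev["id"])
    return chains


def triage(chains, min_stages=MIN_STAGES):
    """Chains with enough stages, highest stage count first."""
    return sorted(((k, v) for k, v in chains.items() if len(v["stages"]) >= min_stages),
                  key=lambda kv: -len(kv[1]["stages"]))


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
TMP = r"C:\Users\svc_backup\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [  # constructed records, not real logs
    {"id": 1, "ts": "2024-05-06T10:00:00", "Source": "Security", "EventCode": 4672, "Computer": "WS01",
     "SubjectUserName": "svc_backup", "PrivilegeList": "SeDebugPrivilege SeImpersonatePrivilege"},
    {"id": 2, "ts": "2024-05-06T10:01:10", "Source": "Sysmon", "EventCode": 10, "Computer": "WS01",
     "SourceImage": TMP, "TargetImage": CHROME, "TargetProcessId": 4412, "GrantedAccess": "0x1FFFFF"},
    {"id": 3, "ts": "2024-05-06T10:01:12", "Source": "Sysmon", "EventCode": 8, "Computer": "WS01",
     "SourceImage": TMP, "TargetImage": CHROME, "TargetProcessId": 4412},
    {"id": 4, "ts": "2024-05-06T10:01:13", "Source": "Sysmon", "EventCode": 7, "Computer": "WS01",
     "Image": CHROME, "ProcessId": 4412, "ImageLoaded": r"C:\Users\svc_backup\AppData\Local\Temp\helper.dll",
     "Signed": "false", "Signature": ""},
    {"id": 5, "ts": "2024-05-06T10:01:14", "Source": "Sysmon", "EventCode": 7, "Computer": "WS01",
     "Image": CHROME, "ProcessId": 4412, "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome.dll",
     "Signed": "true", "Signature": "Google LLC"},  # allowlisted signer: not a stage
    {"id": 6, "ts": "2024-05-06T10:03:40", "Source": "Sysmon", "EventCode": 3, "Computer": "WS01",
     "Image": CHROME, "ProcessId": 4412, "DestinationIp": "10.20.5.17", "DestinationPort": 443},
    {"id": 7, "ts": "2024-05-06T10:05:00", "Source": "Sysmon", "EventCode": 10, "Computer": "WS01",
     "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetProcessId": 6100, "GrantedAccess": "0x1400"},  # read-only mask: ignored
    {"id": 8, "ts": "2024-05-06T10:06:00", "Source": "Sysmon", "EventCode": 10, "Computer": "WS01",
     "SourceImage": r"C:\tools\chromedriver.exe", "TargetImage": CHROME, "TargetProcessId": 5000,
     "GrantedAccess": "0x1FFFFF"},  # ParentAllowList: ignored
]

if __name__ == "__main__":
    for key, chain in triage(correlate(SAMPLE_EVENTS)):
        print(key, sorted(chain["stages"]), "evidence:", chain["evidence"])
```

Later stages (module load, intranet connection) are only attached to a PID that already has a flagged access or inject event, because browsers load modules and talk to internal hosts constantly; the privilege stage is attached per host, since 4672 carries no target PID. Scope the input to the UserContext before correlating rather than after, so the window bookkeeping stays small.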