Browser Session Hijacking

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.[1]

A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.[2][3] Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as Sharepoint or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.[4]

ID: T1185
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: Windows
Permissions Required: Administrator, SYSTEM
Contributors: Justin Warner, ICEBRG
Version: 2.0
Created: 16 January 2018
Last Modified: 25 February 2022

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla has the ability to use form-grabbing to extract data from web data forms.[5]

S0484 Carberp

Carberp has captured credentials when a user performs login through a SSL session.[6][7]

S0631 Chaes

Chaes has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts.[8]

S0154 Cobalt Strike

Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.[4][9]

S0384 Dridex

Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.[10]

S0531 Grandoreiro

Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.[11][12][13]

S0483 IcedID

IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.[14][15]

S0530 Melcoz

Melcoz can monitor the victim's browser for online banking sessions and display an overlay window to manipulate the session in the background.[11]

S0650 QakBot

QakBot can use advanced web injects to steal web banking credentials.[16][17]

S0266 TrickBot

TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.[18][19][20][21]

S0386 Ursnif

Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords).[22]

Mitigations

ID Mitigation Description
M1018 User Account Management

Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.

M1017 User Training

Close all browser sessions regularly and when they are no longer needed.

Detection

ID Data Source Data Component Detects
DS0028 Logon Session Logon Session Creation

Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior.

DS0009 Process Process Access

This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.

Process Modification

This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.

References