Collection

T1185: Browser Session Hijacking

T1185 · Technique · 1 platform · 1 group

Description

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)

A specific example is an adversary injecting software into a browser that allows them to inherit a user's cookies, HTTP sessions, and SSL client certificates, and then using that browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy that redirects web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened, and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as SharePoint or webmail, that is accessible through the browser and for which the browser has sufficient permissions. Browser pivoting may also bypass the security provided by 2-factor authentication.(Citation: cobaltstrike manual)
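The pivot described above leaves two observable side effects on the endpoint: a foreign image writes code into a browser process, and that browser process then starts accepting local connections for the proxy. The detection logic below is an added example (not MITRE's or any vendor's code) that correlates those two signals over Sysmon-style events; the event field names and the sample telemetry are constructed for this illustration.

```python
"""Correlate browser-process injection with a new listener (T1185 browser pivot)."""
import os

# Browser images whose processes should never host an inbound listener.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed sample telemetry (Sysmon-like dicts); not real log data.
SAMPLE_EVENTS = [
    # Chrome spawning a thread in its own renderer: benign, same image.
    {"type": "remote_thread", "target_pid": 4120,
     "source_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # Unknown binary in a temp directory creating a thread inside Chrome.
    {"type": "remote_thread", "target_pid": 4120,
     "source_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # The same Chrome process then binds a local port: the proxy side effect.
    {"type": "listen", "pid": 4120, "local_address": "127.0.0.1", "local_port": 33000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # An ordinary service listener, ignored because it is not a browser.
    {"type": "listen", "pid": 900, "local_address": "0.0.0.0", "local_port": 135,
     "image": r"C:\Windows\System32\svchost.exe"},
]

def _name(path):
    """Lower-cased file name of a Windows path, portable across hosts."""
    return os.path.basename(path.replace("\\", "/")).lower()

def detect_browser_pivot(events):
    """Return {browser_pid: {"severity", "reasons"}}. Severity is 'high' when
    both a foreign injection and a new listener are seen on the same pid."""
    injected, listening = {}, {}
    for e in events:
        if e["type"] == "remote_thread" and _name(e["target_image"]) in BROWSERS:
            # Browsers legitimately create threads in their own child processes;
            # only a non-browser source image is suspicious.
            if _name(e["source_image"]) not in BROWSERS:
                injected.setdefault(e["target_pid"], []).append(e["source_image"])
        elif e["type"] == "listen" and _name(e["image"]) in BROWSERS:
            listening.setdefault(e["pid"], []).append(e["local_port"])
    alerts = {}
    for pid in set(injected) | set(listening):
        reasons = []
        if pid in injected:
            reasons.append(f"remote thread from {injected[pid]}")
        if pid in listening:
            reasons.append(f"browser listening on ports {listening[pid]}")
        severity = "high" if pid in injected and pid in listening else "medium"
        alerts[pid] = {"severity": severity, "reasons": reasons}
    return alerts

if __name__ == "__main__":
    for pid, alert in detect_browser_pivot(SAMPLE_EVENTS).items():
        print(pid, alert["severity"], "; ".join(alert["reasons"]))
```

On the sample data only pid 4120 is flagged, at high severity because both signals coincide; a listener alone would still yield a medium alert worth triaging, since a browser has no reason to accept inbound connections.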

Platforms

Windows

Mitigations (2)

User Training (M1017)

Close all browser sessions regularly and when they are no longer needed.

User Account Management (M1018)

Since browser pivoting requires a high-integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit exposure to this technique.

Threat Groups (1)

| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has the ability to use form-grabbing to extract emails and passwords from web data forms.(Citation: Z... |

Associated Software (14)

| ID | Name | Type | Context |
|---|---|---|---|
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) uses web injects and browser redirection to trick the user into providing their login credentials ... |
| S0384 | Dridex | Malware | [Dridex](https://attack.mitre.org/software/S0384) can perform browser attacks via web injects to steal information such as credentials, certificates, ... |
| S0484 | Carberp | Malware | [Carberp](https://attack.mitre.org/software/S0484) has captured credentials when a user performs login through a SSL session.(Citation: Prevx Carberp ... |
| S1201 | TRANSLATEXT | Malware | [TRANSLATEXT](https://attack.mitre.org/software/S1201) has the ability to use form-grabbing and event-listening to extract data from web data forms.(C... |
| S0530 | Melcoz | Malware | [Melcoz](https://attack.mitre.org/software/S0530) can monitor the victim's browser for online banking sessions and display an overlay window to manipu... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to use form-grabbing to extract data from web data forms.(Citation: Bitdefender... |
| S9003 | evilginx2 | Tool | [evilginx2](https://attack.mitre.org/software/S9003) can inject custom POST arguments into requests to silently enable "Remember Me" options during au... |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can monitor browser activity for online banking actions and display full-screen overlay images ... |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) can conduct form grabbing, steal cookies, and extract data from HTTP sessions.(Citation: Google XLo... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use advanced web injects to steal web banking credentials.(Citation: Cyberint Qakbot May 2021)(C... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can perform browser pivoting and inject into a user's browser to inherit cookies, authenticat... |
| S0483 | IcedID | Malware | [IcedID](https://attack.mitre.org/software/S0483) has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and ... |
| S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information ... |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has injected HTML codes into banking sites to steal sensitive online banking information (ex: userna... |

Frequently Asked Questions

What is T1185 (Browser Session Hijacking)?

T1185 is a MITRE ATT&CK technique named 'Browser Session Hijacking'. It belongs to the Collection tactic. Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser...

How can T1185 be detected?

Detection of T1185 (Browser Session Hijacking) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1185?

There are 2 documented mitigations for T1185. Key mitigations include: User Training, User Account Management.

Which threat groups use T1185?

Known threat groups using T1185 include: Kimsuky.