T1185: Browser Session Hijacking

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

A specific example is when an adversary injects software into a browser that allows them to inherit the cookies, HTTP sessions, and SSL client certificates of a user, then use the browser as a way to pivot into an authenticated intranet. Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened, and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as SharePoint or webmail, that is accessible through the browser and for which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_lateral_movement: PT-CR-1927: Start_Browser_Pivoting: A browser was started with remote debugging enabled, which can be used to forward traffic to an attacker's machine
mitre_attck_lateral_movement: PT-CR-1928: Subrule_Browser_Remote_Debugging: Attempt to start a browser with remote debugging enabled, which can be used to forward traffic to an attacker's machine
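As an added example (not code from the original page or from the Positive Technologies rule set), the following detection logic works in the spirit of PT-CR-1928: it scans Sysmon-style process-creation records for Chromium-family browsers launched with the real `--remote-debugging-port` or `--remote-debugging-pipe` switches and rates a hit higher when the parent is a script host rather than a developer tool. The browser image list, the script-host list, the JSON record layout and the sample events are all constructed for this example.

```python
import json
import re
from dataclasses import dataclass

# Chromium-family browser image names (constructed list; extend for your estate).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chrome", "chromium", "msedge"}
# Real Chromium switches that expose the DevTools protocol to another process.
REMOTE_DEBUG_FLAG = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.IGNORECASE)
# Parents that make a debug-enabled launch more suspicious than an IDE or test harness.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    pid: int
    image: str
    parent: str
    severity: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_remote_debugging(events: list[str]) -> list[Finding]:
    """Flag browser process-creation events whose command line enables remote debugging."""
    findings = []
    for line in events:
        ev = json.loads(line)
        image = basename(ev.get("Image", ""))
        if image not in BROWSER_IMAGES:
            continue  # only browser binaries are in scope; other tools use the same flag names
        if not REMOTE_DEBUG_FLAG.search(ev.get("CommandLine", "")):
            continue
        parent = basename(ev.get("ParentImage", ""))
        severity = "high" if parent in SCRIPT_HOSTS else "medium"
        findings.append(Finding(int(ev["ProcessId"]), image, parent, severity, ev["CommandLine"]))
    return findings


# Constructed process-creation records (Sysmon Event ID 1 fields, JSON-encoded for this example).
SAMPLE_EVENTS = [
    r'{"ProcessId": 4120, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "chrome.exe --profile-directory=Default"}',
    r'{"ProcessId": 5388, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "chrome.exe --headless --remote-debugging-port=9222"}',
    r'{"ProcessId": 6012, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ParentImage": "C:\\Tools\\ide.exe", "CommandLine": "msedge.exe --remote-debugging-pipe"}',
    r'{"ProcessId": 7004, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "notepad.exe --remote-debugging-port=9222"}',
]

if __name__ == "__main__":
    for f in detect_remote_debugging(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.image} <- {f.parent}: {f.command_line}")
```

Developer workstations and browser-automation hosts (Selenium, Puppeteer, IDE debuggers) launch browsers with these switches legitimately, so the parent-process rating is a starting point for tuning rather than a verdict.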

Detection

ID: DS0009
Data source and component: Process: Process Modification
Description:

This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.

ID: DS0009
Data source and component: Process: Process Access
Description:

This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.

ID: DS0028
Data source and component: Logon Session: Logon Session Creation
Description:

Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior.

Mitigation

ID: M1017
Name: User Training
Description:

Close all browser sessions regularly and when they are no longer needed.

ID: M1018
Name: User Account Management
Description:

Since browser pivoting requires a high-integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit exposure to this technique.