T1185 - Browser Session Hijacking#
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
A specific example is when an adversary injects software into a browser that allows them to inherit the cookies, HTTP sessions, and SSL client certificates of a user and then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.
Another example involves pivoting browser traffic from the adversary’s browser through the user’s browser by setting up a proxy which will redirect web traffic. This does not alter the user’s traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened, and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as Sharepoint or webmail, that is accessible through the browser and for which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)
Atomic Tests:#
Currently, no tests are available for this technique.
Detection#
This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for Process Injection against browser applications.
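As an added illustration of the last point above (not part of the original page), the routine below flags process-injection style access to browser processes in Sysmon-style events: event ID 8 (CreateRemoteThread) and event ID 10 (ProcessAccess) where the target is a browser and the granted access mask allows writing memory and executing it. The browser image names, the allow-list entry and the sample events are constructed assumptions to be tuned per environment.

```python
"""Flag injection-style access to browser processes in Sysmon-like events."""
from pathlib import PureWindowsPath

# Browser executables to protect (assumption: extend for your fleet).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Windows process access rights relevant to code injection (values from winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Sources that legitimately open browsers with broad rights; hypothetical entry.
ALLOWED_SOURCES = {"msmpeng.exe"}

def _base(image: str) -> str:
    return PureWindowsPath(image).name.lower()

def is_injection_access(granted: int) -> bool:
    """Write to target memory plus a way to run it: the classic injection mask."""
    return bool(granted & PROCESS_VM_WRITE) and bool(
        granted & (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION))

def browser_injection_alerts(events):
    alerts = []
    for ev in events:
        src, dst = _base(ev["SourceImage"]), _base(ev["TargetImage"])
        # Browser tab/renderer processes opening each other is expected noise.
        if dst not in BROWSERS or src == dst or src in ALLOWED_SOURCES:
            continue
        if ev["EventID"] == 8:  # remote thread created inside a browser
            alerts.append({"rule": "remote_thread_into_browser", "src": src, "dst": dst})
        elif ev["EventID"] == 10 and is_injection_access(int(ev["GrantedAccess"], 16)):
            alerts.append({"rule": "injection_access_to_browser", "src": src, "dst": dst})
    return alerts

# Constructed sample events in the shape of Sysmon event IDs 8 and 10.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for alert in browser_injection_alerts(SAMPLE_EVENTS):
        print(alert)
```

The query-only access in the last sample (0x1000, PROCESS_QUERY_LIMITED_INFORMATION) is deliberately not flagged, since many benign tools open browsers that way.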
Shield Active Defense#
Burn-In#
Exercise a target system in a manner where it will generate desirable system artifacts.
Exercising the system to create desirable system artifacts can include web browsing, filesystem usage, running user applications like office suites, etc. The burn-in process can be specific to a user or system, depending on your needs.
Opportunity#
In an adversary engagement scenario, there is an opportunity to prepare a user’s browser data (sessions, cookies, etc.) so it looks authentic and fully populated.
Use Case#
A defender can perform web browsing tasks on a decoy system over time to give the adversary a robust set of browser data that looks realistic and could potentially be used during adversary engagement.
Procedures#
Configure a decoy system and allow it to be used in a manner such that it collects activity logs and appears to be a legitimate system. Configure a system to generate internet browser traffic for a decoy user profile, creating artifacts such as cookies, history, temp files, etc.