T1185 Browser Session Hijacking Mappings

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)

A specific example is when an adversary injects software into a browser that allows them to inherit the cookies, HTTP sessions, and SSL client certificates of a user, and then uses the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened, and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as SharePoint or webmail, that is accessible through the browser and to which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)
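Both examples above start with code being injected into a running browser process, which is the point where a defender can observe the technique on the endpoint. The following is an added detection example, not part of the ATT&CK technique text or the mappings page: it evaluates constructed Sysmon-style records (Event ID 10 ProcessAccess and Event ID 8 CreateRemoteThread, using the field names Sysmon emits) and flags any process outside the browser's own family that opens a handle to a browser with injection-capable access rights (PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE) or creates a remote thread in it. The pipe-delimited record format, the sample paths and the browser image list are assumptions for the example.

```python
"""Flag injection-capable access to browser processes (T1185 precursor).

Added example; the records below are constructed in a simple
'Key=Value|Key=Value' form using Sysmon's own field names.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows process access rights (winnt.h values) that enable code injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
RIGHT_NAMES = {
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
}
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed set of browser image names to protect; extend for your environment.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


@dataclass
class Finding:
    event_id: int
    source: str
    target: str
    reason: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_record(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(record: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a non-browser process gains injection access to a browser."""
    event_id = int(record["EventID"])
    src = image_name(record["SourceImage"])
    tgt = image_name(record["TargetImage"])
    if tgt not in BROWSER_IMAGES:
        return None
    if src == tgt:
        # A browser opening its own tab/renderer processes is normal behaviour.
        return None
    if event_id == 10:
        # Sysmon reports GrantedAccess as a hex string, e.g. 0x1FFFFF.
        granted = int(record["GrantedAccess"], 16)
        if not granted & INJECTION_RIGHTS:
            return None
        names = [name for bit, name in RIGHT_NAMES.items() if granted & bit]
        return Finding(10, src, tgt, "handle with injection rights: " + ", ".join(names))
    if event_id == 8:
        return Finding(8, src, tgt, "remote thread created at " + record["StartAddress"])
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Evaluate every record and collect the findings."""
    findings = []
    for line in lines:
        finding = evaluate(parse_record(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events: one benign browser-to-browser handle, one benign
# query-only handle from a system process, two suspicious events from a
# user-writable Temp path, and one non-browser target that must be ignored.
SAMPLE_EVENTS = [
    r"EventID=10|SourceImage=C:\Program Files\Google\Chrome\Application\chrome.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1FFFFF",
    r"EventID=8|SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe|TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe|StartAddress=0x00007FF6A1B20000",
    r"EventID=10|SourceImage=C:\Windows\System32\notepad.exe|TargetImage=C:\Windows\explorer.exe|GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"Event {f.event_id}: {f.source} -> {f.target}: {f.reason}")
```

The same-image suppression is deliberate: modern browsers open full-access handles to their own renderer and tab processes constantly, so a rule that does not account for that drowns in noise. In production the allowlist would also cover endpoint protection agents and debuggers known to touch browser processes, and the finding would carry the Sysmon CallTrace and the source process's integrity level, since the technique text notes that injection typically needs SeDebugPrivilege or high-integrity rights.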


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
AC-10 | Concurrent Session Control | Protects | T1185 | Browser Session Hijacking
AC-12 | Session Termination | Protects | T1185 | Browser Session Hijacking
AC-2 | Account Management | Protects | T1185 | Browser Session Hijacking
AC-3 | Access Enforcement | Protects | T1185 | Browser Session Hijacking
AC-5 | Separation of Duties | Protects | T1185 | Browser Session Hijacking
AC-6 | Least Privilege | Protects | T1185 | Browser Session Hijacking
CA-7 | Continuous Monitoring | Protects | T1185 | Browser Session Hijacking
CM-2 | Baseline Configuration | Protects | T1185 | Browser Session Hijacking
CM-5 | Access Restrictions for Change | Protects | T1185 | Browser Session Hijacking
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1185 | Browser Session Hijacking
SC-23 | Session Authenticity | Protects | T1185 | Browser Session Hijacking
SI-3 | Malicious Code Protection | Protects | T1185 | Browser Session Hijacking
SI-4 | System Monitoring | Protects | T1185 | Browser Session Hijacking
SI-7 | Software, Firmware, and Information Integrity | Protects | T1185 | Browser Session Hijacking
action.hacking.variety.HTTP request smuggling | HTTP request smuggling. Child of 'Exploit vuln'. | related-to | T1185 | Browser Session Hijacking
action.hacking.variety.HTTP request splitting | HTTP request splitting. Child of 'Exploit vuln'. | related-to | T1185 | Browser Session Hijacking
action.hacking.variety.HTTP response smuggling | HTTP response smuggling. Child of 'Exploit vuln'. | related-to | T1185 | Browser Session Hijacking
action.hacking.variety.HTTP response splitting | HTTP response splitting. Child of 'Exploit vuln'. | related-to | T1185 | Browser Session Hijacking
action.hacking.variety.Hijack | To assume control over and steal functionality for an illicit purpose (e.g., hijacking a phone number to intercept SMS verification codes) | related-to | T1185 | Browser Session Hijacking
action.hacking.variety.MitM | Man-in-the-middle attack. Child of 'Exploit vuln'. | related-to | T1185 | Browser Session Hijacking
action.hacking.variety.Session fixation | Session fixation. Child of 'Exploit vuln'. | related-to | T1185 | Browser Session Hijacking
action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1185 | Browser Session Hijacking