T1185 Man in the Browser Mappings

Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. (Citation: Wikipedia Man in the Browser)

A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. (Citation: Cobalt Strike Browser Pivot) (Citation: ICEBRG Chrome Extensions)

Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. (Citation: cobaltstrike manual)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1185 Man in the Browser
AC-3 Access Enforcement Protects T1185 Man in the Browser
AC-5 Separation of Duties Protects T1185 Man in the Browser
AC-6 Least Privilege Protects T1185 Man in the Browser
CA-7 Continuous Monitoring Protects T1185 Man in the Browser
CM-2 Baseline Configuration Protects T1185 Man in the Browser
CM-5 Access Restrictions for Change Protects T1185 Man in the Browser
IA-2 Identification and Authentication (organizational Users) Protects T1185 Man in the Browser
SI-3 Malicious Code Protection Protects T1185 Man in the Browser
SI-4 System Monitoring Protects T1185 Man in the Browser
SI-7 Software, Firmware, and Information Integrity Protects T1185 Man in the Browser