
DET0507 Detect browser session hijacking via privilege, handle access, and remote thread into browsers

ID: DET0507
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1185 (Browser Session Hijacking)

Analytics

Windows

AN1398

The adversary gains high-integrity or special privileges (for example SeDebugPrivilege), locates a running browser process, opens a handle to it with write or inject rights, and modifies it (for example via CreateRemoteThread or by forcing a DLL load) so that the injected code inherits the browser's cookies and session tokens or can use the browser as a pivot. Optionally, the adversary first creates a new logon session or authenticates with explicit credentials, then drives the victim's browser to intranet resources.

Log Sources

Data Component (ID): Channel
Logon Session Metadata (DC0088): WinEventLog:Security EventCode=4672 (special privileges assigned to new logon)
User Account Metadata (DC0013): WinEventLog:Security EventCode=4673 (a privileged service was called)
Logon Session Creation (DC0067): WinEventLog:Security EventCode=4624 (an account was logged on), 4648 (logon attempted using explicit credentials)
Process Access (DC0035): WinEventLog:Sysmon EventCode=10 (ProcessAccess)
Process Modification (DC0020): WinEventLog:Sysmon EventCode=8 (CreateRemoteThread)
Module Load (DC0016): WinEventLog:Sysmon EventCode=7 (ImageLoad)
Network Connection Creation (DC0082): WinEventLog:Sysmon EventCode=3 (NetworkConnect), 22 (DNSEvent)
Mutable Elements

Field: Description
BrowserList: Set of monitored browser image names (chrome.exe, msedge.exe, firefox.exe, iexplore.exe). Adjust per fleet.
AccessMaskSet: Access rights in Sysmon Event 10 GrantedAccess that imply injection capability, either as whole masks (e.g., 0x1FFFFF, which is PROCESS_ALL_ACCESS, or 0x1F3FF) or as individual bits (PROCESS_VM_WRITE 0x0020, PROCESS_VM_OPERATION 0x0008, PROCESS_CREATE_THREAD 0x0002). Tune to how your EDR maps access rights.
SignerAllowList: Allowed module signers within browser processes (e.g., Microsoft, Google). Any ImageLoad into a browser whose signer is unsigned or outside this list is flagged.
InternalCIDR: Enterprise internal IP ranges or DNS suffixes used to identify intranet pivoting through the browser.
TimeWindow: Correlation interval (e.g., 10–20 minutes) linking privilege gain → handle access → process modification → network usage on the same host.
ParentAllowList: Legitimate tools that open browser processes with broad access to automate them (e.g., Selenium WebDriver binaries). Allowlisting them reduces false positives.
UserContext: Scope the analytic to high-value users, admin workstations, or servers where browsers should never be automated or injected into.
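As an added worked example (not part of this ATT&CK page or of MITRE's detection content), the following Python correlates the four steps of AN1398 over constructed Windows Security and Sysmon events: a 4672 carrying SeDebugPrivilege, a Sysmon 10 handle to a browser with injection-capable rights, a Sysmon 8 remote thread or a Sysmon 7 load of a non-allowlisted module into that browser, and Sysmon 3 connections from the browser into internal ranges. The browser list, signer and parent allowlists, internal CIDRs and 15-minute window are assumed values for the mutable elements above, and the access-mask check tests the individual PROCESS_VM_WRITE / PROCESS_VM_OPERATION / PROCESS_CREATE_THREAD bits rather than only whole masks such as 0x1FFFFF.

```python
"""Correlate the AN1398 chain over constructed Security/Sysmon events.

Added illustration, not MITRE's or a vendor's detection content. Field names follow
the Windows Security / Sysmon XML schema; every event below is made up for the demo.
"""
import ipaddress
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Mutable elements from the analytic, given concrete (assumed) values.
BROWSER_LIST = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SIGNER_ALLOW_LIST = {"Microsoft Windows", "Google LLC", "Mozilla Corporation"}
PARENT_ALLOW_LIST = {"chromedriver.exe", "msedgedriver.exe", "geckodriver.exe"}
INTERNAL_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TIME_WINDOW = timedelta(minutes=15)
# Handle rights needed to write into another process and start code there (Sysmon 10 GrantedAccess).
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
INJECT_BITS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def implies_injection(granted_access: str) -> bool:
    """Test bits instead of whole masks, so 0x1FFFFF, 0x1F3FF and a minimal 0x0028 all match."""
    return int(granted_access, 16) & INJECT_BITS != 0


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_CIDRS)


def correlate(events):
    """One alert per injection-capable handle to a browser that is preceded by a SeDebugPrivilege
    grant (4672) and followed by a remote thread (Sysmon 8) or a non-allowlisted module load
    (Sysmon 7) in that browser, all on the same host within TIME_WINDOW. Intranet connections
    (Sysmon 3) made by the browser afterwards are attached as pivot evidence."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, acc in enumerate(events):
        if acc["code"] != 10 or basename(acc["TargetImage"]) not in BROWSER_LIST:
            continue
        src, browser, host = basename(acc["SourceImage"]), basename(acc["TargetImage"]), acc["host"]
        # Browsers open handles to their own child processes; allowlisted drivers automate them.
        if src in BROWSER_LIST or src in PARENT_ALLOW_LIST or not implies_injection(acc["GrantedAccess"]):
            continue
        priv = [e for e in events[:i] if e["host"] == host and e["code"] == 4672
                and e["ts"] >= acc["ts"] - TIME_WINDOW and "SeDebugPrivilege" in e["PrivilegeList"]]
        if not priv:
            continue
        later = [e for e in events[i + 1:] if e["host"] == host and e["ts"] <= acc["ts"] + TIME_WINDOW]
        remote_thread = [e for e in later if e["code"] == 8 and basename(e["SourceImage"]) == src
                         and basename(e["TargetImage"]) == browser]
        bad_load = [e for e in later if e["code"] == 7 and basename(e["Image"]) == browser
                    and (e["Signed"] != "true" or e["Signature"] not in SIGNER_ALLOW_LIST)]
        if not (remote_thread or bad_load):
            continue
        pivot = [e for e in later if e["code"] == 3 and basename(e["Image"]) == browser
                 and is_internal(e["DestinationIp"])]
        alerts.append({"host": host, "user": priv[-1]["SubjectUserName"], "injector": src, "browser": browser,
                       "remote_thread": bool(remote_thread), "unsigned_load": bool(bad_load),
                       "intranet_pivot": sorted({e["DestinationIp"] for e in pivot})})
    return alerts


def t(hms):  # all constructed events fall on 2025-10-21
    return datetime(2025, 10, 21, *map(int, hms.split(":")))


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    # WS01: the full chain, should alert
    {"host": "WS01", "code": 4672, "ts": t("10:00:00"), "SubjectUserName": "jdoe",
     "PrivilegeList": "SeDebugPrivilege SeImpersonatePrivilege"},
    {"host": "WS01", "code": 10, "ts": t("10:02:10"), "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    {"host": "WS01", "code": 8, "ts": t("10:02:11"), "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "TargetImage": CHROME},
    {"host": "WS01", "code": 7, "ts": t("10:02:12"), "Image": CHROME,
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\hook.dll", "Signed": "false", "Signature": ""},
    {"host": "WS01", "code": 3, "ts": t("10:03:40"), "Image": CHROME, "DestinationIp": "10.20.30.40"},
    # WS02: Selenium driver opening Chrome with full access, suppressed by ParentAllowList
    {"host": "WS02", "code": 4672, "ts": t("10:00:00"), "SubjectUserName": "svc_ci", "PrivilegeList": "SeDebugPrivilege"},
    {"host": "WS02", "code": 10, "ts": t("10:01:00"), "SourceImage": r"C:\Tools\chromedriver.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    # WS03: read-only handle (QUERY_INFORMATION | VM_READ | QUERY_LIMITED_INFORMATION), no injection rights
    {"host": "WS03", "code": 10, "ts": t("10:05:00"), "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block reports one alert, for WS01, naming upd.exe as the injector, with both the remote thread and the unsigned hook.dll load present and 10.20.30.40 recorded as the intranet pivot; WS02 is suppressed by the parent allowlist and WS03 never passes the access-mask check. In a SIEM the same join is better keyed on Sysmon's SourceProcessGUID/TargetProcessGUID than on image basenames, and 4672 fires for every administrative logon, so it is a weak precondition on its own: the handle access plus modification step is what carries the signal, and UserContext scoping is what keeps the volume manageable.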