Skip to content

T1185 Browser Session Hijacking

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.1

A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.23 Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary’s browser through the user’s browser by setting up a proxy which will redirect web traffic. This does not alter the user’s traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as Sharepoint or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.4

Item Value
ID T1185
Sub-techniques
Tactics TA0009
Platforms Windows
Version 2.1
Created 16 January 2018
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla has the ability to use form-grabbing to extract data from web data forms.14
S0484 Carberp Carberp has captured credentials when a user performs login through a SSL session.1011
S0631 Chaes Chaes has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts.23
S0154 Cobalt Strike Cobalt Strike can perform browser pivoting and inject into a user’s browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.420
S0384 Dridex Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.9
S0531 Grandoreiro Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.131516
S0483 IcedID IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.2122
G0094 Kimsuky Kimsuky has the ability to use form-grabbing to extract emails and passwords from web data forms.12
S0530 Melcoz Melcoz can monitor the victim’s browser for online banking sessions and display an overlay window to manipulate the session in the background.13
S0650 QakBot QakBot can use advanced web injects to steal web banking credentials.1819
S1201 TRANSLATEXT TRANSLATEXT has the ability to use form-grabbing and event-listening to extract data from web data forms.12
S0266 TrickBot TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.5678
S0386 Ursnif Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords).24
S1207 XLoader XLoader can conduct form grabbing, steal cookies, and extract data from HTTP sessions.17

Mitigations

ID Mitigation Description
M1018 User Account Management Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.
M1017 User Training Close all browser sessions regularly and when they are no longer needed.

References

  1. Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018. 

  2. Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018. 

  3. De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018. 

  4. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  5. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. 

  6. Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018. 

  7. Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018. 

  8. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018. 

  9. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019. 

  10. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024. 

  11. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020. 

  12. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024. 

  13. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  14. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020. 

  15. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. 

  16. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  17. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025. 

  18. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  19. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  20. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  21. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020. 

  22. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. 

  23. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  24. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.