1. Home
  2. Techniques
  3. Enterprise
  4. Browser Session Hijacking

Browser Session Hijacking

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.[1]

A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.[2][3] Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as Sharepoint or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.[4]

Angreifer können Sicherheitslücken und inhärente Funktionen in der Browsersoftware ausnutzen, um Inhalte zu ändern, das Benutzerverhalten zu modifizieren und Informationen im Rahmen verschiedener Browser-Session-Hijacking-Techniken abzufangen.(Zitat: Wikipedia Man in the Browser)

Ein konkretes Beispiel ist, wenn ein Angreifer Software in einen Browser einschleust, die es ihm ermöglicht, Cookies, HTTP-Sitzungen und SSL-Client-Zertifikate eines Benutzers zu übernehmen und dann den Browser als Möglichkeit zu nutzen, sich in ein authentifiziertes Intranet einzuschleusen.(Zitat: Cobalt Strike Browser Pivot)(Zitat: ICEBRG Chrome Extensions) Die Ausführung von browserbasierten Verhaltensweisen wie Pivoting kann bestimmte Prozessberechtigungen erfordern, wie z.B. SeDebugPrivilege und/oder High-Integrity-/Administratorrechte.

Ein weiteres Beispiel ist die Umleitung des Browser-Verkehrs vom Browser des Gegners über den Browser des Benutzers, indem ein Proxy eingerichtet wird, der den Webverkehr umleitet. Dadurch wird der Datenverkehr des Benutzers in keiner Weise verändert, und die Proxy-Verbindung kann getrennt werden, sobald der Browser geschlossen wird. Der Angreifer übernimmt den Sicherheitskontext des Browser-Prozesses, in den der Proxy eingeschleust wird. Browser erstellen in der Regel für jede geöffnete Registerkarte einen neuen Prozess und die Berechtigungen und Zertifikate sind entsprechend getrennt. Mit diesen Berechtigungen könnte ein Angreifer potenziell jede Ressource in einem Intranet, wie z.B. Sharepoint oder Webmail, aufrufen, die über den Browser zugänglich ist und für die der Browser ausreichende Berechtigungen besitzt. Browser-Pivoting kann auch die Sicherheit der 2-Faktor-Authentifizierung umgehen.(Zitat: cobaltstrike Handbuch)

Les adversaires peuvent tirer parti des vulnérabilités de sécurité et des fonctionnalités inhérentes au logiciel de navigation pour changer le contenu, modifier le comportement de l'utilisateur et intercepter des informations dans le cadre de diverses techniques de détournement de session de navigateur.(Citation : Wikipedia Man in the Browser)

Un exemple spécifique est lorsqu'un adversaire injecte un logiciel dans un navigateur qui lui permet d'hériter des cookies, des sessions HTTP et des certificats client SSL d'un utilisateur, puis d'utiliser le navigateur comme moyen de pivoter dans un intranet authentifié.(Citation : Cobalt Strike Browser Pivot)(Citation : ICEBRG Chrome Extensions) L'exécution de comportements basés sur le navigateur tels que le pivotement peut nécessiter des autorisations de processus spécifiques, telles que SeDebugPrivilege et/ou des droits d'administrateur/de haute intégrité.

Un autre exemple consiste à faire pivoter le trafic du navigateur de l'adversaire à travers le navigateur de l'utilisateur en mettant en place un proxy qui redirigera le trafic web. Cela ne modifie en rien le trafic de l'utilisateur et la connexion du proxy peut être coupée dès que le navigateur est fermé. L'adversaire adopte le contexte de sécurité du processus du navigateur dans lequel le proxy est injecté. Les navigateurs créent généralement un nouveau processus pour chaque onglet ouvert et les permissions et certificats sont séparés en conséquence. Avec ces autorisations, un adversaire peut potentiellement naviguer vers n'importe quelle ressource d'un intranet, telle que [Sharepoint] (/techniques/T1213/002) ou une messagerie Web, accessible par le navigateur et pour laquelle le navigateur dispose d'autorisations suffisantes. Le pivotement du navigateur peut également contourner la sécurité fournie par l'authentification à 2 facteurs.(Citation : manuel cobaltstrike)

Gli avversari possono approfittare delle vulnerabilità di sicurezza e della funzionalità intrinseca del software del browser per cambiare il contenuto, modificare il comportamento dell'utente e intercettare informazioni come parte di varie tecniche di dirottamento della sessione del browser.(Citazione: Wikipedia Man in the Browser)

Un esempio specifico è quando un avversario inietta un software in un browser che gli permette di ereditare cookie, sessioni HTTP e certificati client SSL di un utente per poi usare il browser come un modo per fare pivot in un'intranet autenticata.(Citazione: Cobalt Strike Browser Pivot)(Citazione: ICEBRG Chrome Extensions) L'esecuzione di comportamenti basati sul browser come il pivoting può richiedere permessi di processo specifici, come SeDebugPrivilege e/o diritti di alta integrità/amministratore.

Un altro esempio consiste nel far ruotare il traffico del browser dell'avversario attraverso il browser dell'utente impostando un proxy che reindirizzi il traffico web. Questo non altera in alcun modo il traffico dell'utente e la connessione proxy può essere interrotta non appena il browser viene chiuso. L'avversario assume il contesto di sicurezza di qualsiasi processo del browser in cui viene iniettato il proxy. I browser di solito creano un nuovo processo per ogni scheda che viene aperta e i permessi e i certificati sono separati di conseguenza. Con questi permessi, un avversario potrebbe potenzialmente navigare verso qualsiasi risorsa su una intranet, come Sharepoint o webmail, che sia accessibile attraverso il browser e che il browser abbia sufficienti permessi. Il pivot del browser può anche bypassare la sicurezza fornita dall'autenticazione a 2 fattori.(Citazione: manuale cobaltstrike)

Login
ID: T1185
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: Windows
Permissions Required: Administrator, SYSTEM
Contributors: Justin Warner, ICEBRG
Version: 2.0
Created: 16 January 2018
Last Modified: 18 October 2021
Translations:  DE FR IT EN
Provided by LAYER 8

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla has the ability to use form-grabbing to extract data from web data forms.[5]
S0484 Carberp

Carberp has captured credentials when a user performs login through a SSL session.[6][7]
S0631 Chaes

Chaes has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts.[8]
S0154 Cobalt Strike

Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.[4][9]
S0384 Dridex

Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.[10]
S0531 Grandoreiro

Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.[11][12][13]
S0483 IcedID

IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.[14][15]
S0530 Melcoz

Melcoz can monitor the victim's browser for online banking sessions and display an overlay window to manipulate the session in the background.[11]
S0650 QakBot

QakBot can use advanced web injects to steal web banking credentials.[16][17]
S0266 TrickBot

TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.[18][19][20][21]
S0386 Ursnif

Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords).[22]

Mitigations

ID Mitigation Description
M1018 User Account Management

Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.
M1017 User Training

Close all browser sessions regularly and when they are no longer needed.

Detection

ID Data Source Data Component
DS0028 Logon Session Logon Session Creation
DS0009 Process Process Access
Process Modification

This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for Process Injection against browser applications.

Diese Technik ist unter Umständen schwer zu erkennen, da der Datenverkehr des Angreifers durch den normalen Benutzerverkehr maskiert werden kann. Es werden möglicherweise keine neuen Prozesse erstellt und keine zusätzliche Software auf der Festplatte abgelegt. Authentifizierungsprotokolle können verwendet werden, um Anmeldungen bei bestimmten Webanwendungen zu überprüfen, aber es kann schwierig sein, bösartige Anmeldungen von harmlosen Anmeldungen zu unterscheiden, wenn die Aktivitäten dem typischen Benutzerverhalten entsprechen. Überwachen Sie Browser-Anwendungen auf Process Injection.

Cette technique peut être difficile à détecter car le trafic de l'adversaire peut être masqué par le trafic normal de l'utilisateur. Il se peut que de nouveaux processus ne soient pas créés et qu'aucun logiciel supplémentaire ne soit déposé sur le disque. Les journaux d'authentification peuvent être utilisés pour auditer les connexions à des applications Web spécifiques, mais il peut être difficile de distinguer les connexions malveillantes des connexions bénignes si l'activité correspond au comportement habituel de l'utilisateur. Surveillez l'injection de processus (/techniques/T1055) dans les applications de navigateur.

Questa può essere una tecnica difficile da rilevare perché il traffico avversario può essere mascherato dal normale traffico utente. Potrebbero non essere creati nuovi processi e nessun software aggiuntivo scaricato su disco. I log di autenticazione possono essere usati per controllare i login a specifiche applicazioni web, ma determinare i login malevoli rispetto a quelli benigni può essere difficile se l'attività corrisponde al tipico comportamento dell'utente. Monitorare per Process Injection contro le applicazioni del browser.

References

  1. Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018.
  2. Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018.
  3. De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018.
  4. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  5. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  6. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  7. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
  8. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  9. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  10. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.
  11. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  1. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  2. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  3. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  4. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  5. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  6. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  7. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  8. Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018.
  9. Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.
  10. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  11. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.