T1185 CrowdStrike LogScale · LogScale

Detect Browser Session Hijacking in CrowdStrike LogScale

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques. A specific example is when an adversary injects software into a browser process that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user, then uses the browser as a pivot into an authenticated intranet. Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights. Another technique involves redirecting browser traffic through an adversary-controlled proxy injected into the browser process, allowing session impersonation without modifying user-visible traffic. Malware families such as TrickBot, Dridex, IcedID, QakBot, and Cobalt Strike implement browser pivoting and web inject techniques to steal banking credentials, session tokens, and SSL certificates.

MITRE ATT&CK

Tactic: Collection
Technique: T1185 Browser Session Hijacking
Canonical reference: https://attack.mitre.org/techniques/T1185/

LogScale Detection Query

Query (CQL, CrowdStrike LogScale):

// Detection 1: cross-process tampering (remote thread, memory write, thread context) aimed at a browser process
// Detection 2: a browser loading a module from outside vendor/OS directories
// The two branches are unioned with a case statement; events that match neither clause are dropped.
(#event_simpleName = "CreateRemoteThreadV2" OR #event_simpleName = "WriteProcessMemory" OR #event_simpleName = "SetThreadContext" OR #event_simpleName = "ClassifiedModuleLoad")
| case {
    #event_simpleName = "ClassifiedModuleLoad"
      | ImageFileName = /(?i)(chrome|msedge|firefox|iexplore|brave|opera)\.exe$/
      | NOT ModuleFilePath = /(?i)(\\Program Files\\(Google\\Chrome|Mozilla Firefox|Microsoft\\Edge)|\\Windows\\(System32|SysWOW64|WinSxS))/
      | NOT ModuleFilePath = /(?i)(d3d|opengl|vulkan|nvog|atig|ig[0-9])/
      | InjectionMethod := "Suspicious module load in browser";
    (#event_simpleName = "CreateRemoteThreadV2" OR #event_simpleName = "WriteProcessMemory" OR #event_simpleName = "SetThreadContext")
      | TargetImageFileName = /(?i)(chrome|msedge|firefox|iexplore|brave|opera|microsoftedge)\.exe$/
      | NOT SourceImageFileName = /(?i)(chrome|msedge|firefox|MsMpEng|WerFault|WerFaultSecure|csrss|dwm|taskmgr)\.exe$/
      | case {
          #event_simpleName = "CreateRemoteThreadV2" | InjectionMethod := "Remote thread injection";
          #event_simpleName = "WriteProcessMemory"   | InjectionMethod := "Memory write injection";
          #event_simpleName = "SetThreadContext"     | InjectionMethod := "Thread context hijacking";
          * | InjectionMethod := "Unknown" }
  }
| table([_time, ComputerName, UserName, InjectionMethod, SourceImageFileName, TargetImageFileName, SourceProcessId, TargetProcessId, ImageFileName, ModuleFilePath, ModuleImageFilePath])
| sort(_time, order=desc)

Severity: high. Confidence: medium.

Detects browser session hijacking in CrowdStrike Falcon LogScale using Falcon event types for remote thread creation, memory writes, and thread context modification targeting browser processes. Also detects suspicious DLL/module loads within browser processes from non-standard paths.
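To make the query's filters and labels concrete, here is an added Python re-implementation of the same two detections run over a handful of constructed events (example code, not the page's query or Falcon's own tooling); the field names follow the LogScale query above and the sample paths and event values are made up for illustration.

```python
import re
from typing import Any, Dict, List, Optional

# Patterns mirror the LogScale query; field names follow that query, not a Falcon schema reference.
BROWSER = re.compile(r"(?i)(chrome|msedge|firefox|iexplore|brave|opera|microsoftedge)\.exe$")
BENIGN_SOURCE = re.compile(r"(?i)(chrome|msedge|firefox|MsMpEng|WerFault|WerFaultSecure|csrss|dwm|taskmgr)\.exe$")
VENDOR_OR_OS_PATH = re.compile(r"(?i)(\\Program Files\\(Google\\Chrome|Mozilla Firefox|Microsoft\\Edge)|\\Windows\\(System32|SysWOW64|WinSxS))")
GRAPHICS_MODULE = re.compile(r"(?i)(d3d|opengl|vulkan|nvog|atig|ig[0-9])")
INJECTION_LABEL = {
    "CreateRemoteThreadV2": "Remote thread injection",
    "WriteProcessMemory": "Memory write injection",
    "SetThreadContext": "Thread context hijacking",
}

def classify(ev: Dict[str, Any]) -> Optional[str]:
    """Return the InjectionMethod label the query assigns, or None if the event is filtered out."""
    name = ev.get("#event_simpleName", "")
    if name in INJECTION_LABEL:
        # Detection 1: tampering aimed at a browser from a source that is neither a browser nor allowlisted
        if not BROWSER.search(ev.get("TargetImageFileName", "")):
            return None
        if BENIGN_SOURCE.search(ev.get("SourceImageFileName", "")):
            return None
        return INJECTION_LABEL[name]
    if name == "ClassifiedModuleLoad":
        # Detection 2: a browser loading a module from outside vendor/OS directories, ignoring GPU driver DLLs
        path = ev.get("ModuleFilePath", "")
        if not BROWSER.search(ev.get("ImageFileName", "")):
            return None
        if VENDOR_OR_OS_PATH.search(path) or GRAPHICS_MODULE.search(path):
            return None
        return "Suspicious module load in browser"
    return None  # other Falcon event types are out of scope for this rule

def run_detection(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply both detections and return matching events newest first, like the query's sort."""
    hits = [{**ev, "InjectionMethod": m} for ev in events if (m := classify(ev))]
    return sorted(hits, key=lambda e: e["_time"], reverse=True)

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real Falcon data
    {"_time": 1, "#event_simpleName": "CreateRemoteThreadV2", "SourceImageFileName": r"C:\Users\a\AppData\Local\Temp\updater.exe", "TargetImageFileName": CHROME},
    {"_time": 2, "#event_simpleName": "WriteProcessMemory", "SourceImageFileName": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", "TargetImageFileName": CHROME},
    {"_time": 3, "#event_simpleName": "ClassifiedModuleLoad", "ImageFileName": FIREFOX, "ModuleFilePath": r"C:\Program Files\Mozilla Firefox\xul.dll"},
    {"_time": 4, "#event_simpleName": "ClassifiedModuleLoad", "ImageFileName": CHROME, "ModuleFilePath": r"C:\Program Files\NVIDIA Corporation\nvoglv64.dll"},
    {"_time": 5, "#event_simpleName": "ClassifiedModuleLoad", "ImageFileName": CHROME, "ModuleFilePath": r"C:\Users\a\AppData\Roaming\hook.dll"},
    {"_time": 6, "#event_simpleName": "SetThreadContext", "SourceImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "TargetImageFileName": FIREFOX},
]
```

Running `run_detection(SAMPLE_EVENTS)` keeps events 6, 5 and 1 and drops the Defender write, the vendor-path Firefox module and the GPU driver DLL, which is exactly the exclusion behaviour the tuning notes below rely on.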

Data Sources

  • CrowdStrike Falcon Endpoint Protection
  • CrowdStrike LogScale (formerly Humio)
  • Falcon Data Replicator (FDR) event stream

Required Tables

  • Falcon event stream: CreateRemoteThreadV2
  • Falcon event stream: WriteProcessMemory
  • Falcon event stream: SetThreadContext
  • Falcon event stream: ClassifiedModuleLoad

False Positives & Tuning

  • CrowdStrike sensor itself may generate events when performing process inspection for threat detection
  • Third-party AV or EDR products that co-exist with Falcon and access browser processes
  • Legitimate browser helper objects or extensions that load as DLLs from custom enterprise software directories
  • IT operations tooling such as BigFix or Tanium that may access browser process memory for inventory
  • Browser-based RPA tools that instrument browser processes programmatically

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Browser Process Enumeration and Handle Open (ReadVM Access)

    Expected signal: Sysmon EventCode=10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=<browser>.exe, GrantedAccess=0x10 (PROCESS_VM_READ), CallTrace will show the kernel32.dll and ntdll.dll call stack. MDE DeviceEvents ActionType=OpenProcessApiCall with FileName=<browser>.exe, InitiatingProcessFileName=powershell.exe.

  2. Test 2: Chrome Cookie Database Exfiltration via File Copy

    Expected signal: Sysmon EventCode=11 (FileCreate): TargetFilename=%TEMP%\argus_test_cookies_*.db, Image=powershell.exe. Sysmon EventCode=1 (ProcessCreate): powershell.exe with command line referencing LOCALAPPDATA\Google\Chrome\User Data. MDE DeviceFileEvents with ActionType=FileCreated, FileName=argus_test_cookies_*.db, InitiatingProcessFileName=powershell.exe.

  3. Test 3: Browser Proxy Configuration via Registry (Browser Pivot Simulation)

    Expected signal: Sysmon EventCode=13 (RegistryValueSet): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer, Details=127.0.0.1:4444, Image=powershell.exe. Second EventCode=13 for ProxyEnable=1. MDE DeviceRegistryEvents with ActionType=RegistryValueSet, RegistryValueName=ProxyServer, RegistryValueData=127.0.0.1:4444.

  4. Test 4: CreateRemoteThread Simulation into Browser Process (Benign Payload)

    Expected signal: Sysmon EventCode=8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=<browser>.exe, StartAddress=<kernel32!Sleep address>, StartModule=C:\Windows\System32\kernel32.dll, StartFunction=Sleep. MDE DeviceEvents ActionType=CreateRemoteThreadApiCall, FileName=<browser>.exe, InitiatingProcessFileName=powershell.exe. Security Event ID 4688 for the PowerShell process if command line auditing is enabled.
