Detect Browser Session Hijacking in Microsoft Sentinel
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques. A specific example is when an adversary injects software into a browser process that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user, then uses the browser as a pivot into an authenticated intranet. Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights. Another technique involves redirecting browser traffic through an adversary-controlled proxy injected into the browser process, allowing session impersonation without modifying user-visible traffic. Malware families such as TrickBot, Dridex, IcedID, QakBot, and Cobalt Strike implement browser pivoting and web inject techniques to steal banking credentials, session tokens, and SSL certificates.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1185 Browser Session Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1185/
KQL Detection Query
let BrowserProcesses = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "microsoftedge.exe", "brave.exe", "opera.exe", "safari.exe"]);
let KnownGoodInjectors = dynamic(["MsMpEng.exe", "csrss.exe", "werfault.exe", "WerFaultSecure.exe", "dwm.exe", "taskmgr.exe"]);
// === Detection 1: Process injection into browser processes ===
let BrowserInjection = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in ("CreateRemoteThreadApiCall", "WriteProcessMemoryApiCall", "SetThreadContextRemoteApiCall", "QueueUserApcRemoteApiCall", "OpenProcessApiCall")
| where FileName in~ (BrowserProcesses)
| where InitiatingProcessFileName !in~ (BrowserProcesses)
| where InitiatingProcessFileName !in~ (KnownGoodInjectors)
| extend InjectionMethod = case(
ActionType == "CreateRemoteThreadApiCall", "Remote thread injection",
ActionType == "WriteProcessMemoryApiCall", "Memory write injection",
ActionType == "SetThreadContextRemoteApiCall", "Thread context hijacking",
ActionType == "QueueUserApcRemoteApiCall", "APC queue injection",
ActionType == "OpenProcessApiCall", "Suspicious process handle open",
"Unknown injection"
)
| project Timestamp, DeviceName, AccountName, DetectionSource="ProcessInjection",
InjectionMethod, TargetBrowser=FileName,
InjectorProcess=InitiatingProcessFileName,
InjectorCommandLine=InitiatingProcessCommandLine,
InjectorParent=InitiatingProcessParentFileName;
// === Detection 2: Suspicious DLL loads inside browser processes ===
let SuspiciousBrowserDllLoads = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (BrowserProcesses)
| where not(FolderPath has_any (
"\\Google\\Chrome\\", "\\Mozilla Firefox\\", "\\Microsoft\\Edge\\",
"\\Windows\\System32\\", "\\Windows\\SysWOW64\\", "\\Windows\\WinSxS\\",
"\\Program Files\\Google\\", "\\Program Files (x86)\\Mozilla\\",
"\\Program Files\\Microsoft\\", "\\Program Files (x86)\\Microsoft\\"
))
| where not(FileName has_any ("d3d", "opengl", "vulkan", "nvidia", "amd", "intel"))
| project Timestamp, DeviceName, AccountName, DetectionSource="SuspiciousDllLoad",
InjectionMethod="Reflective/manual DLL load in browser",
TargetBrowser=InitiatingProcessFileName,
InjectorProcess=FileName,
InjectorCommandLine=FolderPath,
InjectorParent=InitiatingProcessParentFileName;
// === Combine and surface ===
BrowserInjection
| union SuspiciousBrowserDllLoads
| sort by Timestamp descDetects browser session hijacking via two complementary signals in Microsoft Defender for Endpoint: (1) process injection events targeting browser processes — CreateRemoteThread, WriteProcessMemory, SetThreadContext, APC queue injection, and suspicious OpenProcess API calls against chrome.exe, msedge.exe, firefox.exe, and others from unexpected initiating processes; (2) unexpected DLL loads inside browser processes from non-standard paths, which indicate reflective injection or manual DLL mapping used by web inject malware families such as TrickBot, Dridex, IcedID, and Cobalt Strike. Legitimate browser security tools (MsMpEng.exe, WerFault.exe) and inter-browser IPC are excluded to reduce false positives.
Data Sources
Required Tables
False Positives & Tuning
- Screen reader and accessibility software (NVDA, JAWS, ZoomText) that legitimately hook into browser processes to read on-screen content
- Password manager browser extensions with companion desktop agents (1Password, LastPass desktop app) that access browser process memory for autofill
- Security products with browser integration features (some DLP agents, Netskope, Zscaler client) that inject helper modules into browsers
- Crash reporting and debugging tools (Visual Studio debugger, Process Monitor) opening handles to browser processes during development or troubleshooting
- Endpoint detection products performing memory scanning may trigger OpenProcessApiCall events against browser processes during scheduled scans
Other platforms for T1185
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Browser Process Enumeration and Handle Open (ReadVM Access)
Expected signal: Sysmon EventCode=10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=<browser>.exe, GrantedAccess=0x10 (PROCESS_VM_READ), CallTrace will show the kernel32.dll and ntdll.dll call stack. MDE DeviceEvents ActionType=OpenProcessApiCall with FileName=<browser>.exe, InitiatingProcessFileName=powershell.exe.
- Test 2Chrome Cookie Database Exfiltration via File Copy
Expected signal: Sysmon EventCode=11 (FileCreate): TargetFilename=%TEMP%\argus_test_cookies_*.db, Image=powershell.exe. Sysmon EventCode=1 (ProcessCreate): powershell.exe with command line referencing LOCALAPPDATA\Google\Chrome\User Data. MDE DeviceFileEvents with ActionType=FileCreated, FileName=argus_test_cookies_*.db, InitiatingProcessFileName=powershell.exe.
- Test 3Browser Proxy Configuration via Registry (Browser Pivot Simulation)
Expected signal: Sysmon EventCode=13 (RegistryValueSet): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer, Details=127.0.0.1:4444, Image=powershell.exe. Second EventCode=13 for ProxyEnable=1. MDE DeviceRegistryEvents with ActionType=RegistryValueSet, RegistryValueName=ProxyServer, RegistryValueData=127.0.0.1:4444.
- Test 4CreateRemoteThread Simulation into Browser Process (Benign Payload)
Expected signal: Sysmon EventCode=8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=<browser>.exe, StartAddress=<kernel32!Sleep address>, StartModule=C:\Windows\System32\kernel32.dll, StartFunction=Sleep. MDE DeviceEvents ActionType=CreateRemoteThreadApiCall, FileName=<browser>.exe, InitiatingProcessFileName=powershell.exe. Security Event ID 4688 for the PowerShell process if command line auditing is enabled.
References (10)
- https://attack.mitre.org/techniques/T1185/
- https://en.wikipedia.org/wiki/Man-in-the-browser
- https://www.cobaltstrike.com/help-browser-pivoting
- https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf
- https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses
- https://www.fidelissecurity.com/threatgeek/threat-intelligence/trickbot-we-missed-you-dyre/
- https://securityintelligence.com/trickbot-new-banking-trojan-delivers-credential-stealing-attacks/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1185/T1185.md
Unlock Pro Content
Get the full detection package for T1185 including response playbook, investigation guide, and atomic red team tests.