Detect Browser Session Hijacking in Splunk
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques. A specific example is when an adversary injects software into a browser process that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user, then uses the browser as a pivot into an authenticated intranet. Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights. Another technique involves redirecting browser traffic through an adversary-controlled proxy injected into the browser process, allowing session impersonation without modifying user-visible traffic. Malware families such as TrickBot, Dridex, IcedID, QakBot, and Cobalt Strike implement browser pivoting and web inject techniques to steal banking credentials, session tokens, and SSL certificates.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1185 Browser Session Hijacking
- Canonical reference: https://attack.mitre.org/techniques/T1185/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(EventCode=8 OR EventCode=10 OR EventCode=7)
(
    TargetImage="*\\chrome.exe" OR TargetImage="*\\msedge.exe" OR
    TargetImage="*\\firefox.exe" OR TargetImage="*\\iexplore.exe" OR
    TargetImage="*\\brave.exe" OR TargetImage="*\\opera.exe" OR
    TargetImage="*\\microsoftedge.exe" OR
    Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR
    Image="*\\firefox.exe" OR Image="*\\iexplore.exe" OR
    Image="*\\brave.exe" OR Image="*\\opera.exe" OR
    Image="*\\microsoftedge.exe"
)
NOT (
    SourceImage="*\\chrome.exe" OR SourceImage="*\\msedge.exe" OR
    SourceImage="*\\firefox.exe" OR SourceImage="*\\MsMpEng.exe" OR
    SourceImage="*\\WerFault.exe" OR SourceImage="*\\csrss.exe" OR
    SourceImage="*\\dwm.exe"
)
NOT (
    EventCode=7 AND (
        ImageLoaded="C:\\Windows\\*" OR ImageLoaded="C:\\Program Files\\*" OR
        ImageLoaded="C:\\Program Files (x86)\\*"
    )
)
| eval InjectionType=case(
    EventCode=8, "CreateRemoteThread in browser",
    EventCode=10 AND match(GrantedAccess, "0x1[Ff][0-9A-Fa-f]+"), "Full-access process handle to browser",
    EventCode=10 AND match(GrantedAccess, "0x[0-9A-Fa-f]*3[89AB][0-9A-Fa-f]*"), "VM Read/Write handle to browser",
    EventCode=10, "ProcessAccess to browser",
    EventCode=7, "DLL injection candidate",
    true(), "Unknown"
)
| eval IsHighRisk=if(EventCode=8 OR (EventCode=10 AND match(GrantedAccess, "0x1[Ff][0-9A-Fa-f]+")), 1, 0)
| eval SourceProcess=coalesce(SourceImage, ImageLoaded)
| eval TargetProcess=coalesce(TargetImage, Image)
| table _time, host, User, EventCode, InjectionType, IsHighRisk,
    SourceProcess, TargetProcess, GrantedAccess, CallTrace, StartFunction, Signed
| sort - IsHighRisk, - _time

Detects browser session hijacking attempts using Sysmon operational logs across three event types: EventCode=8 (CreateRemoteThread), where a non-browser process creates a remote thread inside a browser process, the hallmark of Cobalt Strike browser pivoting and web inject loaders; EventCode=10 (ProcessAccess), where unexpected processes open handles to browsers with full-access (0x1F0FFF) or VM read/write rights required for memory manipulation; and EventCode=7 (ImageLoad), where a browser process loads a DLL from outside the Windows and Program Files directories. Event 7 records the browser in Image and the DLL in ImageLoaded rather than in SourceImage/TargetImage, which is why the browser filter and the SourceProcess/TargetProcess fields accept both field sets. The GrantedAccess matches are string heuristics rather than bitmask decodes: the first pattern covers 0x1F0FFF (and 0x1FFFFF on newer Windows builds), the second covers masks containing the 0x38 digit pair that PROCESS_VM_OPERATION, PROCESS_VM_READ and PROCESS_VM_WRITE form together. Matching on these high-privilege access masks surfaces the most critical injection attempts. Results are sorted by risk level then recency to prioritize analyst triage.
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (index=wineventlog in the query above), with Sysmon Event IDs 7 (ImageLoad), 8 (CreateRemoteThread) and 10 (ProcessAccess) enabled in the Sysmon configuration
False Positives & Tuning
- Screen reader and accessibility software (NVDA, JAWS) that legitimately hook browser processes for content reading
- Password manager desktop agents opening read handles to browsers for autofill synchronization
- Security products with browser protection modules (DLP agents, SSO clients) that load helper DLLs into browser context
- Developer debugging sessions using Visual Studio or WinDbg attaching to browser processes for front-end debugging
- Electron-based applications that embed Chromium may show similar EventCode=10 patterns when managing their embedded browser engine
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Browser Process Enumeration and Handle Open (ReadVM Access)
Expected signal: Sysmon EventCode=10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=<browser>.exe, GrantedAccess=0x10 (PROCESS_VM_READ), CallTrace will show the kernel32.dll and ntdll.dll call stack. MDE DeviceEvents ActionType=OpenProcessApiCall with FileName=<browser>.exe, InitiatingProcessFileName=powershell.exe.
- Test 2: Chrome Cookie Database Exfiltration via File Copy
Expected signal: Sysmon EventCode=11 (FileCreate): TargetFilename=%TEMP%\argus_test_cookies_*.db, Image=powershell.exe. Sysmon EventCode=1 (ProcessCreate): powershell.exe with command line referencing LOCALAPPDATA\Google\Chrome\User Data. MDE DeviceFileEvents with ActionType=FileCreated, FileName=argus_test_cookies_*.db, InitiatingProcessFileName=powershell.exe.
- Test 3: Browser Proxy Configuration via Registry (Browser Pivot Simulation)
Expected signal: Sysmon EventCode=13 (RegistryValueSet): TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer, Details=127.0.0.1:4444, Image=powershell.exe. Second EventCode=13 for ProxyEnable=1. MDE DeviceRegistryEvents with ActionType=RegistryValueSet, RegistryValueName=ProxyServer, RegistryValueData=127.0.0.1:4444.
- Test 4: CreateRemoteThread Simulation into Browser Process (Benign Payload)
Expected signal: Sysmon EventCode=8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=<browser>.exe, StartAddress=<kernel32!Sleep address>, StartModule=C:\Windows\System32\kernel32.dll, StartFunction=Sleep. MDE DeviceEvents ActionType=CreateRemoteThreadApiCall, FileName=<browser>.exe, InitiatingProcessFileName=powershell.exe. Security Event ID 4688 for the PowerShell process if command line auditing is enabled.
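As an added example (not code from the original detection page), the classification logic of the SPL query above re-implemented in Python and run over constructed Sysmon events shaped like the Test 1 and Test 4 signals; the names classify, triage and the sample paths are assumptions. It goes beyond the SPL in one respect: GrantedAccess is decoded as a bitmask rather than matched as a hex string, so a mask such as 0x1438 is recognised as VM read/write.

```python
# Added example, not part of the original page: a stand-alone Python re-implementation of the
# SPL logic above, run offline over constructed Sysmon events. Names (classify, triage, ...) are
# assumptions; unlike the SPL regexes, GrantedAccess is decoded here as a bitmask.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe", "microsoftedge.exe"}
BENIGN_SOURCES = BROWSERS | {"msmpeng.exe", "werfault.exe", "csrss.exe", "dwm.exe"}  # the query's NOT clause
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files")  # Event 7 loads from here are not "suspicious paths"
# Process access rights from winnt.h, used to interpret Event 10 GrantedAccess
PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0008, 0x0010, 0x0020
PROCESS_ALL_ACCESS = 0x1F0FFF  # 0x1FFFFF on newer Windows still contains all of these bits
VM_RW = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE  # 0x38, what the "3[89AB]" regex approximates

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """(InjectionType, IsHighRisk, SourceProcess, TargetProcess) for one Sysmon event dict, or None if filtered out."""
    code = ev["EventCode"]
    if code in (8, 10):  # CreateRemoteThread / ProcessAccess: SourceImage acts on TargetImage
        src, tgt = ev["SourceImage"], ev["TargetImage"]
        if basename(tgt) not in BROWSERS or basename(src) in BENIGN_SOURCES:
            return None
        if code == 8:
            return ("CreateRemoteThread in browser", 1, src, tgt)
        mask = int(ev["GrantedAccess"], 16)
        if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
            return ("Full-access process handle to browser", 1, src, tgt)
        if (mask & VM_RW) == VM_RW:
            return ("VM Read/Write handle to browser", 0, src, tgt)
        return ("ProcessAccess to browser", 0, src, tgt)
    if code == 7:  # ImageLoad: the browser (Image) loads a DLL (ImageLoaded)
        src, tgt = ev["ImageLoaded"], ev["Image"]
        if basename(tgt) not in BROWSERS or src.lower().startswith(TRUSTED_DLL_DIRS):
            return None
        return ("DLL injection candidate", 0, src, tgt)
    return None

def triage(events):  # matching events ordered like the SPL sort: high risk first, then most recent
    rows = [(ev["_time"],) + hit for ev in events if (hit := classify(ev))]
    return sorted(rows, key=lambda r: (-r[2], -r[0]))
# Constructed sample events modelled on Test 1 and Test 4 above plus extra cases; not real telemetry
PS, CHROME = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_EVENTS = [
    {"_time": 100, "EventCode": 10, "SourceImage": PS, "TargetImage": CHROME, "GrantedAccess": "0x10"},  # Test 1
    {"_time": 101, "EventCode": 8, "SourceImage": PS, "TargetImage": CHROME, "StartFunction": "Sleep"},  # Test 4
    {"_time": 102, "EventCode": 10, "SourceImage": "C:\\Users\\Public\\upd.exe", "TargetImage": CHROME, "GrantedAccess": "0x1F0FFF"},
    {"_time": 103, "EventCode": 10, "SourceImage": "C:\\ProgramData\\Defender\\MsMpEng.exe", "TargetImage": CHROME, "GrantedAccess": "0x1F0FFF"},
    {"_time": 104, "EventCode": 10, "SourceImage": "C:\\Users\\Public\\upd.exe", "TargetImage": CHROME, "GrantedAccess": "0x1438"},
    {"_time": 105, "EventCode": 7, "Image": CHROME, "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\hook.dll"},
    {"_time": 106, "EventCode": 7, "Image": CHROME, "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},  # trusted path, dropped
]
```

Running triage(SAMPLE_EVENTS) drops the Defender handle and the ntdll.dll load, ranks the full-access handle and the remote thread first, and leaves the Test 1 PROCESS_VM_READ-only handle at the bottom as a plain ProcessAccess hit.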
References
- https://attack.mitre.org/techniques/T1185/
- https://en.wikipedia.org/wiki/Man-in-the-browser
- https://www.cobaltstrike.com/help-browser-pivoting
- https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf
- https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses
- https://www.fidelissecurity.com/threatgeek/threat-intelligence/trickbot-we-missed-you-dyre/
- https://securityintelligence.com/trickbot-new-banking-trojan-delivers-credential-stealing-attacks/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1185/T1185.md