title: Browser Session Hijacking (T1185)
id: df00tech-t1185
status: experimental
description: "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of browser session hijacking. One form is browser pivoting: the adversary injects code into a browser process, inherits the user's cookies, authenticated HTTP sessions, and SSL client certificates, and uses the browser as a pivot into an authenticated intranet. Cobalt Strike implements this by running a proxy inside the injected browser process, so the operator's own browser reuses the victim's sessions while the requests still originate from the victim's browser with its normal credentials. Injecting into a browser typically requires process permissions such as SeDebugPrivilege and/or high-integrity/administrator rights. A related technique, web injects, as used by banking malware such as TrickBot, Dridex, IcedID and QakBot, alters pages as the browser renders them to capture credentials and session tokens. When implemented by process injection, both forms begin with a non-browser process opening a handle to a browser process with access rights that permit writing its memory or creating threads in it, which is the observable this rule targets."
references:
  - https://attack.mitre.org/techniques/T1185/
  - https://df00tech.com/detections/T1185
author: df00tech
date: 2026/04/20
tags:
  - attack.t1185
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The false positives below all describe handles opened to browser processes
# (Sysmon Event ID 10 / ProcessAccess), so the rule is scoped to process_access.
logsource:
  category: process_access
  product: windows
detection:
  # Starting selection derived from the false positives below: a handle to a browser
  # process with rights that allow writing memory or creating threads. The full
  # KQL/SPL query is on df00tech; tune the access masks and filters per environment.
  selection:
    TargetImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
      - '\iexplore.exe'
    GrantedAccess:
      - '0x1F0FFF'
      - '0x1FFFFF'
      - '0x143A'
      - '0x1438'
  filter_browser_self:
    # Browsers open full-access handles to their own renderer and utility child processes
    SourceImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
      - '\iexplore.exe'
  condition: selection and not filter_browser_self
falsepositives:
  - "Screen reader and accessibility software (NVDA, JAWS, ZoomText) that legitimately hook into browser processes to read on-screen content"
  - "Password manager desktop apps with browser integration (1Password, LastPass desktop app) that open handles to browser processes, for example to verify the browser's code signature before serving autofill over native messaging"
  - "Security products with browser integration features (some DLP agents, Netskope, Zscaler client) that inject helper modules into browsers"
  - "Crash reporting and debugging tools (Visual Studio debugger, Process Monitor) opening handles to browser processes during development or troubleshooting"
  - "Endpoint detection products performing memory scanning may trigger OpenProcessApiCall events against browser processes during scheduled scans"
level: high
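To see what the rule's logic does to real-looking telemetry, here is an added example (editorial illustration, not the df00tech rule or its KQL/SPL query) that applies the same idea to constructed Sysmon Event ID 10 records: a non-browser process opening a handle to a browser process with rights that allow injection alerts, while the browser's own child-process handles and the tools named in the false positives list are filtered. It goes one step beyond a literal mask list by decoding the access bits, so it explains why 0x143A alerts and 0x1410 does not. All paths, timestamps and the benign-source allowlist are assumptions made for the illustration.

```python
"""Check of process_access telemetry for browser session hijacking (T1185).

Added example, not the df00tech rule or its KQL/SPL query. It applies the logic
the falsepositives list implies (a non-browser process opening a handle to a
browser process with rights that allow injection) to constructed Sysmon
Event ID 10 records. Paths, timestamps and the allowlist are assumptions.
"""

# Process access rights from winnt.h that matter for injecting into a browser.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Browser binaries the rule cares about (lowercase, compared with endswith).
BROWSERS = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe", "\\iexplore.exe")

# Assumed allowlist derived from the rule's falsepositives (screen readers,
# password-manager agents, debuggers). In production key this on signer and
# full path rather than basename, or an attacker simply renames a binary.
BENIGN_SOURCES = ("\\nvda.exe", "\\jfw.exe", "\\1password.exe",
                  "\\devenv.exe", "\\procmon64.exe")


def is_browser(image: str) -> bool:
    return image.lower().endswith(BROWSERS)


def parse_mask(granted_access: str) -> int:
    """Sysmon logs GrantedAccess as a hex string such as '0x1FFFFF'."""
    return int(granted_access, 16)


def can_inject(mask: int) -> bool:
    """True if the handle permits writing the target's memory or creating a
    thread in it, which browser pivoting and web-inject loaders need.
    A read-only handle (e.g. 0x1410) does not qualify, so cookie scraping by
    memory read alone would need a separate, noisier rule."""
    write_ops = PROCESS_VM_WRITE | PROCESS_VM_OPERATION
    return bool(mask & PROCESS_CREATE_THREAD) or (mask & write_ops) == write_ops


def classify(event: dict) -> str:
    """Return the verdict for one Event ID 10 record."""
    if not is_browser(event["TargetImage"]):
        return "no_match:target"
    source = event["SourceImage"]
    # Browsers open full-access handles to their own renderer/utility children.
    if is_browser(source):
        return "filtered:self"
    if source.lower().endswith(BENIGN_SOURCES):
        return "filtered:allowlist"
    if not can_inject(parse_mask(event["GrantedAccess"])):
        return "no_match:access"
    return "alert"


def run_detection(events):
    """Evaluate every event; returns (SourceImage, TargetImage, verdict) triples."""
    return [(e["SourceImage"], e["TargetImage"], classify(e)) for e in events]


def alerts(events):
    return [e for e in events if classify(e) == "alert"]


# Constructed Sysmon Event ID 10 (ProcessAccess) records, trimmed to the fields
# the logic uses. None of these come from a real host.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-04-20 09:12:01.001",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"UtcTime": "2026-04-20 09:12:02.113",
     "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"UtcTime": "2026-04-20 09:13:40.570",
     "SourceImage": r"C:\Program Files (x86)\NVDA\nvda.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "GrantedAccess": "0x1F0FFF"},
    {"UtcTime": "2026-04-20 09:15:09.002",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1410"},
    {"UtcTime": "2026-04-20 09:16:55.330",
     "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "GrantedAccess": "0x143A"},
    {"UtcTime": "2026-04-20 09:17:12.000",
     "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for source, target, verdict in run_detection(SAMPLE_EVENTS):
        print(f"{verdict:20} {source} -> {target}")
```

Running it alerts on two of the six records (the Temp-directory binary and rundll32.exe), filters the browser's handle to itself and the screen reader, and ignores the Task Manager read-only handle and the non-browser target. The allowlist is the weak point: basename matching is trivially bypassed, so a production rule should pair it with signer and path checks and treat the CallTrace field as a second signal for unbacked (injected) code.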
