Browser Session Hijacking

Browser session hijacking refers to an adversary obtaining and manipulating a user's browser session state through technical means in order to carry out unauthorized access or data theft. Traditional attack methods include cookie theft, SSL stripping and proxy injection; defenders typically respond with enforced HTTPS, certificate pinning and process behaviour monitoring. Because the technique abuses the browser's own functionality, detection depends on fine-grained network traffic analysis, certificate chain validation and auditing of extension behaviour.

To evade traditional detection, adversaries have developed covert hijacking techniques that are deeply coupled to how the browser operates: through functional parasitism, memory residency and trust-chain forgery, malicious operations are blended into the browser's normal workflow, achieving "traceless" session control and data theft.

Current stealth techniques for browser session hijacking evolve along two axes: blending into the runtime environment and breaking the trust model. Covert extension hijacking borrows the trust of the legitimate extension ecosystem and nests malicious functionality deep inside business logic the user has authorized, so that detection systems struggle to tell normal extension behaviour from attack behaviour. Process-injection hijacking uses the browser process's legitimate network stack and authenticated state to make traffic redirection transparent, evading detection based on network-layer signatures or process integrity. SSL man-in-the-middle impersonation poisons the system-level trust chain to build a cryptographically "legitimate" interception channel, defeating conventional certificate validation. What the three have in common is that they cross the trust boundaries of traditional security mechanisms: by abusing legitimate interaction channels between browser components, attack behaviour is turned into operations the system treats as normal, hiding the attack chain in depth.

The development of these stealth techniques puts signature-based defences under severe strain. Defenders need new capabilities such as supply-chain verification of browser extensions, memory integrity protection and real-time Certificate Transparency monitoring, combined with user behaviour analytics and SSL/TLS metadata anomaly detection, to build a multi-dimensional session security posture.

ID: T1185
Sub-techniques: T1185.001, T1185.002, T1185.003
Tactic: Collection
Platforms: Windows
Permissions Required: Administrator, SYSTEM
Contributors: Justin Warner, ICEBRG
Version: 2.0
Created: 16 January 2018
Last Modified: 25 February 2022

Stealth Effects

Effect type | Present
Signature masquerading |
Behavioural transparency |
Data obscuring |
Spatiotemporal trace erasure |

Signature masquerading

Through SSL certificate forgery, imitation of browser extension functionality and similar means, the adversary gives malicious traffic the characteristics of a legitimate protocol. For example, a forged trusted certificate makes hijacked HTTPS traffic appear as an encrypted, trusted connection, or a malicious extension's network requests are made to match a legitimate extension's request pattern exactly, so that defenders cannot identify the anomaly from traffic characteristics.

Behavioural transparency

Process injection lets the attacker communicate directly through the browser's native network stack, so the hijack creates no new network connection and no process-creation event. The attack fully inherits the browser's legitimate authenticated state and network characteristics, defeating traditional detection based on process behaviour or connection features.

Data obscuring

In an SSL man-in-the-middle attack, the tampered content is carried over standards-compliant TLS encryption, so network-layer inspection cannot directly recover plaintext. Encrypted protocols such as WebRTC are also used for exfiltration, further hiding the transmission of the stolen data.

Procedure Examples

ID | Name | Description
S0331 Agent Tesla

Agent Tesla has the ability to use form-grabbing to extract data from web data forms.[1]

S0484 Carberp

Carberp has captured credentials when a user performs login through an SSL session.[2][3]

S0631 Chaes

Chaes has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts.[4]

S0154 Cobalt Strike

Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.[5][6]

S0384 Dridex

Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.[7]

S0531 Grandoreiro

Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.[8][9][10]

S0483 IcedID

IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self-signed TLS certificate in connection with the spoofed site while simultaneously maintaining a live connection with the legitimate site, so that the browser displays the correct URL and certificates.[11][12]

S0530 Melcoz

Melcoz can monitor the victim's browser for online banking sessions and display an overlay window to manipulate the session in the background.[8]

S0650 QakBot

QakBot can use advanced web injects to steal web banking credentials.[13][14]

S0266 TrickBot

TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.[15][16][17][18]

S0386 Ursnif

Ursnif has injected HTML code into banking sites to steal sensitive online banking information (e.g. usernames and passwords).[19]

Mitigations

ID | Mitigation | Description
M1018 User Account Management

Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.

M1017 User Training

Close all browser sessions regularly and when they are no longer needed.

Detection

ID | Data Source | Data Component | Detects
DS0028 | Logon Session | Logon Session Creation

Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior.

DS0009 | Process | Process Access

This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.

DS0009 | Process | Process Modification

This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.
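As an added example (not part of the original page or of ATT&CK), the following Python triage routine applies the Process Access detection above to constructed Sysmon Event ID 10-style events: it flags a non-browser process opening a browser process with the access rights code injection requires. The single-line event layout, the sample events and the browser list are assumptions of this example.

```python
"""Detection helper for T1185 browser pivoting: flag process-access events in
which a non-browser process opens a browser process with injection rights.
Field names follow Sysmon Event ID 10 (ProcessAccess); the sample events are
constructed, and the 'Key: value|Key: value' layout is an assumption."""

# Windows process access rights (winnt.h) an injector needs on its target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Browser image names to watch (assumed list; extend for your environment).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}

# Constructed sample events, one per line.
SAMPLE_EVENTS = """\
SourceImage: C:\\Program Files\\Microsoft Office\\WINWORD.EXE|TargetImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|GrantedAccess: 0x1FFFFF
SourceImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|TargetImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|GrantedAccess: 0x1FFFFF
SourceImage: C:\\Windows\\System32\\Taskmgr.exe|TargetImage: C:\\Program Files\\Mozilla Firefox\\firefox.exe|GrantedAccess: 0x1000
SourceImage: C:\\Windows\\System32\\rundll32.exe|TargetImage: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|GrantedAccess: 0x0028
SourceImage: C:\\Windows\\System32\\svchost.exe|TargetImage: C:\\Windows\\System32\\notepad.exe|GrantedAccess: 0x1FFFFF
"""

def parse_event(line):
    """Split one constructed 'Key: value|Key: value' line into a dict."""
    return dict(part.split(": ", 1) for part in line.split("|"))

def image_name(path):
    """File name of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def is_suspicious(event):
    src = image_name(event["SourceImage"])
    dst = image_name(event["TargetImage"])
    # Only browser targets matter; a browser opening its own child processes
    # (renderer, GPU) legitimately asks for broad rights, so same-image is skipped.
    if dst not in BROWSERS or src == dst:
        return False
    granted = int(event["GrantedAccess"], 16)
    # Any write/operation/create-thread right is enough to plant and run code;
    # query-only handles such as 0x1000 are left alone.
    return bool(granted & INJECTION_MASK)

def triage(raw_events):
    """Return (source, target, granted access) for each suspicious event."""
    hits = []
    for line in raw_events.strip().splitlines():
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((image_name(ev["SourceImage"]),
                         image_name(ev["TargetImage"]), ev["GrantedAccess"]))
    return hits
```

The same-image exemption is a shortcut for the sample data; in production compare full image paths and signer information rather than file names, since a process can be named after a browser binary.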

References