MITRE ATT&CK® Technique

T1185: Browser Session Hijacking

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.[1]

A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user, then use the browser as a way to pivot into an authenticated intranet.[2][3] Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened, and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as SharePoint or webmail, that is accessible through the browser and for which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.[4]

Enterprise | T1185 | Technique | Object version 2.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Browser Session Hijacking matters because it can let an adversary use a victim’s already-authenticated browser context to collect information or reach internal web resources without needing to separately log in. In business terms, this can weaken reliance on cookies, client certificates, and even some two-factor authentication flows if a compromised Windows endpoint or browser process is abused.

Executive priority

Prioritize this as a Windows endpoint, identity, and intranet-access risk: the key question is whether privileged browser access, browser extensions, and authenticated web sessions are monitored and constrained enough to support incident response and audit confidence. It is especially material where critical business systems, SharePoint, webmail, or other intranet resources are commonly accessed through browsers.

Technical view

ATT&CK lists this as a Windows collection technique with no official detection text, but the related detection strategy DET0507 points defenders toward privilege use, handle access, and remote-thread activity involving browser processes. SOC and IR teams should validate whether endpoint telemetry can show suspicious access to browser processes, use of high-integrity or administrator context, SeDebugPrivilege-relevant behavior, injected/proxied browser traffic patterns, and anomalous browser extension activity. Relationship context links this technique to Cobalt Strike and multiple credential or banking malware families, so detections should be tested against both post-exploitation browser pivot concepts and malware-driven browser data interception patterns without assuming any one tool is present.

Likely telemetry

  • Endpoint process and process-access events involving browsers on Windows
  • Privilege and integrity-level evidence, including administrator context and SeDebugPrivilege-relevant activity
  • Handle access or remote-thread indicators targeting browser processes
  • Browser extension inventory, installation, and change logs where available
  • Network proxy or unusual browser-originated intranet/webmail/SharePoint access patterns

Detection direction

  • Validate DET0507-style logic for browser process access, privilege use, handle access, and remote-thread activity rather than relying only on network or identity logs.
  • Tune for legitimate administrative, debugging, accessibility, security tooling, and browser-update behaviors that may also interact with browser processes.
  • Correlate endpoint events with identity and application access logs because the activity may appear as the legitimate user’s browser session.
  • Review extension-related visibility because the supplied references include malicious Chrome extension behavior and TRANSLATEXT masquerading as a Chrome translation extension.
  • Treat successful MFA as insufficient evidence of safety when local browser-session abuse is plausible, since ATT&CK notes browser pivoting may bypass security provided by 2-factor authentication.
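As an added example (not from the page, MITRE or Glexia), the following Python hunt applies the DET0507-style direction above to constructed Sysmon-style ProcessAccess (EventID 10) and CreateRemoteThread (EventID 8) records: it flags non-browser, non-allowlisted processes that obtain injection-capable handles to, or start remote threads in, a browser. The browser set, the tooling allowlist and the sample records are assumptions to tune locally.

```python
from typing import List, Optional

# Assumed browser image names and a placeholder allowlist of tooling that may
# legitimately touch browser processes (tune both per environment).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
ALLOWED_SOURCES = {"MsMpEng.exe"}  # assumption: local EDR/AV engine, verify before use

# Win32 PROCESS_* access rights an injector needs on the target handle.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def _image(path: str) -> str:
    """Reduce a full image path to its file name (handles \\ and / separators)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one Sysmon-style event, or None if benign."""
    src, tgt = _image(event["SourceImage"]), _image(event["TargetImage"])
    if tgt.lower() not in BROWSERS or src in ALLOWED_SOURCES:
        return None
    if src.lower() in BROWSERS:  # browsers open their own tab/renderer processes
        return None
    if event["EventID"] == 8:  # CreateRemoteThread into a browser from elsewhere
        return f"remote thread into {tgt} from {src}"
    if event["EventID"] == 10:  # ProcessAccess: check the granted access mask
        granted = int(event["GrantedAccess"], 16)
        if granted & INJECT_MASK == INJECT_MASK:
            return f"injection-capable handle to {tgt} from {src} (0x{granted:X})"
    return None


def hunt(events: List[dict]) -> List[str]:
    """Run classify() over a batch of events and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample telemetry (not real logs): browser self-access, allowlisted
# engine, a Temp-dir binary with full access, a read-only query, a remote thread.
SAMPLE = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procexp64.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE):
        print(alert)
```

The mask check deliberately requires all three injection rights together, so a query-only handle such as the Process Explorer record is not flagged; correlate surviving alerts with SeDebugPrivilege use and integrity level as the telemetry list above suggests.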

Mitigation priorities

  • Apply least privilege and user account management controls so routine users and browser processes do not operate with unnecessary administrative rights.
  • Strengthen user training around suspicious browser extensions, social engineering, and reporting unusual browser behavior, consistent with M1017.
  • Maintain endpoint controls and monitoring around browser process injection or unauthorized process access, especially on systems used for sensitive intranet, webmail, or document access.
  • Review browser extension governance and approval practices where browser-based business access is important.
  • Use incident response playbooks that include session invalidation, credential review, and browser/extension inspection when browser session hijacking is suspected.

Analyst notes and limits

The supplied object is technique T1185, Browser Session Hijacking, in the enterprise ATT&CK domain. ATT&CK provides Windows as the platform and collection as the tactic. Relationships identify DET0507 as a detection strategy and M1017 User Training plus M1018 User Account Management as mitigations. Related software includes Cobalt Strike, TrickBot, Agent Tesla, Dridex, Ursnif, IcedID, Carberp, Melcoz, Grandoreiro, Chaes, QakBot, TRANSLATEXT, XLoader, and evilginx2; Kimsuky is the supplied related group. These relationships provide context for defensive validation, not proof of current activity in any environment.

MITRE did not provide official detection text for this technique, so detection guidance is derived from the supplied description and related DET0507 name. Local browser choice, endpoint logging, identity architecture, extension management, and application session controls will determine actual visibility and risk. The supplied platform for the technique is Windows, though one related software entry includes cloud and identity-provider platforms; this take does not generalize the technique beyond the supported ATT&CK fields.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

G0094: Kimsuky (Group, Enterprise)

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

S0266: TrickBot (Malware, Enterprise)

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[1][2][3][4]

Platforms: Windows

S0384: Dridex (Malware, Enterprise)

Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).[1][2][3]

Platforms: Windows

S0484: Carberp (Malware, Enterprise)

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[1][2][3]

Platforms: Windows

S1201: TRANSLATEXT (Malware, Enterprise)

TRANSLATEXT is malware that is believed to be used by Kimsuky.[1] TRANSLATEXT masqueraded as a Google Translate extension for Google Chrome, but is actually a collection of four malicious Javascript files that perform defense evasion, information collection and exfiltration.[1]

Platforms: Windows

S0530: Melcoz (Malware, Enterprise)

Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.[1]

Platforms: Windows

S9003: evilginx2 (Tool, Enterprise)

evilginx2 is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. evilginx2 can be used as a reverse proxy between victims and legitimate web services to intercept and capture credentials, authentication tokens, and session cookies.[1][2][3]

Platforms: IaaS, Identity Provider, Office Suite

S0531: Grandoreiro (Malware, Enterprise)

Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.[1][2]

Platforms: Windows

S1207: XLoader (Malware, Enterprise)

XLoader is an infostealer malware in use since at least 2016. Previously known and sometimes still referred to as Formbook, XLoader is a Malware as a Service (MaaS) known for stealing data from web browsers, email clients and File Transfer Protocol (FTP) applications.[1][2][3][4][5]

Platforms: Windows

S0650: QakBot (Malware, Enterprise)

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]

Platforms: Windows

S0154: Cobalt Strike (Malware, Enterprise)

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]

Platforms: Linux, macOS, Windows

S0483: IcedID (Malware, Enterprise)

IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.[1][2]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.1
Raw hash: 3843927349435cb4...
Imported snapshots across ATT&CK releases: 1 (release 19.1, object version 2.1, current bundle)

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018.
  2. Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018.
  3. De Tore, M., Warner, J. (2018, January 15). Malicious Chrome Extensions Enable Criminals to Impact Over Half a Million Users and Global Businesses. Retrieved January 17, 2018.
  4. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  5. MITRE ATT&CK. T1185: Browser Session Hijacking.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.