Update ai-agent-mode-phishing-abusing-hosted-agent-browsers.md

This commit is contained in:
SirBroccoli 2025-09-29 23:36:25 +02:00 committed by GitHub
parent 8e8919b4fd
commit 8852b057a3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -37,67 +37,6 @@ Notes:
- Host the domain on your infrastructure with valid TLS to avoid basic heuristics.
- The agent will typically present the login inside a virtualized browser pane and request user handoff for credentials.
## Infrastructure & Fingerprints
- Egress: Requests from the hosted browser originate from the AI providers infrastructure or its CDN (commonly Cloudflare IP space observed in testing).
- Browser fingerprint: Stable user-agent and device characteristics across sessions are common. Example user-agent observed during testing:
- Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
- Implication: Endpoint and network tools on the users device may have no visibility of the credential entry event, because all interaction happens in the cloud session.
## Detection & Hunting
Identity-layer (IDP) signals:
- New or unusual egress ASN/ISP for a principal immediately after an AI agent interaction.
- Consistent hosted-browser UA/device string across multiple users or sessions that does not match the victims endpoint baseline.
- Session establishment on the app/IDP with no corresponding endpoint/browser telemetry for the same user.
Practical ideas:
- Maintain a watchlist of known/observed agent egress providers (e.g., Cloudflare, vendor-owned ranges) and stable hosted-browser UAs for correlation.
- Retain atomic indicators from cases: cloud egress IP/ASN, UA string, destination phishing host(s), and timestamps relative to assistant interactions.
Example KQL (Entra ID sign-ins adjust as platform evolves):
```kql
SigninLogs
| where AppDisplayName in~ ("Office 365", "Microsoft Entra ID", "OAuth2")
| where UserAgent has "Chrome/138.0.0.0" and UserAgent has "Mac OS X 10_15_7"
| extend ISP = tostring(parse_json(NetworkLocationDetails)[0].isp)
| where ISP has_any ("Cloudflare", "OpenAI", "Akamai", "Fastly")
| project TimeGenerated, UserPrincipalName, IPAddress, ISP, UserAgent, AppDisplayName, Location
```
Example Splunk (Okta System Log):
```spl
index=okta sourcetype=okta:im2 eventType=system.login.success
| search userAgent.os="Mac OS X 10.15.7" userAgent.browser="CHROME" userAgent.rawUserAgent="*Chrome/138.0.0.0*"
| stats values(client.ipAddress) as ips, values(client.geographicalContext.city) as cities by actor.alternateId
```
Web/App telemetry (if available):
- Detect credential POSTs and session cookies issued to a UA/device tuple that doesnt align with the users workstation fingerprint.
- Flag identity success events where the client IP ASN/geo deviates from baseline and immediately follows an AI agent interaction.
## Mitigations
- Restrict/disable agent mode on managed devices (desktop apps and web UI) if not needed.
- Enforce identity-centric controls at the IDP:
- Require verified devices / managed browsers for SSO.
- Block sign-ins from unknown egress locations or untrusted networks.
- Step-up auth for risky sign-ins from cloud egress ASNs unless explicitly sanctioned.
- Governance/visibility for AI tooling:
- Inventory which users can invoke agentic browsing and where hosted sessions are permitted.
- Monitor for browsing sessions launched by AI agents (vendor logs if exposed; CASB/SSPM where applicable).
- Detection engineering:
- Continuously update detections as agent platforms evolve (egress IPs, UA strings, TLS fingerprints).
- Correlate user-reported assistant flows with identity anomalies in the same timeframe.
## Operator Tips
- Use domains with legit branding and TLS; avoid obviously suspicious names.
- Ensure the page renders well inside the hosted browser (no blocked iframes, minimal CSP friction).
- Keep the shared prompt short and authoritative; instruct the agent to explain to the user that auth is required and to proceed.
## Related Techniques
- General MFA phishing via reverse proxies (Evilginx, etc.) is still effective but requires inline MitM. Agent-mode abuse shifts the flow to a trusted assistant UI and a remote browser that many controls ignore.
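Review bot: the hunk header (-37,67 +37,6) shows this change collapses 67 lines of the section to 6, so the Detection & Hunting and Mitigations material (the IDP signals, the Entra ID KQL and Okta Splunk queries, the device/egress controls) goes with the Operator Tips; if the intent is to strip the operator-facing guidance, consider keeping the detection and mitigation subsections, since they are the defender-facing content of the page. Note also that both queries pin a single build string ("Chrome/138.0.0.0", "Mac OS X 10_15_7"), which the text itself says must be adjusted as the platform evolves; a retained version should state that the UA and ISP values are observed samples, not stable indicators.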