T1539: Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.

There are several examples of malware targeting cookies from web browsers on the local system. Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on User Execution by tricking victims into running malicious JavaScript in their browser.

There are also open source frameworks such as Evilginx2 and Muraena that can gather session cookies through a malicious proxy (e.g., Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.

After an adversary acquires a valid cookie, they can then use the Web Session Cookie technique to log in to the corresponding web application.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_cred_access: PT-CR-2467: Access_To_Web_Browsers_Process: Signs of programs accessing the process memory of the Google Chrome, Microsoft Edge, or Microsoft Edge WebView2 browsers. This may indicate an attempt to dump cookies from the process memory using a utility like CookieKatz.

mitre_attck_lateral_movement: PT-CR-1927: Start_Browser_Pivoting: A browser was started with remote debugging enabled, which can be used to forward traffic to an attacker's machine.

mitre_attck_lateral_movement: PT-CR-1928: Subrule_Browser_Remote_Debugging: Attempt to start a browser with remote debugging enabled, which can be used to forward traffic to an attacker's machine.

Detection

ID: DS0009
Data source and component: Process: Process Access
Description:

Monitor for attempts by programs to inject into or dump browser process memory.
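As an added illustration (not part of the ATT&CK page or of any Positive Technologies rule), a small Python detector that applies the two checks above to event lines: a non-browser program opening a browser's process memory, and a browser started with remote debugging enabled. The event format is a constructed, simplified "key=value|key=value" line, not real Sysmon or SIEM telemetry, and the access-mask and switch name are assumptions a real rule would tune.

```python
import re

# Browser images whose process memory holds session cookies (named on the page).
BROWSERS = {"chrome.exe", "msedge.exe", "msedgewebview2.exe"}
# PROCESS_VM_READ access right (0x0010). Assumption: a production rule would
# tune the mask and allow-list legitimate agents such as AV/EDR.
PROCESS_VM_READ = 0x0010
# Chromium switch that turns on remote debugging (assumption: a real rule may
# also cover other switches and browsers).
REMOTE_DEBUG = re.compile(r"--remote-debugging-port(?:=\d+)?", re.IGNORECASE)


def parse_event(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev):
    """Return alert strings for one event; an empty list means no finding."""
    alerts = []
    if ev.get("EventID") == "10":  # ProcessAccess
        source = basename(ev.get("SourceImage", ""))
        target = basename(ev.get("TargetImage", ""))
        mask = int(ev.get("GrantedAccess", "0"), 16)
        # Browser-to-browser access (renderer/helper processes) is expected.
        if target in BROWSERS and source not in BROWSERS and mask & PROCESS_VM_READ:
            alerts.append(f"browser-memory-access: {source} -> {target} (0x{mask:04x})")
    elif ev.get("EventID") == "1":  # ProcessCreate
        image = basename(ev.get("Image", ""))
        m = REMOTE_DEBUG.search(ev.get("CommandLine", ""))
        if image in BROWSERS and m:
            alerts.append(f"browser-remote-debugging: {image} started with {m.group(0)}")
    return alerts


def scan(lines):
    return [a for line in lines if line.strip() for a in check_event(parse_event(line))]


# Constructed sample events (not real telemetry).
SAMPLE = [
    r"EventID=10|SourceImage=C:\Users\bob\Downloads\tool.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1410",
    r"EventID=10|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1400",
    r"EventID=10|SourceImage=C:\Program Files\Google\Chrome\Application\chrome.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1FFFFF",
    r"EventID=1|Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|CommandLine=msedge.exe --remote-debugging-port=9222 --user-data-dir=C:\Temp\p",
    r"EventID=1|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine=chrome.exe --profile-directory=Default",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Only the first and fourth sample events produce alerts; the csrss.exe access lacks the VM_READ bit and the chrome-to-chrome access is excluded as expected browser-internal behaviour.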

ID: DS0022
Data source and component: File: File Access
Description:

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials to cloud service management consoles. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.

Mitigation

ID: M1054
Name: Software Configuration
Description:

Configure browsers or tasks to regularly delete persistent cookies.

Additionally, minimize the length of time a web cookie is viable to potentially reduce the impact of stolen cookies while also increasing the needed frequency of cookie theft attempts – providing defenders with additional chances at detection. For example, use non-persistent cookies to limit the duration a session ID will remain on the web client cache where an attacker could obtain it.

ID: M1032
Name: Multi-factor Authentication
Description:

A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.

ID: M1017
Name: User Training
Description:

Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets.