T1539 Steal Web Session Cookie Mappings

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Because the cookie is issued after authentication has already completed, replaying a stolen session cookie can bypass some multi-factor authentication protocols.(Citation: Pass The Cookie)

There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (e.g. Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)

After an adversary acquires a valid cookie, they can then use it to log in to the corresponding web application (Use Alternate Authentication Material: Web Session Cookie).


Mappings

Capability IDs of the form XX-N are NIST SP 800-53 controls (mapping type "Protects"); those of the form action.*.variety.* are VERIS enumerations (mapping type "related-to").

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
AC-20 | Use of External Systems | Protects | T1539 | Steal Web Session Cookie
AC-3 | Access Enforcement | Protects | T1539 | Steal Web Session Cookie
AC-6 | Least Privilege | Protects | T1539 | Steal Web Session Cookie
CA-7 | Continuous Monitoring | Protects | T1539 | Steal Web Session Cookie
CM-2 | Baseline Configuration | Protects | T1539 | Steal Web Session Cookie
CM-6 | Configuration Settings | Protects | T1539 | Steal Web Session Cookie
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1539 | Steal Web Session Cookie
IA-5 | Authenticator Management | Protects | T1539 | Steal Web Session Cookie
SI-3 | Malicious Code Protection | Protects | T1539 | Steal Web Session Cookie
SI-4 | System Monitoring | Protects | T1539 | Steal Web Session Cookie
action.hacking.variety.Forced browsing | Forced browsing or predictable resource location. Child of 'Exploit vuln'. | related-to | T1539 | Steal Web Session Cookie
action.hacking.variety.MitM | Man-in-the-middle attack. Child of 'Exploit vuln'. | related-to | T1539 | Steal Web Session Cookie
action.hacking.variety.Session replay | Session replay. Child of 'Exploit vuln'. | related-to | T1539 | Steal Web Session Cookie
action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1539 | Steal Web Session Cookie