T1539 Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g., apps which authenticate to cloud services). Because a session cookie is issued only after the user has completed authentication, replaying it can bypass some multi-factor authentication protocols.(Citation: Pass The Cookie)

There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on User Execution by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)

There are also open source frameworks such as Evilginx2 and Muraena that can gather session cookies through a malicious proxy (e.g., Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)

After an adversary acquires a valid cookie, they can then use it in the Use Alternate Authentication Material: Web Session Cookie technique (T1550.004) to log in to the corresponding web application as the victim.
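The paragraphs above name the places a cookie can be taken from (cleartext network traffic, the browser's disk and memory, page JavaScript) and note that long-lived cookies are the most useful to steal. The following Python script is an added example, not part of the ATT&CK page or of any tool it cites: it parses Set-Cookie header values and reports the hardening attributes that close each of those exposures (Secure, HttpOnly, SameSite and a bounded lifetime). The two header samples, the fixed clock and the eight-hour lifetime threshold are constructed for the example.

```python
"""Audit Set-Cookie headers for the attributes that limit cookie theft and replay.

Added example for this page; not MITRE ATT&CK, CRI or vendor code. Each check maps
to an exposure named in the technique description:
  Secure     -> never sent over cleartext HTTP, so not present in plain traffic
  HttpOnly   -> not readable via document.cookie, so injected or user-executed
                JavaScript cannot read it
  SameSite   -> not attached to cross-site requests
  lifetime   -> a copy lifted from disk or memory stops working soon after
The header samples, the fixed clock and the lifetime threshold are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption for this example: a session cookie should not outlive a working day.
MAX_SESSION_LIFETIME = 8 * 3600
# Fixed clock so Expires-based lifetimes are reproducible in the demo.
EXAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed headers: one as commonly seen in the wild, one hardened. The __Host-
# prefix makes browsers additionally enforce Secure, Path=/ and no Domain attribute.
WEAK_HEADER = "SESSIONID=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
HARDENED_HEADER = "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict[str, str | None] = field(default_factory=dict)  # lower-cased attribute names


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and attributes (RFC 6265 syntax)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None  # flag attrs have no value
    return Cookie(name.strip(), value, attrs)


def lifetime_seconds(cookie: Cookie, now: datetime) -> int | None:
    """Lifetime in seconds from Max-Age (takes precedence) or Expires.

    Returns None for a session-only cookie (cleared when the browser closes) or
    when the attribute is unparseable.
    """
    if "max-age" in cookie.attrs:
        try:
            return int(cookie.attrs["max-age"] or "")
        except ValueError:
            return None
    expires = cookie.attrs.get("expires")
    if expires:
        try:
            exp = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return None
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return int((exp - now).total_seconds())
    return None


def audit_cookie(header: str, now: datetime | None = None) -> list[str]:
    """Return findings for one Set-Cookie header; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: cookie can be captured from cleartext traffic")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: cookie is readable by page JavaScript")
    if (cookie.attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie is sent on cross-site requests")
    life = lifetime_seconds(cookie, now)
    if life is not None and life > MAX_SESSION_LIFETIME:
        findings.append(f"lifetime {life}s exceeds {MAX_SESSION_LIFETIME}s: a stolen copy stays valid too long")
    return findings


if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(parse_set_cookie(header).name)
        for finding in audit_cookie(header, now=EXAMPLE_NOW) or ["ok"]:
            print("  -", finding)
```

The weak header fails all four checks; the hardened one passes. Note that the attributes only narrow where the cookie is exposed: HttpOnly stops script reading but does nothing against malware reading the browser's cookie store, and a short lifetime only shortens the replay window rather than preventing it.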


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

PR.PS-01.01 | Configuration baselines | Mitigates | T1539 | Steal Web Session Cookie
    Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

PR.PS-01.02 | Least functionality | Mitigates | T1539 | Steal Web Session Cookie
    Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

PR.AA-05.02 | Privileged system access | Mitigates | T1539 | Steal Web Session Cookie
    Comments: This diagnostic statement protects against Steal Web Session Cookie through privileged account management and multi-factor authentication.

DE.CM-09.01 | Software and data integrity checking | Mitigates | T1539 | Steal Web Session Cookie
    Comments: This diagnostic statement protects against Steal Web Session Cookie by verifying software and firmware integrity, loading only trusted software, ensuring privileged process integrity, and checking software signatures.

PR.PS-02.01 | Patch identification and application | Mitigates | T1539 | Steal Web Session Cookie
    Comments: This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Regularly updating web browsers, password managers, and related software to the latest versions reduces the risk of attackers exploiting vulnerabilities to extract stored credentials or steal web session cookies.

PR.PS-01.03 | Configuration deviation | Mitigates | T1539 | Steal Web Session Cookie
    Comments: This diagnostic statement provides protection from Steal Web Session Cookie through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. A baseline security configuration, including the automated deletion of cookies, helps protect against adversaries attempting to compromise software and its configurations.

PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1539 | Steal Web Session Cookie
    Comments: This diagnostic statement protects against Steal Web Session Cookie through key management and key revocation. Protecting the key material used for multi-factor authentication in cookie-based web application authentication, and limiting its use to specific accounts through access control mechanisms, provides protection against adversaries attempting to steal session cookies.

DE.CM-01.05 | Website and service blocking | Mitigates | T1539 | Steal Web Session Cookie
    Comments: This diagnostic statement provides for implementing tools and measures for web-based content and browser security settings that can help prevent session cookie theft.

PR.AA-03.01 | Authentication requirements | Mitigates | T1539 | Steal Web Session Cookie
    Comments: This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, using multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials.

PR.AA-01.01 | Identity and credential management | Mitigates | T1539 | Steal Web Session Cookie
    Comments: This diagnostic statement protects against Steal Web Session Cookie through hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1539 | Steal Web Session Cookie
CM-06 | Configuration Settings | mitigates | T1539 | Steal Web Session Cookie
IA-05 | Authenticator Management | mitigates | T1539 | Steal Web Session Cookie
SI-03 | Malicious Code Protection | mitigates | T1539 | Steal Web Session Cookie
AC-20 | Use of External Systems | mitigates | T1539 | Steal Web Session Cookie
CM-02 | Baseline Configuration | mitigates | T1539 | Steal Web Session Cookie
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1539 | Steal Web Session Cookie
SI-04 | System Monitoring | mitigates | T1539 | Steal Web Session Cookie
AC-03 | Access Enforcement | mitigates | T1539 | Steal Web Session Cookie
AC-06 | Least Privilege | mitigates | T1539 | Steal Web Session Cookie

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.hacking.variety.Forced browsing | Forced browsing or predictable resource location. Child of 'Exploit vuln'. | related-to | T1539 | Steal Web Session Cookie
action.hacking.variety.AiTM | Adversary-in-the-middle attack. Child of 'Exploit vuln'. | related-to | T1539 | Steal Web Session Cookie
action.hacking.variety.Session replay | Session replay. Child of 'Exploit vuln'. | related-to | T1539 | Steal Web Session Cookie
action.malware.variety.Capture app data | Capture data from application or system process. | related-to | T1539 | Steal Web Session Cookie
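The VERIS "Session replay" mapping, together with the description's point that a stolen cookie lets the adversary act as the already-authenticated user, suggests one detection: a session identifier that keeps working but suddenly arrives from a different client. The following Python script is an added example, not an ATT&CK, CRI or VERIS artifact. It runs over constructed JSON access-log lines, binds each session to the fingerprint of its first request, and alerts when a later request on that session changes User-Agent or moves to a different /16 network. The log format, the field names and the /16 heuristic are assumptions made for the example.

```python
"""Flag session-cookie replay ('pass the cookie') in web access logs.

Added example for this page; not an ATT&CK, CRI or VERIS artifact. A replayed cookie
carries the victim's session identifier but is sent from the adversary's client, so
the same session suddenly shows a different User-Agent or source network. Each
session is bound to the fingerprint of its first request and later requests are
compared against it. The JSON log format, field names and the /16 network heuristic
are assumptions for the example; the log lines below are constructed.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

# Constructed access log: sid-1111 is used from one Chrome client, roams to another
# address inside the same network, and is then replayed from a different network by a
# scripted client. sid-2222 is a normal session and must not alert.
SAMPLE_LOG = """
{"ts": "2025-03-01T09:00:01Z", "session": "sid-1111", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/122", "path": "/dashboard", "status": 200}
{"ts": "2025-03-01T09:00:05Z", "session": "sid-1111", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/122", "path": "/mail", "status": 200}
{"ts": "2025-03-01T09:12:40Z", "session": "sid-1111", "ip": "203.0.113.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/122", "path": "/mail", "status": 200}
{"ts": "2025-03-01T09:30:00Z", "session": "sid-1111", "ip": "198.51.100.5", "ua": "python-requests/2.31", "path": "/admin/export", "status": 200}
{"ts": "2025-03-01T10:00:00Z", "session": "sid-2222", "ip": "192.0.2.20", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "path": "/dashboard", "status": 200}
{"ts": "2025-03-01T10:05:00Z", "session": "sid-2222", "ip": "192.0.2.20", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "path": "/docs", "status": 200}
"""


@dataclass(frozen=True)
class Fingerprint:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    user_agent: str


def fingerprint(ip: str, user_agent: str) -> Fingerprint:
    """Coarse client identity: the /16 (IPv4) or /32 (IPv6) containing the source IP, plus UA.

    A bare IP change is noisy (mobile carriers, corporate egress pools), so the address
    is bucketed into a network. The prefix lengths are an assumption for this example;
    a production detection would use ASN or geolocation lookups instead.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return Fingerprint(ipaddress.ip_network(f"{addr}/{prefix}", strict=False), user_agent)


def detect_replay(log_text: str) -> list[dict]:
    """Return one alert per request whose fingerprint differs from its session's first request.

    Binding happens on the first request seen for a session, so the log window must start
    at or before the victim's login; otherwise the adversary's request becomes the
    baseline and the victim's own traffic is what gets flagged.
    """
    bound: dict[str, Fingerprint] = {}
    alerts: list[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        current = fingerprint(event["ip"], event["ua"])
        baseline = bound.setdefault(event["session"], current)  # first sighting becomes baseline
        reasons = []
        if current.user_agent != baseline.user_agent:
            reasons.append("user_agent_changed")
        if current.network != baseline.network:
            reasons.append("network_changed")
        if reasons:
            alerts.append({
                "session": event["session"],
                "ts": event["ts"],
                "ip": event["ip"],
                "path": event["path"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_replay(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample log only the fourth request alerts, with both reasons; the address change on the third request stays silent because it remains inside the bound network. The response to a hit should be to invalidate the session server-side rather than to block the source address, since the cookie is what the adversary holds.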