An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g., apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols. (Citation: Pass The Cookie)
There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on User Execution by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
There are also open source frameworks such as Evilginx2 and Muraena that can gather session cookies through a malicious proxy (e.g., Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
After an adversary acquires a valid cookie, they can then use it to log in to the corresponding web application (the Web Session Cookie technique).
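The observable a defender has against the scenario just described is the stolen cookie being presented from a client other than the one that authenticated. The following is an added example, not code from MITRE ATT&CK or from the mapping project, that runs that check over web access logs: for each session it records the client that established the session and alerts when a later request arrives with a different User-Agent, from outside the establishing /24, or both. The log format, the field names, the `/24` heuristic, and every sample line are constructed assumptions for this example; the log is assumed to carry a hash of the session cookie rather than its value.

```python
"""Session-cookie replay detection over constructed web access logs.

Added illustration for the technique description above; not code from
MITRE ATT&CK, NIST, or the mapping project.  Log format, field names and
all sample lines are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
import re

# Constructed log format (assumption): one line per request; the web tier
# logs a short hash of the session cookie, never the cookie value itself,
# so the log cannot be harvested for usable tokens.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>[0-9a-f]{8}) ip=(?P<ip>\S+) "
    r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)

# Constructed sample: session 9a7f03c1 is established from 203.0.113.10,
# used from a neighbouring address in the same /24 (benign DHCP/NAT churn),
# then hours later from a different network with a non-browser User-Agent.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z sid=9a7f03c1 ip=203.0.113.10 ua="Firefox/125.0 (Windows)" path=/login
2024-05-01T09:01:10Z sid=9a7f03c1 ip=203.0.113.10 ua="Firefox/125.0 (Windows)" path=/mail/inbox
2024-05-01T09:04:45Z sid=9a7f03c1 ip=203.0.113.11 ua="Firefox/125.0 (Windows)" path=/mail/inbox
2024-05-01T13:22:08Z sid=9a7f03c1 ip=198.51.100.77 ua="curl/8.5.0" path=/mail/export
2024-05-01T09:30:00Z sid=51e2b6aa ip=192.0.2.5 ua="Safari/17.4 (iPhone)" path=/login
2024-05-01T09:31:00Z sid=51e2b6aa ip=192.0.2.5 ua="Safari/17.4 (iPhone)" path=/mail/inbox
"""


@dataclass(frozen=True)
class Request:
    ts: datetime
    sid: str
    ip: str
    ua: str
    path: str


@dataclass(frozen=True)
class Alert:
    sid: str
    ts: datetime
    reason: str
    severity: str


def parse_line(line: str) -> Request:
    """Parse one constructed log line; reject anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Request(ts, m["sid"], m["ip"], m["ua"], m["path"])


def same_network(origin_ip: str, ip: str, prefix: int = 24) -> bool:
    """Rough 'same client' heuristic (assumption): DHCP churn and NAT pools
    usually stay inside one /24, so only a move outside it counts as a change."""
    return ip_address(ip) in ip_network(f"{origin_ip}/{prefix}", strict=False)


def detect_replay(log_text: str) -> list[Alert]:
    """Return one Alert per request whose client differs from the session origin."""
    per_session: dict[str, list[Request]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse_line(line)
            per_session[r.sid].append(r)

    alerts: list[Alert] = []
    for sid, reqs in per_session.items():
        # Sort by time so out-of-order log shipping cannot make a later
        # request look like the client that established the session.
        reqs.sort(key=lambda r: r.ts)
        origin = reqs[0]
        for r in reqs[1:]:
            ua_changed = r.ua != origin.ua
            net_changed = not same_network(origin.ip, r.ip)
            if ua_changed and net_changed:
                alerts.append(Alert(sid, r.ts, "ua_and_network_change", "high"))
            elif ua_changed:
                # A browser does not change its User-Agent mid-session; a token
                # pasted into another tool or browser does.
                alerts.append(Alert(sid, r.ts, "ua_change", "medium"))
            elif net_changed:
                # Roaming and VPN clients also trip this, so alone it stays low.
                alerts.append(Alert(sid, r.ts, "network_change", "low"))
    return alerts


if __name__ == "__main__":
    for a in detect_replay(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} sid={a.sid} {a.reason} severity={a.severity}")
```

On the sample, only the `curl` request from 198.51.100.77 against session `9a7f03c1` is flagged, at high severity; the move from .10 to .11 inside the same /24 is deliberately tolerated. The network heuristic is the noisy part in practice (mobile and VPN users change networks legitimately), which is why it is scored low on its own and combined with the User-Agent signal for the high-confidence case. The same per-session origin data can be enforced server-side by invalidating the session, and the exposure window shrinks further if the cookie lifetime is kept short rather than the extended validity the description above notes.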
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1539 | Steal Web Session Cookie | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.02 | Least functionality | Mitigates | T1539 | Steal Web Session Cookie | This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems have installed and enabled only what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
PR.AA-05.02 | Privileged system access | Mitigates | T1539 | Steal Web Session Cookie | This diagnostic statement protects against Steal Web Session Cookie through privileged account management and multi-factor authentication. |
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1539 | Steal Web Session Cookie | This diagnostic statement protects against Steal Web Session Cookie by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1539 | Steal Web Session Cookie | This diagnostic statement relates to the implementation of a patch management program. Applying vendor-provided patches and upgrades for products and systems mitigates the risk of adversaries exploiting known vulnerabilities. Regularly updating web browsers, password managers, and related software to the latest versions reduces the risk of attackers exploiting vulnerabilities to extract stored credentials or steal web session cookies. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1539 | Steal Web Session Cookie | This diagnostic statement provides protection from Steal Web Session Cookie through security configuration baselines for the OS and software, file integrity monitoring, and imaging. A baseline security configuration that includes the automated deletion of cookies can help protect against adversaries attempting to compromise and modify software and its configurations. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1539 | Steal Web Session Cookie | This diagnostic statement protects against Steal Web Session Cookie through key management and key revocation. Protecting the key material used for multi-factor authentication in web applications that rely on cookies, restricting that material to specific accounts, and enforcing access control mechanisms provides protection against adversaries attempting to steal session cookies. |
DE.CM-01.05 | Website and service blocking | Mitigates | T1539 | Steal Web Session Cookie | This diagnostic statement provides for implementing tools and measures for web-based content and browser security settings that can help prevent session cookie theft. |
PR.AA-03.01 | Authentication requirements | Mitigates | T1539 | Steal Web Session Cookie | This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, using multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1539 | Steal Web Session Cookie | This diagnostic statement protects against Steal Web Session Cookie through hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1539 | Steal Web Session Cookie | |
CM-06 | Configuration Settings | mitigates | T1539 | Steal Web Session Cookie | |
IA-05 | Authenticator Management | mitigates | T1539 | Steal Web Session Cookie | |
SI-03 | Malicious Code Protection | mitigates | T1539 | Steal Web Session Cookie | |
AC-20 | Use of External Systems | mitigates | T1539 | Steal Web Session Cookie | |
CM-02 | Baseline Configuration | mitigates | T1539 | Steal Web Session Cookie | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1539 | Steal Web Session Cookie | |
SI-04 | System Monitoring | mitigates | T1539 | Steal Web Session Cookie | |
AC-03 | Access Enforcement | mitigates | T1539 | Steal Web Session Cookie | |
AC-06 | Least Privilege | mitigates | T1539 | Steal Web Session Cookie | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Forced browsing | Forced browsing or predictable resource location. Child of 'Exploit vuln'. | related-to | T1539 | Steal Web Session Cookie | |
action.hacking.variety.AiTM | Adversary-in-the-middle attack. Child of 'Exploit vuln'. | related-to | T1539 | Steal Web Session Cookie | |
action.hacking.variety.Session replay | Session replay. Child of 'Exploit vuln'. | related-to | T1539 | Steal Web Session Cookie | |
action.malware.variety.Capture app data | Capture data from application or system process. | related-to | T1539 | Steal Web Session Cookie | |