Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.(Citation: Pass The Cookie)
There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on User Execution by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
There are also open source frameworks such as Evilginx2 and Muraena that can gather session cookies through a malicious proxy (e.g., Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
After an adversary acquires a valid cookie, they can then use the Web Session Cookie technique to log in to the corresponding web application.
Platforms
Mitigations (6)
Audit (M1047)
Implement auditing for authentication activities and user logins to detect the use of stolen session cookies. Monitor for impossible travel scenarios and anomalous behavior that could indicate the use of compromised session tokens or cookies.
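As an added example for the auditing point above (not code from the ATT&CK page or its cited sources), the following Python checks a stream of authentication events for the same session ID appearing from two locations that could not plausibly be reached in the elapsed time, or with a changed user agent. The log lines and the IP geolocation table are constructed for the example; a real deployment would read the IdP or web-tier logs and a GeoIP database.

```python
import math
from datetime import datetime

# Constructed authentication log lines (timestamp, user, session id, source IP, user agent).
# Every value here is made up for this example; a real feed would come from the IdP or web tier.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z alice sess=c0ffee01 ip=203.0.113.10 ua=Firefox/123
2024-03-01T09:12:00Z alice sess=c0ffee01 ip=203.0.113.10 ua=Firefox/123
2024-03-01T09:20:00Z alice sess=c0ffee01 ip=198.51.100.7 ua=curl/8.4.0
2024-03-01T10:00:00Z bob   sess=deadbeef ip=192.0.2.44   ua=Chrome/122
2024-03-01T10:30:00Z bob   sess=deadbeef ip=192.0.2.45   ua=Chrome/122
"""

# Constructed (lat, lon) table standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": (51.50, -0.12),   # London
    "198.51.100.7": (40.70, -74.00),  # New York
    "192.0.2.44": (48.85, 2.35),      # Paris
    "192.0.2.45": (48.86, 2.36),      # Paris, neighbouring address
}
MAX_KMH = 900.0  # fastest plausible legitimate travel speed (roughly an airliner)


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_line(line):
    """Split one constructed log line into a dict with a timezone-aware timestamp."""
    ts, user, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "user": user, **fields}


def find_session_replay(log_text):
    """Return (session id, alert type, previous value, new value) for each suspicious reuse."""
    last_seen, alerts = {}, []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        prev = last_seen.get(ev["sess"])
        if prev and prev["ip"] != ev["ip"]:
            hours = max((ev["ts"] - prev["ts"]).total_seconds() / 3600, 1e-9)
            if haversine_km(GEO[prev["ip"]], GEO[ev["ip"]]) / hours > MAX_KMH:
                alerts.append((ev["sess"], "impossible_travel", prev["ip"], ev["ip"]))
        if prev and prev["ua"] != ev["ua"]:
            alerts.append((ev["sess"], "user_agent_change", prev["ua"], ev["ua"]))
        last_seen[ev["sess"]] = ev
    return alerts
```

Bob's two Paris addresses are a normal network change and produce no alert; Alice's session moving from London to New York in eight minutes, with a different client, is the pattern this mitigation asks defenders to catch.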
Software Configuration (M1054)
Configure browsers or tasks to regularly delete persistent cookies.
Additionally, minimize the length of time a web cookie is viable to potentially reduce the impact of stolen cookies while also increasing the needed frequency of cookie theft attempts – providing defenders with additional chances at detection.(Citation: Token tactics) For example, use non-persistent cookies to limit the duration
Restrict Web-Based Content (M1021)
Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface.
Multi-factor Authentication (M1032)
Deploy hardware-based tokens (e.g., YubiKey or FIDO keys), which incorporate the target login domain as part of the negotiation protocol and therefore prevent session cookie theft through proxy methods.
Implement Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra. This mitigates the risk of session cookie replay attacks by ens
Update Software (M1051)
Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.
User Training (M1017)
Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets.
Threat Groups (8)
| ID | Group | Context |
|---|---|---|
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.(Citation: K... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used malware, such as [TRANSLATEXT](https://attack.mitre.org/software/S1201), to steal and exfilt... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) used information stealer malware to collect browser session cookies.(Citation: Leonard TAG 2023... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) retrieves browser cookies via Raccoon Stealer.(Citation: CISA Scattered Spider Advisory Nove... |
| G0120 | Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) can steal cookies and session information from browsers.(Citation: ESET EvilNum July 2020) |
| G1033 | Star Blizzard | [Star Blizzard](https://attack.mitre.org/groups/G1033) has used EvilGinx to steal the session cookies of victims directed to phishing domains.(Citati... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has used publicly-available tools to steal cookies from browsers such as Chrome.(Citation: Cisc... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has used custom malware to steal login and cookie data from common browsers.(Citation: Mandiant APT42-c... |
Associated Software (19)
| ID | Name | Type | Context |
|---|---|---|---|
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can steal the victim's cookies to use for duplicating the active session from another device.(C... |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) can capture web session cookies and session information from victim browsers.(Citation: Google XLoa... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has harvested Safari cookies stored within `/Library/Containers/com.apple.Safari/Data/Library/Coo... |
| S0492 | CookieMiner | Malware | [CookieMiner](https://attack.mitre.org/software/S0492) can steal Google Chrome and Apple Safari browser cookies from the victim’s machine. (Citation: ... |
| S9003 | evilginx2 | Tool | [evilginx2](https://attack.mitre.org/software/S9003) can collect information on each session with a victim including the session cookie.(Citation: Evi... |
| S1140 | Spica | Malware | [Spica](https://attack.mitre.org/software/S1140) has the ability to steal cookies from Chrome, Firefox, Opera, and Edge browsers.(Citation: Google TAG... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) has the ability to capture web session cookies.(Citation: Kroll Qakbot June 2020)(Citation: Kaspersk... |
| S0568 | EVILNUM | Malware | [EVILNUM](https://attack.mitre.org/software/S0568) can harvest cookies and upload them to the C2 server.(Citation: Prevailion EvilNum May 2020) |
| S1201 | TRANSLATEXT | Malware | [TRANSLATEXT](https://attack.mitre.org/software/S1201) has exfiltrated updated cookies from Google, Naver, Kakao or Daum to the C2 server.(Citation: Z... |
| S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) has used a script that extracts the web session cookie and sends it to the C2 server.(Citation: Cyber... |
| S0657 | BLUELIGHT | Malware | [BLUELIGHT](https://attack.mitre.org/software/S0657) can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers.(Citation: Vol... |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) has stolen browser cookies and settings.(Citation: ESET RedLine Stealer November 2024)(Cita... |
| S1146 | MgBot | Malware | [MgBot](https://attack.mitre.org/software/S1146) includes modules that can steal cookies from Firefox, Chrome, and Edge web browsers.(Citation: ESET E... |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) uses <code>scp</code> to access the <code>~/Library/Cookies/Cookies.binarycookies</code> file.(Citat... |
| S0467 | TajMahal | Malware | [TajMahal](https://attack.mitre.org/software/S0467) has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, FireFox a... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) attempts to steal Opera cookies, if present, after terminating the related process.(Citation: Rapi... |
| S1148 | Raccoon Stealer | Malware | [Raccoon Stealer](https://attack.mitre.org/software/S1148) attempts to steal cookies and related information in browser history.(Citation: Sekoia Racc... |
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has harvested cookies from various browsers.(Citation: Cybereason LumaStealer Undated)(Citati... |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) can list the contents of `%LocalAppData%\Google\Chrome\User Data\` and `%LocalAppData%\Microsoft\E... |
References
- Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious Bookmarks. Retrieved January 2, 2024.
- Chen, Y., Hu, W., Xu, Z., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
- Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.
- Orrù, M., Trotta, G. (2019, September 11). Muraena. Retrieved October 14, 2019.
- Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.
- Tiago Pereira. (2023, November 2). Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”. Retrieved January 2, 2024.
Frequently Asked Questions
What is T1539 (Steal Web Session Cookie)?
T1539 is a MITRE ATT&CK technique named 'Steal Web Session Cookie'. It belongs to the Credential Access tactic(s). An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applica...
How can T1539 be detected?
Detection of T1539 (Steal Web Session Cookie) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1539?
There are 6 documented mitigations for T1539. Key mitigations include: Audit, Software Configuration, Restrict Web-Based Content, Multi-factor Authentication, Update Software.
Which threat groups use T1539?
Known threat groups using T1539 include: LuminousMoth, Kimsuky, Sandworm Team, Scattered Spider, Evilnum, Star Blizzard, Lotus Blossom, APT42.