Lateral Movement

T1550.004: Web Session Cookie

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.

T1550.004 · Sub-technique · 3 platforms · 1 group

Description

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)

Authentication cookies are commonly used by web applications, including cloud-based services, after a user has authenticated, so that credentials are not sent with every request and re-authentication is required less often. These cookies are often valid for an extended period, even when the application is not actively in use. After obtaining a cookie through Steal Web Session Cookie, or forging one under Web Cookies, the adversary can import it into a browser they control and use the site or application as the victim for as long as the session cookie remains valid. Once logged in, the adversary can access sensitive information, read email, or perform any action the victim account is permitted to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)
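The flow described above, as an added example that is not part of the ATT&CK page or any referenced report: a minimal in-process model of a cookie-authenticated service. Password and MFA are checked once at login, after which every request is authorized solely by the session cookie, so a cookie copied into a second client is accepted with no MFA prompt. The user, credentials, MFA code, client fingerprints and the optional client-binding check are all constructed assumptions for the demo, not a real service's behaviour.

```python
import hmac
import secrets
import time

# Constructed demo of session-cookie replay ("pass the cookie").
# Assumptions (not from the page): one static user with a static MFA code,
# and requests modelled as Python calls instead of real HTTP traffic.

SESSION_TTL = 8 * 3600  # seconds; long-lived cookies are what makes the theft useful

USERS = {"alice": {"password": "correct horse", "mfa_code": "482913"}}


def parse_cookie(header):
    """Parse a Cookie header ("a=1; b=2") into a dict."""
    out = {}
    for part in (header or "").split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out


class CookieAuthService:
    """Minimal web service: MFA is verified at login only, then just the cookie."""

    def __init__(self, bind_to_client=False):
        self.sessions = {}              # session id -> session record
        self.bind_to_client = bind_to_client

    def login(self, user, password, mfa_code, client):
        """Verify password + MFA once and issue a session cookie."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        if not hmac.compare_digest(rec["mfa_code"], mfa_code):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "issued": time.time(), "client": client}
        return {"Set-Cookie": f"session={sid}; Secure; HttpOnly; SameSite=Lax"}

    def request(self, path, cookie_header, client):
        """Authorize a request by its session cookie. Returns (status, body)."""
        sid = parse_cookie(cookie_header).get("session")
        sess = self.sessions.get(sid)
        if sess is None:
            return 401, "login required"
        if time.time() - sess["issued"] > SESSION_TTL:
            del self.sessions[sid]
            return 401, "session expired"
        # Hardened variant (assumed control): the session is bound to the
        # client fingerprint it was issued to, so a replayed cookie is rejected.
        if self.bind_to_client and sess["client"] != client:
            del self.sessions[sid]
            return 401, "session bound to another client"
        return 200, f"{path} as {sess['user']}"


def pass_the_cookie(bind_to_client):
    """Victim logs in with MFA; attacker replays the cookie from another client."""
    svc = CookieAuthService(bind_to_client=bind_to_client)
    victim = ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/120")
    attacker = ("198.51.100.7", "Mozilla/5.0 (X11; Linux) Firefox/121")

    # 1. Victim completes password + MFA; the server sets the session cookie.
    set_cookie = svc.login("alice", "correct horse", "482913", victim)
    cookie = set_cookie["Set-Cookie"].split(";")[0]    # "session=<id>"

    # 2. Attacker obtains that cookie (e.g. Steal Web Session Cookie) and
    #    imports it into their own browser. No password, no MFA prompt:
    #    the server only sees a valid session id.
    return svc.request("/mail/inbox", cookie, attacker)


if __name__ == "__main__":
    print("unbound session:", pass_the_cookie(False))
    print("client-bound session:", pass_the_cookie(True))
```

The unbound call returns `200` and the inbox is served as alice; the bound variant returns `401`. Binding a session to source IP and User-Agent is a blunt instrument (mobile users change addresses, browsers update), so in practice it is combined with short absolute session lifetimes and a fresh MFA prompt before sensitive actions rather than used alone.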

Platforms

IaaS, Office Suite, SaaS

Mitigations (1)

M1054 Software Configuration

Configure browsers or tasks to regularly delete persistent cookies.

Threat Groups (1)

| ID | Group | Context |
| --- | --- | --- |
| G1033 | [Star Blizzard](https://attack.mitre.org/groups/G1033) | Star Blizzard has bypassed multi-factor authentication on victim email accounts by using session cookies stol... |

Frequently Asked Questions

What is T1550.004 (Web Session Cookie)?

T1550.004 is a MITRE ATT&CK sub-technique named 'Web Session Cookie'. It belongs to the Lateral Movement tactic. Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.

How can T1550.004 be detected?

Detection of T1550.004 (Web Session Cookie) relies on the authentication and access logs of the web application or cloud service rather than on the endpoint where the cookie was stolen. Look for the same session being used from different locations, source addresses, or client configurations (IP, user agent, device) than the one that completed the login, for sessions that were never preceded by an MFA-backed sign-in from that client, and for impossible-travel patterns between consecutive requests. Correlate these with Steal Web Session Cookie detections on endpoints, since the replay itself looks like legitimate use of a valid session.
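An added detection example, not taken from the ATT&CK page: it runs over a constructed JSON access log and flags any session id that is used from a client fingerprint (source IP plus user agent) that never completed a login for that session. The log format, field names and sample entries are assumptions for the demo; real services log these fields under their own names.

```python
import json
from collections import defaultdict

# Constructed access-log sample (not real data). Session "s1a9f" is issued to
# alice's Windows/Chrome client after an MFA login and later reused from a
# different IP and browser with no new authentication event in between.
SAMPLE_LOG = """
{"ts": 1700000000, "event": "login_success", "mfa": true, "user": "alice", "sid": "s1a9f", "src_ip": "203.0.113.10", "ua": "Chrome/120 Windows"}
{"ts": 1700000030, "event": "request", "path": "/mail/inbox", "user": "alice", "sid": "s1a9f", "src_ip": "203.0.113.10", "ua": "Chrome/120 Windows"}
{"ts": 1700003600, "event": "request", "path": "/mail/inbox", "user": "alice", "sid": "s1a9f", "src_ip": "198.51.100.7", "ua": "Firefox/121 Linux"}
{"ts": 1700003700, "event": "request", "path": "/mail/search?q=invoice", "user": "alice", "sid": "s1a9f", "src_ip": "198.51.100.7", "ua": "Firefox/121 Linux"}
{"ts": 1700000100, "event": "login_success", "mfa": true, "user": "bob", "sid": "b77c2", "src_ip": "192.0.2.44", "ua": "Safari/17 macOS"}
{"ts": 1700000200, "event": "request", "path": "/files", "user": "bob", "sid": "b77c2", "src_ip": "192.0.2.44", "ua": "Safari/17 macOS"}
"""


def parse_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_reused_sessions(events):
    """Flag sessions used from a client fingerprint that never logged in.

    A session cookie is only ever issued to the client that passed the login
    (and MFA). A request carrying that cookie from a fingerprint with no
    login event for the same sid is therefore a replay indicator. Events are
    sorted by timestamp first, so out-of-order log delivery does not create
    false positives.
    """
    authenticated = defaultdict(set)   # sid -> fingerprints that logged in
    findings = {}                      # (sid, fingerprint) -> finding

    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid, fp = e["sid"], (e["src_ip"], e["ua"])
        if e["event"] == "login_success":
            authenticated[sid].add(fp)
            continue
        if e["event"] != "request" or fp in authenticated[sid]:
            continue
        key = (sid, fp)
        if key not in findings:
            findings[key] = {
                "sid": sid,
                "user": e["user"],
                "src_ip": e["src_ip"],
                "ua": e["ua"],
                "first_seen": e["ts"],
                "requests": 0,
                # Which client(s) legitimately authenticated this session.
                "authenticated_from": sorted(authenticated[sid]),
            }
        findings[key]["requests"] += 1

    return list(findings.values())


if __name__ == "__main__":
    for f in find_reused_sessions(parse_log(SAMPLE_LOG)):
        print(f"session {f['sid']} ({f['user']}) replayed from {f['src_ip']} "
              f"[{f['ua']}] starting {f['first_seen']}, {f['requests']} requests; "
              f"authenticated from {f['authenticated_from']}")
```

On the sample it reports exactly one finding: alice's session replayed from 198.51.100.7 with a Firefox/Linux user agent, two requests, while bob's session stays clean. A change in IP alone or user agent alone is common for legitimate users (mobile networks, browser updates), so a production rule would weight a simultaneous change of both, a different ASN or country, and access to sensitive paths higher than a single mismatch.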

What mitigations exist for T1550.004?

There is 1 documented mitigation for T1550.004: Software Configuration (M1054), which covers configuring browsers or scheduled tasks to regularly delete persistent cookies.

Which threat groups use T1550.004?

Known threat groups using T1550.004 include: Star Blizzard.