# T1539 Steal Web Session Cookie

-----------------------------------------------------------------------

## Technique Description

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.(Citation: Pass The Cookie)

There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)

After an adversary acquires a valid cookie, they can then use the [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to log in to the corresponding web application.

## Technique Detection

Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory.

-----------------------------------------------------------------------

### Tactics:

  *   Credential-Access

### Platforms:

  * Linux

  * macOS

  * Windows

  * Office 365

  * SaaS

  * Google Workspace

### Adversary Required Permissions:

  * User

### Data Sources:

  * **File:** File Access

  * **Process:** Process Access

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) can steal cookies and session information from browsers.(Citation: ESET EvilNum July 2020)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has stolen Chrome browser cookies by copying the Chrome profile directories of targeted users.(Citation: CrowdStrike StellarParticle January 2022)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1539)

  * [Pass The Cookie](https://wunderwuzzi23.github.io/blog/passthecookie.html), Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.

  * [Kaspersky Tajmahal April 2019](https://securelist.com/project-tajmahal/90240/), GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.

  * [Unit 42 Mac Crypto Cookies January 2019](https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/), Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.

  * [Github Evilginx2](https://github.com/kgretzky/evilginx2), Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.

  * [Github Mauraena](https://github.com/muraenateam/muraena), Orrù, M., Trotta, G.. (2019, September 11). Muraena. Retrieved October 14, 2019.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Information Here

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information Here

## Analytical References

  * https://embracethered.com/blog/posts/passthecookie/

  * https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/

  * https://securelist.com/project-tajmahal/90240/

  * https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/

  * https://mango.pdf.zone/stealing-chrome-cookies-without-a-password

  * https://github.com/defaultnamehere/cookie_crimes

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Chrome Cookie Extraction (Microsoft Edge also works this way)'

  * **Source:** 'Windows Audits, Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'To perform this, the adversary has to start a headless Chrome (or Edge) in "debugging" mode with a command line containing:

"--headless"
"--user-data-dir="
"--remote-debugging-port="'

  * **Query (KQL):** `event_id: 1 and process_name: (chrome.exe or msedge.exe) and command_line: "--remote-debugging-port"`
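Worked example, added here and not part of the original hunt page or of MITRE's text: the three detections described in the Technique Detection section (file access to the browser's cookie store, process access into browser memory) and in Analytic 1 above (a browser launched with a remote debugging port), expressed as Python rules run over constructed Sysmon and Windows Security events. Field names follow Sysmon Event 1/10 (`Image`, `CommandLine`, `SourceImage`, `TargetImage`, `GrantedAccess`) and Security Event 4663 (`ObjectName`, `ProcessName`); the sample events and the user paths in them are made up, and the cookie-store regex assumes the standard Chromium profile layout (`...\User Data\<profile>\Network\Cookies`, or `...\<profile>\Cookies` on older versions).

```python
import ntpath
import re

BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}

# Standard Chromium cookie database location (assumed layout, not taken from the
# hunt page): <vendor>\User Data\<profile>\[Network\]Cookies. Matched case-insensitively.
COOKIE_STORE_RE = re.compile(
    r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\(network\\)?cookies$",
    re.IGNORECASE,
)

# Win32 process access rights that appear in Sysmon Event 10 GrantedAccess.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_ACCESS_MASK = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE


def _base(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def check_debug_launch(ev):
    """Analytic 1: Sysmon Event 1, browser started with --remote-debugging-port."""
    if ev.get("event_id") != 1 or _base(ev.get("Image", "")) not in BROWSER_IMAGES:
        return None
    cmd = ev.get("CommandLine", "")
    if "--remote-debugging-port" not in cmd:
        return None
    # The other two flags from the analytic notes raise confidence but are not required.
    flags = [f for f in ("--remote-debugging-port", "--headless", "--user-data-dir") if f in cmd]
    return ("browser_remote_debugging", f"{_base(ev['Image'])} launched with {', '.join(flags)}")


def check_cookie_file_access(ev):
    """File: File Access. Security Event 4663 where a non-browser process opens a Cookies DB."""
    if ev.get("event_id") != 4663:
        return None
    obj = ev.get("ObjectName", "")
    if not COOKIE_STORE_RE.search(obj):
        return None
    proc = _base(ev.get("ProcessName", ""))
    if proc in BROWSER_IMAGES:
        return None  # the browser reads its own store constantly; not interesting
    return ("cookie_store_access", f"{proc} opened {obj}")


def check_browser_memory_access(ev):
    """Process: Process Access. Sysmon Event 10 where another process gets VM read/write on a browser."""
    if ev.get("event_id") != 10:
        return None
    target = _base(ev.get("TargetImage", ""))
    source = _base(ev.get("SourceImage", ""))
    if target not in BROWSER_IMAGES or source in BROWSER_IMAGES:
        return None  # browser processes legitimately open each other
    try:
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
    except ValueError:
        return None
    if not granted & MEMORY_ACCESS_MASK:
        return None
    return ("browser_memory_access", f"{source} -> {target} GrantedAccess={granted:#x}")


RULES = (check_debug_launch, check_cookie_file_access, check_browser_memory_access)


def hunt(events):
    """Run every rule over every event; return (rule_name, detail) tuples in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (hypothetical user "alice"; nothing here is real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"event_id": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'chrome.exe --headless --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data" --remote-debugging-port=9222'},
    {"event_id": 4663, "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"event_id": 4663, "ProcessName": r"C:\Windows\System32\robocopy.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"event_id": 10, "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "GrantedAccess": "0x1010"},
    {"event_id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GrantedAccess": "0x1400"},
]

if __name__ == "__main__":
    for name, detail in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Two practical caveats. Sysmon has no file-read event, so the cookie-store rule depends on Windows object-access auditing (Event 4663) with a SACL on the browser profile directory; without that SACL the rule sees nothing, which is exactly the kind of gap worth recording under Detection Blindspots. And `--remote-debugging-port` is also used by legitimate browser automation (test frameworks, scraping tools), so the debug-launch rule should be baselined per user and parent process rather than alerted on outright.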



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------


