Home/ATT&CK Technique/Web Session Cookie
ATT&CK Technique

Web Session Cookie

T1550.004 · lateral-movement

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated. Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently.

Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie or Web Cookies, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.

IaaSOffice SuiteSaaS

Actors Using This

7
russiaAPT29
iranOilRig
israel_commercial_cyber_mercenaryCandiru / Sourgum
north_koreaJade Sleet / TraderTraitor / UNC4899 / Pressure Chollima
predominantly_english_speaking_youth_organized_crimeLAPSUS$
chinaSilk Typhoon
chinaStorm-0558

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
persistence earlier
T1136.003 · Cloud Account ×34.00T1556.007 · Hybrid Identity ×20.40T1098.005 · Device Registration ×14.17
credential-access earlier
T1606.002 · SAML Tokens ×27.20T1606.001 · Web Cookies ×20.40T1606 · Forge Web Credentials ×17.00T1528 · Steal Application Access Token ×14.57
discovery earlier
T1526 · Cloud Service Discovery ×34.00T1580 · Cloud Infrastructure Discovery ×34.00T1087.004 · Cloud Account ×27.20T1087.003 · Email Account ×17.00
lateral-movement same
T1021.007 · Cloud Services ×34.00T1550.001 · Application Access Token ×13.60
collection later
T1074.002 · Remote Data Staging ×12.75T1114.003 · Email Forwarding Rule ×12.36

Mitigations

1
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1054Software Configuration

Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data.

Conduct a Security Review of Application Settings
  • Review the software documentation to identify recommended security configurations.
  • Compare default settings against organizational policies and compliance requirements.
Implement Access Controls and Permissions
  • Restrict access to sensitive features or data within the software.
  • Enforce least privilege principles for all roles and accounts interacting with the software.
Enable Logging and Monitoring
  • Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity.
  • Integrate logs with a centralized monitoring solution, such as a SIEM.
Update and Patch Software Regularly
  • Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities.
  • Use automated patch management tools to streamline the update process.
Disable Unnecessary Features or Services
  • Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.
Test Configuration Changes
  • Perform configuration changes in a staging environment before applying them in production.
  • Conduct regular audits to ensure that settings remain aligned with security policies.
Tools for Implementation Configuration Management Tools
  • Ansible: Automates configuration changes across multiple applications and environments.
  • Chef: Ensures consistent application settings through code-based configuration management.
  • Puppet: Automates software configurations and audits changes for compliance.
Security Benchmarking Tools
  • CIS-CAT: Provides benchmarks and audits for secure software configurations.
  • Aqua Security Trivy: Scans containerized applications for configuration issues.
Vulnerability Management Solutions
  • Nessus: Identifies misconfigurations and suggests corrective actions.
Logging and Monitoring Tools
  • Splunk: Aggregates and analyzes application logs to detect suspicious activity.

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53SC-08, SC-23, SI-07
D3FEND12 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin