DET0074 Detect Use of Stolen Web Session Cookies Across Platforms

| Item | Value |
|---|---|
| ID | DET0074 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1550.004 (Web Session Cookie)

Analytics

IaaS

AN0201

Anomalous access to cloud web applications using session tokens without corresponding MFA/credential validation, often from unusual locations or device fingerprints.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Usage (DC0007) | AWS:CloudTrail | SessionToken used without preceding MFA or login event |
| Logon Session Creation (DC0067) | AWS:CloudTrail | ConsoleLogin |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | How far back to check for legitimate MFA or login events before token usage |
| IPGeolocationDistance | Threshold for flagging geographically impossible logins |

SaaS

AN0202

Session cookie reuse on unmanaged browsers, devices, or client types deviating from user baseline (e.g., switching from Chrome to curl).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Usage (DC0007) | m365:unified | SessionId reused from different device/browser fingerprint |
| User Account Authentication (DC0002) | saas:okta | session.impersonation.start |

Mutable Elements

| Field | Description |
|---|---|
| BrowserFingerprintMatch | Tolerance for accepting small differences in user-agent headers |
| SessionReuseTimeout | Time gap threshold between valid session creation and reuse |
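The correlation logic behind AN0201 and AN0202, as an added illustration that is not part of the ATT&CK detection strategy itself: it walks a constructed, simplified event stream (field names are an assumption, not the exact CloudTrail or unified-audit schema), flags token use by a user with no MFA-backed login inside TimeWindow, and flags a session ID whose IP/user-agent fingerprint changes after creation (exact match here; a real deployment would apply the BrowserFingerprintMatch tolerance).

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are simplified assumptions.
EVENTS = [
    {"ts": "2025-10-21T08:00:00", "user": "alice", "event": "ConsoleLogin", "mfa": True,
     "ip": "203.0.113.10", "ua": "Chrome/130", "session": "S1"},
    {"ts": "2025-10-21T08:05:00", "user": "alice", "event": "ListBuckets", "mfa": None,
     "ip": "203.0.113.10", "ua": "Chrome/130", "session": "S1"},
    # same session id, now from a different IP and a curl client (AN0202 pattern)
    {"ts": "2025-10-21T09:30:00", "user": "alice", "event": "ListBuckets", "mfa": None,
     "ip": "198.51.100.7", "ua": "curl/8.4", "session": "S1"},
    # token use with no MFA-backed login for this user at all (AN0201 pattern)
    {"ts": "2025-10-21T15:00:00", "user": "bob", "event": "GetObject", "mfa": None,
     "ip": "192.0.2.5", "ua": "Chrome/130", "session": "S9"},
]

TIME_WINDOW = timedelta(hours=8)  # the mutable element "TimeWindow"


def detect(events, time_window=TIME_WINDOW):
    """Return a list of (timestamp, user, reason) findings."""
    findings = []
    last_mfa_login = {}  # user -> time of most recent MFA-backed login
    session_fp = {}      # session id -> (ip, user-agent) observed at first sight
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "ConsoleLogin" and e["mfa"]:
            last_mfa_login[e["user"]] = ts
            session_fp[e["session"]] = (e["ip"], e["ua"])
            continue
        # AN0201: session token used without a recent MFA login by this user
        login = last_mfa_login.get(e["user"])
        if login is None or ts - login > time_window:
            findings.append((e["ts"], e["user"], "token use without recent MFA login"))
        # AN0202: same session id presented with a different device fingerprint
        fp = (e["ip"], e["ua"])
        prev = session_fp.setdefault(e["session"], fp)
        if prev != fp:
            findings.append((e["ts"], e["user"],
                             f"session {e['session']} fingerprint changed {prev} -> {fp}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```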

Office Suite

AN0203

Web session tokens reused in native Office apps (e.g., Outlook, Teams) without associated token refresh or login behavior on the endpoint.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | m365:unified | UserLoggedIn |

Mutable Elements

| Field | Description |
|---|---|
| EndpointTokenSyncGap | Allowed delta between endpoint login and cloud token reuse |