Skip to content

DET0171 Detection Strategy for Forged Web Cookies

Item Value
ID DET0171
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1606.001 (Web Cookies)

Analytics

IaaS

AN0483

Forged cookies in IaaS environments may appear as authentication attempts that bypass MFA, leveraging AssumeRole or session APIs with cookies that were never legitimately issued. Defenders should correlate cloud logs for cookie-based sessions without prior valid authentication, often followed by resource access from unfamiliar IP addresses.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) AWS:CloudTrail Web console logins using session cookies without corresponding MFA event
Web Credential Usage (DC0007) AWS:CloudTrail GetSessionToken, AssumeRoleWithWebIdentity
Mutable Elements
Field Description
GeoVelocityThreshold Flag logins from geographically distant locations in a short timeframe.
AuthorizedCookieIssuers Expected systems and services that may legitimately mint session cookies.

Windows

AN0484

Forged web cookies on Windows endpoints can be detected by monitoring unusual modifications of browser cookie stores (e.g., Chrome SQLite DB, Edge cache) by processes outside of browsers, followed by authentication events to SaaS or IaaS services. Defenders may observe processes writing directly to cookie storage paths or injecting tokens into browser sessions.

Log Sources
Data Component Name Channel
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624, 4648
Mutable Elements
Field Description
BrowserCookiePaths List of monitored cookie file paths on Windows systems.
ProcessWhitelist Approved processes allowed to write to browser cookie stores.

Linux

AN0485

On Linux, defenders may observe forged cookie activity as unauthorized modifications to browser cookie databases (e.g., ~/.mozilla/firefox/*/cookies.sqlite, ~/.config/chromium/Default/Cookies) or scripted injection of session tokens. Suspicious usage includes curl/wget commands embedding forged cookies in headers, correlated with abnormal session activity in SaaS or IaaS logs.

Log Sources
Data Component Name Channel
File Access (DC0055) auditd:SYSCALL Unusual processes accessing or modifying cookie databases
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Mutable Elements
Field Description
CredentialFilePaths Paths to cookie/session storage files to monitor.

macOS

AN0486

Forged cookies on macOS may show up as abnormal access to Safari/Chrome cookie databases in ~/Library/Cookies, combined with unexpected logon sessions authenticated by those cookies. Unified Logs may show cookie injection events or abnormal access patterns to Keychain when linked to browser authentication flows.

Log Sources
Data Component Name Channel
File Access (DC0055) macos:unifiedlog Abnormal process access to Safari or Chrome cookie storage
Web Credential Usage (DC0007) macos:unifiedlog New session initiated using cookies without normal MFA or password validation
Mutable Elements
Field Description
AuthorizedKeychainApps Applications permitted to use Keychain to generate cookies or tokens.

SaaS

AN0487

Forged cookies in SaaS environments manifest as valid web sessions without matching login activity, MFA enforcement bypass, or cookies reused across multiple devices/IPs. Defenders should look for cookie replay, concurrent sessions from multiple geographies, or session tokens generated by unrecognized apps.

Log Sources
Data Component Name Channel
Web Credential Usage (DC0007) m365:unified Session activity without correlated login event
Logon Session Creation (DC0067) saas:access Multiple concurrent logins using same cookie from different locations
Mutable Elements
Field Description
TokenReplayThreshold Number of concurrent uses of a cookie that should trigger an alert.
GeoLocationAlerts Unusual SaaS logins from geographically distant locations in short timeframes.