DET0509 Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts

Item	Value
ID	DET0509
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1539 (Steal Web Session Cookie)

Analytics

Windows

AN1402

Detects suspicious access to browser session cookie storage (e.g., Chrome’s Cookies SQLite DB) or memory reads of browser processes. Anomalous injection or memory dump utilities targeting browser processes such as chrome.exe, firefox.exe, or msedge.exe.

Log Sources

Data Component	Name	Channel
Process Access (DC0035)	WinEventLog:Sysmon	EventCode=10
File Modification (DC0061)	WinEventLog:Sysmon	EventCode=2
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688

Mutable Elements

Field	Description
TargetProcessList	Monitored browsers (e.g., chrome.exe, firefox.exe)
AccessToolList	Suspicious tools used for injection or memory access (e.g., mimikatz, procdump)
TargetCookiePaths	Locations of cookie stores like `AppData\Local\Google\Chrome\User Data\Default\Cookies`

Linux

AN1403

Detects access to known browser cookie files (e.g., ~/.mozilla/firefox/*.default/cookies.sqlite, ~/.config/google-chrome/) and suspicious reads of browser memory via /proc/[pid]/mem or ptrace.

Log Sources

Data Component	Name	Channel
File Access (DC0055)	auditd:SYSCALL	open or read to browser cookie storage
Process Access (DC0035)	auditd:SYSCALL	ptrace syscall or access to /proc/*/mem

Mutable Elements

Field	Description
CookieFilePatterns	Regex paths to known browser cookie locations
TimeWindow	Correlated time range between cookie read and web upload or process injection
BrowserProcPatterns	Expected names for browser processes being accessed

macOS

AN1404

Detects unauthorized access to browser cookie paths (e.g., ~/Library/Application Support/Google/Chrome/Default/Cookies) or task_for_pid/vm_read calls to Safari/Chrome memory space.

Log Sources

Data Component	Name	Channel
Process Access (DC0035)	macos:unifiedlog	vm_read, task_for_pid, or file open to cookie databases
File Access (DC0055)	fs:fsusage	file open for known browser cookie paths

Mutable Elements

Field	Description
TargetBrowserList	List of processes considered web browsers on macOS
BrowserCookiePathList	Cookie database paths specific to each browser

Office Suite

AN1405

Detects automation macros or VBA scripts in documents that access browser file paths, read cookie data, or attempt to exfiltrate browser session tokens over HTTP.

Log Sources

Data Component	Name	Channel
Application Log Content (DC0038)	m365:unified	RunMacro
File Modification (DC0061)	WinEventLog:Sysmon	EventCode=2

Mutable Elements

Field	Description
MacroTargetPath	Files or directories macros are attempting to access
HTTPDestinationIPList	List of IPs or domains that are uncommon for macro-based HTTP POSTs

SaaS

AN1406

Detects use of session cookies or authentication tokens from unusual user agents or locations. Identifies token reuse without reauthentication or attempts to bypass MFA using previously stolen cookies.

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	saas:googleworkspace	login with reused session token and mismatched user agent or IP
Logon Session Creation (DC0067)	saas:okta	session.token.reuse

Mutable Elements

Field	Description
TokenReuseTimeWindow	Max allowed delta between token issuance and second use
UserAgentAnomalyScore	Deviation score from normal browser/device fingerprint
GeoLocationAnomalyScore	Deviation in IP region or ASN per user profile