Skip to content

T1550.004 Web Session Cookie

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.1

Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie or Web Cookies, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.2

Item Value
ID T1550.004
Sub-techniques T1550.001, T1550.002, T1550.003, T1550.004
Tactics TA0005, TA0008
Platforms Google Workspace, IaaS, Office 365, SaaS
Version 1.3
Created 30 January 2020
Last Modified 30 March 2023

Procedure Examples

ID Name Description
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used stolen cookies to access cloud resources and a forged duo-sid cookie to bypass MFA set on an email account.34

Mitigations

ID Mitigation Description
M1054 Software Configuration Configure browsers or tasks to regularly delete persistent cookies.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0006 Web Credential Web Credential Usage

References