EXPLORE

← Back to Explore

T1539

Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in n...

LinuxOffice SuiteSaaSWindowsmacOS

12

Detections

3

Sources

8

Threat Actors

BY SOURCE

9elastic2sigma1splunk_escu

PROCEDURES (9)

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Bypass2 detections

Auto-extracted: 2 detections for bypass

Token2 detections

Auto-extracted: 2 detections for token

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

THREAT ACTORS (8)

APT42 Evilnum Kimsuky Lotus Blossom LuminousMoth Sandworm Team Scattered Spider Star Blizzard

DETECTIONS (12)

Browser Process Spawned from an Unusual Parent

First Time Python Accessed Sensitive Credential Files

Manual Loading of a Suspicious Chromium Extension

Multiple Device Token Hashes for Single Okta Session

Okta AiTM Session Cookie Replay

Okta Multiple OS Names Detected for a Single DT Hash

Okta Suspicious Use of a Session Cookie

Potential Cookies Theft via Browser Debugging

SQLite Chromium Profile Data DB Access

SQLite Firefox Profile Data DB Access

Suspicious Web Browser Sensitive File Access

WebProxy Settings Modification