EXPLORE
Sign In
← Back to Explore
T1539

Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in n...

LinuxmacOSOffice SuiteSaaSWindows
15
Detections
3
Sources
8
Threat Actors

BY SOURCE

12elastic2sigma1splunk_escu

PROCEDURES (12)

Office2 detections

Auto-extracted: 2 detections for office

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

Phish1 detections

Auto-extracted: 1 detections for phish

Credential1 detections

Auto-extracted: 1 detections for credential

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Token1 detections

Auto-extracted: 1 detections for token

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Token1 detections

Auto-extracted: 1 detections for token

Credential1 detections

Auto-extracted: 1 detections for credential

Service1 detections

Auto-extracted: 1 detections for service

THREAT ACTORS (8)

APT42EvilnumKimsukyLotus BlossomLuminousMothSandworm TeamScattered SpiderStar Blizzard

DETECTIONS (15)

Browser Process Spawned from an Unusual Parent
elastichigh
Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent
elastichigh
Entra ID Potential AiTM Sign-In via OfficeHome (Tycoon2FA)
elastichigh
First Time Python Accessed Sensitive Credential Files
elasticmedium
M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA)
elastichigh
Manual Loading of a Suspicious Chromium Extension
elastichigh
Multiple Device Token Hashes for Single Okta Session
elasticmedium
Okta AiTM Session Cookie Replay
elastichigh
Okta Multiple OS Names Detected for a Single DT Hash
elastichigh
Okta Suspicious Use of a Session Cookie
splunk_escu
Potential Cookies Theft via Browser Debugging
elasticmedium
SQLite Chromium Profile Data DB Access
sigmahigh
SQLite Firefox Profile Data DB Access
sigmahigh
Suspicious Web Browser Sensitive File Access
elastichigh
WebProxy Settings Modification
elasticmedium