Steal Web Session Cookie

Stealing web session cookies is a key technique by which an attacker illegitimately obtains a user's browser session credentials and bypasses authentication in order to move laterally. Traditional methods include memory dumping and network sniffing; defenders can counter them with memory protection mechanisms (such as Credential Guard), enforced HTTPS encryption, and browser sandbox isolation. Monitoring should focus on memory reads by anomalous processes, unauthorized certificate installation, and sensitive API calls made by browser extensions.

To cope with increasingly strict security controls, attackers have developed new theft techniques that combine process concealment, protocol impersonation, and timing synchronization. By embedding malicious operations in the browser's legitimate workflow, building network service infrastructure that looks compliant on the surface, and precisely matching the timing of user interaction, they make cookie theft hard to distinguish from normal business traffic in its spatial distribution, timing characteristics, and protocol form, which significantly reduces the effectiveness of traditional detection rules.

What current cookie-theft stealth techniques have in common lies in two dimensions: "legitimized privileges" and "contextual blending". Attackers no longer rely on vulnerability exploitation or protocol flaws, but build the attack chain through sanctioned channels. Specifically, low-frequency timed theft binds the attack cadence to user behaviour, and extension impersonation opens a persistent covert channel. These techniques share a break with the linear structure of the traditional attack chain: the theft is decomposed into several micro-operations, each of which conforms to normal business logic, forming a new "decentralized, highly blended" attack paradigm.

The development of stealth techniques poses a serious challenge to traditional defences based on signatures and single-point behavioural detection. Defenders need to build new protective layers such as user-behaviour baselining, extension supply-chain auditing, and access control over encrypted memory, while strengthening mutual authentication of HTTPS traffic and introducing AI-driven correlation of anomalous timing, so as to achieve layered defence against covert theft.

ID: T1539
Sub-techniques:  T1539.001, T1539.002
Tactic: Credential Access
Platforms: Linux, Office Suite, SaaS, Windows, macOS
Contributors: Johann Rehberger; Menachem Goldstein; Microsoft Threat Intelligence Center (MSTIC)
Version: 1.4
Created: 08 October 2019
Last Modified: 14 October 2024

Stealth Effects

Effect type                      Present
Signature disguise
Behavioural transparency
Data masking
Spatio-temporal trace dilution

Behavioural Transparency

By building a compliant proxy service and carrying out the attack through legitimate business processes, malicious operations blend closely with normal system behaviour and avoid triggering alerts for file access or process injection. For example, browser-extension impersonation steals session cookies by imitating a legitimate browser extension; the whole process conforms to the browser's normal memory-management conventions, so traditional process monitoring has difficulty spotting anything abnormal.

Spatio-temporal Trace Dilution

Attack signatures are diluted through low-frequency triggering and timing synchronization. Low-frequency timed theft binds each theft action to user operations, so that individual thefts are hours apart and fall precisely inside the user's normal interaction windows; detection models based on fixed thresholds struggle to identify them.

Procedure Examples

ID Name Description
S0657 BLUELIGHT

BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers.[1]

S0631 Chaes

Chaes has used a script that extracts the web session cookie and sends it to the C2 server.[2]

S0492 CookieMiner

CookieMiner can steal Google Chrome and Apple Safari browser cookies from the victim's machine.[3]

S0568 EVILNUM

EVILNUM can harvest cookies and upload them to the C2 server.[4]

G0120 Evilnum

Evilnum can steal cookies and session information from browsers.[5]

S0531 Grandoreiro

Grandoreiro can steal the victim's cookies to use for duplicating the active session from another device.[6]

G1014 LuminousMoth

LuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.[7]

S1146 MgBot

MgBot includes modules that can steal cookies from Firefox, Chrome, and Edge web browsers.[8]

S0650 QakBot

QakBot has the ability to capture web session cookies.[9][10]

S1148 Raccoon Stealer

Raccoon Stealer attempts to steal cookies and related information in browser history.[11]

G0034 Sandworm Team

Sandworm Team used information stealer malware to collect browser session cookies.[12]

G1015 Scattered Spider

Scattered Spider retrieves browser cookies via Raccoon Stealer.[13]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 stole Chrome browser cookies by copying the Chrome profile directories of targeted users.[14]

S1140 Spica

Spica has the ability to steal cookies from Chrome, Firefox, Opera, and Edge browsers.[15]

G1033 Star Blizzard

Star Blizzard has used EvilGinx to steal the session cookies of victims directed to phishing domains.[16]

S0467 TajMahal

TajMahal has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, FireFox and RealNetworks applications.[17]

S0658 XCSSET

XCSSET uses scp to access the ~/Library/Cookies/Cookies.binarycookies file.[18]

Mitigations

ID Mitigation Description
M1047 Audit

Implement auditing for authentication activities and user logins to detect the use of stolen session cookies. Monitor for impossible travel scenarios and anomalous behavior that could indicate the use of compromised session tokens or cookies.
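One way to turn the "impossible travel" part of this mitigation into a check, as an added example that is not part of the ATT&CK page: each login event carries an identifier for the session cookie that was presented (a hash of the cookie, never the cookie value itself) plus the source IP and its geolocation, and any pair of consecutive uses of the same cookie that implies an implausible speed is flagged. The speed threshold, the metro-area cutoff and all sample logins are constructed assumptions.

```python
"""Impossible-travel check on session-cookie use (added example, not from the ATT&CK page).

Each login event records an identifier for the session cookie that was presented (a hash
of the cookie, never the cookie value itself), the source IP and its geolocation. If the
same cookie is used from two places that no traveller could cover in the elapsed time,
the session is flagged as a likely stolen cookie. All events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0   # assumption: about airliner speed; tune per environment
MIN_DISTANCE_KM = 50.0       # assumption: ignore hops inside one metro area / NAT pool


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    session_id: str   # e.g. sha256 of the cookie value, as the IdP would log it
    src_ip: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one finding per consecutive pair of uses of the same (user, session) whose
    implied speed is implausible: (user, session_id, earlier_login, later_login, kmh)."""
    by_session = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault((e.user, e.session_id), []).append(e)

    findings = []
    for (user, sid), seq in by_session.items():
        for earlier, later in zip(seq, seq[1:]):
            dist = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (later.ts - earlier.ts).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append((user, sid, earlier, later, speed))
    return findings


def _t(hhmm: str) -> datetime:
    h, m = map(int, hhmm.split(":"))
    return datetime(2024, 10, 14, h, m, tzinfo=timezone.utc)


# Constructed sample: alice's cookie is presented from London, then from Tokyo 30 minutes
# later; bob's cookie moves New York -> Boston over five hours, which is unremarkable.
SAMPLE_LOGINS = [
    Login(_t("09:00"), "alice", "sess-a1", "203.0.113.10", 51.5074, -0.1278),   # London
    Login(_t("09:30"), "alice", "sess-a1", "198.51.100.7", 35.6762, 139.6503),  # Tokyo
    Login(_t("08:00"), "bob",   "sess-b1", "192.0.2.25",   40.7128, -74.0060),  # New York
    Login(_t("13:00"), "bob",   "sess-b1", "192.0.2.99",   42.3601, -71.0589),  # Boston
]

if __name__ == "__main__":
    for user, sid, a, b, kmh in impossible_travel(SAMPLE_LOGINS):
        minutes = (b.ts - a.ts).total_seconds() / 60
        print(f"{user} {sid}: {a.src_ip} -> {b.src_ip} in {minutes:.0f} min "
              f"implies {kmh:,.0f} km/h")
```

The check is keyed on the session identifier rather than on the user alone, which is what distinguishes a replayed cookie from a user who legitimately logged in again from a new location; in production the geolocation lookup and the speed threshold would be tuned to the organisation's VPN and travel patterns.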

M1032 Multi-factor Authentication

A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.[19]

Implement Conditional Access policies with Token Protection to bind session tokens to their originating device and user. This reduces the risk of session cookie theft by ensuring that stolen tokens cannot be reused from unauthorized locations or devices.
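Why a second factor that uses the login domain in its negotiation defeats a phishing proxy, as an added example that is not code from the ATT&CK page or from any vendor's product: the relying-party checks below model what a WebAuthn server verifies on an assertion. The browser, not the web page, writes the origin the user is really on into the signed clientDataJSON, and the authenticator data starts with SHA-256 of the relying-party ID, so a proxy that relays the genuine challenge still cannot obtain an assertion the real site accepts. The relying-party ID, origins and keys are constructed, and the HMAC signature is a labelled stand-in for the authenticator's asymmetric key pair so that the block runs with the standard library only.

```python
"""Relying-party checks behind an origin-bound second factor (added example; not from the
ATT&CK page or from any vendor's implementation).

A FIDO2/WebAuthn authenticator signs over two things the server later inspects:
clientDataJSON, which the browser (not the web page) fills in with the origin the user
is really on, and authenticatorData, whose first 32 bytes are SHA-256 of the relying-party
ID. The signature here is an HMAC stand-in for the authenticator's ECDSA key pair, so the
block needs only the standard library; all names, challenges and keys are constructed.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                               # constructed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}     # the only origin the RP will accept


class ToyAuthenticator:
    """Stand-in for a hardware key: signs authenticatorData || SHA-256(clientDataJSON).
    A real authenticator uses a per-credential ECDSA/EdDSA private key; HMAC is used
    only so the example needs no third-party crypto library."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def sign(self, client_data: bytes, auth_data: bytes) -> bytes:
        signed = auth_data + hashlib.sha256(client_data).digest()
        return hmac.new(self._key, signed, hashlib.sha256).digest()

    def verifier(self):
        """What the RP stored at registration (the public key, in the real protocol)."""
        key = self._key
        return lambda signed, sig: hmac.compare_digest(
            hmac.new(key, signed, hashlib.sha256).digest(), sig)


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser builds for navigator.credentials.get(). The page cannot choose
    'origin'; the browser sets it to the origin that called the API. (The real protocol
    encodes the challenge as base64url; hex is used here for brevity.)"""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}).encode()


def authenticator_data(rp_id: str) -> bytes:
    """rpIdHash (32 bytes) || flags (user-present bit) || 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes, signature: bytes,
                     expected_challenge: bytes, verify_signature):
    """Relying-party side. Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not verify_signature(auth_data + hashlib.sha256(client_data).digest(), signature):
        return False, "bad signature"
    return True, "ok"


def login_attempt(browser_origin: str, rewrite_origin_to=None):
    """Simulate one ceremony. browser_origin is where the user's browser really is;
    rewrite_origin_to models a proxy editing clientDataJSON after the key has signed.
    (A real browser would already refuse to use example.com from a foreign origin; the
    server-side origin check is the backstop this example exercises.)"""
    key = ToyAuthenticator()
    verify = key.verifier()                   # registered earlier with the RP
    challenge = secrets.token_bytes(32)       # issued by the RP for this login
    cd = browser_client_data(browser_origin, challenge)
    ad = authenticator_data(RP_ID)
    sig = key.sign(cd, ad)
    if rewrite_origin_to is not None:
        cd = browser_client_data(rewrite_origin_to, challenge)
    return verify_assertion(cd, ad, sig, challenge, verify)
```

The two failure modes are the ones that matter for this mitigation: an assertion relayed unmodified carries the proxy's origin and is refused outright, and an assertion whose origin field is patched after signing fails the signature check because the signature covers the hash of clientDataJSON. Contrast this with a one-time code, which carries no notion of where it was typed.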

M1021 Restrict Web-Based Content

Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface.

M1054 Software Configuration

Configure browsers or tasks to regularly delete persistent cookies.

Additionally, minimize the length of time a web cookie is viable to potentially reduce the impact of stolen cookies while also increasing the needed frequency of cookie theft attempts – providing defenders with additional chances at detection.[20] For example, use non-persistent cookies to limit the duration a session ID will remain on the web client cache where an attacker could obtain it.[21]
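The two settings this mitigation recommends, shown side by side as an added example that is not code from the ATT&CK page: a persistent, script-readable session cookie next to a non-persistent one carrying Secure, HttpOnly and SameSite, and a server-side session store that applies idle and absolute timeouts so that a stolen identifier stops working soon after the user goes quiet. The timeout values, cookie names and the store itself are constructed assumptions.

```python
"""Session-cookie lifetime controls (added example, not from the ATT&CK page).

Two things shorten the window in which a stolen cookie is useful: issue it as a
non-persistent cookie (no Expires/Max-Age, so it dies with the browser session instead of
sitting on disk for weeks) and enforce idle and absolute timeouts on the server-side
session it names. The timeout values and the in-memory store are constructed.
"""
import secrets
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

IDLE_TIMEOUT = timedelta(minutes=15)      # assumption: re-authenticate after 15 min idle
ABSOLUTE_TIMEOUT = timedelta(hours=8)     # assumption: no session older than a workday


def weak_cookie_header(session_id: str) -> str:
    """Weak: persistent for 30 days on disk, sent over HTTP, readable from document.cookie."""
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["max-age"] = 30 * 24 * 3600
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def hardened_cookie_header(session_id: str) -> str:
    """Hardened: non-persistent (no Max-Age/Expires), HTTPS-only, hidden from scripts,
    same-site, and __Host- prefixed so it cannot be set for a parent domain."""
    c = SimpleCookie()
    c["__Host-sid"] = session_id
    c["__Host-sid"]["path"] = "/"
    c["__Host-sid"]["secure"] = True
    c["__Host-sid"]["httponly"] = True
    c["__Host-sid"]["samesite"] = "Lax"
    return c.output(header="").strip()


class SessionStore:
    """Server-side sessions with idle and absolute expiry; `now` is passed in so the
    behaviour can be exercised without waiting."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, now: datetime) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid: str, now: datetime):
        """Return the user for a live session, or None (and drop it) if expired/unknown."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]


def demo_timeline():
    """Walk a session through its life; returns the user seen at each probe (None = rejected)."""
    store = SessionStore()
    t0 = datetime(2024, 10, 14, 9, 0, tzinfo=timezone.utc)
    sid = store.create("alice", t0)
    probes = [
        store.resolve(sid, t0 + timedelta(minutes=10)),   # active: accepted
        store.resolve(sid, t0 + timedelta(minutes=20)),   # 10 min idle: accepted
        store.resolve(sid, t0 + timedelta(minutes=40)),   # 20 min idle: rejected
    ]
    sid = store.create("alice", t0)
    now = t0
    while now < t0 + timedelta(hours=8):                  # keep the session busy
        now += timedelta(minutes=10)
        busy = store.resolve(sid, now)
    probes.append(busy)                                   # exactly 8 h old: accepted
    probes.append(store.resolve(sid, now + timedelta(minutes=5)))  # past limit: rejected
    return probes


if __name__ == "__main__":
    print("weak:     ", weak_cookie_header("abc123"))
    print("hardened: ", hardened_cookie_header("abc123"))
    print("timeline: ", demo_timeline())
```

The absolute timeout is what bounds the damage from a cookie stolen from an actively used browser: keeping the session busy resets the idle clock but not the creation time, so the attacker is forced back through authentication (and the audit trail) at a predictable interval.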

M1051 Update Software

Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.

M1017 User Training

Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets.

Detection

ID Data Source Data Component Detects
DS0022 File File Access

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials to cloud service management consoles. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.

Analytic 1 - Unexpected access to web session cookies files.

(index=security sourcetype="WinEventLog:Security" EventCode=4663 (ObjectName="*\\AppData\\Roaming\\*\\Cookies\\*" OR ObjectName="*\\AppData\\Local\\*\\Cookies\\*"))
OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 (TargetObject="*\\AppData\\Roaming\\*\\Cookies\\*" OR TargetObject="*\\AppData\\Local\\*\\Cookies\\*"))
OR (index=os sourcetype="linux_audit" (filepath="/home/*/.mozilla/firefox/*.default-release/cookies.sqlite" OR filepath="/home/*/.config/google-chrome/Default/Cookies"))
OR (index=os sourcetype="macos_secure" file_path="/Users/*/Library/Application Support/Google/Chrome/Default/Cookies")
OR (index=gsuite sourcetype="gsuite:admin" event_name="LOGIN" event_type="cookie_auth")
OR (index=o365 sourcetype="o365:management:activity" Operation="UserLoginViaCookie")

DS0009 Process Process Access

Monitor for attempts by programs to inject into or dump browser process memory.

Analytic 1 - Unauthorized access or injection into browser processes.

(index=security sourcetype="WinEventLog:Security" (EventCode=4688 OR EventCode=4663))
OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=10))
OR (index=os sourcetype="linux_secure" (action="execve" OR action="ptrace"))
OR (index=os sourcetype="macos_secure" (event_type="execve" OR event_type="ptrace"))
OR (index=gsuite sourcetype="gsuite:admin" event_name="LOGIN" event_type="cookie_auth")
OR (index=o365 sourcetype="o365:management:activity" Operation="UserLoginViaCookie")
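The logic of both analytics above (cookie-store file access under DS0022 and browser process access under DS0009), run over constructed log events as an added example that is not part of the ATT&CK page. It adds the two pieces of tuning a practitioner needs before the raw searches are usable: the browser maintaining its own cookie database is excluded from the file rule, and the process rule fires only when the handle grants memory-read rights and the caller is neither the browser nor a known security product. The path patterns, the allowlists and every sample event are assumptions to be adjusted per environment.

```python
"""Detection logic for the two analytics above, run over constructed events (added
example, not from the ATT&CK page). Rule 1 flags file access to browser cookie stores by
anything other than the browser itself; rule 2 flags a process opening a browser process
with memory-read rights. Path patterns, allowlists and the sample events are assumptions
for illustration and must be tuned to the environment."""
from fnmatch import fnmatchcase

# Cookie stores of common browsers, matched on a lowercased, forward-slash path.
COOKIE_STORE_PATTERNS = [
    "*/appdata/local/google/chrome/user data/*/cookies",
    "*/appdata/local/google/chrome/user data/*/network/cookies",
    "*/appdata/local/microsoft/edge/user data/*/network/cookies",
    "*/appdata/roaming/mozilla/firefox/profiles/*/cookies.sqlite",
    "/home/*/.mozilla/firefox/*/cookies.sqlite",
    "/home/*/.config/google-chrome/*/cookies",
    "/users/*/library/application support/google/chrome/*/cookies",
]
# Matching on the basename is enough for a demo; production rules should match the full,
# signed binary path, since malware can name itself chrome.exe.
BROWSER_BINARIES = {"chrome.exe", "msedge.exe", "firefox.exe", "chrome", "firefox"}
# Processes expected to open browsers with VM_READ (EDR/AV); constructed path.
PROCESS_ACCESS_ALLOWLIST = {"c:/program files/windows defender/msmpeng.exe"}
PROCESS_VM_READ = 0x0010     # Sysmon GrantedAccess bit for reading process memory


def norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def basename(path: str) -> str:
    return norm(path).rsplit("/", 1)[-1]


def rule_cookie_file_access(ev):
    """Sysmon 11 / Security 4663 / auditd path events: non-browser touching a cookie store."""
    if ev.get("kind") != "file":
        return None
    path = norm(ev["path"])
    if not any(fnmatchcase(path, p) for p in COOKIE_STORE_PATTERNS):
        return None
    if basename(ev["image"]) in BROWSER_BINARIES:
        return None     # the browser maintaining its own database is normal
    return f"cookie store {ev['path']} accessed by {ev['image']}"


def rule_browser_process_access(ev):
    """Sysmon EventCode 10: a process obtained a memory-read handle on a browser."""
    if ev.get("kind") != "process_access":
        return None
    if basename(ev["target_image"]) not in BROWSER_BINARIES:
        return None
    src = ev["source_image"]
    if basename(src) in BROWSER_BINARIES or norm(src) in PROCESS_ACCESS_ALLOWLIST:
        return None
    if int(ev["granted_access"], 16) & PROCESS_VM_READ == 0:
        return None
    return f"{src} opened {ev['target_image']} with GrantedAccess {ev['granted_access']}"


RULES = {"cookie_file_access": rule_cookie_file_access,
         "browser_process_access": rule_browser_process_access}


def run_rules(events):
    """Return [(rule_name, message)] for every event/rule hit, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            msg = rule(ev)
            if msg:
                hits.append((name, msg))
    return hits


# Constructed sample events, already normalised out of their native log formats.
SAMPLE_EVENTS = [
    {"kind": "file", "source": "sysmon:11",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"kind": "file", "source": "security:4663",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"kind": "file", "source": "linux_audit",
     "image": "/usr/bin/python3",
     "path": "/home/bob/.mozilla/firefox/abcd1234.default-release/cookies.sqlite"},
    {"kind": "process_access", "source": "sysmon:10",
     "source_image": r"C:\Windows\Temp\dump.exe",
     "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "granted_access": "0x1010"},
    {"kind": "process_access", "source": "sysmon:10",
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "granted_access": "0x1410"},
    {"kind": "process_access", "source": "sysmon:10",
     "source_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "granted_access": "0x1fffff"},
]

if __name__ == "__main__":
    for name, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

Of the six sample events only three fire: the unknown binary and the Python script touching cookie databases, and the temp-directory process reading Chrome's memory. The browser writing its own database, the allowlisted security product, and Chrome opening its own child processes are the benign cases that an untuned version of the searches above would report constantly.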

References