Use Alternate Authentication Material: Web Session Cookie

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.[1]

Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so that credentials are not passed on every request and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie or Web Cookies, the adversary may import it into a browser they control and use the site or application as the user for as long as the session cookie remains valid. Once logged into the site, an adversary can access sensitive information, read email, or perform any action that the victim account has permission to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.[2]

ID: T1550.004
Sub-technique of: T1550
Platforms: IaaS, Office Suite, SaaS
Contributors: Jack Burns, HubSpot; Johann Rehberger
Version: 1.5
Created: 30 January 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used stolen cookies to access cloud resources and a forged duo-sid cookie to bypass MFA set on an email account.[3][4]

G1033 Star Blizzard

Star Blizzard has bypassed multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx.[5]

Mitigations

ID Mitigation Description
M1054 Software Configuration

Configure browsers or tasks to regularly delete persistent cookies.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0074 Detect Use of Stolen Web Session Cookies Across Platforms

AN0201: Anomalous access to cloud web applications using session tokens without corresponding MFA/credential validation, often from unusual locations or device fingerprints.

AN0202: Session cookie reuse on unmanaged browsers, devices, or client types deviating from user baseline (e.g., switching from Chrome to curl).

AN0203: Web session tokens reused in native Office apps (e.g., Outlook, Teams) without associated token refresh or login behavior on the endpoint.
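The following is an added example, not code from the ATT&CK page or from MITRE, showing how the AN0201 and AN0202 analytics above can be expressed over sign-in and activity telemetry. The log schema (`Event` fields), the session identifiers, user names and client labels are all constructed for illustration; real telemetry (for example cloud sign-in logs) would need to be mapped onto these fields first. AN0203 is not covered, since it requires endpoint token-refresh data that this sample does not model.

```python
"""
Added example: flag the behaviours described by analytics AN0201 and AN0202.

AN0201 - a session token is used although no MFA-validated login was logged
         for that session.
AN0202 - a session is reused from a client type or country that differs from
         the one recorded when the session was established.
"""
from dataclasses import dataclass


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed values)
    user: str
    session_id: str    # identifier tied to the session cookie (constructed)
    kind: str          # "login" or "activity"
    country: str       # coarse geolocation of the source IP
    client: str        # coarse client type derived from the User-Agent
    mfa: bool = False  # True only on login events that satisfied MFA


# Constructed sample log; these are not real telemetry records.
SAMPLE_EVENTS = [
    Event(1000, "alice", "sess-A1", "login", "US", "browser:chrome", mfa=True),
    Event(1300, "alice", "sess-A1", "activity", "US", "browser:chrome"),
    # Same session id later presented from another country and a CLI client (AN0202).
    Event(5200, "alice", "sess-A1", "activity", "NL", "cli:curl"),
    # Activity on a session id with no MFA-validated login on record (AN0201).
    Event(6000, "bob", "sess-B9", "activity", "US", "browser:firefox"),
    Event(7000, "carol", "sess-C3", "login", "DE", "browser:edge", mfa=True),
    Event(7100, "carol", "sess-C3", "activity", "DE", "browser:edge"),
]


def find_suspicious_sessions(events):
    """Return findings as (analytic_id, user, session_id, detail) tuples.

    Events are processed in time order so that the login that establishes a
    session is always seen before activity on that session.
    """
    baseline = {}       # session_id -> (country, client) recorded at login
    mfa_logins = set()  # session ids whose login event satisfied MFA
    findings = []

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login":
            baseline[e.session_id] = (e.country, e.client)
            if e.mfa:
                mfa_logins.add(e.session_id)
            continue

        # AN0201: token in use, but no MFA-validated login exists for it.
        if e.session_id not in mfa_logins:
            findings.append(("AN0201", e.user, e.session_id,
                             f"activity at t={e.ts} without MFA-validated login"))
        if e.session_id not in baseline:
            continue  # nothing to compare against

        # AN0202: same session reused from a different client type or country.
        base_country, base_client = baseline[e.session_id]
        drift = []
        if e.client != base_client:
            drift.append(f"client {base_client} -> {e.client}")
        if e.country != base_country:
            drift.append(f"country {base_country} -> {e.country}")
        if drift:
            findings.append(("AN0202", e.user, e.session_id, "; ".join(drift)))

    return findings


if __name__ == "__main__":
    for analytic, user, session, detail in find_suspicious_sessions(SAMPLE_EVENTS):
        print(f"{analytic} user={user} session={session}: {detail}")
```

In production the client comparison would typically be relaxed to a class (browser vs. non-browser) or to a per-user baseline rather than an exact string match, and findings would be deduplicated per session; the exact-match form here is kept so that the Chrome-to-curl case named in AN0202 is unambiguous.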

References