Forge Web Credentials: Web Cookies

ID Name
T1606.001 Web Cookies
T1606.002 SAML Tokens

Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.

Adversaries may generate these cookies in order to gain access to web resources. This differs from Steal Web Session Cookie and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.[1] The generation of web cookies often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.

Once forged, adversaries may use these web cookies to access resources (Web Session Cookie), which may bypass multi-factor and other authentication protection mechanisms.[2][1][3]

ID: T1606.001
Sub-technique of:  T1606
Platforms: IaaS, Linux, SaaS, Windows, macOS
Contributors: Jack Burns, HubSpot
Version: 1.1
Created: 17 December 2020
Last Modified: 19 September 2023

Procedure Examples

ID Name Description
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.[2]

Mitigations

ID Mitigation Description
M1047 Audit

Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed.

M1054 Software Configuration

Configure browsers/applications to regularly delete persistent web cookies.

Detection

ID Data Source Data Component Detects
DS0028 Logon Session Logon Session Creation

Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.

DS0006 Web Credential Web Credential Usage

Monitor for the usage of unexpected or unusual cookies to access resources and services. Forged web cookies may be associated with unknown accounts and could be the result of compromised secrets such as passwords or Private Keys.

References