Esc
Steal Web Session Cookie - T1539

(ATT&CK® Technique)
Definition

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1539["Steal Web Session Cookie"] --> |accesses| SessionCookie["Session Cookie"]; class T1539 OffensiveTechniqueNode;
        class SessionCookie ArtifactNode; click SessionCookie href "/dao/artifact/d3f:SessionCookie";
        click T1539 href "/offensive-technique/attack/T1539/"; click SessionCookie href "/dao/artifact/d3f:SessionCookie";             ReissueCredential["Reissue Credential"] -->
          | restores | SessionCookie["Session Cookie"];

          ReissueCredential["Reissue Credential"] -.->
            | may-restore | T1539["Steal Web Session Cookie"] ;
          class ReissueCredential DefensiveTechniqueNode;
          class SessionCookie ArtifactNode;
          click ReissueCredential href "/technique/d3f:ReissueCredential"; CredentialHardening["Credential Hardening"] -->
          | hardens | SessionCookie["Session Cookie"];

          CredentialHardening["Credential Hardening"] -.->
            | may-harden | T1539["Steal Web Session Cookie"] ;
          class CredentialHardening DefensiveTechniqueNode;
          class SessionCookie ArtifactNode;
          click CredentialHardening href "/technique/d3f:CredentialHardening";                           CredentialRevocation["Credential Revocation"] -->
          | deletes | SessionCookie["Session Cookie"];

          CredentialRevocation["Credential Revocation"] -.->
            | may-evict | T1539["Steal Web Session Cookie"] ;
          class CredentialRevocation DefensiveTechniqueNode;
          class SessionCookie ArtifactNode;
          click CredentialRevocation href "/technique/d3f:CredentialRevocation"; Multi-factorAuthentication["Multi-factor Authentication"] -->
          | uses | SessionCookie["Session Cookie"];

          Multi-factorAuthentication["Multi-factor Authentication"] -.->
            | may-harden | T1539["Steal Web Session Cookie"] ;
          class Multi-factorAuthentication DefensiveTechniqueNode;
          class SessionCookie ArtifactNode;
          click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; CredentialRotation["Credential Rotation"] -->
          | regenerates | SessionCookie["Session Cookie"];

          CredentialRotation["Credential Rotation"] -.->
            | may-harden | T1539["Steal Web Session Cookie"] ;
          class CredentialRotation DefensiveTechniqueNode;
          class SessionCookie ArtifactNode;
          click CredentialRotation href "/technique/d3f:CredentialRotation";                AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
          | deletes | SessionCookie["Session Cookie"];

          AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
            | may-evict | T1539["Steal Web Session Cookie"] ;
          class AuthenticationCacheInvalidation DefensiveTechniqueNode;
          class SessionCookie ArtifactNode;
          click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation";                                  CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
          | analyzes | SessionCookie["Session Cookie"];

          CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
            | may-detect | T1539["Steal Web Session Cookie"] ;
          class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
          class SessionCookie ArtifactNode;
          click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis";                DecoyUserCredential["Decoy User Credential"] -->
          | spoofs | SessionCookie["Session Cookie"];

          DecoyUserCredential["Decoy User Credential"] -.->
            | may-deceive | T1539["Steal Web Session Cookie"] ;
          class DecoyUserCredential DefensiveTechniqueNode;
          class SessionCookie ArtifactNode;
          click DecoyUserCredential href "/technique/d3f:DecoyUserCredential";                CredentialTransmissionScoping["Credential Transmission Scoping"] -->
          | isolates | SessionCookie["Session Cookie"];

          CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
            | may-isolate | T1539["Steal Web Session Cookie"] ;
          class CredentialTransmissionScoping DefensiveTechniqueNode;
          class SessionCookie ArtifactNode;
          click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping";
json