Web Session Cookie - T1550.004
(ATT&CK® Technique)
Definition
Adversaries can use stolen session cookies to authenticate to web applications and services. Because a stolen cookie represents a session that has already been authenticated, this technique bypasses some multi-factor authentication protocols.
D3FEND Inferred Relationships
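Click a node below to browse the D3FEND knowledge graph. The relationships shown are inferred: each countermeasure is linked to this technique through a digital artifact that both of them touch.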
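graph LR;
  %% Inferred D3FEND relationships for ATT&CK T1550.004 (Web Session Cookie).
  %% Solid edges state what a node does to a digital artifact. Dashed "may-*" edges
  %% link a countermeasure to the technique through that shared artifact, so each one
  %% is a candidate to evaluate, not a confirmed mitigation.
  %% Statements are one per line, in their original order. Labels that had been split
  %% across physical lines are rejoined, and repeated class/click declarations are
  %% written once.

  %% The technique and the three artifacts it is linked to.
  T1550004["Web Session Cookie"] --> |adds| SessionCookie["Session Cookie"];
  T1550004 --> |produces| WebNetworkTraffic["Web Network Traffic"];
  T1550004 --> |accesses| AuthenticationService["Authentication Service"];
  class T1550004 OffensiveTechniqueNode;
  class SessionCookie ArtifactNode;
  class WebNetworkTraffic ArtifactNode;
  class AuthenticationService ArtifactNode;
  click T1550004 href "/offensive-technique/attack/T1550.004/";
  click SessionCookie href "/dao/artifact/d3f:SessionCookie";
  click WebNetworkTraffic href "/dao/artifact/d3f:WebNetworkTraffic";
  click AuthenticationService href "/dao/artifact/d3f:AuthenticationService";

  %% Detection candidates that analyze Web Network Traffic.
  PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> | analyzes | WebNetworkTraffic;
  PerHostDownload-UploadRatioAnalysis -.-> | may-detect | T1550004;
  class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
  click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";

  ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> | analyzes | WebNetworkTraffic;
  ProtocolMetadataAnomalyDetection -.-> | may-detect | T1550004;
  class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
  click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";

  Client-serverPayloadProfiling["Client-server Payload Profiling"] --> | analyzes | WebNetworkTraffic;
  Client-serverPayloadProfiling -.-> | may-detect | T1550004;
  class Client-serverPayloadProfiling DefensiveTechniqueNode;
  click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";

  NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] --> | analyzes | WebNetworkTraffic;
  NetworkTrafficSignatureAnalysis -.-> | may-detect | T1550004;
  class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
  click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";

  RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> | analyzes | WebNetworkTraffic;
  RemoteTerminalSessionDetection -.-> | may-detect | T1550004;
  class RemoteTerminalSessionDetection DefensiveTechniqueNode;
  click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";

  NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> | analyzes | WebNetworkTraffic;
  NetworkTrafficCommunityDeviation -.-> | may-detect | T1550004;
  class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
  click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";

  %% Analyzes the Session Cookie artifact itself.
  CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | SessionCookie;
  CredentialCompromiseScopeAnalysis -.-> | may-detect | T1550004;
  class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
  click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis";

  UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> | analyzes | WebNetworkTraffic;
  UserGeolocationLogonPatternAnalysis -.-> | may-detect | T1550004;
  class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
  click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";

  %% Countermeasures that act directly on the Session Cookie (deceive, evict, harden).
  DecoyUserCredential["Decoy User Credential"] --> | spoofs | SessionCookie;
  DecoyUserCredential -.-> | may-deceive | T1550004;
  class DecoyUserCredential DefensiveTechniqueNode;
  click DecoyUserCredential href "/technique/d3f:DecoyUserCredential";

  CredentialRevocation["Credential Revocation"] --> | deletes | SessionCookie;
  CredentialRevocation -.-> | may-evict | T1550004;
  class CredentialRevocation DefensiveTechniqueNode;
  click CredentialRevocation href "/technique/d3f:CredentialRevocation";

  AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | SessionCookie;
  AuthenticationCacheInvalidation -.-> | may-evict | T1550004;
  class AuthenticationCacheInvalidation DefensiveTechniqueNode;
  click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation";

  CredentialRotation["Credential Rotation"] --> | regenerates | SessionCookie;
  CredentialRotation -.-> | may-harden | T1550004;
  class CredentialRotation DefensiveTechniqueNode;
  click CredentialRotation href "/technique/d3f:CredentialRotation";

  %% Process analytics on the Authentication Service.
  ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | AuthenticationService;
  ProcessSelf-ModificationDetection -.-> | may-detect | T1550004;
  class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
  click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection";

  ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | AuthenticationService;
  ProcessSpawnAnalysis -.-> | may-detect | T1550004;
  class ProcessSpawnAnalysis DefensiveTechniqueNode;
  click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";

  %% NOTE(review): the technique definition on this page says that replaying an
  %% already-authenticated session bypasses some MFA, so this inferred may-harden
  %% edge does not by itself imply that MFA stops cookie replay.
  Multi-factorAuthentication["Multi-factor Authentication"] --> | uses | SessionCookie;
  Multi-factorAuthentication -.-> | may-harden | T1550004;
  class Multi-factorAuthentication DefensiveTechniqueNode;
  click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication";

  CredentialTransmissionScoping["Credential Transmission Scoping"] --> | isolates | SessionCookie;
  CredentialTransmissionScoping -.-> | may-isolate | T1550004;
  class CredentialTransmissionScoping DefensiveTechniqueNode;
  click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping";

  %% The next five act on the Authentication Service process or host, not on the cookie.
  %% NOTE(review): presumably none of them invalidates a cookie that has already been
  %% stolen; confirm against how the service stores and expires sessions.
  SystemCallFiltering["System Call Filtering"] --> | isolates | AuthenticationService;
  SystemCallFiltering -.-> | may-isolate | T1550004;
  class SystemCallFiltering DefensiveTechniqueNode;
  click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";

  Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | AuthenticationService;
  Hardware-basedProcessIsolation -.-> | may-isolate | T1550004;
  class Hardware-basedProcessIsolation DefensiveTechniqueNode;
  click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation";

  HostShutdown["Host Shutdown"] --> | terminates | AuthenticationService;
  HostShutdown -.-> | may-evict | T1550004;
  class HostShutdown DefensiveTechniqueNode;
  click HostShutdown href "/technique/d3f:HostShutdown";

  ProcessTermination["Process Termination"] --> | terminates | AuthenticationService;
  ProcessTermination -.-> | may-evict | T1550004;
  class ProcessTermination DefensiveTechniqueNode;
  click ProcessTermination href "/technique/d3f:ProcessTermination";

  ProcessSuspension["Process Suspension"] --> | suspends | AuthenticationService;
  ProcessSuspension -.-> | may-evict | T1550004;
  class ProcessSuspension DefensiveTechniqueNode;
  click ProcessSuspension href "/technique/d3f:ProcessSuspension";

  %% Filters Web Network Traffic.
  NetworkTrafficFiltering["Network Traffic Filtering"] --> | filters | WebNetworkTraffic;
  NetworkTrafficFiltering -.-> | may-isolate | T1550004;
  class NetworkTrafficFiltering DefensiveTechniqueNode;
  click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";

  %% Restore and harden the Session Cookie.
  ReissueCredential["Reissue Credential"] --> | restores | SessionCookie;
  ReissueCredential -.-> | may-restore | T1550004;
  class ReissueCredential DefensiveTechniqueNode;
  click ReissueCredential href "/technique/d3f:ReissueCredential";

  CredentialHardening["Credential Hardening"] --> | hardens | SessionCookie;
  CredentialHardening -.-> | may-harden | T1550004;
  class CredentialHardening DefensiveTechniqueNode;
  click CredentialHardening href "/technique/d3f:CredentialHardening";

  %% Remaining countermeasures linked through the Authentication Service.
  ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | AuthenticationService;
  ProcessLineageAnalysis -.-> | may-detect | T1550004;
  class ProcessLineageAnalysis DefensiveTechniqueNode;
  click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis";

  Kernel-basedProcessIsolation["Kernel-based Process Isolation"] --> | isolates | AuthenticationService;
  Kernel-basedProcessIsolation -.-> | may-isolate | T1550004;
  class Kernel-basedProcessIsolation DefensiveTechniqueNode;
  click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation";

  Application-basedProcessIsolation["Application-based Process Isolation"] --> | isolates | AuthenticationService;
  Application-basedProcessIsolation -.-> | may-isolate | T1550004;
  class Application-basedProcessIsolation DefensiveTechniqueNode;
  click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation";

  HostReboot["Host Reboot"] --> | terminates | AuthenticationService;
  HostReboot -.-> | may-evict | T1550004;
  class HostReboot DefensiveTechniqueNode;
  click HostReboot href "/technique/d3f:HostReboot";

  WebSessionAccessMediation["Web Session Access Mediation"] --> | isolates | AuthenticationService;
  WebSessionAccessMediation -.-> | may-isolate | T1550004;
  class WebSessionAccessMediation DefensiveTechniqueNode;
  click WebSessionAccessMediation href "/technique/d3f:WebSessionAccessMediation";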