T1539

Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Session cookies can be found on disk in browser profile directories (SQLite databases), in the process memory of the browser, and in network traffic to remote systems. Tools such as Evilginx2 and Muraena act as adversary-in-the-middle proxies to capture session cookies from victims directed to phishing domains without the victim's endpoint ever being directly compromised. Malware families including Raccoon Stealer, QakBot, Spica, CookieMiner, Grandoreiro, and EVILNUM specifically target browser cookie stores for theft. Stolen session cookies can bypass multi-factor authentication by reusing authenticated sessions, enabling account takeover without requiring credentials.

Microsoft Sentinel / Defender

kusto

let LegitBrowserProcesses = dynamic([
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
    "opera.exe", "vivaldi.exe", "chromium.exe", "msedgewebview2.exe",
    "whale.exe", "iexplore.exe"
]);
let SystemAllowList = dynamic([
    "SearchIndexer.exe", "MsMpEng.exe", "SgrmBroker.exe",
    "backgroundTaskHost.exe", "WerFault.exe", "svchost.exe",
    "TiWorker.exe", "TrustedInstaller.exe"
]);
// Primary: Non-browser process accessing browser cookie stores on disk
DeviceFileEvents
| where Timestamp > ago(24h)
| where (
    FolderPath contains "Chrome\User Data"
    or FolderPath contains "Edge\User Data"
    or FolderPath contains "Firefox\Profiles"
    or FolderPath contains "BraveSoftware\Brave-Browser"
    or FolderPath contains "Opera Software\Opera Stable"
    or FolderPath contains "Vivaldi\User Data"
)
| where FileName =~ "Cookies"
    or FileName =~ "cookies.sqlite"
    or FileName =~ "cookies.sqlite-wal"
    or (FileName =~ "Local State" and FolderPath contains "User Data")
    or FileName =~ "Login Data"
| where not (InitiatingProcessFileName in~ (LegitBrowserProcesses))
| where not (InitiatingProcessFileName in~ (SystemAllowList))
| extend AccountName = coalesce(RequestAccountName, InitiatingProcessAccountName)
| extend SuspicionReason = case(
    FileName =~ "Local State",
        "Chrome/Edge master encryption key (DPAPI-wrapped AES) accessed by non-browser process",
    FileName =~ "Login Data",
        "Browser saved credentials database accessed alongside cookie store — bulk stealer pattern",
    FileName =~ "cookies.sqlite" or FileName =~ "cookies.sqlite-wal",
        "Firefox cookie SQLite database accessed by non-browser process",
    "Browser Cookies file accessed by non-browser process"
)
| extend IsScriptHost = InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| extend IsCommonStealer = InitiatingProcessFileName in~ ("python.exe", "python3.exe", "node.exe", "ruby.exe", "perl.exe", "sqlite3.exe")
| project Timestamp, DeviceName, AccountName,
          FileName, FolderPath, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, SuspicionReason,
          IsScriptHost, IsCommonStealer
| sort by Timestamp desc

high severity high confidence

Data Sources

File: File Access Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents

False Positives

Enterprise backup agents (Acronis, Commvault, Veeam) reading browser profile directories as part of user data backup — typically run under service accounts from known backup process names
IT asset management or software inventory agents (SCCM, Tanium) enumerating browser profile directories to report installed browser versions
Endpoint DLP solutions that monitor file access patterns for sensitive data leaving the browser profile directory
Browser profile migration or sync utilities (e.g., migration tools used during workstation refresh) that legitimately copy cookie stores between profiles
Anti-malware scanners performing scheduled or on-demand scans of browser profile directories for known malware signatures
Developer tooling performing automated browser testing (Selenium WebDriver, Playwright) that may read or write browser profile data

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(EventCode=11 OR EventCode=10)
| eval isCookieFileAccess=if(
    EventCode="11" AND
    (match(TargetFilename, "(?i)(Chrome.User.Data|Edge.User.Data|Firefox.Profiles|BraveSoftware.Brave-Browser|Opera.Software)")) AND
    (match(TargetFilename, "(?i)(^|[\\/])Cookies$") OR match(TargetFilename, "(?i)cookies\.sqlite") OR match(TargetFilename, "(?i)Local State$") OR match(TargetFilename, "(?i)Login Data$")) AND
    NOT match(Image, "(?i)(\\\\chrome\.exe|\\\\msedge\.exe|\\\\firefox\.exe|\\\\brave\.exe|\\\\opera\.exe|\\\\vivaldi\.exe|\\\\chromium\.exe|\\\\msedgewebview2\.exe|\\\\MsMpEng\.exe|\\\\SearchIndexer\.exe|\\\\svchost\.exe)"),
    1, 0)
| eval isBrowserProcessInjection=if(
    EventCode="10" AND
    match(TargetImage, "(?i)(\\\\chrome\.exe|\\\\msedge\.exe|\\\\firefox\.exe|\\\\brave\.exe)") AND
    NOT match(SourceImage, "(?i)(\\\\chrome\.exe|\\\\msedge\.exe|\\\\firefox\.exe|\\\\brave\.exe|\\\\MsMpEng\.exe|\\\\SgrmBroker\.exe|\\\\vmtoolsd\.exe|\\\\csrss\.exe)"),
    1, 0)
| where isCookieFileAccess=1 OR isBrowserProcessInjection=1
| eval DetectionType=case(
    isCookieFileAccess=1 AND isBrowserProcessInjection=1, "CookieFileAccess+BrowserInjection",
    isCookieFileAccess=1, "BrowserCookieFileAccess",
    isBrowserProcessInjection=1, "BrowserProcessInjection",
    "Unknown")
| eval SuspicionScore=isCookieFileAccess + isBrowserProcessInjection
| eval SuspiciousProcess=coalesce(Image, SourceImage)
| eval TargetDetail=coalesce(TargetFilename, TargetImage)
| eval IsScriptHost=if(match(SuspiciousProcess, "(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|python|node\.exe)"), 1, 0)
| table _time, host, User, DetectionType, SuspiciousProcess, TargetDetail, CommandLine, IsScriptHost, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

File: File Access Process: Process Access Sysmon Event ID 10 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise backup agents performing scheduled user data backups that include browser profile directories — build allowlist by SourceImage/Image for known backup process paths
Anti-malware and EDR agents performing in-memory process scanning that generate Event ID 10 against browser processes — exclude known vendor process paths
IT management agents (SCCM, Tanium, CrowdStrike Sensor) that may open browser process handles during inventory or telemetry collection
Browser profile migration tools used during device refresh or onboarding that copy cookie databases between profiles
Security awareness testing platforms running authorized simulated phishing exercises that may trigger the detection

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  devicehostname AS Hostname,
  username AS AccountName,
  "filename" AS AccessedFile,
  "filepath" AS FilePath,
  "processname" AS InitiatingProcess,
  "processcommandline" AS CommandLine,
  CATEGORYNAME(category) AS Category,
  QIDNAME(qid) AS EventName,
  logsourcename(logsourceid) AS LogSource
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 79)
  AND starttime > NOW() - 86400 SECONDS
  AND (
    ("filepath" ILIKE '%Chrome%User Data%' OR "filepath" ILIKE '%Edge%User Data%' OR
     "filepath" ILIKE '%Firefox%Profiles%' OR "filepath" ILIKE '%BraveSoftware%Brave-Browser%' OR
     "filepath" ILIKE '%Opera Software%Opera Stable%' OR "filepath" ILIKE '%Vivaldi%User Data%')
    AND (
      "filename" ILIKE 'Cookies' OR "filename" ILIKE 'cookies.sqlite' OR
      "filename" ILIKE 'cookies.sqlite-wal' OR "filename" ILIKE 'Local State' OR
      "filename" ILIKE 'Login Data'
    )
  )
  AND "processname" NOT ILIKE '%chrome.exe'
  AND "processname" NOT ILIKE '%msedge.exe'
  AND "processname" NOT ILIKE '%firefox.exe'
  AND "processname" NOT ILIKE '%brave.exe'
  AND "processname" NOT ILIKE '%opera.exe'
  AND "processname" NOT ILIKE '%vivaldi.exe'
  AND "processname" NOT ILIKE '%chromium.exe'
  AND "processname" NOT ILIKE '%msedgewebview2.exe'
  AND "processname" NOT ILIKE '%MsMpEng.exe'
  AND "processname" NOT ILIKE '%SearchIndexer.exe'
  AND "processname" NOT ILIKE '%SgrmBroker.exe'
  AND "processname" NOT ILIKE '%svchost.exe'
  AND "processname" NOT ILIKE '%TiWorker.exe'
  AND "processname" NOT ILIKE '%WerFault.exe'
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Sysmon logs via QRadar DSM Windows Security Event logs via QRadar DSM

Required Tables

events

False Positives

Enterprise DLP agents (e.g., Symantec DLP, Forcepoint) scanning browser profile directories for sensitive data classification — add DLP agent process names to the exclusion list
Antivirus or EDR real-time protection performing on-access scanning of new or modified cookie files — whitelist AV engine process names (e.g., MsMpEng.exe, ekrn.exe, bdservicehost.exe)
User-initiated cookie export tools or browser migration assistants (e.g., Windows Easy Transfer, browser built-in profile import) running temporarily during browser setup or migration

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon (EventCode=11 OR EventCode=10)
| parse xml auto
| where EventCode = "11" or EventCode = "10"
| eval isCookieAccess = if(
    EventCode = "11" AND
    (TargetFilename matches "*Chrome*User Data*" OR TargetFilename matches "*Edge*User Data*" OR
     TargetFilename matches "*Firefox*Profiles*" OR TargetFilename matches "*BraveSoftware*Brave-Browser*" OR
     TargetFilename matches "*Opera Software*" OR TargetFilename matches "*Vivaldi*User Data*") AND
    (TargetFilename matches "*Cookies" OR TargetFilename matches "*cookies.sqlite*" OR
     TargetFilename matches "*Local State" OR TargetFilename matches "*Login Data") AND
    !(Image matches "*chrome.exe" OR Image matches "*msedge.exe" OR Image matches "*firefox.exe" OR
      Image matches "*brave.exe" OR Image matches "*opera.exe" OR Image matches "*vivaldi.exe" OR
      Image matches "*chromium.exe" OR Image matches "*msedgewebview2.exe" OR
      Image matches "*MsMpEng.exe" OR Image matches "*SearchIndexer.exe" OR
      Image matches "*SgrmBroker.exe" OR Image matches "*svchost.exe"),
    1, 0)
| eval isBrowserInjection = if(
    EventCode = "10" AND
    (TargetImage matches "*chrome.exe" OR TargetImage matches "*msedge.exe" OR
     TargetImage matches "*firefox.exe" OR TargetImage matches "*brave.exe") AND
    !(SourceImage matches "*chrome.exe" OR SourceImage matches "*msedge.exe" OR
      SourceImage matches "*firefox.exe" OR SourceImage matches "*brave.exe" OR
      SourceImage matches "*MsMpEng.exe" OR SourceImage matches "*SgrmBroker.exe" OR
      SourceImage matches "*vmtoolsd.exe" OR SourceImage matches "*csrss.exe"),
    1, 0)
| where isCookieAccess = 1 OR isBrowserInjection = 1
| eval DetectionType = if(isCookieAccess = 1 AND isBrowserInjection = 1, "CookieAccess+BrowserInjection",
    if(isCookieAccess = 1, "BrowserCookieFileAccess",
    if(isBrowserInjection = 1, "BrowserProcessInjection", "Unknown")))
| eval SuspiciousProcess = if(EventCode = "11", Image, SourceImage)
| eval TargetDetail = if(EventCode = "11", TargetFilename, TargetImage)
| eval IsScriptHost = if(
    SuspiciousProcess matches "*powershell*" OR SuspiciousProcess matches "*pwsh*" OR
    SuspiciousProcess matches "*cmd.exe*" OR SuspiciousProcess matches "*wscript*" OR
    SuspiciousProcess matches "*cscript*" OR SuspiciousProcess matches "*mshta*" OR
    SuspiciousProcess matches "*python*" OR SuspiciousProcess matches "*node.exe*",
    1, 0)
| fields _messageTime, Computer, User, DetectionType, SuspiciousProcess, TargetDetail, CommandLine, IsScriptHost
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector Sumo Logic Cloud SIEM Enterprise (CSE)

Required Tables

_sourceCategory=windows/sysmon

False Positives

Endpoint backup agents (e.g., CrashPlan, Acronis) that perform file-level backups of the entire user profile including browser directories — scope exclusions to backup agent process names
Developer tools or testing frameworks that automate browser sessions using ChromeDriver or geckodriver may trigger process injection detections — whitelist known CI/CD or test automation process names
Browser profile roaming solutions in enterprise VDI environments (e.g., Citrix Profile Management, FSLogix) that copy or mount user profile containers including browser data at logon

Google Chronicle / SecOps

yaral

rule t1539_steal_web_session_cookie {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects non-browser processes accessing browser session cookie stores or credential databases, indicating potential session cookie theft (T1539)"
    severity = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1539"
    reference = "https://attack.mitre.org/techniques/T1539/"
    version = "1.0"

  events:
    $file_access.metadata.event_type = "FILE_OPEN"
    $file_access.principal.hostname = $hostname
    $file_access.principal.process.file.full_path = $proc_path
    (
      re.regex($file_access.target.file.full_path,
        `(?i)(Chrome.User Data|Edge.User Data|Firefox.Profiles|BraveSoftware.Brave-Browser|Opera.Software.Opera.Stable|Vivaldi.User Data)`) and
      re.regex($file_access.target.file.full_path,
        `(?i)([\\/]Cookies$|cookies\.sqlite(-wal)?$|[\\/]Local State$|[\\/]Login Data$)`)
    )
    not re.regex($file_access.principal.process.file.full_path,
      `(?i)(\\chrome\.exe|\\msedge\.exe|\\firefox\.exe|\\brave\.exe|\\opera\.exe|\\vivaldi\.exe|\\chromium\.exe|\\msedgewebview2\.exe|\\MsMpEng\.exe|\\SearchIndexer\.exe|\\SgrmBroker\.exe|\\backgroundTaskHost\.exe|\\WerFault\.exe|\\svchost\.exe|\\TiWorker\.exe|\\TrustedInstaller\.exe)`)

  condition:
    $file_access
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows endpoint telemetry forwarded to Chronicle Sysmon logs ingested via Chronicle forwarder

Required Tables

UDM events with event_type FILE_OPEN

False Positives

Google Chrome or Edge update processes (GoogleUpdate.exe, MicrosoftEdgeUpdate.exe) that access User Data directories during in-place browser updates — add update helper executables to the exclusion regex
Enterprise password manager integrations (e.g., LastPass binary component, Keeper desktop app) that read browser cookie directories to detect active sessions for autofill context
System imaging or forensic tools run by IT administrators during incident response or routine audits — these should be detected but triaged as authorized activity

CrowdStrike LogScale (CQL)

cql

#event_simpleName=FileOpenInfo
| TargetFileName = /(?i)(Chrome.User.Data|Edge.User.Data|Firefox.Profiles|BraveSoftware.Brave-Browser|Opera.Software.Opera.Stable|Vivaldi.User.Data)/
| TargetFileName = /(?i)([\/\\]Cookies$|cookies\.sqlite(-wal)?$|[\/\\]Local.State$|[\/\\]Login.Data$)/
| ImageFileName != /(?i)(\\chrome\.exe|\\msedge\.exe|\\firefox\.exe|\\brave\.exe|\\opera\.exe|\\vivaldi\.exe|\\chromium\.exe|\\msedgewebview2\.exe|\\MsMpEng\.exe|\\SearchIndexer\.exe|\\SgrmBroker\.exe|\\backgroundTaskHost\.exe|\\WerFault\.exe|\\svchost\.exe|\\TiWorker\.exe|\\TrustedInstaller\.exe)/
| IsScriptHost := ImageFileName matches /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|node\.exe|ruby\.exe|perl\.exe|sqlite3\.exe)/
| IsInterpreter := ImageFileName matches /(?i)(python[23]?\.exe|node\.exe|ruby\.exe|perl\.exe|sqlite3\.exe)/
| SuspicionScore := if(IsScriptHost == true, 2, 1) + if(IsInterpreter == true, 1, 0)
| table([_timstamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, IsScriptHost, IsInterpreter, SuspicionScore])
| sort(field=SuspicionScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon sensor FileOpenInfo events CrowdStrike Humio/LogScale SIEM

Required Tables

#event_simpleName=FileOpenInfo

False Positives

Automated browser testing frameworks (Selenium, Playwright, Puppeteer) running in CI/CD pipelines where a node.exe or python.exe process manages a browser session — these will match IsInterpreter and should be scoped by hostname or user account to known build agents
SQLite database inspection tools used by developers to examine browser databases locally (e.g., DB Browser for SQLite, sqlite3.exe) for debugging web application cookie behavior
Enterprise endpoint management agents performing user profile size auditing or data governance scans that traverse browser profile directories as part of broader filesystem enumeration

Last updated: 2026-04-20 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1539 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Steal Web Session Cookie

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Credential Access

Popular Detections