Detect Steal Web Session Cookie in Microsoft Sentinel
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Session cookies can be found on disk in browser profile directories (SQLite databases), in the process memory of the browser, and in network traffic to remote systems. Tools such as Evilginx2 and Muraena act as adversary-in-the-middle proxies to capture session cookies from victims directed to phishing domains without the victim's endpoint ever being directly compromised. Malware families including Raccoon Stealer, QakBot, Spica, CookieMiner, Grandoreiro, and EVILNUM specifically target browser cookie stores for theft. Stolen session cookies can bypass multi-factor authentication by reusing authenticated sessions, enabling account takeover without requiring credentials.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1539 Steal Web Session Cookie
- Canonical reference
- https://attack.mitre.org/techniques/T1539/
KQL Detection Query
let LegitBrowserProcesses = dynamic([
"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
"opera.exe", "vivaldi.exe", "chromium.exe", "msedgewebview2.exe",
"whale.exe", "iexplore.exe"
]);
let SystemAllowList = dynamic([
"SearchIndexer.exe", "MsMpEng.exe", "SgrmBroker.exe",
"backgroundTaskHost.exe", "WerFault.exe", "svchost.exe",
"TiWorker.exe", "TrustedInstaller.exe"
]);
// Primary: Non-browser process accessing browser cookie stores on disk
DeviceFileEvents
| where Timestamp > ago(24h)
| where (
FolderPath contains "Chrome\User Data"
or FolderPath contains "Edge\User Data"
or FolderPath contains "Firefox\Profiles"
or FolderPath contains "BraveSoftware\Brave-Browser"
or FolderPath contains "Opera Software\Opera Stable"
or FolderPath contains "Vivaldi\User Data"
)
| where FileName =~ "Cookies"
or FileName =~ "cookies.sqlite"
or FileName =~ "cookies.sqlite-wal"
or (FileName =~ "Local State" and FolderPath contains "User Data")
or FileName =~ "Login Data"
| where not (InitiatingProcessFileName in~ (LegitBrowserProcesses))
| where not (InitiatingProcessFileName in~ (SystemAllowList))
| extend AccountName = coalesce(RequestAccountName, InitiatingProcessAccountName)
| extend SuspicionReason = case(
FileName =~ "Local State",
"Chrome/Edge master encryption key (DPAPI-wrapped AES) accessed by non-browser process",
FileName =~ "Login Data",
"Browser saved credentials database accessed alongside cookie store — bulk stealer pattern",
FileName =~ "cookies.sqlite" or FileName =~ "cookies.sqlite-wal",
"Firefox cookie SQLite database accessed by non-browser process",
"Browser Cookies file accessed by non-browser process"
)
| extend IsScriptHost = InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| extend IsCommonStealer = InitiatingProcessFileName in~ ("python.exe", "python3.exe", "node.exe", "ruby.exe", "perl.exe", "sqlite3.exe")
| project Timestamp, DeviceName, AccountName,
FileName, FolderPath, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName, SuspicionReason,
IsScriptHost, IsCommonStealer
| sort by Timestamp descDetects non-browser processes accessing browser cookie stores on Windows using Microsoft Defender for Endpoint DeviceFileEvents. Monitors Chrome, Edge, Firefox, Brave, Opera, and Vivaldi cookie files and the Chrome/Edge Local State file (which contains the DPAPI-wrapped AES master key required to decrypt modern cookie values). Also flags access to Login Data, which infostealers typically harvest alongside cookies. Excludes known legitimate browser executables and Windows system processes. Annotates detections with suspicion context and flags script interpreters and common stealer tooling as higher-confidence hits.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise backup agents (Acronis, Commvault, Veeam) reading browser profile directories as part of user data backup — typically run under service accounts from known backup process names
- IT asset management or software inventory agents (SCCM, Tanium) enumerating browser profile directories to report installed browser versions
- Endpoint DLP solutions that monitor file access patterns for sensitive data leaving the browser profile directory
- Browser profile migration or sync utilities (e.g., migration tools used during workstation refresh) that legitimately copy cookie stores between profiles
- Anti-malware scanners performing scheduled or on-demand scans of browser profile directories for known malware signatures
- Developer tooling performing automated browser testing (Selenium WebDriver, Playwright) that may read or write browser profile data
Other platforms for T1539
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Copy Chrome Cookie Database via CMD
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename=%TEMP%\df00tech_test_cookies.db, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FileName=df00tech_test_cookies.db, FolderPath containing Chrome\User Data, InitiatingProcessFileName=cmd.exe. The source Cookies file read will appear as a separate FileAccess event for the Cookies file initiated by cmd.exe.
- Test 2Extract Chrome Cookies and Local State via PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing Chrome\User Data and Copy-Item. Sysmon Event ID 11: Two FileCreate events — TargetFilename containing df00tech_chrome\LocalState and df00tech_chrome\Cookies, Image=powershell.exe. DeviceFileEvents: Two file access events for Local State and Cookies files, InitiatingProcessFileName=powershell.exe.
- Test 3Read Firefox Cookie Database via sqlite3
Expected signal: Sysmon Event ID 1: sqlite3.exe Process Create with CommandLine containing Firefox\Profiles, cookies.sqlite, and SELECT. Sysmon Event ID 11: TargetFilename=%TEMP%\df00tech_ff_cookies.txt, Image=sqlite3.exe. DeviceProcessEvents: FileName=sqlite3.exe, ProcessCommandLine contains moz_cookies. DeviceFileEvents: sqlite3.exe accessing cookies.sqlite within Firefox Profiles path.
- Test 4Linux Firefox Cookie Theft via File Copy
Expected signal: Linux auditd: syscall=openat with path containing .mozilla/firefox and cookies.sqlite, and syscall=open/write for /tmp/df00tech_ff_linux_cookies.sqlite. Syslog/auditd: process cp accessing Firefox profile path. Linux EDR agents: file access event for cookies.sqlite initiated by cp process.
References (10)
- https://attack.mitre.org/techniques/T1539/
- https://wunderwuzzi23.github.io/blog/passthecookie.html
- https://github.com/kgretzky/evilginx2
- https://github.com/muraenateam/muraena
- https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- https://securelist.com/project-tajmahal/90240/
- https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
- https://blog.talosintelligence.com/roblox-scam-overview/
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs
Unlock Pro Content
Get the full detection package for T1539 including response playbook, investigation guide, and atomic red team tests.