
Detect Steal Web Session Cookie in Sumo Logic CSE

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Session cookies can be found on disk in browser profile directories (SQLite databases), in the process memory of the browser, and in network traffic to remote systems. Tools such as Evilginx2 and Muraena act as adversary-in-the-middle proxies to capture session cookies from victims directed to phishing domains without the victim's endpoint ever being directly compromised. Malware families including Raccoon Stealer, QakBot, Spica, CookieMiner, Grandoreiro, and EVILNUM specifically target browser cookie stores for theft. Stolen session cookies can bypass multi-factor authentication by reusing authenticated sessions, enabling account takeover without requiring credentials.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1539 Steal Web Session Cookie
Canonical reference
https://attack.mitre.org/techniques/T1539/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=windows/sysmon (EventCode=11 OR EventCode=10)
| parse xml auto
| eval isCookieAccess = if(
    EventCode = "11" AND
    (TargetFilename matches "*Chrome*User Data*" OR TargetFilename matches "*Edge*User Data*" OR
     TargetFilename matches "*Firefox*Profiles*" OR TargetFilename matches "*BraveSoftware*Brave-Browser*" OR
     TargetFilename matches "*Opera Software*" OR TargetFilename matches "*Vivaldi*User Data*") AND
    (TargetFilename matches "*Cookies" OR TargetFilename matches "*cookies.sqlite*" OR
     TargetFilename matches "*Local State" OR TargetFilename matches "*Login Data") AND
    !(Image matches "*chrome.exe" OR Image matches "*msedge.exe" OR Image matches "*firefox.exe" OR
      Image matches "*brave.exe" OR Image matches "*opera.exe" OR Image matches "*vivaldi.exe" OR
      Image matches "*chromium.exe" OR Image matches "*msedgewebview2.exe" OR
      Image matches "*MsMpEng.exe" OR Image matches "*SearchIndexer.exe" OR
      Image matches "*SgrmBroker.exe" OR Image matches "*svchost.exe"),
    1, 0)
| eval isBrowserInjection = if(
    EventCode = "10" AND
    (TargetImage matches "*chrome.exe" OR TargetImage matches "*msedge.exe" OR
     TargetImage matches "*firefox.exe" OR TargetImage matches "*brave.exe") AND
    !(SourceImage matches "*chrome.exe" OR SourceImage matches "*msedge.exe" OR
      SourceImage matches "*firefox.exe" OR SourceImage matches "*brave.exe" OR
      SourceImage matches "*MsMpEng.exe" OR SourceImage matches "*SgrmBroker.exe" OR
      SourceImage matches "*vmtoolsd.exe" OR SourceImage matches "*csrss.exe"),
    1, 0)
| where isCookieAccess = 1 OR isBrowserInjection = 1
// A single Sysmon record is either EventCode 11 or 10, so only two labels are reachable per row
| eval DetectionType = if(isCookieAccess = 1, "BrowserCookieFileAccess", "BrowserProcessInjection")
| eval SuspiciousProcess = if(EventCode = "11", Image, SourceImage)
| eval TargetDetail = if(EventCode = "11", TargetFilename, TargetImage)
| eval IsScriptHost = if(
    SuspiciousProcess matches "*powershell*" OR SuspiciousProcess matches "*pwsh*" OR
    SuspiciousProcess matches "*cmd.exe*" OR SuspiciousProcess matches "*wscript*" OR
    SuspiciousProcess matches "*cscript*" OR SuspiciousProcess matches "*mshta*" OR
    SuspiciousProcess matches "*python*" OR SuspiciousProcess matches "*node.exe*",
    1, 0)
| fields _messageTime, Computer, User, DetectionType, SuspiciousProcess, TargetDetail, CommandLine, IsScriptHost
| sort by _messageTime desc
Severity: High. Confidence: High.

Sumo Logic query detecting web session cookie theft via non-browser processes creating files in browser cookie stores (Sysmon Event 11, FileCreate) and suspicious process access to browser processes (Sysmon Event 10, ProcessAccess). It labels each hit by type and by whether a script interpreter is the acting process. Three caveats apply. Sysmon Event 11 records file creation only, so a tool that reads or copies the Cookies database out of the profile produces a create event at the destination path, not inside the profile directory; the profile-path filter therefore catches tools that write into the browser's own directory, while copy-out theft must be caught on the destination file name or with EDR telemetry that logs file reads. Sysmon Events 10 and 11 do not carry a CommandLine field (Event 10 reports SourceUser rather than User), so CommandLine will be empty unless the result is joined to the Event 1 ProcessCreate record by ProcessGuid. Finally, adversary-in-the-middle proxies such as Evilginx2 and Muraena steal the cookie off the endpoint entirely, so this host-based query does not cover that vector; identity-provider sign-in logs are the place to look for it.
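The following Python block is an added example, not code from the page or from Sumo Logic: it replays the query's decision logic over a handful of constructed Sysmon-shaped XML events, so the filter can be checked offline before it is deployed. The glob lists are copied from the query; case-insensitive matching, the `sysmon_xml` helper, and the sample hostnames and paths are assumptions made for the example. Event 3 reproduces the Test 1 copy-out pattern and shows that the profile-path filter does not fire on it.

```python
"""Replay of the T1539 Sumo query logic over constructed Sysmon XML events."""
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Glob lists copied from the query. Matching is done case-insensitively here,
# which is an assumption about how the query's `matches` operator behaves.
PROFILE_PATHS = ("*Chrome*User Data*", "*Edge*User Data*", "*Firefox*Profiles*",
                 "*BraveSoftware*Brave-Browser*", "*Opera Software*", "*Vivaldi*User Data*")
COOKIE_STORES = ("*Cookies", "*cookies.sqlite*", "*Local State", "*Login Data")
BROWSERS = ("*chrome.exe", "*msedge.exe", "*firefox.exe", "*brave.exe", "*opera.exe",
            "*vivaldi.exe", "*chromium.exe", "*msedgewebview2.exe")
FILE_ALLOWLIST = BROWSERS + ("*MsMpEng.exe", "*SearchIndexer.exe", "*SgrmBroker.exe", "*svchost.exe")
INJECT_TARGETS = ("*chrome.exe", "*msedge.exe", "*firefox.exe", "*brave.exe")
INJECT_ALLOWLIST = INJECT_TARGETS + ("*MsMpEng.exe", "*SgrmBroker.exe", "*vmtoolsd.exe", "*csrss.exe")
SCRIPT_HOSTS = ("*powershell*", "*pwsh*", "*cmd.exe*", "*wscript*", "*cscript*",
                "*mshta*", "*python*", "*node.exe*")


def matches_any(value, globs):
    """Case-insensitive glob match of one field value against a list of patterns."""
    v = (value or "").lower()
    return any(fnmatchcase(v, g.lower()) for g in globs)


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into {EventCode, Computer, <Data Name>: text}."""
    root = ET.fromstring(xml_text)
    ev = {
        "EventCode": root.findtext("e:System/e:EventID", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def classify(ev):
    """Return the row the query would emit for this event, or None if it is filtered."""
    code = ev.get("EventCode")
    cookie_access = (code == "11"
                     and matches_any(ev.get("TargetFilename"), PROFILE_PATHS)
                     and matches_any(ev.get("TargetFilename"), COOKIE_STORES)
                     and not matches_any(ev.get("Image"), FILE_ALLOWLIST))
    injection = (code == "10"
                 and matches_any(ev.get("TargetImage"), INJECT_TARGETS)
                 and not matches_any(ev.get("SourceImage"), INJECT_ALLOWLIST))
    if not (cookie_access or injection):
        return None
    # One record is either EventID 11 or 10, so only two labels are reachable.
    proc = ev.get("Image") if code == "11" else ev.get("SourceImage")
    return {
        "Computer": ev.get("Computer"),
        "DetectionType": "BrowserCookieFileAccess" if cookie_access else "BrowserProcessInjection",
        "SuspiciousProcess": proc,
        "TargetDetail": ev.get("TargetFilename") if code == "11" else ev.get("TargetImage"),
        "IsScriptHost": int(matches_any(proc, SCRIPT_HOSTS)),
    }


def run_detection(events_xml):
    """Apply classify() to every event and keep only the hits, in input order."""
    return [row for row in (classify(parse_sysmon_event(x)) for x in events_xml) if row]


def sysmon_xml(event_id, computer, **data):
    """Build a minimal Sysmon-shaped event (constructed sample, not real telemetry)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{body}</EventData></Event>')


PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network"
SAMPLE_EVENTS = [
    # 1. Chrome writing its own cookie store: benign, removed by the allowlist.
    sysmon_xml(11, "WS01", Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               TargetFilename=PROFILE + r"\Cookies"),
    # 2. A Python interpreter creating a file in the profile: flagged, script host.
    sysmon_xml(11, "WS01", Image=r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python.exe",
               TargetFilename=PROFILE + r"\Cookies"),
    # 3. cmd.exe copying Cookies out to %TEMP% (the Test 1 pattern). Sysmon logs the
    #    destination create only, so the profile-path filter does not fire here.
    sysmon_xml(11, "WS01", Image=r"C:\Windows\System32\cmd.exe",
               TargetFilename=r"C:\Users\alice\AppData\Local\Temp\df00tech_test_cookies.db"),
    # 4. rundll32.exe opening a full-access handle to chrome.exe: flagged.
    sysmon_xml(10, "WS02", SourceImage=r"C:\Windows\System32\rundll32.exe",
               TargetImage=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               GrantedAccess="0x1FFFFF"),
    # 5. Chrome processes accessing each other: removed by the allowlist.
    sysmon_xml(10, "WS02", SourceImage=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               TargetImage=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               GrantedAccess="0x1000"),
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running the block prints two rows: the python.exe write into the Chrome profile (IsScriptHost 1) and the rundll32.exe handle to chrome.exe. The cmd.exe copy-out in event 3 is silently dropped, which is the gap the description warns about; extending COOKIE_STORES to match the destination name, or adding a second rule on Event 11 with a `*Cookies*` name pattern regardless of path, is the usual fix.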

Data Sources

Windows Sysmon via Sumo Logic Installed Collector
Sumo Logic Cloud SIEM Enterprise (CSE)

Required Tables

_sourceCategory=windows/sysmon

False Positives & Tuning

  • Endpoint backup agents (e.g., CrashPlan, Acronis) that perform file-level backups of the entire user profile, including browser directories; scope exclusions to the backup agent process names
  • Developer tools or testing frameworks that automate browser sessions using ChromeDriver or geckodriver may trigger the process-access detection; allowlist known CI/CD or test-automation process names
  • Browser profile roaming solutions in enterprise VDI environments (e.g., Citrix Profile Management, FSLogix) that copy or mount user profile containers, including browser data, at logon
  • Sysmon Event 10 fires on any handle open to the target process; to cut noise, restrict on GrantedAccess bits that matter for credential theft, such as PROCESS_VM_READ (0x0010), PROCESS_VM_WRITE (0x0020), PROCESS_VM_OPERATION (0x0008) and PROCESS_CREATE_THREAD (0x0002), rather than alerting on query-only access
Testing Methodology

Validate this detection with the four Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Tests 1 to 3 run on Windows; Test 4 is a Linux variant and is outside the scope of the Sysmon-based query above.

  1. Test 1: Copy Chrome Cookie Database via CMD

    Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename=%TEMP%\df00tech_test_cookies.db, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FileName=df00tech_test_cookies.db, FolderPath containing Chrome\User Data, InitiatingProcessFileName=cmd.exe. Sysmon records only the destination create; the read of the source Cookies file appears as a separate file-access event only in EDR telemetry that logs file reads, initiated by cmd.exe.

  2. Test 2: Extract Chrome Cookies and Local State via PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing Chrome\User Data and Copy-Item. Sysmon Event ID 11: Two FileCreate events — TargetFilename containing df00tech_chrome\LocalState and df00tech_chrome\Cookies, Image=powershell.exe. DeviceFileEvents: Two file access events for Local State and Cookies files, InitiatingProcessFileName=powershell.exe.

  3. Test 3: Read Firefox Cookie Database via sqlite3

    Expected signal: Sysmon Event ID 1: sqlite3.exe Process Create with CommandLine containing Firefox\Profiles, cookies.sqlite, and SELECT. Sysmon Event ID 11: TargetFilename=%TEMP%\df00tech_ff_cookies.txt, Image=sqlite3.exe. DeviceProcessEvents: FileName=sqlite3.exe, ProcessCommandLine contains moz_cookies. DeviceFileEvents: sqlite3.exe accessing cookies.sqlite within Firefox Profiles path.

  4. Test 4: Linux Firefox Cookie Theft via File Copy

    Expected signal: Linux auditd: syscall=openat with path containing .mozilla/firefox and cookies.sqlite, and syscall=open/write for /tmp/df00tech_ff_linux_cookies.sqlite. Syslog/auditd: process cp accessing Firefox profile path. Linux EDR agents: file access event for cookies.sqlite initiated by cp process.
