Detect Web Session Cookie in Splunk
Adversaries steal and reuse valid web session cookies to authenticate to web applications and cloud services, effectively bypassing multi-factor authentication. Because a session cookie represents a completed authentication event, presenting it lets an adversary impersonate the user without knowing the password or holding the MFA device. Cookies are commonly obtained via adversary-in-the-middle (AiTM) phishing frameworks such as Evilginx2, Modlishka, or Muraena, which reverse-proxy the legitimate login flow and capture the post-MFA session cookie in real time; they are also harvested from browser cookie stores by infostealers. Once imported into an attacker-controlled browser or HTTP client, the stolen cookie grants the same access the victim has to SaaS applications, cloud consoles, and email until the session expires or is revoked. Star Blizzard, the Russian state actor described in CISA advisory AA23-347a, has used EvilGinx to compromise email accounts protected by MFA.
MITRE ATT&CK
- Tactic
- Defense Evasion, Lateral Movement
- Sub-technique
- T1550.004 Web Session Cookie
- Canonical reference
- https://attack.mitre.org/techniques/T1550/004/
SPL Detection Query
index=azure sourcetype="azure:aad:signin" ResultType=0
| eval Country='LocationDetails.countryOrRegion'
| eval City='LocationDetails.city'
| eval AuthMethod=mvjoin('AuthenticationDetails{}.authenticationMethod'," | ")
| eval AuthStepResult=mvjoin('AuthenticationDetails{}.authenticationStepResultDetail'," | ")
| eval IsCookieReuse=if(match(AuthStepResult,"(?i)(previously satisfied|satisfied by claim in the token|token broker|existing token)"),1,0)
| eval IsRiskySignin=if(match(RiskLevelDuringSignIn,"(?i)(medium|high)"),1,0)
| eval IsSingleFactor=if(AuthenticationRequirement="singleFactorAuthentication",1,0)
| eval MFABypassCookie=if(IsCookieReuse=1 AND IsSingleFactor=1,1,0)
| eval SuspiciousApp=if(match(AppDisplayName,"(?i)(microsoft 365|office 365|azure portal|teams|sharepoint|onedrive|exchange|outlook|azure active directory)"),1,0)
| fields _time UserPrincipalName IPAddress Country City AppDisplayName AuthenticationRequirement AuthMethod
AuthStepResult IsCookieReuse IsRiskySignin MFABypassCookie SuspiciousApp CorrelationId
| sort 0 UserPrincipalName _time
| streamstats current=f last(Country) as PrevCountry last(_time) as PrevTime by UserPrincipalName
| eval ImpossibleTravelEvent=if(isnotnull(PrevCountry) AND Country!=PrevCountry AND (_time-PrevTime)<3600,1,0)
| stats count as SigninCount
values(Country) as Countries
values(IPAddress) as IPAddresses
values(AppDisplayName) as Apps
values(AuthMethod) as AuthMethods
dc(Country) as UniqueCountries
dc(IPAddress) as UniqueIPs
max(MFABypassCookie) as MFABypass
max(IsRiskySignin) as RiskySignin
max(ImpossibleTravelEvent) as ImpossibleTravel
max(SuspiciousApp) as SuspiciousApp
min(_time) as firstSeen
max(_time) as lastSeen
by UserPrincipalName
| eval ThreatScore=MFABypass + ImpossibleTravel + RiskySignin
| where ThreatScore>0
| eval DetectionTypes=case(
ImpossibleTravel=1 AND MFABypass=1, "ImpossibleTravel+MFABypass",
ImpossibleTravel=1, "ImpossibleTravel",
MFABypass=1, "MFABypassViaCookie",
true(), "AnomalousSignin")
| sort - ThreatScore lastSeen
| convert ctime(firstSeen) ctime(lastSeen)
| table firstSeen lastSeen UserPrincipalName DetectionTypes ThreatScore UniqueCountries Countries UniqueIPs IPAddresses Apps AuthMethods SuspiciousApp MFABypass ImpossibleTravel RiskySignin SigninCount
Detects web session cookie theft by analysing Azure AD (Microsoft Entra ID) sign-in logs ingested with the Splunk Add-on for Microsoft Azure or the Splunk Add-on for Microsoft Cloud Services (sourcetype azure:aad:signin). The search runs directly against the successful sign-in events; the Authentication data model is not needed. It identifies two primary patterns: (1) impossible travel, where consecutive successful sign-ins by the same user come from different countries less than one hour apart; and (2) MFA bypass via cookie reuse, where an authentication step was satisfied by an existing session token rather than fresh MFA and the sign-in was single-factor. Identity Protection risk (medium or high during sign-in) adds a third signal. A composite ThreatScore sums the three per user so the highest-confidence hits sort first. Field names such as LocationDetails.countryOrRegion and AuthenticationDetails{}.authenticationStepResultDetail depend on how the add-on renders the sign-in JSON; verify them against a raw event in your index before scheduling the search, and keep field names that contain dots or braces single-quoted inside eval, otherwise the search errors out or silently evaluates to null.
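To check the scoring logic offline before it goes into a scheduled search, here is an added Python model of the same three signals run over constructed sign-in records. This is example code written for this page, not part of the original detection or of any Splunk add-on. It assumes records in the Microsoft Graph signIns shape (userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode, authenticationRequirement, riskLevelDuringSignIn, authenticationDetails[].authenticationStepResultDetail); the helper _ev and the SAMPLE_SIGNINS list are constructed test data, and the one-hour travel window is a named constant so it can be tuned in one place.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same cookie-reuse pattern as the SPL, matched against every authentication step.
COOKIE_REUSE_RE = re.compile(
    r"previously satisfied|satisfied by claim in the token|token broker|existing token",
    re.IGNORECASE,
)
TRAVEL_WINDOW_SECONDS = 3600  # two countries inside this gap = impossible travel


def parse_ts(value):
    """Graph createdDateTime ('2024-05-01T08:00:00Z') -> epoch seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()


def flag_signin(ev):
    """Per-event flags mirroring the eval lines of the SPL."""
    steps = " | ".join(
        d.get("authenticationStepResultDetail", "") for d in ev.get("authenticationDetails", [])
    )
    cookie_reuse = bool(COOKIE_REUSE_RE.search(steps))
    single_factor = ev.get("authenticationRequirement") == "singleFactorAuthentication"
    return {
        "upn": ev["userPrincipalName"],
        "time": parse_ts(ev["createdDateTime"]),
        "ip": ev["ipAddress"],
        "country": ev["location"]["countryOrRegion"],
        "mfa_bypass": cookie_reuse and single_factor,
        "risky": ev.get("riskLevelDuringSignIn", "none").lower() in ("medium", "high"),
    }


def score_users(events):
    """Return {upn: summary} for every user whose ThreatScore is > 0.

    Only successful sign-ins (status.errorCode == 0) count, like ResultType=0 in the SPL.
    Impossible travel compares each sign-in with the user's previous one (the streamstats step).
    """
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("status", {}).get("errorCode", 0) == 0:
            flags = flag_signin(ev)
            per_user[flags["upn"]].append(flags)

    results = {}
    for upn, rows in per_user.items():
        rows.sort(key=lambda r: r["time"])
        travel = any(
            cur["country"] != prev["country"] and cur["time"] - prev["time"] < TRAVEL_WINDOW_SECONDS
            for prev, cur in zip(rows, rows[1:])
        )
        mfa_bypass = any(r["mfa_bypass"] for r in rows)
        risky = any(r["risky"] for r in rows)
        score = int(mfa_bypass) + int(travel) + int(risky)
        if score == 0:
            continue
        if travel and mfa_bypass:
            kind = "ImpossibleTravel+MFABypass"
        elif travel:
            kind = "ImpossibleTravel"
        elif mfa_bypass:
            kind = "MFABypassViaCookie"
        else:
            kind = "AnomalousSignin"
        results[upn] = {
            "ThreatScore": score,
            "DetectionTypes": kind,
            "Countries": sorted({r["country"] for r in rows}),
            "IPAddresses": sorted({r["ip"] for r in rows}),
            "SigninCount": len(rows),
        }
    return results


def _ev(upn, ts, ip, country, requirement, steps, risk="none", error=0):
    """Build a constructed sign-in record in the Graph signIns shape (test data, not tenant logs)."""
    return {
        "userPrincipalName": upn, "createdDateTime": ts, "ipAddress": ip,
        "location": {"countryOrRegion": country}, "status": {"errorCode": error},
        "authenticationRequirement": requirement, "riskLevelDuringSignIn": risk,
        "authenticationDetails": [{"authenticationStepResultDetail": s} for s in steps],
    }


# Constructed sample (RFC 5737 addresses): alice's post-MFA session is replayed from
# another country 12 minutes later as a single-factor sign-in satisfied by the token;
# bob signs in normally; carol's sign-in failed; dave is flagged risky only.
SAMPLE_SIGNINS = [
    _ev("alice@example.com", "2024-05-01T08:00:00Z", "203.0.113.10", "NL", "multiFactorAuthentication",
        ["Correct password", "MFA completed in Azure AD"]),
    _ev("alice@example.com", "2024-05-01T08:12:00Z", "198.51.100.7", "RU", "singleFactorAuthentication",
        ["First factor requirement satisfied by claim in the token"]),
    _ev("bob@example.com", "2024-05-01T09:00:00Z", "192.0.2.44", "DE", "multiFactorAuthentication",
        ["Correct password", "MFA completed in Azure AD"]),
    _ev("carol@example.com", "2024-05-01T09:05:00Z", "198.51.100.9", "BR", "singleFactorAuthentication",
        ["Invalid username or password"], error=50126),
    _ev("dave@example.com", "2024-05-01T09:30:00Z", "192.0.2.80", "DE", "multiFactorAuthentication",
        ["Correct password", "MFA completed in Azure AD"], risk="high"),
]

if __name__ == "__main__":
    ranked = sorted(score_users(SAMPLE_SIGNINS).items(), key=lambda kv: -kv[1]["ThreatScore"])
    for upn, summary in ranked:
        print(upn, summary)
```

Feeding a handful of exported sign-in events through score_users is a quick way to confirm that your tenant's step-result strings actually match COOKIE_REUSE_RE before trusting the SPL version of the regex.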
Data Sources
Required Sourcetypes
- azure:aad:signin (Azure AD / Microsoft Entra ID sign-in logs, ingested via the Splunk Add-on for Microsoft Azure or the Splunk Add-on for Microsoft Cloud Services)
False Positives & Tuning
- VPN users whose authentication origin IP and browsing IP differ across countries
- Users near national borders frequently crossing authentication geolocation boundaries
- Shared service accounts or emergency access accounts accessed from multiple locations
- Legitimate persistent session policies configured in Azure AD Conditional Access allowing long-lived tokens; note also that every SSO hop from a Microsoft Entra joined or registered device holding a Primary Refresh Token reports MFA as satisfied by a claim in the token, so the cookie-reuse flag on its own should never page anyone and is only scored in combination with a single-factor sign-in
- Travel scenarios where users authenticate legitimately from multiple locations within a workday
Testing Methodology
Validate this detection against the four Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Extract Chrome Session Cookies Using SQLite (Windows)
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename %TEMP%\stolen_cookies.db created by cmd.exe or powershell.exe. Sysmon Event ID 1 (ProcessCreate): powershell.exe with a CommandLine referencing 'SQLiteConnection' and 'Cookies'. Security Event ID 4663 (object access) if a SACL is configured on the Chrome profile directory. Sysmon Event ID 10 (ProcessAccess) records one process opening a handle to another process, not file contention, so it does not fire for this step even if Chrome is running.
- Test 2: Replay Stolen Session Cookie via Python Requests
Expected signal: Outbound TCP connection from python3 to httpbin.org on port 443. Linux audit log (auditd): SYSCALL records for socket/connect from the python3 process. EDR or proxy telemetry showing python3 making outbound HTTPS connections. The Cookie and User-Agent headers travel inside TLS, so the mismatch between a Windows-browser User-Agent and a Python client (an OS/client mismatch indicator) is visible only on the server side, in the application's access or sign-in logs, or at a TLS-inspecting proxy.
- Test 3: Import Cookie to Browser via EditThisCookie and Access Authenticated Session
Expected signal: Sysmon Event ID 1 (ProcessCreate): python3.exe or a Playwright-launched browser process started with CDP (remote-debugging) flags. Sysmon Event ID 3 (NetworkConnect): connection from the Chromium subprocess to httpbin.org on port 443. Sysmon Event ID 11 (FileCreate) or 23 (FileDelete) for the Playwright browser profile and cache. Security Event ID 4688 if process creation auditing is enabled.
- Test 4: Simulate AiTM Cookie Theft Detection via Impossible Travel Pattern
Expected signal: Azure AD sign-in logs (SigninLogs): two non-interactive token-use events for the same user against Microsoft Graph within seconds of each other, from different source IPs and countries. OfficeActivity or CloudAppEvents: MailItemsAccessed or ListMessages operations from the Graph API call. Azure AD audit logs: token issued and used for mail access.
References (10)
- https://attack.mitre.org/techniques/T1550/004/
- https://wunderwuzzi23.github.io/blog/passthecookie.html
- https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-cloudappevents-table
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailitemsaccessed
- https://github.com/kgretzky/evilginx2
- https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/how-to-break-the-aitm-phishing-chain/ba-p/3557300