title: Steal Web Session Cookie (T1539)
id: df00tech-t1539
status: experimental
description: "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Session cookies can be found on disk in browser profile directories (SQLite databases), in the process memory of the browser, and in network traffic to remote systems. Tools such as Evilginx2 and Muraena act as adversary-in-the-middle proxies to capture session cookies from victims directed to phishing domains without the victim's endpoint ever being directly compromised. Malware families including Raccoon Stealer, QakBot, Spica, CookieMiner, Grandoreiro, and EVILNUM specifically target browser cookie stores for theft. Stolen session cookies can bypass multi-factor authentication by reusing authenticated sessions, enabling account takeover without requiring credentials."
references:
  - https://attack.mitre.org/techniques/T1539/
  - https://df00tech.com/detections/T1539
author: df00tech
date: 2026/04/20
tags:
  - attack.t1539
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Enterprise backup agents (Acronis, Commvault, Veeam) reading browser profile directories as part of user data backup — typically run under service accounts from known backup process names"
  - "IT asset management or software inventory agents (SCCM, Tanium) enumerating browser profile directories to report installed browser versions"
  - Endpoint DLP solutions that monitor file access patterns for sensitive data leaving the browser profile directory
  - "Browser profile migration or sync utilities (e.g., migration tools used during workstation refresh) that legitimately copy cookie stores between profiles"
  - Anti-malware scanners performing scheduled or on-demand scans of browser profile directories for known malware signatures
  - "Developer tooling performing automated browser testing (Selenium WebDriver, Playwright) that may read or write browser profile data"
level: high