title: Web Cookies (T1606.001)
id: df00tech-t1606-001
status: experimental
description: "Adversaries may forge web cookies to gain unauthorized access to web applications or internet services. Unlike cookie theft (T1539), forged cookies are newly crafted by the adversary using stolen cryptographic material such as HMAC signing keys, private keys, or application secrets. Common targets include JWT bearer tokens, Flask session cookies (signed with itsdangerous using SECRET_KEY), Django session tokens, and platform-specific SaaS session identifiers. Because forged cookies appear as valid, trusted session credentials, they can bypass multi-factor authentication — the application trusts the cookie without re-challenging the user. The SolarWinds (SUNBURST) attack demonstrated this technique at scale when UNC2452/Dark Halo forged SAML assertion cookies after stealing ADFS signing certificates, enabling persistent access to cloud tenants that bypassed MFA entirely. Detection focuses on authentication anomalies in identity provider logs (sessions appearing from new locations without prior interactive authentication), endpoint activity where signing key material is accessed prior to token generation, and web server log patterns indicating session anomalies such as the same session ID appearing from multiple IPs."
references:
  - https://attack.mitre.org/techniques/T1606/001/
  - https://df00tech.com/detections/T1606.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1606.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Corporate VPN users whose traffic egresses through shared or anonymized IP ranges — establish Conditional Access Named Locations for known corporate VPN egress IPs and exclude them from Branch 2
  - Mobile or desktop applications using OAuth token refresh flows that generate non-interactive sign-ins from changing IPs as users roam between WiFi and cellular networks — review DeviceDetail and AppDisplayName to confirm legitimate client patterns
  - Office 365 service accounts and automation scripts performing scheduled tasks can trigger non-interactive high-risk sign-in signals due to unusual IP ranges or off-hours scheduling
  - Users with international travel whose sessions span multiple countries — correlate with HR travel records or look for preceding interactive re-authentication events
  - "Azure AD Identity Protection 'anomalousToken' risk detail may fire on legitimate tokens issued by older authentication library versions that produce non-standard claim structures"
level: high
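
The two web-server/identity-log patterns named in the description (the same session ID seen from multiple IPs, and a non-interactive sign-in from a location where the session was never interactively authenticated) can be prototyped over raw log lines before being ported to KQL/SPL. The following is an added example and not the df00tech rule's own query; the log lines are constructed sample data, and the field names (`user`, `session`, `ip`, `country`, `interactive`) are assumptions rather than any real product schema.

```python
"""Added example (not part of the df00tech rule or its df00tech.com query).

Heuristics for two of the session anomalies the rule description calls out:
  1. one session ID observed from more than one source IP within a short window;
  2. a non-interactive sign-in for a session that has no earlier interactive
     (MFA-challenged) sign-in from the same country.
All log lines below are constructed sample data with an assumed
'timestamp key=value ...' layout.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: alice's session s-1001 later appears from a second
# IP in a country where she never completed an interactive sign-in; carol's
# session s-3003 has no interactive sign-in at all.
SAMPLE_LOG = """\
2026-03-13T08:00:02Z user=alice session=s-1001 ip=203.0.113.10 country=US interactive=true
2026-03-13T08:05:10Z user=alice session=s-1001 ip=203.0.113.10 country=US interactive=false
2026-03-13T08:30:00Z user=alice session=s-1001 ip=198.51.100.77 country=RO interactive=false
2026-03-13T09:00:00Z user=bob session=s-2002 ip=192.0.2.5 country=DE interactive=true
2026-03-13T09:10:00Z user=bob session=s-2002 ip=192.0.2.5 country=DE interactive=false
2026-03-13T09:15:00Z user=carol session=s-3003 ip=198.51.100.9 country=BR interactive=false
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session: str
    ip: str
    country: str
    interactive: bool


def parse_log(text: str) -> list[SignIn]:
    """Parse the constructed 'ts key=value ...' lines into time-ordered records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        events.append(SignIn(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            user=kv["user"],
            session=kv["session"],
            ip=kv["ip"],
            country=kv["country"],
            interactive=kv["interactive"].lower() == "true",
        ))
    events.sort(key=lambda e: e.ts)
    return events


def multi_ip_sessions(events: list[SignIn], window=timedelta(hours=1)) -> dict[str, list[str]]:
    """Return {session_id: sorted IPs} for sessions seen from >1 IP within `window`."""
    by_session: dict[str, list[SignIn]] = defaultdict(list)
    for e in events:
        by_session[e.session].append(e)
    flagged = {}
    for sid, evs in by_session.items():
        for i, first in enumerate(evs):
            ips = {first.ip}
            for later in evs[i + 1:]:
                if later.ts - first.ts > window:
                    break
                ips.add(later.ip)
            if len(ips) > 1:
                flagged[sid] = sorted(ips)
                break
    return flagged


def no_prior_interactive(events: list[SignIn]) -> list[tuple[str, str, str, str]]:
    """Return (session, user, ip, country) for non-interactive sign-ins whose
    session has no earlier interactive sign-in from that country."""
    seen: dict[str, set[str]] = defaultdict(set)  # session -> countries with interactive auth
    findings = []
    for e in events:  # already time-ordered by parse_log
        if e.interactive:
            seen[e.session].add(e.country)
        elif e.country not in seen[e.session]:
            findings.append((e.session, e.user, e.ip, e.country))
    return findings


def detect(text: str) -> dict:
    """Run both heuristics over a log text and return the findings."""
    events = parse_log(text)
    return {
        "multi_ip": multi_ip_sessions(events),
        "no_prior_interactive": no_prior_interactive(events),
    }


if __name__ == "__main__":
    for kind, items in detect(SAMPLE_LOG).items():
        print(kind, items)
```

Both heuristics are deliberately simple baselines: the IP-window check should be tuned per environment (the false positives above list VPN egress pools and roaming mobile clients), and the "no prior interactive sign-in" check keys on country only; a production version would compare against Named Locations or a per-user device/location baseline instead.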
