{'created': '2020-01-30T17:48:49.395Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries can use stolen session cookies to authenticate to '
                'web applications and services. This technique bypasses some '
                'multi-factor authentication protocols since the session is '
                'already authenticated.(Citation: Pass The Cookie)\n'
                '\n'
                'Authentication cookies are commonly used in web applications, '
                'including cloud-based services, after a user has '
                'authenticated to the service so credentials are not passed '
                'and re-authentication does not need to occur as frequently. '
                'Cookies are often valid for an extended period of time, even '
                'if the web application is not actively used. After the cookie '
                'is obtained through [Steal Web Session '
                'Cookie](https://attack.mitre.org/techniques/T1539) or [Web '
                'Cookies](https://attack.mitre.org/techniques/T1606/001), the '
                'adversary may then import the cookie into a browser they '
                'control and is then able to use the site or application as '
                'the user for as long as the session cookie is active. Once '
                'logged into the site, an adversary can access sensitive '
                'information, read email, or perform actions that the victim '
                'account has permissions to perform.\n'
                '\n'
                'There have been examples of malware targeting session cookies '
                'to bypass multi-factor authentication systems.(Citation: Unit '
                '42 Mac Crypto Cookies January 2019)',
 'external_references': [{'external_id': 'T1550.004',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1550/004'},
                         {'description': 'Chen, Y., Hu, W., Xu, Z., et. al. '
                                         '(2019, January 31). Mac Malware '
                                         'Steals Cryptocurrency Exchanges’ '
                                         'Cookies. Retrieved October 14, 2019.',
                          'source_name': 'Unit 42 Mac Crypto Cookies January '
                                         '2019',
                          'url': 'https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/'},
                         {'description': 'Rehberger, J. (2018, December). '
                                         'Pivot to the Cloud using Pass the '
                                         'Cookie. Retrieved April 5, 2019.',
                          'source_name': 'Pass The Cookie',
                          'url': 'https://wunderwuzzi23.github.io/blog/passthecookie.html'}],
 'id': 'attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'lateral-movement'}],
 'modified': '2025-10-24T17:49:20.943Z',
 'name': 'Web Session Cookie',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Johann Rehberger', 'Jack Burns, HubSpot'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['SaaS', 'IaaS', 'Office Suite'],
 'x_mitre_version': '1.5'}