MITRE ATT&CK Technique
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-10-08T20:04:35.508Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'An adversary may steal web application or service session '
'cookies and use them to gain access to web applications or '
'Internet services as an authenticated user without needing '
'credentials. Web applications and services often use session '
'cookies as an authentication token after a user has '
'authenticated to a website.\n'
'\n'
'Cookies are often valid for an extended period of time, even '
'if the web application is not actively used. Cookies can be '
'found on disk, in the process memory of the browser, and in '
'network traffic to remote systems. Additionally, other '
'applications on the targets machine might store sensitive '
'authentication cookies in memory (e.g. apps which '
'authenticate to cloud services). Session cookies can be used '
'to bypasses some multi-factor authentication '
'protocols.(Citation: Pass The Cookie)\n'
'\n'
'There are several examples of malware targeting cookies from '
'web browsers on the local system.(Citation: Kaspersky '
'TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies '
'January 2019) Adversaries may also steal cookies by injecting '
'malicious JavaScript content into websites or relying on '
'[User Execution](https://attack.mitre.org/techniques/T1204) '
'by tricking victims into running malicious JavaScript in '
'their browser.(Citation: Talos Roblox Scam 2023)(Citation: '
'Krebs Discord Bookmarks 2023)\n'
'\n'
'There are also open source frameworks such as `Evilginx2` and '
'`Muraena` that can gather session cookies through a malicious '
'proxy (e.g., '
'[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) '
'that can be set up by an adversary and used in phishing '
'campaigns.(Citation: Github evilginx2)(Citation: GitHub '
'Mauraena)\n'
'\n'
'After an adversary acquires a valid cookie, they can then '
'perform a [Web Session '
'Cookie](https://attack.mitre.org/techniques/T1550/004) '
'technique to login to the corresponding web application.',
'external_references': [{'external_id': 'T1539',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1539'},
{'description': 'Brian Krebs. (2023, May 30). Discord '
'Admins Hacked by Malicious '
'Bookmarks. Retrieved January 2, '
'2024.',
'source_name': 'Krebs Discord Bookmarks 2023',
'url': 'https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/'},
{'description': 'Chen, Y., Hu, W., Xu, Z., et. al. '
'(2019, January 31). Mac Malware '
'Steals Cryptocurrency Exchanges’ '
'Cookies. Retrieved October 14, 2019.',
'source_name': 'Unit 42 Mac Crypto Cookies January '
'2019',
'url': 'https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/'},
{'description': 'GReAT. (2019, April 10). Project '
'TajMahal – a sophisticated new APT '
'framework. Retrieved October 14, '
'2019.',
'source_name': 'Kaspersky TajMahal April 2019',
'url': 'https://securelist.com/project-tajmahal/90240/'},
{'description': 'Gretzky, Kuba. (2019, April 10). '
'Retrieved October 8, 2019.',
'source_name': 'Github evilginx2',
'url': 'https://github.com/kgretzky/evilginx2'},
{'description': 'Orrù, M., Trotta, G.. (2019, '
'September 11). Muraena. Retrieved '
'October 14, 2019.',
'source_name': 'GitHub Mauraena',
'url': 'https://github.com/muraenateam/muraena'},
{'description': 'Rehberger, J. (2018, December). '
'Pivot to the Cloud using Pass the '
'Cookie. Retrieved April 5, 2019.',
'source_name': 'Pass The Cookie',
'url': 'https://wunderwuzzi23.github.io/blog/passthecookie.html'},
{'description': 'Tiago Pereira. (2023, November 2). '
'Attackers use JavaScript URLs, API '
'forms and more to scam users in '
'popular online game “Roblox”. '
'Retrieved January 2, 2024.',
'source_name': 'Talos Roblox Scam 2023',
'url': 'https://blog.talosintelligence.com/roblox-scam-overview/'}],
'id': 'attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:48:25.272Z',
'name': 'Steal Web Session Cookie',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Microsoft Threat Intelligence Center (MSTIC)',
'Johann Rehberger',
'Menachem Goldstein',
'Don Le, Stifel Financial'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'Office Suite', 'SaaS', 'Windows', 'macOS'],
'x_mitre_version': '1.5'}