web session Cookie

攻击者可以使用被盗的会话cookie来对Web应用程序和服务进行身份验证。由于会话已通过身份验证，因此该技术绕过了一些多因素身份验证协议。

用户对服务进行身份验证后，身份验证cookie通常在Web应用程序（包括基于云的服务）中使用，因此无需传递凭据，也不需要频繁进行重新身份验证。即使没有积极使用Web应用程序，Cookie通常也可以长期有效。通过Steal Web Session Cookie(T1539)获得cookie之后(T1539)，对手将cookie导入到他们控制的浏览器中，并且只要会话cookie处于活动状态，便能够以用户身份使用该站点或应用程序。一旦登录到站点，攻击者就可以访问敏感信息，阅读电子邮件或执行受害者帐户有权执行的操作。

有针对会话cookie绕过多因素身份验证系统的恶意软件示例。

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.

Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie(T1539), the adversary then imports the cookie into a browser they control and is able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems

标签

ID编号： T1506

策略：绕过防御，横向移动

平台： Office 365，SaaS

数据源： 身份验证日志，Office 365帐户日志

绕过防御： 登录凭据，多因素身份验证

缓解措施

缓解	描述
软件配置 (M1054)	配置浏览器或任务以定期删除持久性cookie。

Mitigation	Description
Software Configuration (M1054)	Configure browsers or tasks to regularly delete persistent cookies.

检测

监视同一用户在不同位置或与预期配置不匹配的不同系统对网站和基于云的应用程序的异常访问。

Monitor for anomalous access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.