盗取Web会话Cookie

攻击者可能会窃取Web应用程序或服务会话cookie，并以身份验证的用户身份使用它们来获取访问Web应用程序或Internet服务的权限，而无需凭据。用户对网站进行身份验证后，Web应用程序和服务通常将会话cookie用作身份验证令牌。

即使没有积极使用Web应用程序，Cookie通常也可以长期有效。Cookies可以在磁盘上，浏览器的进程内存中以及到远程系统的网络流量中找到。此外，目标计算机上的其他应用程序可能会将敏感的身份验证Cookie存储在内存中（例如，对云服务进行身份验证的应用程序）。会话cookie可用于绕过某些多因素身份验证协议。

有几个通过本地系统上的Web浏览器将Cookie定位为恶意软件的示例。还有诸如Evilginx 2和Mauraena之类的开源框架，它们可以通过中间人代理收集会话cookie，中间人代理可以由对手设置并用于网络钓鱼活动。

对手获取有效的Cookie后，他们可以执行Web会话Cookie(T1506)技术以登录到相应的Web应用程序。

An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.

There are several examples of malware targeting cookies from web browsers on the local system.There are also open source frameworks such as Evilginx 2 and Mauraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns.[

After an adversary acquires a valid cookie, they can then perform a Web Session Cookie(T1506) technique to login to the corresponding web application.

标签

ID编号： T1539

策略： 凭证访问

平台： Linux，macOS，Windows，Office 365，SaaS

所需权限： user

数据源： 文件监视，API监视

缓解措施

缓解	描述
多因素认证 (M1032)	使用目标登录域作为协商协议一部分的物理第二因素密钥将防止通过代理方法盗用会话cookie。
软件配置 (M1054)	配置浏览器或任务以定期删除持久性cookie。
用户培训 (M1017)	培训用户以识别网络钓鱼尝试的各个方面，在这些方面中，要求用户在其所登录应用程序的域不正确的站点中输入凭据。

Mitigation	Description
Multi-factor Authentication(M1032)	A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.
Software Configuration(M1054)	Configure browsers or tasks to regularly delete persistent cookies.
User Training (M1017)	Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into

检测

监视访问本地系统上用于存储浏览器会话cookie的文件和存储库的尝试。监视程序是否尝试将其插入或转储浏览器进程内存。

Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory.