MITRE ATT&CK® Detection Strategy

DET0074: Detect Use of Stolen Web Session Cookies Across Platforms

Domain: Enterprise | ID: DET0074 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is about recognizing when a stolen authenticated web session cookie is reused to access cloud or web services. The business significance is that this can let an adversary appear as a legitimate user and may bypass some MFA prompts because the session is already authenticated. For leaders, the key question is whether identity, SaaS, Office Suite, and IaaS access logs can show when a session behaves differently from the user’s normal pattern across services.

Executive priority

Prioritize this where business operations depend on SaaS, Office Suite, or IaaS access and where lateral movement through authenticated web sessions would create material risk. Executive review should focus on whether the organization can prove session activity, investigate suspicious session reuse quickly, and revoke or contain affected sessions during an incident. This also supports audit and compliance conversations around identity monitoring, MFA limitations, and incident response readiness.

Technical view

The supplied ATT&CK relationship says this strategy detects T1550.004 Web Session Cookie, a sub-technique of T1550 Use Alternate Authentication Material that ATT&CK lists for the IaaS, Office Suite, and SaaS platforms and ties to lateral movement. Because the detection strategy object does not carry official detection logic, SOC and detection teams should validate whether they collect enough authentication, session, user, device, IP, and cloud application telemetry to distinguish normal session continuity from suspicious cookie reuse. IR teams should confirm they can correlate a session identifier (or an equivalent access event) across identity providers and cloud services, and that they can revoke sessions when warranted.

Likely telemetry

  • Identity provider sign-in and session logs
  • SaaS and Office Suite audit logs
  • IaaS control-plane authentication and access logs
  • User, device, browser, IP address, geolocation, and user-agent context associated with web sessions
  • Session creation, refresh, reuse, and termination events where available

Detection direction

  • Validate visibility into authenticated web sessions for the related platforms: IaaS, Office Suite, and SaaS.
  • Look for session activity that is inconsistent with the user’s expected device, location, network, browser, or timing, while tuning carefully for travel, VPNs, mobile networks, and shared egress points.
  • Correlate identity-provider events with downstream cloud and application audit logs; a single log source may not show enough context to judge cookie reuse.
  • Prioritize detections that support incident triage: which account, which session, which application, what access occurred, and whether MFA was recently satisfied or absent because the session was already authenticated.
  • Treat this as an identity and cloud detection engineering problem rather than only an endpoint problem, since the related technique concerns web applications and services.
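As an added, runnable illustration of the correlation the bullets above describe (example code written for this page, not MITRE's detection logic or Glexia's tooling): the script anchors each session on the identity-provider sign-in that created it, then scores every downstream SaaS, Office Suite, and IaaS event that reuses the same session identifier against that anchor. The JSON-lines schema, the session_id, ua and device_id fields, the sample log lines, and the KNOWN_EGRESS allow-list are all constructed assumptions; real telemetry needs its own field mapping. Two edge cases from the list are handled: IP drift through an allow-listed VPN or shared egress range is tolerated on its own, and a cloud event whose session id never appeared at the IdP is reported as a correlation gap rather than silently ignored.

```python
"""Added example (not MITRE's or Glexia's code): cross-platform session-reuse
detection over constructed log lines.

Assumptions (hypothetical, not any vendor's real schema):
  - The IdP sign-in event carries a session id plus the IP, user-agent and
    device context present when the session was authenticated.
  - Downstream SaaS / Office Suite / IaaS audit events carry the same session
    id (or an equivalent correlation token).
  - Corporate VPN / shared egress ranges are allow-listed.
"""
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample telemetry (JSON lines in a made-up normalized schema).
SAMPLE_LOGS = """
{"ts":"2025-03-04T08:02:11Z","source":"idp","event":"signin","user":"alice","session_id":"S-1001","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","device_id":"WIN-ALICE-01","mfa":true}
{"ts":"2025-03-04T08:05:40Z","source":"office_suite","event":"mail_read","user":"alice","session_id":"S-1001","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","device_id":"WIN-ALICE-01"}
{"ts":"2025-03-04T08:20:05Z","source":"saas","event":"file_download","user":"alice","session_id":"S-1001","ip":"198.51.100.77","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","device_id":"WIN-ALICE-01"}
{"ts":"2025-03-04T08:31:17Z","source":"iaas","event":"console_login","user":"alice","session_id":"S-1001","ip":"192.0.2.45","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/124","device_id":""}
{"ts":"2025-03-04T08:31:20Z","source":"iaas","event":"list_buckets","user":"alice","session_id":"S-1001","ip":"192.0.2.45","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/124","device_id":""}
{"ts":"2025-03-04T09:00:00Z","source":"idp","event":"signin","user":"bob","session_id":"S-2002","ip":"203.0.113.20","ua":"Mozilla/5.0 (Macintosh) Safari/17","device_id":"MAC-BOB-01","mfa":true}
{"ts":"2025-03-04T09:10:00Z","source":"saas","event":"file_download","user":"bob","session_id":"S-2002","ip":"203.0.113.20","ua":"Mozilla/5.0 (Macintosh) Safari/17","device_id":"MAC-BOB-01"}
{"ts":"2025-03-04T09:15:00Z","source":"saas","event":"file_download","user":"carol","session_id":"S-3003","ip":"192.0.2.99","ua":"curl/8.5","device_id":""}
"""

# Constructed allow-list: corporate VPN egress (IP drift into it is tolerated).
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class SessionAnchor:  # context captured at the IdP sign-in that created the session
    user: str
    ip: str
    ua: str
    device_id: str
    mfa: bool
    authenticated_at: datetime


@dataclass
class Finding:  # triage-ready: who, which session, which platform, what changed
    user: str
    session_id: str
    platform: str
    event: str
    ts: str
    reasons: List[str]
    mfa_at_signin: Optional[bool]        # None when no IdP sign-in was seen
    minutes_since_auth: Optional[float]  # None when no IdP sign-in was seen


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def in_known_egress(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def detect_session_reuse(log_text: str, threshold: int = 2) -> List[Finding]:
    """Anchor each session on its IdP sign-in, then score every downstream
    event that reuses the session id against that anchor."""
    anchors: Dict[str, SessionAnchor] = {}
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        ev = json.loads(raw)
        sid = ev["session_id"]
        if ev["source"] == "idp" and ev["event"] == "signin":
            anchors[sid] = SessionAnchor(ev["user"], ev["ip"], ev["ua"], ev["device_id"],
                                         bool(ev.get("mfa")), parse_ts(ev["ts"]))
            continue
        anchor = anchors.get(sid)
        if anchor is None:
            # Cloud/app event with no matching IdP sign-in: a logging gap or a
            # session minted outside the monitored IdP. Surface it for triage.
            findings.append(Finding(ev["user"], sid, ev["source"], ev["event"], ev["ts"],
                                    ["no identity-provider sign-in seen for this session id"],
                                    None, None))
            continue
        reasons, score = [], 0
        if ev["user"] != anchor.user:
            reasons.append(f"session issued to {anchor.user!r} used as {ev['user']!r}")
            score += 3
        if ev["ua"] != anchor.ua:
            reasons.append(f"user-agent changed: {anchor.ua!r} -> {ev['ua']!r}")
            score += 2
        if ev["device_id"] != anchor.device_id:
            reasons.append(f"device changed: {anchor.device_id!r} -> {ev['device_id']!r}")
            score += 2
        if ev["ip"] != anchor.ip and not in_known_egress(ev["ip"]):
            reasons.append(f"IP changed outside known egress: {anchor.ip} -> {ev['ip']}")
            score += 1
        if score >= threshold:
            age = (parse_ts(ev["ts"]) - anchor.authenticated_at).total_seconds() / 60
            findings.append(Finding(ev["user"], sid, ev["source"], ev["event"], ev["ts"],
                                    reasons, anchor.mfa, round(age, 1)))
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(SAMPLE_LOGS):
        print(f"{f.ts} {f.user} session={f.session_id} {f.platform}/{f.event} "
              f"mfa_at_signin={f.mfa_at_signin} age_min={f.minutes_since_auth}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample this reports three findings: two IaaS events on alice's session S-1001 from a different browser and device (MFA was satisfied at sign-in roughly 29 minutes earlier, so no fresh prompt would have been expected), and one SaaS event for a session id the IdP never issued. The download from the allow-listed egress range is not flagged. The score weights and threshold are starting points to tune against your own baseline of travel, VPN, and mobile-network behaviour.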

Mitigation priorities

  • Confirm session revocation and account containment procedures for SaaS, Office Suite, and IaaS services before an incident.
  • Harden identity controls that reduce session abuse risk, including conditional access, session lifetime policies, device trust, and reauthentication requirements where appropriate.
  • Ensure incident response playbooks include steps to invalidate sessions, review recent cloud/application activity, and assess whether lateral movement occurred.
  • Review logging retention and audit evidence requirements so investigations can reconstruct session use over the relevant period.
  • Use detection outcomes to inform identity governance and cloud security priorities rather than assuming MFA alone fully addresses this behavior.

Analyst notes and limits

MITRE provides the detection strategy name and relationship to T1550.004, but no official description or detection text for DET0074 in the supplied fields. The practical interpretation is therefore driven by the related technique: stolen web session cookies used to authenticate to web applications and services, with relevance to lateral movement across IaaS, Office Suite, and SaaS environments.

Platforms and tactics are not specified on the detection strategy object itself, and no official detection analytic is supplied. Local environment details are required to define exact log sources, field names, baselines, thresholds, and response actions. This take does not assert active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detect Use of Stolen Web Session Cookies Across Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain: Enterprise
ID: T1550.004
Name: Web Session Cookie (sub-technique)
Relationship / procedure: This object detects Web Session Cookie.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b02155be46e928ae...

Imported snapshots across ATT&CK releases (1)
Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: b02155be46e9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0074 (source URL on attack.mitre.org)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.