MITRE ATT&CK® Technique

T1550.004: Web Session Cookie

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.[1]

Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie or Web Cookies, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.[2]

Domain: Enterprise. ID: T1550.004. Type: Sub-technique. Object version: 2.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Web Session Cookie abuse matters because it can let an adversary act as an already-authenticated user in SaaS, Office Suite, or IaaS services. For leaders, the key issue is that MFA may not stop the session if the cookie was stolen after login, so resilience depends on session governance, audit visibility, and rapid revocation—not only password resets.

Executive priority

Prioritize this as an identity and cloud control validation issue. Ask whether critical web services can detect unusual reuse of authenticated sessions, revoke sessions quickly during incidents, and produce audit evidence showing who accessed sensitive data, email, or cloud resources. This technique is especially material where business operations depend on SaaS and cloud administration portals.

Technical view

Treat T1550.004 as lateral movement using alternate authentication material under T1550. Validate coverage across IaaS, Office Suite, and SaaS services for session reuse that does not follow normal user, device, network, or browser patterns. ATT&CK provides no official detection text for this object, but the relationship to DET0074 indicates a detection strategy focused on stolen web session cookies across platforms. IR playbooks should include session invalidation in addition to credential reset, because the described behavior can persist while the cookie remains active.

Likely telemetry

  • SaaS, Office Suite, and IaaS authentication and audit logs
  • Session creation, refresh, expiration, and revocation records where available
  • User, source IP, geolocation, user-agent, device, and browser context associated with web sessions
  • Cloud console and application activity logs showing actions performed after authentication
  • Email, sensitive information access, and administrative action audit events

Detection direction

  • Validate whether monitoring can identify authenticated web activity without a recent expected login or MFA event.
  • Tune for session use from unusual IPs, locations, devices, browsers, or user agents relative to the account’s normal pattern.
  • Correlate suspicious SaaS or cloud actions with session metadata rather than relying only on failed-login or MFA telemetry.
  • Account for false positives from legitimate travel, VPNs, browser updates, mobile clients, and managed service access.
  • Use relationship context carefully: ATT&CK links this technique to SolarWinds Compromise and Star Blizzard, but that should inform threat modeling, not imply current exposure or attribution in a local incident.
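As an added example that is not part of the ATT&CK object or of Glexia's analysis, the following Python script applies two of the checks above to constructed sample SaaS audit events: activity under a session identifier that has no preceding login event, and reuse of a session cookie beyond an assumed 12-hour lifetime or from a client context (source IP, user agent) different from the one the session was issued to. The event schema, the field names and the 12-hour limit are assumptions, not a real product's log format.

```python
from datetime import datetime, timedelta

# Constructed sample SaaS audit events (not real logs). Each event names the
# session it ran under; "login" events record the client context the session
# cookie was issued to.
EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "alice", "session": "s1", "type": "login",
     "ip": "203.0.113.10", "ua": "Chrome/122"},
    {"ts": "2024-03-01T08:05:00", "user": "alice", "session": "s1", "type": "read_mail",
     "ip": "203.0.113.10", "ua": "Chrome/122"},
    # the same cookie reused hours later from another host and browser
    {"ts": "2024-03-01T21:40:00", "user": "alice", "session": "s1", "type": "read_mail",
     "ip": "198.51.100.77", "ua": "Firefox/123"},
    # activity under a session id that never appears in a login event
    {"ts": "2024-03-02T03:10:00", "user": "bob", "session": "s9", "type": "export_files",
     "ip": "198.51.100.78", "ua": "curl/8.0"},
]

MAX_SESSION_AGE = timedelta(hours=12)  # assumed policy lifetime for the cookie


def find_suspicious_session_use(events, max_age=MAX_SESSION_AGE):
    """Return (session, reason, event) tuples for activity that does not fit
    the login that issued the session cookie. Events are expected in time order."""
    logins = {e["session"]: e for e in events if e["type"] == "login"}
    findings = []
    for e in events:
        if e["type"] == "login":
            continue
        login = logins.get(e["session"])
        if login is None:
            # authenticated activity with no expected login event behind it
            findings.append((e["session"], "no login event for session", e))
            continue
        age = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(login["ts"])
        if age > max_age:
            # cookie still accepted after the lifetime policy says it should expire
            findings.append((e["session"], "activity after expected session lifetime", e))
        if e["ip"] != login["ip"] or e["ua"] != login["ua"]:
            # session issued to one client context, used from another
            findings.append((e["session"], "client context differs from login", e))
    return findings


if __name__ == "__main__":
    for session, reason, event in find_suspicious_session_use(EVENTS):
        print(f"{event['ts']} {event['user']} {session}: {reason}")
```

In practice the context comparison should tolerate the legitimate variations listed above (VPN egress changes, browser updates, mobile clients), for example by comparing against an account baseline rather than a single login event.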

Mitigation priorities

  • Review software and application security configuration as reflected by mitigation M1054.
  • Shorten or risk-adjust session lifetime for high-value applications where business requirements allow.
  • Ensure administrators and incident responders can revoke active sessions across SaaS, Office Suite, and IaaS services.
  • Require stronger session controls for privileged and sensitive-data access, including device and context checks where supported.
  • Include cookie/session theft scenarios in incident response exercises so teams do not stop at password reset or MFA re-enrollment.

Analyst notes and limits

The practical decision point is whether the organization can see and terminate authenticated sessions, not just enforce initial login controls. This is a common blind spot for SOC and IR teams because cookie-based access may look like normal user activity unless session context is collected and correlated.

The supplied ATT&CK object does not include official detection text, specific data sources, or vendor implementation details. Recommendations are therefore framed as validation directions tied to the supplied platforms, tactic, description, DET0074 relationship, and M1054 mitigation relationship. Local application capabilities and log availability determine actual coverage.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

  • Enterprise, T1550, Use Alternate Authentication Material: this object is a sub-technique of Use Alternate Authentication Material.
  • Enterprise, T1506, Web Session Cookie: the earlier Web Session Cookie entry was revoked by this object.

Associated objects

Groups, software, and campaigns

Group Enterprise

G1033: Star Blizzard

Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.[1][2][3][4]

Campaign Enterprise

C0024: SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labelled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.0
Raw hash: 726791a94aa25d09...

Imported snapshots across ATT&CK releases (1):
  • Release 19.1, object version 2.0, status: current bundle, raw hash 726791a94aa2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Pass The Cookie: Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.
  2. [2] Unit 42 Mac Crypto Cookies January 2019: Chen, Y., Hu, W., Xu, Z., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges' Cookies. Retrieved October 14, 2019.
  3. [3] mitre-attack T1550.004: MITRE ATT&CK, Web Session Cookie (T1550.004).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.