{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/session-cookie/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Okta Identity Cloud"],"_cs_severities":["high"],"_cs_tags":["okta","session-cookie","credential-access"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis analytic detects the suspicious use of session cookies within Okta environments. The activity is identified by tracking multiple client attribute changes (IP address, User Agent, OS) associated with the same device token and user. This behavior is indicative of an attacker attempting to reuse stolen session cookies. The detection leverages Okta policy evaluation events (policy.evaluate_sign_on) and filters for successful authentication attempts to identify deviations in user behavior. The scope includes any organization using Okta for identity management. Defenders should be aware of this technique as it can bypass multi-factor authentication, granting unauthorized access to user accounts and sensitive resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a valid Okta session cookie (e.g., via malware or phishing).\u003c/li\u003e\n\u003cli\u003eAttacker attempts to authenticate to Okta using the stolen session cookie.\u003c/li\u003e\n\u003cli\u003eOkta generates a policy evaluation event (policy.evaluate_sign_on) upon successful authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates subsequent login attempts from a different IP address than the original session.\u003c/li\u003e\n\u003cli\u003eThe attacker may also change the User-Agent string (browser/OS) to further mask their activity.\u003c/li\u003e\n\u003cli\u003eOkta logs these changes in client attributes (client.ipAddress, client.userAgent) associated with the same device token (debugContext.debugData.dtHash).\u003c/li\u003e\n\u003cli\u003eThe detection identifies the multiple client attribute changes, specifically IP address, browser, and OS.\u003c/li\u003e\n\u003cli\u003eIf the activity is not authorized, the attacker gains unauthorized access to the user's Okta account, potentially leading to further lateral movement and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Okta accounts can lead to significant data breaches and unauthorized access to sensitive applications and resources. Attackers can leverage these accounts for lateral movement within the network and access confidential data stored within cloud applications. The number of affected users depends on the scope of the compromised Okta tenant. Organizations in all sectors are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOkta Suspicious Session Cookie Use\u003c/code\u003e to your SIEM and tune for your environment to detect the described activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eOkta Suspicious Session Cookie Use\u003c/code\u003e rule, focusing on identifying the source of the session cookie theft and any subsequent unauthorized access.\u003c/li\u003e\n\u003cli\u003eEnsure that Okta logs, specifically \u003ccode\u003eOktaIm2\u003c/code\u003e logs, are being ingested through the Splunk Add-on for Okta Identity Cloud to enable the detection (reference: \u003ca href=\"https://splunkbase.splunk.com/app/6553)\"\u003ehttps://splunkbase.splunk.com/app/6553)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Okta policy evaluation events (\u003ccode\u003epolicy.evaluate_sign_on\u003c/code\u003e) for unexpected changes in client attributes (IP address, user agent) associated with the same device token.\u003c/li\u003e\n\u003cli\u003eReview Okta's risk scoring and authentication policies to strengthen defenses against session cookie theft and reuse.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-okta-session-cookie-reuse/","summary":"This detection identifies the suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user, potentially indicating credential access and unauthorized account access.","title":"Okta Suspicious Session Cookie Use","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-session-cookie-reuse/"}],"language":"en","title":"CraftedSignal Threat Feed - Session-Cookie","version":"https://jsonfeed.org/version/1.1"}