<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Session-Cookie - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/session-cookie/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/session-cookie/feed.xml" rel="self" type="application/rss+xml"/><item><title>Okta Suspicious Session Cookie Use</title><link>https://feed.craftedsignal.io/briefs/2024-01-okta-session-cookie-reuse/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-okta-session-cookie-reuse/</guid><description>This detection identifies the suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user, potentially indicating credential access and unauthorized account access.</description><content:encoded><![CDATA[<p>This analytic detects the suspicious use of session cookies within Okta environments. The activity is identified by tracking multiple client attribute changes (IP address, User Agent, OS) associated with the same device token and user. This behavior is indicative of an attacker attempting to reuse stolen session cookies. The detection leverages Okta policy evaluation events (policy.evaluate_sign_on) and filters for successful authentication attempts to identify deviations in user behavior. The scope includes any organization using Okta for identity management. Defenders should be aware of this technique as it can bypass multi-factor authentication, granting unauthorized access to user accounts and sensitive resources.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to a valid Okta session cookie (e.g., via malware or phishing).</li>
<li>Attacker attempts to authenticate to Okta using the stolen session cookie.</li>
<li>Okta generates a policy evaluation event (policy.evaluate_sign_on) upon successful authentication.</li>
<li>The attacker initiates subsequent login attempts from a different IP address than the original session.</li>
<li>The attacker may also change the User-Agent string (browser/OS) to further mask their activity.</li>
<li>Okta logs these changes in client attributes (client.ipAddress, client.userAgent) associated with the same device token (debugContext.debugData.dtHash).</li>
<li>The detection identifies the multiple client attribute changes, specifically IP address, browser, and OS.</li>
<li>If the activity is not authorized, the attacker gains unauthorized access to the user's Okta account, potentially leading to further lateral movement and data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised Okta accounts can lead to significant data breaches and unauthorized access to sensitive applications and resources. Attackers can leverage these accounts for lateral movement within the network and access confidential data stored within cloud applications. The number of affected users depends on the scope of the compromised Okta tenant. Organizations in all sectors are potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Okta Suspicious Session Cookie Use</code> to your SIEM and tune for your environment to detect the described activity.</li>
<li>Investigate any alerts generated by the <code>Okta Suspicious Session Cookie Use</code> rule, focusing on identifying the source of the session cookie theft and any subsequent unauthorized access.</li>
<li>Ensure that Okta logs, specifically <code>OktaIm2</code> logs, are being ingested through the Splunk Add-on for Okta Identity Cloud to enable the detection (reference: <a href="https://splunkbase.splunk.com/app/6553)">https://splunkbase.splunk.com/app/6553)</a>.</li>
<li>Monitor Okta policy evaluation events (<code>policy.evaluate_sign_on</code>) for unexpected changes in client attributes (IP address, user agent) associated with the same device token.</li>
<li>Review Okta's risk scoring and authentication policies to strengthen defenses against session cookie theft and reuse.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>okta</category><category>session-cookie</category><category>credential-access</category></item></channel></rss>