T1539 – Steal Web Session Cookie (Zscaler Detection)

Zscaler Alert Details
Alert ID: ZSCALER-COOKIE-STEAL-1539-7842
Alert Time: 2024-02-21 10:30:22 EST
Severity: HIGH (88/100)
Source: Zscaler Internet Access (ZIA)
Rule: “Suspicious Outbound Traffic – Session Cookie Exfiltration”
MITRE ATT&CK: T1539 – Steal Web Session Cookie

Alert Details:

Detection: Outbound traffic containing session cookies to suspicious destination

User: rpatel@company.com (Raj Patel, Engineer)
Source IP: 192.168.78.45 (Internal)
Destination: 185.143.221[.]89:8080 (Bulgaria)
Time: 10:25-10:30 EST

Traffic Analysis:

HTTP POST request to http://185.143.221[.]89:8080/collect
POST body (form-encoded) contains multiple session cookies, including:
Cookie: ASP.NET_SessionId=abc123def456 (company portal)
Cookie: .AspNet.Cookies=ghi789jkl012 (Office 365)
Cookie: JSESSIONID=mnop345qrs678 (Confluence)
Cookie: sessionid=tuv901wxy234 (Jira)
Plus 9 additional cookies (13 in total; see the incident report below)

Request Details:

User-Agent: Mozilla/5.0 (compatible; CookieThief/1.0)
Referer: http://evil-site.com/stealer.js
Content-Type: application/x-www-form-urlencoded

Additional Context:

User rpatel visited compromised website earlier
Site contained JavaScript that stole cookies
Cookies valid for active sessions
Destination IP known for credential theft

Detection Logic:

Outbound traffic containing multiple session cookies
Destination not a legitimate cloud service
User-Agent indicates cookie stealing tool
Pattern matches session hijacking preparation
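The four criteria above, expressed as a scoring function and run over constructed proxy records. This is an added example, not Zscaler's rule logic (which the alert does not expose); the cookie-name list, the sanctioned-host allow-list, the User-Agent pattern and the score weights are all assumptions to be tuned to your own estate, and the three sample records are constructed, not real logs.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlparse

# Session-cookie names treated as sensitive. Assumption: the five names from this report; tune to your estate.
SESSION_COOKIE_NAMES = {"ASP.NET_SessionId", ".AspNet.Cookies", "JSESSIONID", "sessionid", "sid"}

# Hosts where a session token in a request body is expected (SSO/IdP endpoints, own portals).
# Assumption: illustrative allow-list, not a real Zscaler destination category.
SANCTIONED_HOSTS = {"login.microsoftonline.com", "company.okta.com", "portal.company.com"}

# User-Agent fragments associated with cookie-theft tooling. Assumption: the alert's UA plus a generic term.
SUSPICIOUS_UA = re.compile(r"CookieThief|stealer", re.IGNORECASE)

ALERT_THRESHOLD = 60  # assumed: raise an alert at or above this score


def find_session_cookies(decoded_body):
    """Return {cookie_name: value} for every known session cookie present in a URL-decoded POST body."""
    found = {}
    for name in SESSION_COOKIE_NAMES:
        # Require a non-name character before the cookie name so 'sid' cannot match inside another token.
        m = re.search(r"(?<![\w.\-])" + re.escape(name) + r"=([^;&\s]+)", decoded_body)
        if m:
            found[name] = m.group(1)
    return found


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_request(record):
    """Score one outbound HTTP record against the detection criteria; returns (score, reasons)."""
    url = urlparse(record["url"])
    host = url.hostname or ""
    cookies = find_session_cookies(unquote_plus(record["body"]))
    score, reasons = 0, []

    if len(cookies) >= 3:                      # criterion 1: multiple session cookies leaving the network
        score += 40
        reasons.append(f"{len(cookies)} session cookies in POST body: {sorted(cookies)}")
    elif cookies:
        score += 15
        reasons.append(f"session cookie in POST body: {sorted(cookies)}")

    if cookies and host not in SANCTIONED_HOSTS:  # criterion 2: destination is not a legitimate service
        score += 30
        reasons.append(f"destination {host} is not a sanctioned service")

    if SUSPICIOUS_UA.search(record.get("user_agent", "")):  # criterion 3: tooling User-Agent
        score += 20
        reasons.append("user-agent matches cookie-theft tooling")

    if cookies and (url.scheme == "http" or is_ip_literal(host)):  # criterion 4: hijack-prep pattern
        score += 10
        reasons.append("plaintext HTTP and/or raw IP destination")

    return score, reasons


def alerts(records):
    """Return the records that cross ALERT_THRESHOLD, with their score and reasons."""
    out = []
    for r in records:
        score, reasons = score_request(r)
        if score >= ALERT_THRESHOLD:
            out.append({"user": r["user"], "url": r["url"], "score": score, "reasons": reasons})
    return out


# Constructed sample records (not real logs): the exfiltration from the alert, then two benign posts.
SAMPLE_RECORDS = [
    {
        "user": "rpatel@company.com",
        "url": "http://185.143.221.89:8080/collect",
        "user_agent": "Mozilla/5.0 (compatible; CookieThief/1.0)",
        "body": "cookies=ASP.NET_SessionId%3Dabc123def456%3B+.AspNet.Cookies%3Dghi789jkl012"
                "%3B+JSESSIONID%3Dmnop345qrs678%3B+sessionid%3Dtuv901wxy234",
    },
    {   # keep-alive post to the company's own portal: one session token, sanctioned host
        "user": "rpatel@company.com",
        "url": "https://portal.company.com/session/refresh",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0",
        "body": "ASP.NET_SessionId=abc123def456&keepalive=1",
    },
    {   # ordinary forum post with no session material
        "user": "rpatel@company.com",
        "url": "https://forum.techhelp.com/post",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0",
        "body": "title=Build+failure&body=Any+ideas%3F",
    },
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_RECORDS):
        print(a)
```

Only the first record alerts: four session cookies to a raw IP over plaintext HTTP with a tooling User-Agent scores 100, while the single token posted to the sanctioned portal stays well under the threshold. Weight the destination check heavily; the User-Agent criterion is the weakest of the four, since real stealers copy the victim's browser string.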

SOC Investigation Process

Step 1 – Alert Validation
Action: Verify Zscaler alert
Tools Used: Zscaler Admin Console
Findings: Confirmed cookie exfiltration to malicious IP

Step 2 – Session Termination
Action: Force logout from all applications
Tools Used: Azure AD, Okta, application logs
Findings: All active sessions terminated

Step 3 – Cookie Invalidation
Action: Clear server-side sessions
Tools Used: IT Ops team
Findings: All sessions invalidated

Step 4 – User Notification
Action: Contact rpatel
Tools Used: Teams, phone
Findings: User logged out; password reset

Step 5 – Source Investigation
Action: Identify compromised site
Tools Used: Zscaler, web logs
Findings: User visited forum with malicious ad

Step 6 – IP Blocking
Action: Block destination IP
Tools Used: Zscaler, Palo Alto
Findings: IP 185.143.221[.]89 blocked

Jira Incident Report
Ticket: SOC-2024-110
Summary: T1539 – Web Session Cookies Exfiltrated via Malicious JavaScript
Status: RESOLVED
Resolution: MALICIOUS – Sessions Terminated
Priority: P2 – MEDIUM
Labels: T1539, session-cookie, cookie-theft, zscaler, session-hijacking
Components: Web-Security, Identity-Management

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Zscaler Internet Access (ZIA).
Alert: “Suspicious Outbound Traffic – Session Cookie Exfiltration”.
User: rpatel@company.com (Engineering Department).
Destination: 185.143.221[.]89:8080.
Time: 2024-02-21 10:30 EST.
Technique: MITRE ATT&CK T1539 – Steal Web Session Cookie.

2. Technical Analysis:

Attack Chain:

10:00 – User visits engineering forum (forum.techhelp.com)
10:01 – Forum page contains malicious ad (injected via compromised ad network)
10:01 – Ad loads JavaScript from evil-site.com/stealer.js
10:02 – JavaScript runs in the user’s browser
10:02 – Script reads the cookies exposed to it through document.cookie
10:03 – Script collects 13 session cookies
10:03 – Script POSTs the cookies to 185.143.221[.]89:8080/collect
10:03-10:30 – Attacker holds valid session cookies and replays them (see Attacker Activity)
10:30 – Zscaler detects and alerts

Cookies Exfiltrated:

Company portal (ASP.NET_SessionId) – valid 30 minutes
Office 365 (.AspNet.Cookies) – valid 60 minutes
Confluence (JSESSIONID) – valid 2 hours
Jira (sessionid) – valid 2 hours
Salesforce (sid) – valid 1 hour
8 additional application cookies

Attacker Activity (based on logs):

10:04 – Accessed company portal using stolen cookie
10:05 – Viewed 3 documents
10:06 – Accessed Jira, viewed 2 tickets
10:07-10:30 – No further activity (possibly staging further access)
No data downloaded

Malicious JavaScript:

URL: hxxp://evil-site.com/stealer.js
Function: reads document.cookie and POSTs the result (AJAX) to 185.143.221[.]89:8080/collect
Obfuscated to evade detection
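A caveat a practitioner will want here: document.cookie only returns cookies that are in scope for the page's origin and that are not flagged HttpOnly, so the theft described above depends on the affected applications issuing script-readable session cookies. The audit below, an added example rather than anything the incident team ran, parses Set-Cookie headers, reports which cookies document.cookie would expose and which travel over plaintext or on cross-site requests, and rewrites each header with the missing attributes. The four sample headers are constructed for the applications named in the report, not captured from them.

```python
# Constructed Set-Cookie headers for the applications named in the report (assumption: not captured values).
SAMPLE_SET_COOKIE = [
    "ASP.NET_SessionId=abc123def456; Path=/",
    ".AspNet.Cookies=ghi789jkl012; Path=/; Secure",
    "JSESSIONID=mnop345qrs678; Path=/; Secure; HttpOnly",
    "sessionid=tuv901wxy234; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# Canonical spelling for attributes when the header is re-emitted.
CANONICAL = {"httponly": "HttpOnly", "secure": "Secure", "samesite": "SameSite", "path": "Path",
             "domain": "Domain", "max-age": "Max-Age", "expires": "Expires"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value or True}); attribute names are case-insensitive."""
    first, *rest = (p.strip() for p in header.split(";"))
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value, attrs


def script_readable(header):
    """True when document.cookie on the issuing origin would return this cookie (no HttpOnly flag)."""
    return "httponly" not in parse_set_cookie(header)[2]


def audit_cookie(header):
    """Return (name, [weaknesses]) describing how the cookie could be stolen or replayed."""
    name, _, attrs = parse_set_cookie(header)
    issues = []
    if "httponly" not in attrs:
        issues.append("no HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        issues.append("no Secure: sent over plaintext HTTP")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        issues.append("no SameSite=Lax/Strict: attached to cross-site requests")
    return name, issues


def harden(header):
    """Re-emit the header with HttpOnly, Secure and SameSite=Lax present; existing attributes are kept."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("httponly", True)
    attrs.setdefault("secure", True)
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        attrs["samesite"] = "Lax"
    parts = [f"{name}={value}"]
    for k, v in attrs.items():
        label = CANONICAL.get(k, k)
        parts.append(label if v is True else f"{label}={v}")
    return "; ".join(parts)


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE:
        name, issues = audit_cookie(h)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
        print(f"  hardened: {harden(h)}")
```

Run against the samples, only the Jira-style header passes; the portal cookie fails all three checks and is the one a page script could have read. Adding HttpOnly does not stop an attacker who already controls the page from issuing requests with the cookie, but it does stop the wholesale copy-and-exfiltrate pattern seen in this incident.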

3. Investigation Findings:

Timeline:

10:00 – User visits forum
10:02 – Cookies stolen
10:03 – Exfiltration
10:04-10:07 – Attacker accesses applications
10:30 – Zscaler alert
10:32 – SOC investigates
10:35 – All sessions terminated
10:36 – User logged out

Indicators of Compromise (IoCs):

Network:

– Exfiltration IP: 185.143.221[.]89:8080

– Malicious Script: hxxp://evil-site.com/stealer.js

– Compromised Site: forum.techhelp.com

Cookies:

– Multiple session cookies (all invalidated)

4. Containment Actions:

Immediate Actions:

Terminated all active sessions for user rpatel.
Invalidated all server-side sessions for affected applications.
Forced user logout from all applications.
Blocked exfiltration IP at firewall and Zscaler.

User Remediation:

Reset user password.
Cleared browser cache and cookies.
User educated on malicious ads.

Application Review:

Checked application logs for unauthorized access.
No data exfiltration confirmed.
No privilege escalation observed.

5. Root Cause Analysis:

Primary Cause: User visited a compromised forum whose ad slot served malicious JavaScript.
Contributing Factors:
Ad network security weak (allowed the malicious script to be served).
Application session cookies were readable from page script via document.cookie (not marked HttpOnly).
Session cookies not bound to client IP or browser fingerprint.
No additional verification before a presented session cookie was honoured.

6. Business Impact:

Operational Impact: Engineering user offline for 1 hour.
Data Exposure: 3 documents and 2 Jira tickets viewed; no exfiltration.
Reputational Impact: None.

7. Remediation & Prevention:

Completed Actions:

Sessions terminated.
User logged out.
IP blocked.
Cookies invalidated.

Technical Controls Enhanced:

Implemented IP binding for session cookies (where supported).
Enabled additional session verification (user agent, IP consistency).
Deployed script blocking (NoScript, uBlock Origin) via GPO.
Enhanced Zscaler policy to block known malicious ad domains.
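The session-binding controls listed above (IP consistency, User-Agent check, server-side lifetime) and the containment step of terminating every session a user holds, together in one added example. This is illustrative code written for this report, not the applications' own session handling: the in-memory SessionStore, the decision labels and the replayed timeline are assumptions, while the per-application lifetimes are taken from the "Cookies Exfiltrated" list.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Server-side session lifetimes in minutes, from the incident report's "Cookies Exfiltrated" list.
SESSION_TTL_MIN = {"portal": 30, "office365": 60, "confluence": 120, "jira": 120, "salesforce": 60}


def ua_fingerprint(user_agent):
    """Hash the User-Agent so the session store never holds the raw string."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


@dataclass
class Session:
    token: str
    app: str
    user: str
    issued_at: datetime
    client_ip: str
    ua_hash: str
    revoked: bool = False


class SessionStore:
    """In-memory stand-in for the applications' server-side session tables (assumption: illustrative only)."""

    def __init__(self):
        self._by_token = {}

    def issue(self, token, app, user, issued_at, client_ip, user_agent):
        s = Session(token, app, user, issued_at, client_ip, ua_fingerprint(user_agent))
        self._by_token[token] = s
        return s

    def revoke_user(self, user):
        """Containment (SOC steps 2 and 3): terminate every session the user holds, across all apps."""
        n = 0
        for s in self._by_token.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                n += 1
        return n

    def evaluate(self, token, now, client_ip, user_agent):
        """Decide whether a presented session cookie may be honoured. Returns (decision, reason)."""
        s = self._by_token.get(token)
        if s is None:
            return "deny", "unknown session"
        if s.revoked:
            return "deny", "session revoked"
        if now - s.issued_at > timedelta(minutes=SESSION_TTL_MIN[s.app]):
            return "deny", "session expired"
        if ua_fingerprint(user_agent) != s.ua_hash:
            # A cookie replayed from the attacker's own tooling arrives with a different User-Agent.
            return "deny", "user-agent mismatch"
        if client_ip != s.client_ip:
            # IP changes are routine for mobile and VPN users: step up (re-auth/MFA) rather than hard-deny.
            return "step_up", "client IP changed"
        return "allow", "ok"


def run_scenario():
    """Replay the incident timeline against the store (constructed data); returns {step: result}."""
    store = SessionStore()
    t0 = datetime(2024, 2, 21, 10, 0)  # user logs in at 10:00
    legit_ip, legit_ua = "192.168.78.45", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0"
    store.issue("abc123def456", "portal", "rpatel", t0, legit_ip, legit_ua)
    store.issue("mnop345qrs678", "confluence", "rpatel", t0, legit_ip, legit_ua)
    results = {}
    # 10:04: stolen portal cookie replayed from the attacker's infrastructure with its own client
    results["replay_other_ua"] = store.evaluate("abc123def456", t0 + timedelta(minutes=4),
                                                "185.143.221.89", "python-requests/2.31")
    # attacker copies the victim's User-Agent: IP still differs, so force re-authentication
    results["replay_same_ua"] = store.evaluate("abc123def456", t0 + timedelta(minutes=4),
                                               "185.143.221.89", legit_ua)
    results["legit_user"] = store.evaluate("abc123def456", t0 + timedelta(minutes=5), legit_ip, legit_ua)
    results["portal_after_ttl"] = store.evaluate("abc123def456", t0 + timedelta(minutes=31), legit_ip, legit_ua)
    results["revoked_count"] = store.revoke_user("rpatel")   # 10:35: SOC terminates all sessions
    results["after_revoke"] = store.evaluate("mnop345qrs678", t0 + timedelta(minutes=36), legit_ip, legit_ua)
    return results


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

The step-up branch is deliberate: hard-binding sessions to an IP breaks legitimate users behind carrier NAT or a roaming VPN, so an IP change should trigger re-authentication while a User-Agent change on a server-issued session is rare enough to deny outright. Revocation is keyed on the user, not the token, because the report shows 13 cookies across several applications leaving at once.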

8. Conclusion:

A user visited a compromised forum where a malicious ad stole session cookies and exfiltrated them. The attacker briefly accessed applications before detection. Zscaler detected the cookie exfiltration, enabling session termination within minutes. No data was exfiltrated.

Closure Rationale: Sessions terminated; user secured; cookie exfiltration blocked.

Analyst: [Walter White], SOC Analyst Date: 2024-02-21 11:30 EST
