MITRE ATT&CK® Analytic

AN0037: Analytic 0037

Access to browser artifact locations (e.g., Chrome, Edge, Firefox) by processes like PowerShell, cmd.exe, or unknown tools, followed by file reads, decoding, or export operations indicating enumeration of bookmarks, autofill, or history databases.

Enterprise | AN0037 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because browser artifacts can contain business-sensitive user activity data such as bookmarks, autofill-related records, and browsing history. On Windows endpoints, access to Chrome, Edge, or Firefox artifact locations by command shells, PowerShell, or unknown tools may indicate attempted collection or staging of browser data rather than normal browser use.

Executive priority

Prioritize this as an endpoint visibility and incident-readiness question: can the organization prove when non-browser processes access browser data stores, and can responders quickly determine whether the activity was administrative, user-driven, or suspicious? This is relevant to privacy, compliance evidence, identity-risk investigations, and SOC triage quality, especially where browser data may expose internal portals, user behavior, or sensitive workflow context.

Technical view

For SOC and detection teams, validate Windows telemetry that shows process identity, command context, file access, and read/export behavior against browser artifact paths for Chrome, Edge, and Firefox. The supplied analytic focuses on suspicious access patterns: PowerShell, cmd.exe, or unknown tools reading browser artifact locations, followed by decoding or export-like operations. Because no ATT&CK detection logic is provided, teams should develop and test local analytics around non-browser process access to browser databases and distinguish expected administrative, backup, forensic, or security tooling from unusual access.

Likely telemetry

  • Windows process creation telemetry, including parent-child process context
  • Command-line telemetry for PowerShell, cmd.exe, and unknown executables
  • File access or file read telemetry for Chrome, Edge, and Firefox artifact locations
  • Endpoint telemetry showing decoding, copying, exporting, or database read activity after browser artifact access
  • Asset and user context to determine whether the process, host, and account normally perform this activity

Detection direction

  • Baseline legitimate browser, backup, EDR, forensic, and administrative access to browser artifact paths before alerting broadly.
  • Alert or hunt for non-browser processes, especially PowerShell, cmd.exe, or unknown tools, reading browser artifact locations and then performing export, decode, or enumeration-like actions.
  • Correlate file reads with process lineage, command arguments, user account, host role, and timing to reduce false positives.
  • Treat a suspicious process name on its own as insufficient; the stronger signal is non-browser access to browser artifacts combined with follow-on read, decode, or export behavior.
  • Validate coverage specifically on Windows endpoints, since Windows is the only platform supplied for this analytic.
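As an added illustration of the detection direction above (this is not part of the analytic object or Glexia's analysis), the following Python script runs that logic over constructed endpoint events: it flags a non-browser, non-allowlisted process that reads a Chrome, Edge or Firefox artifact file and then, within a correlation window, writes a file elsewhere on the same host. The artifact path patterns are the well-known Windows locations for history, bookmarks and autofill stores; the allowlist, the five-minute window and the event schema are assumptions to be tuned locally.

```python
import re
from datetime import datetime, timedelta

# Well-known Windows browser artifact files for history, bookmarks and autofill.
BROWSER_ARTIFACTS = re.compile(
    r"(google\\chrome|microsoft\\edge)\\user data\\.*\\(history|bookmarks|web data)$"
    r"|mozilla\\firefox\\profiles\\.*\\(places|formhistory)\.sqlite$",
    re.IGNORECASE,
)
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed local baseline: tools that legitimately touch these paths (backup, EDR, forensics).
APPROVED_TOOLS = {"backupagent.exe"}
WINDOW = timedelta(minutes=5)  # assumed follow-on correlation window

def detect_browser_artifact_access(events):
    """Return one alert per browser-artifact read by a non-browser, non-approved
    process that is followed, within WINDOW, by a file write from the same host/pid."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "file_read" or not BROWSER_ARTIFACTS.search(e["path"]):
            continue
        proc = e["image"].rsplit("\\", 1)[-1].lower()
        if proc in BROWSER_PROCESSES or proc in APPROVED_TOOLS:
            continue  # baselined access: the browser itself or an approved tool
        for f in events[i + 1:]:
            if f["ts"] - e["ts"] > WINDOW:
                break
            if (f["host"], f["pid"]) == (e["host"], e["pid"]) and f["event"] == "file_write":
                alerts.append({"host": e["host"], "image": proc,
                               "artifact": e["path"], "export": f["path"]})
                break
    return alerts

# Constructed sample telemetry (not real logs). Cases: browser reading its own store,
# allowlisted backup agent, cmd.exe read with no follow-on, PowerShell read then export.
T = datetime(2024, 1, 1, 10, 0, 0)
def _ev(sec, pid, image, event, path):
    return {"ts": T + timedelta(seconds=sec), "host": "WS01", "pid": pid,
            "image": image, "event": event, "path": path}
SAMPLE_EVENTS = [
    _ev(0, 100, "chrome.exe", "file_read", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"),
    _ev(5, 200, "backupagent.exe", "file_read", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"),
    _ev(10, 300, "cmd.exe", "file_read", r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Web Data"),
    _ev(20, 400, "powershell.exe", "file_read", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\places.sqlite"),
    _ev(45, 400, "powershell.exe", "file_write", r"C:\Users\Public\places_export.csv"),
]

if __name__ == "__main__":
    for alert in detect_browser_artifact_access(SAMPLE_EVENTS):
        print(alert)
```

Only the PowerShell sequence alerts: the cmd.exe read alone is suppressed, matching the guidance that a process name without follow-on behavior is a weak signal.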

Mitigation priorities

  • Restrict unnecessary interactive shell and scripting use where business operations allow.
  • Harden endpoint monitoring for browser artifact directories and ensure process and file access telemetry is retained for investigations.
  • Review least-privilege and administrative tool usage so routine support activity does not require broad access to user browser data.
  • Define response playbooks for suspected browser artifact collection, including user, host, and privacy review steps.
  • Use findings from validation to improve SOC tuning and compliance evidence around sensitive local user data access.

Analyst notes and limits

This is a detection analytic object, not a full ATT&CK technique entry. The official description provides behavior to monitor but no formal detection logic, tactics, relationships, or mitigations. The strongest defensive value is using it as a validation prompt for endpoint telemetry and SOC triage around browser artifact access by non-browser processes.

No official detection text, tactic mapping, relationships, aliases, labels, or related techniques were supplied. The assessment is limited to the provided Windows platform and the described access to Chrome, Edge, and Firefox artifact locations. Local path conventions, approved tools, logging configuration, and business processes are required to determine severity and tune detections.

Official MITRE ATT&CK definition

Analytic 0037

Access to browser artifact locations (e.g., Chrome, Edge, Firefox) by processes like PowerShell, cmd.exe, or unknown tools, followed by file reads, decoding, or export operations indicating enumeration of bookmarks, autofill, or history databases.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 93a5fe946360d93e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 93a5fe946360…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0037

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.