AN0038: Analytic 0038
Unauthorized shell or script-based access to browser config or SQLite history files, typically in ~/.config/google-chrome/, ~/.mozilla/, or ~/.var/app folders, indicating enumeration of bookmarks or saved credentials.
Analyst context for executives and security teams
This analytic covers unauthorized shell or script access to Linux browser configuration and SQLite history locations, such as Chrome, Firefox, or Flatpak application folders. For leaders, the practical issue is not the browser files themselves; it is that browser profile data holds user activity, bookmarks, and saved credential material, so access to it can change the scope of an account compromise investigation and create privacy and compliance exposure.
Executive priority
Prioritize this as a validation item for Linux endpoint visibility and incident response readiness. Security leaders should ask whether SOC teams can see script or shell-driven access to user browser data, whether investigations can distinguish legitimate user or admin activity from suspicious enumeration, and whether controls around saved browser credentials align with identity and compliance expectations.
Technical view
For Linux endpoints, validate whether monitoring can identify shell or script processes accessing browser configuration and SQLite history files under user profile paths such as ~/.config/google-chrome/, ~/.mozilla/, and ~/.var/app. Because ATT&CK provides no official detection logic and no tactic mapping for this analytic, teams should treat it as a detection-engineering requirement: confirm file-access telemetry, process ancestry, command context where available, user context, and path normalization across home directories and Flatpak-style locations.
Likely telemetry
- Linux endpoint process execution telemetry for shells and scripting runtimes
- File access or file open events for browser configuration and SQLite history paths
- Process ancestry and user/session context for activity touching browser profile directories
- Command-line or script invocation metadata where collected
- Endpoint file path telemetry that preserves user home directory and Flatpak application paths
Detection direction
- Validate monitoring specifically covers Linux browser profile paths named in the ATT&CK description, including Chrome, Mozilla/Firefox, and ~/.var/app locations.
- Tune for shell or script-based access rather than normal browser application reads to reduce false positives.
- Correlate file access with process ancestry, user identity, and whether the accessing process is an expected browser process, backup process, or administrative tool.
- Account for legitimate cases such as user-initiated browser activity, profile backup, migration, forensics, or system administration.
- Document blind spots where endpoint tooling does not collect file access events, command-line context, or per-user home directory activity.
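The technical view and the detection-direction list above describe the logic in prose; the following block is an added example (not code from the ATT&CK page or from Glexia) that runs that logic over constructed file-open events. The event schema, field names, the allowlists, and the interpreter list are assumptions to be replaced with whatever the local endpoint tool actually emits; the profile file names are well-known Chrome/Chromium and Firefox artefacts added from general knowledge, not listed on the ATT&CK page.

```python
"""Flag shell/script-driven reads of Linux browser profile files.

Added example with a constructed, simplified event shape (one record per
file open). Real auditd/EDR telemetry will need a mapping layer.
"""
import re
from dataclasses import dataclass


@dataclass
class FileOpenEvent:
    user: str         # account whose session opened the file
    exe: str          # basename of the opening executable
    parent_exe: str   # basename of the parent process (ancestry)
    path: str         # absolute path that was opened
    cmdline: str = "" # command line, when the sensor collects it


# Home-directory normalization: /home/<user>/... and /root/... become ~/...
# so one rule set covers every account on the host.
HOME_RE = re.compile(r"^(?:/home/[^/]+|/root)(?=/)")


def normalize_home(path: str) -> str:
    return HOME_RE.sub("~", path, count=1)


# Profile roots named in AN0038. The ~/.var/app/<app-id>/ branch covers the
# Flatpak sandbox layout (e.g. ~/.var/app/com.google.Chrome/config/...).
PROFILE_DIR_RE = re.compile(
    r"^~/(?:\.config/(?:google-chrome|chromium)|\.mozilla|\.var/app/[^/]+)/"
)

# Well-known profile artefacts (assumption: local list, extend as needed).
SENSITIVE_FILES = {
    "History", "Bookmarks", "Cookies", "Login Data", "Web Data",   # Chrome
    "places.sqlite", "cookies.sqlite", "formhistory.sqlite",       # Firefox
    "logins.json", "key4.db",
}

BROWSER_EXES = {"chrome", "google-chrome", "chromium", "firefox", "firefox-bin"}
SHELLS_AND_INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
APPROVED_TOOLS = {"rsync", "borg", "restic"}   # site-specific allowlist (assumption)


def classify(ev: FileOpenEvent):
    """Return a reason string when the event should be flagged, else None."""
    npath = normalize_home(ev.path)
    if not PROFILE_DIR_RE.match(npath):
        return None                      # not a browser profile path
    name = npath.rsplit("/", 1)[-1]
    if name not in SENSITIVE_FILES:
        return None                      # cache, extensions, etc.: ignore
    if ev.exe in BROWSER_EXES:
        return None                      # the browser reading its own profile
    if ev.exe in APPROVED_TOOLS:
        return None                      # backup/migration tooling, tuned locally
    if ev.exe in SHELLS_AND_INTERPRETERS:
        return f"interpreter {ev.exe} opened {name}"
    if ev.parent_exe in SHELLS_AND_INTERPRETERS:
        return f"{ev.exe} spawned by {ev.parent_exe} opened {name}"
    # Blind spot by design: a non-shell parent (e.g. a service) is not flagged
    # here; correlate with process ancestry further up if your sensor allows.
    return None


def find_suspicious(events):
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append({"user": ev.user, "exe": ev.exe, "cmdline": ev.cmdline,
                         "path": normalize_home(ev.path), "reason": reason})
    return hits


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    FileOpenEvent("alice", "firefox", "systemd",
                  "/home/alice/.mozilla/firefox/x1y2.default/places.sqlite"),
    FileOpenEvent("alice", "sqlite3", "bash",
                  "/home/alice/.config/google-chrome/Default/History",
                  "sqlite3 History 'select url from urls'"),
    FileOpenEvent("bob", "python3", "bash",
                  "/home/bob/.var/app/com.google.Chrome/config/google-chrome/Default/Login Data"),
    FileOpenEvent("alice", "rsync", "cron",
                  "/home/alice/.mozilla/firefox/x1y2.default/logins.json"),
    FileOpenEvent("alice", "cat", "bash", "/home/alice/.bashrc"),
    FileOpenEvent("root", "cp", "bash",
                  "/root/.config/google-chrome/Default/Bookmarks"),
    FileOpenEvent("alice", "chrome", "systemd",
                  "/home/alice/.config/google-chrome/Default/Bookmarks"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit['user']}: {hit['reason']} ({hit['path']})")
```

On the sample input only the sqlite3, python3 and cp events are flagged: the browser reading its own profile, the approved backup tool, and a shell reading a non-profile file all pass. The allowlists are where the false-positive tuning from the list above lives, and the root-home and Flatpak cases show why path normalization has to happen before the profile-path match rather than in the rule itself.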
Mitigation priorities
- Review whether saved browser credentials are allowed by policy and whether identity controls reduce reliance on browser-stored secrets.
- Harden Linux endpoint monitoring so SOC teams can observe process and file access activity in user profile directories.
- Limit unnecessary script or shell access to user browser data through least privilege and endpoint control policy where operationally feasible.
- Include browser-data access checks in incident response playbooks for suspected credential or user activity enumeration on Linux systems.
- Use the analytic as compliance evidence only after confirming local telemetry coverage and documented detection logic.
Analyst notes and limits
The ATT&CK object is a detection analytic, not a technique; no tactic mapping, relationships, or official detection logic were supplied with it. Its strongest use is as a coverage prompt for Linux endpoint telemetry around browser profile data access. Any production detection should be tested against local endpoint tools, user workflows, backup processes, and administrative practices.
This analysis does not establish attacker intent, active exploitation, attribution, business impact, or guaranteed detection coverage. Applicability is limited to the supplied Linux platform field.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8c9f1466d086… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0038 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.