MITRE ATT&CK® Analytic

AN0039: Analytic 0039

Scripting or CLI tool access to ~/Library/Application Support/Google/Chrome or ~/Library/Safari bookmarks, cookies, or history databases. Detection relies on unexpected processes accessing or reading from these locations.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN0039 is a macOS detection analytic focused on unexpected scripting or command-line tool access to local Chrome and Safari browser data locations, including bookmarks, cookies, and history databases. For leaders, the value is not the file paths themselves; it is whether the organization can see when non-browser processes touch sensitive browser artifacts that may matter during an incident, privacy review, or endpoint compromise investigation.

Executive priority

Prioritize this analytic where macOS endpoints are material to business operations, executive users, developers, or regulated workflows. It helps validate whether endpoint telemetry can support incident decisions involving browser data exposure, session-related artifacts, and user activity records. Because ATT&CK provides no detection logic or relationship context here, this should be treated as a coverage-validation item rather than proof of existing detection maturity.

Technical view

SOC and detection teams should validate monitoring for unexpected processes accessing or reading from ~/Library/Application Support/Google/Chrome and ~/Library/Safari browser databases on macOS. The key analytic question is whether access comes from normal browser components or from unusual scripting and CLI tools. Since no official detection logic is supplied, local baselining is required to define expected browser, backup, management, EDR, and user-support activity before alerting.

Likely telemetry

  • macOS endpoint file access telemetry for Chrome and Safari profile directories
  • Process execution telemetry showing scripting interpreters and command-line tools
  • Parent-child process relationships for processes reading browser data locations
  • User and device context for the macOS account involved
  • EDR or endpoint security events covering file reads against browser bookmark, cookie, and history databases

Detection direction

  • Baseline legitimate access to the specified Chrome and Safari paths before enabling high-severity alerting.
  • Tune for unexpected scripting or CLI processes reading browser databases rather than browser-native activity alone.
  • Account for administrative tools, backup agents, migration utilities, browser sync components, and endpoint management software as potential false positives.
  • Validate that telemetry captures file reads, not only process starts; process-only logging may miss the behavior.
  • Because no ATT&CK relationships or official detection query are supplied, map this analytic to local incident scenarios and control objectives before using it as a compliance or SOC coverage claim.
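The technical view and detection direction above describe a rule but no query. As an added example (not MITRE or Glexia code), the following Python classifies constructed macOS endpoint events against AN0039: only file-read events are scored, reads from the baselined browser and backup processes are marked expected, reads by scripting or CLI tools alert, and any other non-browser reader is set aside for baselining. The event shape, the allowlist and the `backupd` entry are assumptions; a real deployment would substitute its own telemetry schema and baseline.

```python
import fnmatch
import re

# Browser data locations named by AN0039, as absolute macOS path globs.
BROWSER_DATA_GLOBS = ("/Users/*/Library/Application Support/Google/Chrome/*",
                      "/Users/*/Library/Safari/*")
# Artifact files the analytic names: bookmarks, cookies and history databases.
ARTIFACT_NAME = re.compile(r"/(Bookmarks|Cookies|History)(\.db|\.plist)?$")
# Assumed local baseline of readers expected to touch these paths; each fleet
# must build its own (backup, MDM, EDR and support tooling).
EXPECTED_READERS = ("/Applications/Google Chrome.app/*", "/Applications/Safari.app/*",
                    "/System/Library/CoreServices/backupd")  # backupd: assumed example
# Interpreters and CLI tools whose reads the analytic targets.
SCRIPTING_TOOLS = {"python3", "perl", "osascript", "sqlite3", "bash", "zsh", "sh", "cp", "cat"}

def is_browser_artifact(path):
    in_location = any(fnmatch.fnmatch(path, g) for g in BROWSER_DATA_GLOBS)
    return in_location and ARTIFACT_NAME.search(path) is not None

def classify(action, process, path):
    """Verdict for one endpoint event: 'alert', 'expected', 'review' or 'ignore'."""
    # A process start alone never shows the read; only file-read events are scored.
    if action != "file_read" or not is_browser_artifact(path or ""):
        return "ignore"
    if any(fnmatch.fnmatch(process, g) for g in EXPECTED_READERS):
        return "expected"
    if process.rsplit("/", 1)[-1] in SCRIPTING_TOOLS:
        return "alert"
    return "review"  # unknown non-browser reader: baseline it before alerting

# Constructed sample events (action, process, file) in an assumed EDR-like shape.
HOME = "/Users/alice"
SAMPLE_EVENTS = [
    ("file_read", "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     HOME + "/Library/Application Support/Google/Chrome/Default/Cookies"),
    ("file_read", "/usr/bin/python3", HOME + "/Library/Application Support/Google/Chrome/Default/History"),
    ("process_start", "/usr/bin/sqlite3", None),  # start only: the read is not visible
    ("file_read", "/System/Library/CoreServices/backupd", HOME + "/Library/Safari/Bookmarks.plist"),
    ("file_read", "/usr/local/bin/fleet-agent", HOME + "/Library/Safari/History.db"),
    ("file_read", "/usr/bin/python3", HOME + "/Documents/todo.txt"),
]

def triage(events):
    """Group (process, file) pairs by verdict so each bucket can be reviewed."""
    out = {"alert": [], "expected": [], "review": [], "ignore": []}
    for action, process, path in events:
        out[classify(action, process, path)].append((process, path))
    return out
```

The `review` bucket is where local baselining happens: readers that land there repeatedly should be moved to `EXPECTED_READERS` with the justification recorded, so alerting stays limited to unexpected scripting and CLI access.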

Mitigation priorities

  • Ensure macOS endpoint logging or EDR policy can observe access to the specified browser data locations.
  • Restrict unnecessary scripting and command-line tool use on sensitive macOS endpoints where operationally feasible.
  • Review endpoint management, backup, and support tooling so legitimate access is documented and distinguishable from unexpected activity.
  • Use least-privilege and device hardening practices to reduce unnecessary local access to user browser data.
  • In incident response playbooks, include checks for unusual access to Chrome and Safari browser data when investigating suspicious macOS scripting or CLI activity.

Analyst notes and limits

This object is a detection analytic, not a full ATT&CK technique entry. It is platform-specific to macOS and limited to unexpected scripting or CLI access to Chrome and Safari browser data paths. The supplied object does not include tactics, relationships, adversary context, or a concrete detection query, so implementation depends heavily on local telemetry quality and baselining.

Official detection content is not provided, and no relationship context is supplied. This take does not infer active exploitation, attribution, impact, or guaranteed detection coverage. Organizations must validate actual endpoint telemetry, process visibility, and normal administrative activity in their own macOS fleet.

Official MITRE ATT&CK definition

Analytic 0039

Scripting or CLI tool access to ~/Library/Application Support/Google/Chrome or ~/Library/Safari bookmarks, cookies, or history databases. Detection relies on unexpected processes accessing or reading from these locations.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: af64031896634e56...

Imported snapshots across ATT&CK releases (1):
  Release 19.1; object version 1.0; status: Current bundle; raw hash af6403189663…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0039

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.