MITRE ATT&CK® Analytic

AN0105: Analytic 0105

Detects unauthorized access to web browser credential stores (e.g., Chrome Login Data, Edge Credential Locker) by processes other than the browser itself. Correlates file reads of credential databases with subsequent API calls to `CryptUnprotectData` or memory inspection attempts.

Enterprise | AN0105 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting non-browser processes trying to access saved web browser credentials on Windows. For leaders, the value is identity risk reduction: browser-stored passwords can become a shortcut to account takeover if endpoint telemetry cannot show which process read credential stores and then attempted decryption or memory inspection.

Executive priority

Prioritize this as an identity and endpoint resilience control validation. Ask whether the organization can produce audit-ready evidence that Windows endpoints monitor suspicious access to browser credential stores, especially the Chrome and Edge stores MITRE names as examples. This supports incident response decisions around credential exposure, password reset scope, and whether endpoint logging is sufficient for managed detection or SOC triage.

Technical view

Validate visibility into Windows file reads against browser credential databases and correlate those reads with calls to CryptUnprotectData or memory inspection attempts by processes other than the browser itself. Because no ATT&CK tactic or separate detection logic is supplied, teams should treat this object as a detection analytic description rather than a complete rule. Baseline legitimate browser and security-tool behavior before alerting broadly.

Likely telemetry

  • Windows endpoint process execution metadata
  • File access or file read events for browser credential stores such as Chrome Login Data and Edge Credential Locker
  • API call or EDR telemetry showing CryptUnprotectData usage
  • Memory inspection or process access telemetry
  • Process identity, parent process, user context, executable path, and code-signing metadata

Detection direction

  • Confirm that endpoint telemetry can distinguish browser processes from non-browser processes accessing browser credential stores.
  • Correlate credential-store file reads with subsequent CryptUnprotectData activity or memory inspection attempts, as described by the analytic.
  • Tune for expected software behavior, including browsers, endpoint security tools, backup tools, and approved administrative utilities that may touch credential-related files.
  • Prioritize alerts where an unusual process, unusual parent process, or unexpected user context accesses browser credential data.
  • Document blind spots where file access auditing, API telemetry, or memory access visibility is unavailable on Windows endpoints.
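The correlation the bullets above describe, written out as an added example that is not part of the analytic or of Glexia's tooling: it walks a small set of constructed endpoint events (field names, the 5-minute window, the path marker list and the allowlist are all assumptions) and flags non-browser processes that read a credential store and then called CryptUnprotectData or opened a browser process.

```python
from datetime import datetime, timedelta

BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}   # store owners named by the analytic
STORE_MARKERS = ("\\login data",)               # constructed marker list; extend locally
WINDOW = timedelta(minutes=5)                    # assumed correlation window

# Constructed sample telemetry; the schema is an assumption, not a vendor format.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "pid": 4100, "image": "chrome.exe", "type": "file_read",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-01-01T10:00:01", "pid": 4100, "image": "chrome.exe", "type": "api_call",
     "api": "CryptUnprotectData"},
    {"ts": "2024-01-01T10:05:00", "pid": 7788, "image": "update_helper.exe", "type": "file_read",
     "path": r"C:\Users\a\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"ts": "2024-01-01T10:05:04", "pid": 7788, "image": "update_helper.exe", "type": "api_call",
     "api": "CryptUnprotectData"},
    {"ts": "2024-01-01T10:06:00", "pid": 9020, "image": "backup.exe", "type": "file_read",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-01-01T10:07:00", "pid": 9031, "image": "dumper.exe", "type": "file_read",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-01-01T10:07:02", "pid": 9031, "image": "dumper.exe", "type": "process_access",
     "target_pid": 4100},
]


def correlate(events, allowlist=frozenset()):
    """One alert per non-browser, non-allowlisted process that read a credential store.
    Severity is 'high' when the same pid then called CryptUnprotectData or opened a
    browser process inside WINDOW, otherwise 'low' (a lone read, kept for baselining)."""
    events = sorted(events, key=lambda e: e["ts"])
    browser_pids = {e["pid"] for e in events if e["image"] in BROWSER_IMAGES}
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "file_read" or not ev["path"].lower().endswith(STORE_MARKERS):
            continue
        if ev["image"] in BROWSER_IMAGES or ev["image"] in allowlist:
            continue                                  # the browser itself, or a tuned exception
        t0, follow = datetime.fromisoformat(ev["ts"]), []
        for later in events[i + 1:]:
            if later["pid"] != ev["pid"]:
                continue
            if datetime.fromisoformat(later["ts"]) - t0 > WINDOW:
                break
            if later["type"] == "api_call" and later.get("api") == "CryptUnprotectData":
                follow.append("CryptUnprotectData")
            elif later["type"] == "process_access" and later.get("target_pid") in browser_pids:
                follow.append(f"process_access->{later['target_pid']}")
        alerts.append({"pid": ev["pid"], "image": ev["image"],
                       "severity": "high" if follow else "low", "evidence": follow})
    return alerts
```

Passing `allowlist={"backup.exe"}` shows the tuning step from the bullets: the backup tool's lone read is suppressed while the two processes that went on to decrypt or touch the browser still alert.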

Mitigation priorities

  • Reduce reliance on saved browser passwords where business risk warrants stronger credential management controls.
  • Harden endpoint monitoring coverage for Windows systems that handle privileged or sensitive user sessions.
  • Use least privilege and application control concepts to reduce unauthorized processes that can access user credential material.
  • Ensure incident response playbooks define when browser credential exposure triggers password resets, session revocation, or broader identity investigation.
  • Maintain compliance evidence showing what endpoint telemetry is collected and how credential-access detections are reviewed.

Analyst notes and limits

This Glexia take is based only on ATT&CK analytic AN0105. The object provides a Windows platform and a description of the analytic, but no official detection text, tactics, relationships, procedure examples, or mitigations. The most useful defensive work is therefore validation of local telemetry and correlation capability rather than assuming a ready-made detection exists.

No relationship context, tactic mapping, official detection implementation, data source list, or external source beyond the MITRE reference was supplied. Local endpoint tooling determines whether CryptUnprotectData calls, credential-store file reads, and memory inspection attempts are observable with enough fidelity.

Official MITRE ATT&CK definition

Analytic 0105

Detects unauthorized access to web browser credential stores (e.g., Chrome Login Data, Edge Credential Locker) by processes other than the browser itself. Correlates file reads of credential databases with subsequent API calls to `CryptUnprotectData` or memory inspection attempts.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9ab39820df0dd56a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 9ab39820df0d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0105

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.