MITRE ATT&CK® Analytic

AN0106: Analytic 0106

Detects attempts to access browser credential stores (e.g., Firefox `logins.json`, Chrome SQLite DB) or processes (e.g., gnome-keyring-daemon). Observes unauthorized file reads and memory inspection of browser processes using ptrace or gdb.

Enterprise · AN0106 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because browser-stored credentials on Linux workstations can become a shortcut to account takeover if an attacker or unauthorized process can read browser credential files or inspect browser/keyring process memory. For leaders, the key decision is whether endpoint monitoring can show when sensitive local credential stores are accessed outside normal browser behavior, especially on Linux systems used by administrators, developers, or other privileged staff.

Executive priority

Prioritize this as an identity and endpoint visibility validation item for Linux fleets. It supports incident decision-making by helping determine whether browser credentials may have been exposed during a host investigation. It also has compliance and audit value where the organization must demonstrate monitoring around credential access and protection of stored secrets. Because ATT&CK provides no relationship context or detection implementation details here, leadership should treat this as a coverage question rather than proof that existing tools detect the behavior.

Technical view

For SOC, detection engineering, and IR teams, validate whether Linux endpoint telemetry can identify unauthorized reads of browser credential stores such as Firefox logins.json and Chrome SQLite databases, and memory inspection of browser-related processes such as gnome-keyring-daemon using mechanisms such as ptrace or gdb. Baseline legitimate browser, backup, endpoint management, and user-support activity before alerting broadly. During IR, use this analytic as a prompt to assess possible credential exposure when suspicious file access or process memory inspection is observed on Linux endpoints.

Likely telemetry

  • Linux file access events for browser profile and credential database paths
  • Process execution telemetry for tools capable of memory inspection, including gdb where collected
  • System call or audit telemetry related to ptrace or process memory access
  • Process-to-file and process-to-process access relationships from endpoint detection tooling
  • User, host, and process context for distinguishing normal browser activity from unusual access

Detection direction

  • Confirm that Linux telemetry includes file read visibility for browser credential store locations, not only process start events.
  • Tune for non-browser or unexpected processes reading browser credential files, with exceptions for known administrative, backup, or security tools after validation.
  • Look for process memory inspection involving browser or keyring processes, especially when associated with ptrace, gdb, or similar debugging behavior.
  • Correlate suspicious credential-store access with user context, parent process, host role, and recent interactive activity to reduce false positives.
  • Account for blind spots where endpoint agents do not collect file-read events, ptrace activity, or detailed process access telemetry on Linux.
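The technical view and the detection direction above describe the checks in words. The following is an added example, not part of the MITRE analytic or the Glexia page, of how those two checks look as detection logic run over auditd-style records. It assumes auditd collection with a file watch keyed `browser-cred` on the browser profile directories and a syscall rule keyed `ptrace` (both example rules shown in the comment), a constructed set of sample audit records, and a constructed pid-to-process snapshot used to resolve the ptrace target; the `backup-agent` allowlist entry is a hypothetical validated exception of the kind the tuning bullet describes.

```python
"""Added example: flag (1) reads of browser credential stores by processes that
are not the browser and (2) ptrace calls aimed at browser or keyring processes,
using auditd-style records. All sample data below is constructed."""
import re
from collections import defaultdict

# Assumed collection config (example auditd rules, not from the page). The
# detection keys on the two rule keys; in practice scope the file watch to the
# browser profile directories rather than all of /home.
#   -w /home/ -p r -k browser-cred
#   -a always,exit -F arch=b64 -S ptrace -k ptrace

CRED_STORE_PATTERNS = [
    re.compile(r"/\.mozilla/firefox/[^/]+/(logins\.json|key4\.db)$"),
    re.compile(r"/\.config/(google-chrome|chromium)/[^/]+/Login Data$"),
]
BROWSER_PROCS = {"firefox", "firefox-bin", "chrome", "google-chrome", "chromium"}
SENSITIVE_TARGETS = BROWSER_PROCS | {"gnome-keyring-daemon"}
ALLOWED_READERS = {"backup-agent"}   # hypothetical exception, added after validation
PTRACE_X86_64 = "101"                # syscall number; `ausearch -i` renders it as "ptrace"

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_audit_line(line):
    """Turn one raw audit record into a dict; returns None for non-audit lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["_event"] = m.group(2)      # serial shared by the SYSCALL and PATH records of one event
    return rec


def group_events(lines):
    """Group the SYSCALL/PATH records that belong to the same audit event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_audit_line(line)
        if rec:
            events[rec["_event"]].append(rec)
    return events


def detect(lines, process_table):
    """Return (rule, event_id, actor_comm, detail) tuples for suspicious events.

    process_table maps pid -> comm from a process snapshot taken alongside the
    log (constructed here); audit records ptrace's pid argument in a1 as hex."""
    alerts = []
    for eid, recs in group_events(lines).items():
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r]
        for sc in (r for r in recs if r.get("type") == "SYSCALL"):
            comm = sc.get("comm", "")
            # Rule 1: credential-store path opened by a non-browser, non-allowlisted process
            for p in paths:
                if any(pat.search(p) for pat in CRED_STORE_PATTERNS) \
                        and comm not in BROWSER_PROCS and comm not in ALLOWED_READERS:
                    alerts.append(("cred-store-read", eid, comm, p))
            # Rule 2: ptrace (any request, successful or not) against a sensitive process
            if sc.get("syscall") in (PTRACE_X86_64, "ptrace"):
                pid = int(sc.get("a1", "0"), 16)
                target = process_table.get(pid, "unknown")
                if target in SENSITIVE_TARGETS:
                    alerts.append(("ptrace-sensitive", eid, comm, f"pid {pid} ({target})"))
    return alerts


# Constructed sample: five audit events from one workstation (user alice, uid 1000).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=27 a0=ffffff9c a1=7f3c2a1b4c20 a2=80000 a3=0 uid=1000 comm="firefox" exe="/usr/lib/firefox/firefox" key="browser-cred"
type=PATH msg=audit(1700000000.101:201): item=0 name="/home/alice/.mozilla/firefox/abc.default/logins.json" mode=0100600
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1e0a3b2c0 a2=80000 a3=0 uid=1000 comm="python3" exe="/usr/bin/python3.11" key="browser-cred"
type=PATH msg=audit(1700000000.250:202): item=0 name="/home/alice/.config/google-chrome/Default/Login Data" mode=0100600
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=908 a2=0 a3=0 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"
type=SYSCALL msg=audit(1700000000.400:204): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1fe a2=0 a3=0 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"
type=SYSCALL msg=audit(1700000000.500:205): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55d1e0a3c3d0 a2=80000 a3=0 uid=0 comm="backup-agent" exe="/opt/backup/agent" key="browser-cred"
type=PATH msg=audit(1700000000.500:205): item=0 name="/home/alice/.mozilla/firefox/abc.default/logins.json" mode=0100600
"""
# Constructed pid -> comm snapshot (a1=908 hex is pid 2312; a1=1fe is pid 510).
SAMPLE_PROCESS_TABLE = {1200: "firefox", 2312: "gnome-keyring-daemon", 510: "bash"}

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG.splitlines(), SAMPLE_PROCESS_TABLE):
        print(alert)
```

On the sample, the browser's own read of `logins.json` (event 201) and the allowlisted backup agent (205) stay quiet, `gdb` attaching to the user's shell (204) is ignored, and two alerts remain: `python3` opening Chrome's `Login Data` and `gdb` attaching to `gnome-keyring-daemon`. The pid snapshot is the weak point of rule 2 in real deployments: if the agent does not record the target process name alongside the ptrace event, the correlation has to be done from a process-tree source collected at the same time, which is exactly the blind spot the last bullet above warns about.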

Mitigation priorities

  • Limit storage and reuse of sensitive credentials in browsers where policy and user workflows allow.
  • Harden Linux endpoint permissions and administrative access so untrusted users and processes cannot freely inspect other users' browser data or process memory.
  • Review controls around debugging and process inspection tools on sensitive workstations and servers.
  • Ensure endpoint monitoring is deployed and configured for Linux systems that handle privileged or business-critical access.
  • Use incident response playbooks to require credential exposure assessment and password/session remediation when browser credential-store access is confirmed.

Analyst notes and limits

This object is a detection analytic for Linux focused on access to browser credential stores and browser/keyring process memory. No ATT&CK tactics, relationships, aliases, or official detection logic were supplied, so the take is centered on defensive validation rather than a specific adversary pattern. The highest-value use is to test whether the organization can observe and investigate local credential exposure on Linux endpoints.

The supplied ATT&CK fields do not specify tactics, related techniques, threat groups, procedures, data sources, or a concrete detection query. Local browser paths, endpoint tooling, audit configuration, and approved administrative workflows are required to determine practical coverage and false-positive handling.

Official MITRE ATT&CK definition

Analytic 0106

Detects attempts to access browser credential stores (e.g., Firefox `logins.json`, Chrome SQLite DB) or processes (e.g., gnome-keyring-daemon). Observes unauthorized file reads and memory inspection of browser processes using ptrace or gdb.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ff7163cbb4e3a3a5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | ff7163cbb4e3…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0106 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.