MITRE ATT&CK® Analytic

AN0484: Analytic 0484

Forged web cookies on Windows endpoints can be detected by monitoring unusual modifications of browser cookie stores (e.g., Chrome SQLite DB, Edge cache) by processes outside of browsers, followed by authentication events to SaaS or IaaS services. Defenders may observe processes writing directly to cookie storage paths or injecting tokens into browser sessions.

Domain: Enterprise. Object: AN0484 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because forged or manipulated browser cookies can let an attacker reuse web sessions without needing a password prompt. For a business leader, the key issue is whether Windows endpoint monitoring and cloud/SaaS authentication logs can be connected well enough to spot suspicious cookie-store changes before they become an identity incident.

Executive priority

Prioritize this as an identity and cloud access assurance question: can the organization prove that unusual browser cookie-store modification on Windows endpoints is visible, investigated, and correlated with SaaS or IaaS sign-ins? This supports incident response readiness, audit evidence for access monitoring, and control decisions around endpoint telemetry, browser hardening, and cloud authentication logging.

Technical view

For SOC and detection engineering teams, validate monitoring for non-browser processes modifying browser cookie storage locations, then correlate those events with subsequent authentication activity to SaaS or IaaS services. Two practical points: Edge is Chromium-based and keeps its cookies in the same SQLite "Cookies" database layout as Chrome (the official text's "Edge cache" should be read as the Edge profile's cookie store), and cookie values in that database are encrypted at rest, so the useful signal is which process wrote the file and when, not the file's contents. Because no ATT&CK tactic or formal detection logic is supplied, treat this as a detection strategy seed rather than a complete analytic. Tuning should distinguish legitimate browser, update, backup, security, or profile-management activity from unusual direct writes or token injection indicators.

Likely telemetry

  • Windows endpoint file modification events for browser cookie stores and cache paths
  • Process creation and process identity for programs writing to browser storage locations
  • Browser process activity and parent/child process context
  • Endpoint detection telemetry showing direct writes to cookie databases or browser session data
  • SaaS and IaaS authentication logs occurring after suspicious endpoint activity

Detection direction

  • Inventory Windows browsers in scope and confirm where cookie stores are located for Chrome and Edge in the local environment. By default both keep a SQLite file named Cookies under the profile directory (User Data\<profile>\Network\ on current builds, directly under the profile on older ones), along with SQLite side files such as Cookies-journal; include those in the watched set.
  • Alert or hunt for processes outside expected browser-related processes writing directly to browser cookie storage paths.
  • Correlate suspicious cookie-store modification with later SaaS or IaaS authentication events for the same user or device within a short window. This requires a reliable join between the endpoint account (domain\user) and the cloud identity (UPN); confirm that mapping exists before relying on the correlation.
  • Tune out known legitimate software that touches browser profile data, such as browser updaters, endpoint tools, backup agents, or enterprise profile-management utilities.
  • Review blind spots where endpoint file telemetry is not collected, browser profile paths are excluded, or cloud authentication logs are not integrated with SOC workflows.
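The correlation described in the technical view and in the steps above, as an added example that is not MITRE's analytic logic or Glexia's code. It filters file-write events on Chrome/Edge cookie stores down to writers outside an allowlist, then joins each hit to successful SaaS/IaaS sign-ins by the same principal within a time window. The default profile paths, the process allowlist, the 30-minute window and the naive domain\user-to-UPN mapping are assumptions about a typical estate, and every event in it is constructed.

```python
"""Correlate non-browser writes to Chromium cookie stores with later cloud sign-ins.

Added example for this page; it is not MITRE's or Glexia's detection logic.
Default Chrome/Edge profile paths and the process allowlist are assumptions
about a typical Windows estate, and all events below are constructed.
"""
from datetime import datetime, timedelta
import re

# Chromium-based browsers (Chrome, Edge) keep cookies in a SQLite file named
# "Cookies" under <User Data>\<profile>\Network\ (older builds: directly under
# the profile). SQLite side files (-journal/-wal) are included so a write that
# goes through the journal is not missed. Assumed default install layout.
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies(-journal|-wal)?$", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Network\\)?Cookies(-journal|-wal)?$", re.I),
]

# Processes expected to write to browser profile data. Tune per environment:
# add backup agents, profile-management tools, EDR, etc. as you observe them.
EXPECTED_WRITERS = {
    "chrome.exe", "msedge.exe", "msedgewebview2.exe",
    "googleupdate.exe", "microsoftedgeupdate.exe",
}

CORRELATION_WINDOW = timedelta(minutes=30)


def is_cookie_store(path: str) -> bool:
    """True if the target path is a Chrome/Edge cookie database or its SQLite side file."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def image_name(image: str) -> str:
    """Executable file name, lower-cased, from a full image path."""
    return image.rsplit("\\", 1)[-1].lower()


def principal(user: str) -> str:
    """Reduce 'CORP\\alice' or 'alice@corp.example' to 'alice' for join purposes.

    Assumption: endpoint account name equals the cloud UPN prefix. Real estates
    need an identity mapping table; a naive join like this is where such
    correlations usually break.
    """
    u = user.lower()
    if "\\" in u:
        u = u.rsplit("\\", 1)[-1]
    return u.split("@", 1)[0]


def suspicious_writes(file_events):
    """File-write events on a cookie store by a process outside the allowlist."""
    return [
        e for e in file_events
        if is_cookie_store(e["target"]) and image_name(e["image"]) not in EXPECTED_WRITERS
    ]


def correlate(file_events, auth_events, window=CORRELATION_WINDOW):
    """Pair each suspicious write with successful sign-ins by the same principal
    within `window` after the write. One alert per suspicious write; alerts
    with a matching sign-in are raised to 'high', the rest stay 'medium'."""
    alerts = []
    for w in suspicious_writes(file_events):
        logins = [
            a for a in auth_events
            if principal(a["user"]) == principal(w["user"])
            and a["result"] == "success"
            and w["ts"] <= a["ts"] <= w["ts"] + window
        ]
        alerts.append({"write": w, "logins": logins, "severity": "high" if logins else "medium"})
    return alerts


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry, shaped like Sysmon FileCreate / EDR file-write
# records and SaaS sign-in log entries. None of these are real events.
FILE_EVENTS = [
    {"ts": ts("2024-05-01T09:00:00"), "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": ts("2024-05-01T09:05:00"), "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\stager.exe",  # hypothetical dropper name
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"ts": ts("2024-05-01T10:00:00"), "host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Profile 1\Network\Cookies-journal"},
    {"ts": ts("2024-05-01T10:01:00"), "host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\bob\Documents\notes.txt"},  # not a cookie store, ignored
]

AUTH_EVENTS = [
    {"ts": ts("2024-05-01T09:12:00"), "user": "alice@corp.example", "service": "m365", "result": "success"},
    {"ts": ts("2024-05-01T09:13:00"), "user": "alice@corp.example", "service": "aws", "result": "failure"},
    {"ts": ts("2024-05-01T11:00:00"), "user": "bob@corp.example", "service": "m365", "result": "success"},
]

if __name__ == "__main__":
    for alert in correlate(FILE_EVENTS, AUTH_EVENTS):
        w = alert["write"]
        print(f"[{alert['severity']}] {w['host']} {w['user']} {image_name(w['image'])} -> {w['target']}")
        for a in alert["logins"]:
            print(f"    followed by {a['service']} sign-in as {a['user']} at {a['ts']:%H:%M}")
```

Run as a script it prints two alerts: the Temp-directory executable writing Edge's cookie store followed by an M365 sign-in as the same user (high), and notepad touching a Chrome journal file with no sign-in inside the window (medium). The allowlist is deliberately short; in production it grows from observed benign writers rather than from a vendor list, and the principal() join is the part to replace first with a real identity mapping.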

Mitigation priorities

  • Ensure Windows endpoint telemetry includes process and file activity for browser profile and cookie storage paths.
  • Centralize SaaS and IaaS authentication logs and retain enough context to correlate sign-ins with endpoint activity.
  • Apply least-privilege and endpoint hardening practices to reduce unauthorized process access to browser session data.
  • Review browser and identity controls that reduce risk from session reuse, such as managed browser configuration and conditional access where applicable.
  • Create incident response procedures for suspected session cookie manipulation, including session revocation and affected account review.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows endpoints focused on forged web cookies. Its practical value is in cross-domain correlation: endpoint evidence of unusual cookie-store modification plus cloud or SaaS authentication events. Glexia teams should validate data availability before treating this as covered by existing detections.

The official detection field is not provided, tactics are not specified, and no relationship context is supplied. This summary does not assert active exploitation, actor usage, impact, or guaranteed detection. Local browser configurations, endpoint logging depth, and SaaS/IaaS log availability determine whether this analytic is actionable.

Official MITRE ATT&CK definition

Analytic 0484

Forged web cookies on Windows endpoints can be detected by monitoring unusual modifications of browser cookie stores (e.g., Chrome SQLite DB, Edge cache) by processes outside of browsers, followed by authentication events to SaaS or IaaS services. Defenders may observe processes writing directly to cookie storage paths or injecting tokens into browser sessions.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6c9933102ba12e65...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 6c9933102ba1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0484 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.