MITRE ATT&CK® Analytic

AN0485: Analytic 0485

On Linux, defenders may observe forged cookie activity as unauthorized modifications to browser cookie databases (e.g., ~/.mozilla/firefox/*/cookies.sqlite, ~/.config/chromium/Default/Cookies) or scripted injection of session tokens. Suspicious usage includes curl/wget commands embedding forged cookies in headers, correlated with abnormal session activity in SaaS or IaaS logs.

Enterprise | AN0485 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because forged or injected browser cookies can turn a valid session into an identity-control problem: the attacker may not need a password prompt if a session token is accepted. For Linux environments, the practical concern is whether defenders can see unauthorized changes to browser cookie stores and suspicious command-line use of cookies, then correlate that activity with abnormal SaaS or IaaS session behavior.

Executive priority

Prioritize this as an identity and cloud visibility question, not only an endpoint issue. Leaders should ask whether Linux endpoints, SaaS logs, and IaaS logs can be correlated quickly enough during an incident to determine whether a session token was abused, which accounts were affected, and whether session revocation or credential containment is needed. This also supports audit evidence around session monitoring and incident response readiness.

Technical view

For SOC and IR teams, validate visibility on Linux file activity involving browser cookie databases such as ~/.mozilla/firefox/*/cookies.sqlite and ~/.config/chromium/Default/Cookies, plus process activity where curl or wget embeds cookies in HTTP headers. Detection value depends on correlating those endpoint observations with abnormal session activity in SaaS or IaaS logs. Because no ATT&CK tactic or relationship context is supplied, treat this analytic as a focused detection opportunity for suspicious cookie manipulation and usage rather than a complete attack-chain indicator.

Likely telemetry

  • Linux file modification events for browser cookie database paths
  • Linux process execution telemetry, including command-line arguments where available
  • Shell history or script execution evidence where collected and appropriate
  • Network or proxy evidence of curl/wget web requests where available
  • SaaS authentication and session activity logs

Detection direction

  • Confirm whether endpoint telemetry captures modifications to the listed Firefox and Chromium cookie database locations on Linux systems.
  • Tune for suspicious scripted or command-line use of cookies, especially curl/wget requests embedding cookie headers, while accounting for legitimate automation that may use similar tools.
  • Correlate endpoint cookie activity with abnormal SaaS or IaaS session behavior, such as unusual session timing, source changes, or account activity as represented in available platform logs.
  • Avoid treating cookie database access alone as conclusive; browsers and legitimate tools may modify these files during normal use.
  • Document blind spots where Linux endpoints lack file auditing, process command-line logging, or where SaaS/IaaS session logs are unavailable or not retained long enough for investigation.
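As an added illustration of the first three points above (example code, not part of the MITRE analytic or Glexia's text), a small Python triage script that scans constructed endpoint events for non-browser writes to the named cookie stores and for curl/wget invocations carrying cookies. The key=value event format, field names, the set of browser process names and the user allowlist are assumptions made for this example; in practice they would be mapped from the endpoint agent's own schema and local baselining.

```python
import re

# Cookie stores named in AN0485, as path regexes (user home is assumed under /home/).
COOKIE_DB_PATTERNS = [
    re.compile(r"/home/[^/]+/\.mozilla/firefox/[^/]+/cookies\.sqlite$"),
    re.compile(r"/home/[^/]+/\.config/chromium/Default/Cookies$"),
]
# Processes expected to write those files during normal use (assumed baseline).
BROWSER_PROCS = {"firefox", "firefox-bin", "chromium", "chromium-browser", "chrome"}
# curl: -b/--cookie or an explicit Cookie header; wget: --header Cookie or --load-cookies.
CURL_COOKIE = re.compile(r"""(?:^|\s)(?:-b|--cookie)(?:\s|=)|-H\s*["']?Cookie:""", re.I)
WGET_COOKIE = re.compile(r"""--header[= ]["']?Cookie:|--load-cookies""", re.I)

# Constructed sample events in an assumed key=value format (not real telemetry).
SAMPLE_LOG = """\
ts=1 type=file_write user=alice comm=firefox path=/home/alice/.mozilla/firefox/abc123.default/cookies.sqlite
ts=2 type=file_write user=alice comm=sqlite3 path=/home/alice/.mozilla/firefox/abc123.default/cookies.sqlite
ts=3 type=exec user=alice comm=curl cmd="curl -b session=deadbeef https://saas.example/api/me"
ts=4 type=exec user=svc-backup comm=curl cmd="curl -H 'Cookie: sid=abc' https://internal.example/health"
ts=5 type=exec user=alice comm=wget cmd="wget --header=Cookie:sid=x https://saas.example/"
ts=6 type=exec user=alice comm=curl cmd="curl https://example.org"
ts=7 type=file_write user=bob comm=chromium path=/home/bob/.config/chromium/Default/Cookies
""".splitlines()

def parse_line(line):
    """Split one key=value event into a dict; quoted values may contain spaces."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in fields}

def classify(ev):
    """Return the rule name an event trips, or None if it looks benign."""
    if ev.get("type") == "file_write":
        if any(p.search(ev.get("path", "")) for p in COOKIE_DB_PATTERNS):
            if ev.get("comm") not in BROWSER_PROCS:
                return "cookie_db_write_by_non_browser"
    elif ev.get("type") == "exec":
        comm, cmd = ev.get("comm"), ev.get("cmd", "")
        if comm == "curl" and CURL_COOKIE.search(cmd):
            return "curl_cookie_header"
        if comm == "wget" and WGET_COOKIE.search(cmd):
            return "wget_cookie_header"
    return None

def scan(lines, allowed_users=frozenset()):
    """Return (ts, user, rule) for each hit; allowed_users holds reviewed automation accounts."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("user") in allowed_users:
            continue  # baselined automation: suppressed, not silently dropped from the log
        rule = classify(ev)
        if rule:
            findings.append((ev.get("ts"), ev.get("user"), rule))
    return findings

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, {"svc-backup"}):
        print(hit)  # each hit is a candidate to join against SaaS/IaaS session logs by user and time
```

The findings are only leads: each (ts, user) pair is what gets joined against SaaS or IaaS session logs before anyone concludes a session token was abused.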

Mitigation priorities

  • Ensure Linux endpoint logging covers browser cookie store modification and relevant process execution details.
  • Centralize SaaS and IaaS session logs so they can be correlated with endpoint events during triage.
  • Define incident response actions for suspected forged session activity, including session review, session revocation where supported, and account containment procedures.
  • Review legitimate automation that uses curl/wget with cookies so detections can distinguish expected behavior from suspicious use.
  • Use this analytic to validate identity and cloud incident readiness rather than relying on endpoint controls alone.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Linux with an official description but no official detection text, no tactics, and no relationship context. The strongest defensive value comes from combining Linux endpoint evidence with SaaS/IaaS session telemetry.

This take is limited to the supplied STIX fields and external reference. It does not establish active exploitation, actor attribution, affected products beyond the named Linux browser paths and tools, or guaranteed detection coverage. Local baselining is required to separate legitimate browser and automation behavior from suspicious cookie manipulation.

Official MITRE ATT&CK definition

Analytic 0485

On Linux, defenders may observe forged cookie activity as unauthorized modifications to browser cookie databases (e.g., ~/.mozilla/firefox/*/cookies.sqlite, ~/.config/chromium/Default/Cookies) or scripted injection of session tokens. Suspicious usage includes curl/wget commands embedding forged cookies in headers, correlated with abnormal session activity in SaaS or IaaS logs.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b73fd04fa7469751...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle b73fd04fa746…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0485 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.