AN0486: Analytic 0486
Forged cookies on macOS may show up as abnormal access to Safari/Chrome cookie databases in ~/Library/Cookies, combined with unexpected logon sessions authenticated by those cookies. Unified Logs may show cookie injection events or abnormal access patterns to Keychain when linked to browser authentication flows.
Analyst context for executives and security teams
This analytic matters because forged browser cookies on macOS can turn browser session data into an identity bypass problem: a user may appear logged in through Safari or Chrome without a normal authentication event. For leaders, the practical question is whether macOS endpoint, browser, and identity telemetry can prove that cookie database access and cookie-authenticated sessions are legitimate when an incident is being investigated.
Executive priority
Prioritize this as an identity and incident-response readiness check for macOS fleets. The business risk is not established by this object alone, but the described behavior affects confidence in session integrity, audit evidence, and the ability to distinguish valid user activity from suspicious cookie-based access. Security leaders should ask whether SOC teams collect enough macOS endpoint, Unified Log, browser data-location, and authentication-session evidence to investigate abnormal access to Safari/Chrome cookie stores and related Keychain activity.
Technical view
The supplied analytic is scoped to macOS and describes abnormal access to Safari/Chrome cookie databases under ~/Library/Cookies, unexpected logon sessions authenticated by those cookies, and possible Unified Log evidence of cookie injection or unusual Keychain access tied to browser authentication flows. SOC and IR teams should validate visibility into file access around browser cookie stores, process context for that access, Unified Logs, Keychain access patterns, and downstream authentication/session events. No ATT&CK tactic, technique relationship, or formal detection logic is supplied, so local baselining and environment-specific validation are required.
Likely telemetry
- macOS endpoint file access telemetry for ~/Library/Cookies and browser cookie database paths
- Process execution and process-to-file access context for Safari, Chrome, and non-browser processes touching cookie stores
- macOS Unified Logs related to cookie injection indicators or abnormal browser authentication flows
- Keychain access telemetry or logs when associated with browser authentication activity
- Identity or application session logs showing unexpected logon sessions authenticated by browser cookies
Detection direction
- Baseline normal Safari and Chrome cookie database access on macOS, including expected browser and helper processes.
- Alert or hunt for non-browser or unusual processes accessing cookie databases in ~/Library/Cookies, while accounting for legitimate backup, security, browser update, and profile-management tools.
- Correlate abnormal cookie-store access with unexpected cookie-authenticated sessions rather than treating file access alone as conclusive.
- Review Unified Logs and Keychain-related activity for patterns linked to browser authentication flows, but tune carefully because the official object does not provide precise event IDs or logic.
- Document visibility gaps where endpoint telemetry, Unified Logs, Keychain activity, or identity-session logs are unavailable or not retained long enough for investigation.
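An added worked example, not part of the ATT&CK object or Glexia's analysis, that applies the baseline, alert and correlate steps above to constructed macOS file-access and session records in Python: it flags cookie-store reads by processes outside an illustrative baseline, then keeps only those followed by a cookie-authenticated session for the same user within one hour. The baseline set, the Chrome profile path, the `auth_method` field and all sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Cookie-store paths to watch. ~/Library/Cookies comes from the analytic; the Chrome
# profile path is the standard location and is an assumption of this example.
COOKIE_STORE_GLOBS = ("/Users/*/Library/Cookies/*",
                      "/Users/*/Library/Application Support/Google/Chrome/*/Cookies")
# Processes expected to touch cookie stores. Illustrative only: the real
# baseline must be built from your own fleet (detection step 1).
BASELINE_PROCESSES = {"Safari", "Google Chrome", "backupd"}

@dataclass
class FileAccess:          # one endpoint file-access event
    ts: datetime
    user: str
    process: str
    path: str

@dataclass
class Session:             # one identity/application logon event
    ts: datetime
    user: str
    auth_method: str       # "cookie" or "password" (constructed field)

def is_cookie_store(path: str) -> bool:
    return any(fnmatch(path, g) for g in COOKIE_STORE_GLOBS)

def abnormal_cookie_access(events):
    """Step 2: cookie-store access by a process outside the baseline."""
    return [e for e in events if is_cookie_store(e.path) and e.process not in BASELINE_PROCESSES]

def correlate(accesses, sessions, window=timedelta(hours=1)):
    """Step 3: pair an abnormal access with a cookie-authenticated session for the
    same user that begins within `window` after it; access alone is not conclusive."""
    return [(a, s) for a in accesses for s in sessions
            if s.user == a.user and s.auth_method == "cookie" and a.ts <= s.ts <= a.ts + window]

def T(h, m): return datetime(2026, 1, 15, h, m)  # constructed timestamps
EVENTS = [  # constructed sample telemetry
    FileAccess(T(9, 0), "alice", "Safari", "/Users/alice/Library/Cookies/Cookies.binarycookies"),
    FileAccess(T(9, 5), "alice", "python3", "/Users/alice/Library/Cookies/Cookies.binarycookies"),
    FileAccess(T(10, 0), "bob", "osascript", "/Users/bob/Library/Application Support/Google/Chrome/Default/Cookies"),
    FileAccess(T(10, 2), "bob", "Google Chrome", "/Users/bob/Library/Application Support/Google/Chrome/Default/Cookies"),
    FileAccess(T(10, 30), "alice", "python3", "/Users/alice/Documents/report.txt"),
]
SESSIONS = [Session(T(9, 20), "alice", "cookie"), Session(T(10, 10), "bob", "password"),
            Session(T(14, 0), "bob", "cookie")]
def run_detection(events=EVENTS, sessions=SESSIONS):
    return correlate(abnormal_cookie_access(events), sessions)
```

With the sample data, two accesses are abnormal (python3 and osascript) but only alice's is followed by a cookie-authenticated session inside the window, so only that pair is reported.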
Mitigation priorities
- Confirm macOS endpoint logging and retention cover browser cookie database access, relevant Unified Logs, and Keychain-related activity.
- Strengthen investigation playbooks for suspected session misuse by requiring correlation between local cookie access and remote authentication/session evidence.
- Limit and monitor unnecessary access to user browser data locations, especially by non-browser processes or administrative tooling.
- Use identity/session governance processes to revoke suspicious sessions when investigation shows cookie-authenticated access is unexpected.
- Maintain audit evidence showing what macOS, browser, Keychain, and session telemetry is collected and how it supports incident response.
Analyst notes and limits
This is a detection analytic object, not a technique description. The supplied fields support a macOS-focused analytic for suspicious browser cookie database access and related session behavior. There are no supplied relationships, tactics, aliases, labels, or formal detection logic, so the value is primarily in validating telemetry coverage and correlation readiness.
Official detection content is not provided, and no relationships to techniques, software, groups, mitigations, or campaigns are supplied. This take does not infer active exploitation, attribution, impact, or guaranteed detectability. Local macOS configuration, browser versions, logging policy, identity provider logs, and retention settings will determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 053e9fb93b37… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0486 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.