AN0719: Analytic 0719
Forged web credentials on Windows endpoints may be detected by anomalous browser cookie files, local token cache manipulations, or tools injecting tokens into sessions. Defenders may observe processes accessing LSASS or browser credential stores unexpectedly, followed by unusual logon sessions.
Analyst context for executives and security teams
This analytic matters because forged web credentials can let an attacker appear as a legitimate user on a Windows endpoint, potentially bypassing normal password-focused controls. For leaders, the practical question is whether the organization can see suspicious manipulation of browser cookies, local token caches, credential stores, and follow-on logon behavior before it becomes an incident-response guessing game.
Executive priority
Prioritize this as an identity and endpoint visibility issue. It supports decisions about EDR logging depth, browser credential-store monitoring, LSASS access oversight, and incident response readiness for suspected session abuse. Because the ATT&CK object provides no specific tactic mapping or detection logic, treat it as a validation prompt rather than proof of coverage: ask whether SOC teams can correlate local credential access with unusual logon sessions on Windows systems.
Technical view
For Windows endpoints, validate whether telemetry can show anomalous browser cookie files, local token cache manipulation, unexpected access to LSASS or browser credential stores, and subsequent unusual logon sessions. Detection engineering should focus on correlation rather than a single event: suspicious process access to credential material followed by authentication/session activity that is abnormal for the user or host. The official object does not provide a full detection analytic, so local baselining and environment-specific allowlisting are required.
Likely telemetry
- Windows endpoint process execution and process access events
- Events showing access to LSASS or browser credential stores
- Browser cookie file creation, modification, or anomalous access metadata
- Local token cache file or registry modification evidence where available
- User and host logon/session telemetry
Detection direction
- Confirm whether endpoint tooling records processes accessing LSASS and browser credential stores, not just process start events.
- Correlate credential-store or token-cache manipulation with unusual logon sessions for the same user or host.
- Baseline legitimate browser, identity agent, security tool, and administrative activity to reduce false positives.
- Review blind spots on unmanaged Windows endpoints, privacy-restricted browser data collection, and systems where token/cache file monitoring is not enabled.
- Because no official detection logic is supplied, test candidate rules against local administrative workflows before using them for high-severity alerting.
Mitigation priorities
- Reduce unnecessary local exposure of web credentials and session material where business operations allow.
- Limit and monitor privileged or unusual process access to LSASS and browser credential locations.
- Ensure Windows endpoints are covered by endpoint telemetry capable of supporting credential-store and session-correlation investigations.
- Prepare incident response playbooks for suspected forged web credential or session-token abuse, including user session review and containment decisions.
- Use findings to inform identity, endpoint, and compliance evidence discussions around session security and credential handling.
Analyst notes and limits
The object is a MITRE ATT&CK detection analytic for Windows endpoints, external ID AN0719, associated with forged web credentials and observable local credential/token manipulation. No relationships, tactics, aliases, or official detection logic were supplied, so this take emphasizes defensive validation and telemetry readiness rather than a finished detection rule.
Source fields are sparse. The ATT&CK object does not provide a tactic, technique relationship, detection pseudocode, data sources, mitigations, or evidence of exploitation. Local endpoint architecture, browser usage, identity stack, and logging configuration are required to determine actual detection feasibility.
Analytic 0719
Forged web credentials on Windows endpoints may be detected by anomalous browser cookie files, local token cache manipulations, or tools injecting tokens into sessions. Defenders may observe processes accessing LSASS or browser credential stores unexpectedly, followed by unusual logon sessions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | a237d037c69a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0719Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.