AN1398: Analytic 1398
Adversary gains high integrity or special privileges (e.g., SeDebugPrivilege), locates a running browser process, opens it with write/inject rights, and modifies it (e.g., CreateRemoteThread / DLL load) to inherit cookies/tokens or establish a browser pivot. Optional step: create a new logon session or use explicit credentials, then drive the victim browser to intranet resources.
Analyst context for executives and security teams
This analytic describes a Windows behavior where an adversary with elevated or special privileges modifies a running browser process to inherit browser-held access, such as cookies or tokens, or to use the browser as a pivot into internal resources. For leaders, the practical issue is that identity controls can be bypassed operationally if an endpoint allows privileged process tampering against trusted user applications like browsers.
Executive priority
Prioritize this as an endpoint, identity, and incident-response readiness question: can the organization prove when privileged code manipulates browsers, and can responders quickly determine whether browser sessions, intranet access, or user tokens may be affected? This matters for business continuity and audit evidence because browser sessions often front critical SaaS and internal applications. The supplied ATT&CK object provides no built-in detection logic, so local telemetry validation is required.
Technical view
For Windows SOC and IR teams, validate visibility into privileged process access targeting browser processes, especially write or injection-capable access and subsequent process modification indicators such as remote thread creation or DLL loading. Because no ATT&CK detection text or relationship context is supplied, detection engineering should focus on correlating elevated privilege context, browser process targets, suspicious access rights, and follow-on browser activity toward intranet or authenticated resources. Tune carefully to account for legitimate security tools, accessibility software, browser extensions, enterprise management agents, and debugging workflows that may interact with browser processes.
Likely telemetry
- Windows process creation and parent-child process lineage
- Process access events showing write, injection, or high-risk access rights to browser processes
- Privilege assignment or use events involving high integrity or special privileges such as SeDebugPrivilege
- Module load or DLL load telemetry for browser processes
- Remote thread or process injection telemetry where available
Detection direction
- Confirm whether endpoint telemetry captures process access into browsers, not only process start events.
- Correlate elevated integrity or special privilege context with attempts to modify running browser processes.
- Baseline legitimate software that opens or instruments browsers to reduce false positives without suppressing high-risk write or injection patterns.
- Look for suspicious sequencing: privilege use, browser process access, process modification indicators, then browser-driven access to internal resources.
- Validate coverage specifically on Windows systems, as this is the only platform supplied for the analytic.
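The detection direction above can be prototyped offline before it is written as a SIEM or EDR rule. The following Python is an added example, not part of the original analytic or the mirror site's tooling: it walks constructed Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records, flags accesses into browser processes whose granted rights include the three rights needed for classic write-and-execute injection (PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE), applies a baseline allowlist of known instrumenting tools, and upgrades a finding when the same source process later creates a remote thread in that browser. The event records, image paths, PIDs and the allowlist are all constructed; field names follow the Sysmon schema. Correlation with privilege-use telemetry (the elevated or SeDebugPrivilege context) is left to the reader's own logon-session data.

```python
"""Added example: detect injection-capable access to browser processes from
Sysmon-style telemetry and correlate the follow-on remote-thread creation.

All events, image paths, PIDs and the baseline allowlist are constructed for
this example. Field names mirror Sysmon's ProcessAccess (Event ID 10) and
CreateRemoteThread (Event ID 8) schema.
"""
from dataclasses import dataclass
from typing import Iterable

# Win32 process access rights that together enable write-and-execute injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Constructed baseline: tooling this hypothetical environment already knows
# opens browsers with broad rights. Tune locally; do not copy as-is.
BASELINE_SOURCES = {r"C:\Program Files\ExampleEDR\sensor.exe"}


@dataclass
class Finding:
    target_pid: int
    source_image: str
    access: int
    stage: str  # "access" or "access+remote_thread"


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def injection_capable(granted_access: int) -> bool:
    """True when the mask contains every right in INJECT_MASK."""
    return granted_access & INJECT_MASK == INJECT_MASK


def detect_browser_tampering(events: Iterable[dict]) -> list[Finding]:
    """Walk events in time order and emit at most one Finding per browser PID.

    Stage 1: Event ID 10 where TargetImage is a browser, GrantedAccess is
             injection-capable and SourceImage is not in the baseline.
    Stage 2: a later Event ID 8 from the same source PID into the same
             target PID upgrades the finding's stage.
    """
    findings: dict[int, Finding] = {}
    suspects: dict[int, int] = {}  # target pid -> source pid that accessed it
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 10:
            if _basename(ev["TargetImage"]) not in BROWSER_IMAGES:
                continue
            if ev["SourceImage"] in BASELINE_SOURCES:
                continue
            access = int(ev["GrantedAccess"], 16)
            if not injection_capable(access):
                continue
            tpid = ev["TargetProcessId"]
            suspects[tpid] = ev["SourceProcessId"]
            findings[tpid] = Finding(tpid, ev["SourceImage"], access, "access")
        elif ev["EventID"] == 8:
            tpid = ev["TargetProcessId"]
            if suspects.get(tpid) == ev["SourceProcessId"] and tpid in findings:
                findings[tpid].stage = "access+remote_thread"
    return list(findings.values())


# Constructed sample telemetry (not real logs).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [
    # Baselined sensor opening the browser with full rights: suppressed.
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:01", "SourceProcessId": 500,
     "SourceImage": r"C:\Program Files\ExampleEDR\sensor.exe",
     "TargetImage": CHROME, "TargetProcessId": 4100, "GrantedAccess": "0x1FFFFF"},
    # Unbaselined binary opening the same browser with full rights: stage 1.
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:05", "SourceProcessId": 7320,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\unknown.exe",
     "TargetImage": CHROME, "TargetProcessId": 4100, "GrantedAccess": "0x1FFFFF"},
    # Same source then creates a remote thread in the browser: stage 2.
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:06", "SourceProcessId": 7320,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\unknown.exe",
     "TargetImage": CHROME, "TargetProcessId": 4100},
    # Task Manager querying Firefox with PROCESS_QUERY_LIMITED_INFORMATION only.
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:09", "SourceProcessId": 900,
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": FIREFOX, "TargetProcessId": 5200, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for finding in detect_browser_tampering(SAMPLE_EVENTS):
        print(finding)
```

Requiring all three rights in `INJECT_MASK` keeps read-only inspection (query or PROCESS_VM_READ masks, as used by many legitimate tools) out of the alert path, which is the tuning trade-off the direction above describes; the baseline set is where environment-specific instrumenting software belongs, and it should be reviewed rather than grown whenever a new alert appears.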
Mitigation priorities
- Limit and monitor administrative rights and special privileges on Windows endpoints, especially privileges that enable process inspection or modification.
- Harden endpoint controls to prevent or alert on unauthorized process injection or modification of browser processes where supported.
- Reduce reliance on long-lived browser sessions for sensitive applications through appropriate identity and session controls.
- Ensure incident response playbooks include browser session and token exposure assessment when privileged browser tampering is suspected.
- Use telemetry validation as compliance evidence: show what is collected, what is correlated, and what response actions are triggered.
Analyst notes and limits
This is a detection analytic object, not a technique object, and no tactics, relationships, or official detection text were supplied. The description is still decision-useful because it identifies a concrete Windows behavior involving elevated privileges and browser process modification. Local environment baselining is essential because legitimate enterprise tools can interact with browsers in ways that resemble parts of this behavior.
Assessment is limited to the supplied ATT&CK fields and external reference. No active exploitation, attribution, prevalence, impact, or guaranteed detection coverage is implied. No non-Windows platform applicability is asserted.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 88d635d714c1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1398 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.