MITRE ATT&CK® Analytic

AN1402: Analytic 1402

Detects suspicious access to browser session cookie storage (e.g., Chrome’s `Cookies` SQLite DB) or memory reads of browser processes, as well as anomalous injection or memory-dump utilities targeting browser processes such as `chrome.exe`, `firefox.exe`, or `msedge.exe`.

Domain: Enterprise | ID: AN1402 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting attempts on Windows systems to access browser session cookies or read browser process memory. For executives and security leaders, the practical concern is identity risk: browser cookies can represent active user sessions, so suspicious access to cookie databases or browser memory may indicate an attempt to bypass normal login controls and reuse authenticated sessions.

Executive priority

Prioritize this as an identity and incident-response readiness issue rather than a generic endpoint alert. Leaders should ask whether the organization can detect unusual access to browser cookie storage and browser process memory, whether SOC teams can triage that activity quickly, and whether incident responders have playbooks for suspected session compromise. This also supports compliance and audit discussions around protection of authentication material and evidence that endpoint telemetry is sufficient for credential/session theft investigations.

Technical view

The supplied ATT&CK analytic applies to Windows and describes suspicious access to browser cookie storage, such as the Chrome Cookies SQLite database, and memory reads, dumping, or injection behavior targeting browser processes including chrome.exe, firefox.exe, and msedge.exe. Chromium-based browsers encrypt cookie values at rest (DPAPI, and more recently app-bound encryption), which is why session-theft tooling typically either copies the cookie database together with the key material needed to decrypt it or reads already-decrypted cookies from browser process memory; both paths leave the file-access and process-access traces this analytic targets. SOC and detection teams should validate whether endpoint telemetry records file access to browser cookie stores, process access events involving browser processes, and execution of utilities that read, dump, or inject into browser memory. Because no official detection logic is provided, local implementation should be based on observed process lineage, user context, target process, access type (for example, whether the handle carries memory-read or write/thread-creation rights), and whether the accessing process is expected for the environment.

Likely telemetry

  • Windows endpoint process creation events (Sysmon Event ID 1 or Security Event ID 4688 with command-line logging enabled)
  • Process access or handle events involving browser processes (e.g., Sysmon Event ID 10 ProcessAccess, whose GrantedAccess field shows whether the handle includes PROCESS_VM_READ or write/thread-creation rights)
  • File access events for browser cookie storage locations (Security Event ID 4663 requires a SACL on the stores, e.g., Chromium profiles’ `User Data\<Profile>\Network\Cookies` and Firefox’s `Profiles\<profile>\cookies.sqlite`)
  • Endpoint detection and response telemetry for memory reads, injection, or dump behavior
  • Command-line and parent-child process context for utilities interacting with chrome.exe, firefox.exe, or msedge.exe

Detection direction

  • Validate visibility into access to browser cookie databases and browser process memory on Windows endpoints.
  • Tune detections around unexpected processes accessing cookie storage or reading browser process memory, especially when the process is not the browser, a known security tool, or an approved administrative utility.
  • Correlate suspicious browser memory access with process lineage, command-line arguments, user identity, host role, and recent authentication activity where available.
  • Account for false positives from legitimate endpoint security tools, forensic tools, browser management utilities, backup software, or troubleshooting workflows.
  • Identify blind spots where file access auditing, process access telemetry, or EDR memory-access events are not collected or are retained for too short a period.
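The technical view, telemetry and detection-direction points above describe one triage rule in prose: flag a process that is neither the browser itself nor an approved tool when it opens a browser cookie store or obtains memory-read or injection-capable rights on a browser process. The following is an added example, not part of the ATT&CK object or the Glexia analysis, that runs that rule over a handful of constructed events modelled on Sysmon Event ID 10 (ProcessAccess) and Security Event ID 4663 (object access). The allowlist of expected readers, the sample file paths and user names, and the simplified field names are assumptions for illustration; real events carry more fields and tooling names differ per environment.

```python
"""Triage constructed Windows telemetry for browser cookie-store and
browser-memory access. Events are modelled on Sysmon Event ID 10
(ProcessAccess) and Security Event ID 4663 (file object access, which
needs a SACL on the cookie stores). All events below are constructed."""
import re

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Processes expected to touch browser memory or cookie files. This is an
# assumed, environment-specific allowlist, not a vendor-supplied one.
ALLOWED_READERS = {"msmpeng.exe", "mssense.exe"}

# Cookie stores on disk. Chromium keeps the DB under <Profile>\Network\
# (older builds used the profile root); Firefox uses cookies.sqlite.
COOKIE_STORE_RE = re.compile(
    r"\\(?:google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\(?:network\\)?cookies$"
    r"|\\mozilla\\firefox\\profiles\\[^\\]+\\cookies\.sqlite$",
    re.IGNORECASE,
)

# PROCESS_* access rights as defined in the Windows SDK.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_VM_OPERATION = 0x0008
PROCESS_CREATE_THREAD = 0x0002
INJECT_MASK = PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_process_access(ev):
    """Reason string for a suspicious ProcessAccess event, else None.
    A browser opening its own child processes and allowlisted tools are
    ignored; anything else is graded by the rights actually granted."""
    src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    if tgt not in BROWSERS or src == tgt or src in ALLOWED_READERS:
        return None
    granted = int(ev["GrantedAccess"], 16)   # Sysmon renders this as "0x..."
    if granted & INJECT_MASK:
        return "injection-capable handle to browser process"
    if granted & PROCESS_VM_READ:
        return "memory read of browser process"
    return None


def classify_file_access(ev):
    """Reason string for a suspicious cookie-store open, else None."""
    if not COOKIE_STORE_RE.search(ev["ObjectName"]):
        return None
    proc = basename(ev["ProcessName"])
    if proc in BROWSERS or proc in ALLOWED_READERS:
        return None
    return "cookie store opened by unexpected process"


def triage(events):
    """Return (EventID, offending image name, reason, user) for each hit."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 10:
            reason, who = classify_process_access(ev), basename(ev["SourceImage"])
        elif ev["EventID"] == 4663:
            reason, who = classify_file_access(ev), basename(ev["ProcessName"])
        else:
            continue
        if reason:
            alerts.append((ev["EventID"], who, reason, ev.get("User")))
    return alerts


# Constructed sample events (paths and users are illustrative).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    # Browser opening its own renderer: routine.
    {"EventID": 10, "SourceImage": CHROME, "TargetImage": CHROME,
     "GrantedAccess": "0x1410", "User": r"CORP\alice"},
    # Allowlisted endpoint protection reading browser memory: suppressed.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1010", "User": "NT AUTHORITY\\SYSTEM"},
    # Unknown binary in a temp directory reading Firefox memory.
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "GrantedAccess": "0x1010", "User": r"CORP\alice"},
    # rundll32 holding full access on Edge: injection-capable.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1FFFFF", "User": r"CORP\alice"},
    # PowerShell opening the Chrome cookie DB.
    {"EventID": 4663, "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
     "User": r"CORP\alice"},
    # Chrome opening its own cookie DB: routine.
    {"EventID": 4663, "ProcessName": CHROME,
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
     "User": r"CORP\alice"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints three hits (update.exe, rundll32.exe, powershell.exe) and stays silent on the browser's own activity and the allowlisted scanner. The rights mask is the part worth keeping when porting this to a SIEM query: a handle with only PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is noise, one with PROCESS_VM_READ (0x0010) is a read, and one with write or thread-creation rights deserves the higher severity because it can also inject.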

Mitigation priorities

  • Ensure endpoint telemetry collection covers browser cookie storage access and process memory access on Windows systems.
  • Limit unnecessary local administrative privileges and restrict use of utilities capable of reading or dumping process memory.
  • Harden identity response procedures for suspected session compromise, including session revocation and user risk review where applicable.
  • Document approved tools and workflows that legitimately access browser processes or cookie stores so detections can be tuned without suppressing meaningful anomalies.
  • Use this analytic as validation evidence for managed detection, incident response readiness, and controls protecting authentication/session material.

Analyst notes and limits

This object is a detection analytic, not a technique description. Its value is in validating whether defenders can observe suspicious access to browser session cookie storage or browser process memory on Windows. Since no relationships or tactics were supplied, interpretation should stay focused on the analytic’s stated behavior and local telemetry coverage.

The official detection field is not provided, and no relationship context is supplied. The object only specifies Windows as a platform and names example browser processes and cookie storage behavior. Any production detection logic, severity model, or incident conclusion requires local environment baselines and supporting telemetry.

Official MITRE ATT&CK definition

Analytic 1402

Detects suspicious access to browser session cookie storage (e.g., Chrome’s `Cookies` SQLite DB) or memory reads of browser processes. Anomalous injection or memory dump utilities targeting browser processes such as `chrome.exe`, `firefox.exe`, or `msedge.exe`.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 52a92fa1722e96aa...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 52a92fa1722e…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1402

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.