AN1403: Analytic 1403
Detects access to known browser cookie files (e.g., `~/.mozilla/firefox/*.default/cookies.sqlite`, `~/.config/google-chrome/`) and suspicious reads of browser memory via `/proc/[pid]/mem` or ptrace.
Analyst context for executives and security teams
This analytic matters because browser cookies and live browser memory can contain session material that may let an intruder bypass normal login checks. For Linux environments, the practical question is whether the SOC can see suspicious access to browser cookie stores and browser process memory, not just whether endpoint tools are installed.
Executive priority
Prioritize this as an identity and incident-response readiness issue for Linux workstations, jump hosts, and administrator systems where browser sessions may provide access to business applications. Leaders should ask whether security teams collect the file and process telemetry needed to prove or disprove cookie or browser-memory access during an investigation.
Technical view
AN1403 is a Linux detection analytic focused on access to known browser cookie locations such as Firefox cookies.sqlite paths and Google Chrome configuration directories, plus suspicious reads of browser memory through /proc/[pid]/mem or ptrace. SOC and detection teams should validate that Linux endpoint telemetry can record file reads against browser profile paths and process behavior involving memory access to browser processes. No ATT&CK tactic, relationship context, or official detection logic was supplied, so implementation should be tested locally against normal browser, backup, EDR, debugging, and administrative activity.
Likely telemetry
- Linux file access events for browser profile and cookie database paths
- Process execution and process ancestry on Linux endpoints
- Access attempts to /proc/[pid]/mem
- ptrace-related activity or audit events where available
- User, host, and session context for the process performing the access
Detection direction
- Baseline legitimate access to browser cookie files by browsers, profile managers, backup tools, security tools, and administrative scripts before alerting broadly.
- Correlate cookie-file access with unusual process names, unexpected parent processes, non-interactive users, or access outside normal browser activity.
- Treat reads of browser process memory through /proc/[pid]/mem or ptrace as higher-signal when the accessing process is not a known debugger, security tool, or approved administrative utility.
- Validate that telemetry captures file reads and process memory access on Linux; many environments collect process starts but not detailed file-read or ptrace evidence.
- Use host and user context to reduce false positives and to support incident-response scoping if suspicious access is found.
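As an added illustration of the detection direction above (example code, not part of the analytic or of this page), the following Python routine scores constructed Linux access records the way the bullets suggest: baselined readers score low, non-baselined cookie-store reads escalate when the parent process is unexpected or the uid is a system account, and browser-memory access via /proc/[pid]/mem or ptrace scores high unless the reader is an approved tool. The allowlists, the /home/* path prefix, the uid threshold and the sample records are all assumptions to be replaced by local baselining.

```python
import fnmatch
import re
from dataclasses import dataclass

# Cookie locations named by the analytic; the /home/* prefix is an assumption.
COOKIE_GLOBS = ["/home/*/.mozilla/firefox/*.default*/cookies.sqlite", "/home/*/.config/google-chrome/*"]
PROC_MEM = re.compile(r"^/proc/\d+/mem$")
BROWSERS = {"firefox", "chrome", "google-chrome"}  # placeholder baselines: fill from local baselining
APPROVED_COOKIE_READERS = BROWSERS | {"restic", "edr-agent"}
APPROVED_MEMORY_READERS = {"gdb", "strace", "edr-agent"}
EXPECTED_PARENTS = {"systemd", "gnome-shell", "bash"} | BROWSERS
@dataclass
class AccessEvent:
    comm: str         # accessing process name
    parent: str       # parent process name
    uid: int
    path: str         # file opened, or /proc/<pid>/mem
    syscall: str      # e.g. "openat", "read", "ptrace"
    target: str = ""  # for memory access: name of the process being read
def classify(ev: AccessEvent) -> tuple[str, list[str]]:
    """Return (severity, reasons); severity is none, low, medium or high."""
    if ev.syscall == "ptrace" or PROC_MEM.match(ev.path):
        if ev.target not in BROWSERS:
            return "none", []  # memory of a non-browser process: out of scope here
        if ev.comm in APPROVED_MEMORY_READERS:
            return "low", ["browser memory read by approved tool"]
        return "high", ["browser memory read by unapproved process"]
    if not any(fnmatch.fnmatch(ev.path, g) for g in COOKIE_GLOBS):
        return "none", []
    if ev.comm in APPROVED_COOKIE_READERS:
        return "low", ["cookie store read by baselined process"]
    reasons = ["cookie store read by non-baselined process"]
    if ev.parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {ev.parent}")
    if ev.uid < 1000:  # assumption: uids below 1000 are service accounts
        reasons.append("non-interactive system uid")
    return ("high" if len(reasons) > 1 else "medium"), reasons
def triage(events: list[AccessEvent]) -> list[tuple[str, str, str]]:
    rank = {"high": 3, "medium": 2, "low": 1}  # out-of-scope ("none") events are dropped
    hits = [(classify(e)[0], e.comm, e.path) for e in events]
    return sorted((h for h in hits if h[0] != "none"), key=lambda h: -rank[h[0]])

FF = "/home/alice/.mozilla/firefox/abc.default/cookies.sqlite"  # constructed path
SAMPLE = [  # constructed records, not real telemetry
    AccessEvent("firefox", "gnome-shell", 1000, FF, "openat"),
    AccessEvent("sqlite3", "bash", 1000, FF, "openat"),
    AccessEvent("python3", "cron", 0, "/home/alice/.config/google-chrome/Default/Cookies", "openat"),
    AccessEvent("gdb", "bash", 1000, "/proc/4242/mem", "read", target="firefox"),
    AccessEvent("python3", "bash", 1000, "/proc/4242/mem", "read", target="firefox"),
]
```

Run `triage(SAMPLE)` to see the two python3 events ranked first; the real work is in the baselines, which this example only stubs.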
Mitigation priorities
- Harden and monitor Linux endpoints that handle privileged browser sessions first, especially administrator workstations and shared operational systems.
- Limit unnecessary local access to browser profile directories through least privilege and workstation hygiene.
- Control and audit debugging or process-inspection capabilities where operationally feasible.
- Ensure incident-response playbooks include session-token and browser-cookie exposure considerations when this analytic fires.
- Preserve endpoint telemetry long enough to support investigation of prior cookie or memory access.
Analyst notes and limits
The supplied object is a detection analytic, not a full ATT&CK technique entry. Its value is in validating visibility over Linux browser cookie stores and browser memory access patterns. Because no relationships were supplied, this take does not infer a specific technique, campaign, malware family, or tactic.
Official detection logic was not provided, tactics were not specified, and no relationship context was supplied. Coverage depends on local Linux audit, EDR, and logging configuration; this object alone does not prove that an environment can detect the behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 28b5037a6f6f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1403
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.