AN1404: Analytic 1404
Detects unauthorized access to browser cookie paths (e.g., `~/Library/Application Support/Google/Chrome/Default/Cookies`) or `task_for_pid`/`vm_read` calls to Safari/Chrome memory space.
Analyst context for executives and security teams
AN1404 is a macOS detection analytic focused on suspicious access to browser cookie storage or browser memory for Safari and Chrome. For leaders, the practical issue is session and identity risk: browser cookies can represent authenticated access, so visibility into unauthorized cookie-path access and memory reads helps determine whether endpoint monitoring can support fast containment and account/session response decisions.
Executive priority
Prioritize this as an identity and endpoint resilience validation item for macOS fleets. Security leaders should ask whether SOC and IR teams can prove collection and alerting for access to Chrome/Safari cookie locations and memory-read behavior, and whether response processes include session revocation, endpoint isolation, and user/account review when such activity is confirmed.
Technical view
The supplied analytic applies to macOS and describes detection of unauthorized access to browser cookie paths such as `~/Library/Application Support/Google/Chrome/Default/Cookies`, plus `task_for_pid` or `vm_read` calls against Safari or Chrome memory space. Detection engineers should validate whether endpoint telemetry can identify the accessing process, user, target browser process or file path, timestamp, and authorization context. Because no official detection logic or tactics are supplied, local baselining is required to distinguish browser maintenance, backup, security tooling, and administrative activity from suspicious access.
Likely telemetry
- macOS endpoint file access telemetry for browser profile and cookie database paths
- process execution telemetry showing the process accessing Chrome or Safari cookie locations
- macOS process/API/syscall telemetry for `task_for_pid` and `vm_read` activity
- target process context for Safari and Chrome memory access
- user, parent process, code-signing, and command-line context for the accessing process
Detection direction
- Confirm collection actually covers macOS browser cookie paths and browser memory access events; many environments collect process starts but not sensitive file reads or memory-read APIs.
- Create allowlists cautiously for known browser, backup, endpoint management, or security tools; require path, signer, parent process, and user context before suppressing events.
- Tune for non-browser processes accessing Chrome/Safari cookie files or invoking `task_for_pid`/`vm_read` against browser processes.
- Correlate detections with recent process execution and user context so IR can decide whether to revoke sessions or investigate account misuse.
- Document coverage gaps explicitly because the ATT&CK object provides a detection concept but no full detection rule, tactic mapping, or relationship context.
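As an added example (not part of the AN1404 object or this page's own content), the direction above expressed as a small Python pass over constructed macOS endpoint events: non-browser processes reading a cookie store, or calling `task_for_pid`/`vm_read` against a browser, are flagged, and an allowlist entry only suppresses when process, signer, parent and user all match. Field names, signer values and the backup agent are assumptions; the Safari cookie path is an assumed addition beyond the Chrome path the analytic names.

```python
import re
from typing import Optional

# Cookie store paths: Chrome's from the analytic, Safari's is an assumed addition.
COOKIE_PATHS = re.compile(
    r"/Library/(Application Support/Google/Chrome/[^/]+/Cookies"
    r"|Cookies/Cookies\.binarycookies)$")
BROWSERS = {"Google Chrome", "Safari"}
MEMORY_APIS = {"task_for_pid", "vm_read"}
# Allowlist entries need process, signer, parent and user together (see direction above);
# the backup agent and its signer are constructed placeholders.
ALLOWLIST = {("backupd-example", "EXAMPLE-SIGNER", "launchd", "root")}

def is_suspicious(ev: dict) -> Optional[str]:
    """Return a reason if the event matches the AN1404 pattern, else None."""
    if (ev["process"], ev.get("signer"), ev.get("parent"), ev.get("user")) in ALLOWLIST:
        return None
    if ev["process"] in BROWSERS:
        return None  # a browser reading its own cookie store is expected
    path = ev.get("path", "")
    if COOKIE_PATHS.search(path):
        return f"non-browser process {ev['process']} read cookie store {path}"
    if ev.get("api") in MEMORY_APIS and ev.get("target") in BROWSERS:
        return f"{ev['process']} called {ev['api']} on {ev['target']}"
    return None

def detect(events: list) -> list:
    """Run is_suspicious over a batch of events and keep the hits."""
    return [r for r in (is_suspicious(e) for e in events) if r]

# Constructed sample events (field names are this example's, not a real EDR schema).
CHROME_COOKIES = "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"
SAMPLE_EVENTS = [
    {"process": "Google Chrome", "signer": "CHROME-SIGNER", "parent": "launchd",
     "user": "alice", "path": CHROME_COOKIES},
    {"process": "python3", "signer": None, "parent": "Terminal", "user": "alice",
     "path": CHROME_COOKIES},
    {"process": "backupd-example", "signer": "EXAMPLE-SIGNER", "parent": "launchd",
     "user": "root", "path": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
    {"process": "backupd-example", "signer": "EXAMPLE-SIGNER", "parent": "bash",
     "user": "alice", "path": "/Users/alice/Library/Cookies/Cookies.binarycookies"},
    {"process": "dumper", "signer": None, "parent": "bash", "user": "alice",
     "api": "task_for_pid", "target": "Safari"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The fourth event shows why partial allowlisting is risky: the same signed backup binary launched from a user shell falls outside the allowlist tuple and is still flagged.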
Mitigation priorities
- Validate macOS endpoint monitoring coverage for browser cookie file access and browser process memory access before relying on this analytic operationally.
- Limit unnecessary local administrative privileges and reduce tools or workflows that legitimately read browser cookie stores where business operations allow.
- Harden incident response playbooks to include browser/session review, credential or session revocation decisions, and endpoint containment when unauthorized access is confirmed.
- Use compliance evidence from monitoring tests and alert review to show that sensitive local identity artifacts are being watched on supported macOS systems.
Analyst notes and limits
This take is based only on the supplied AN1404 fields. The object is a detection analytic for macOS with an official description but no official detection body and no relationship context. The value is highest as a coverage-validation and IR-readiness prompt for identity/session material stored or accessed through browsers.
No tactics, related techniques, mitigations, data sources, or detection implementation details were supplied. This summary does not assert active exploitation, attribution, customer exposure, or guaranteed detection. Local telemetry, browser mix, endpoint tooling, and administrative workflows must be reviewed before operational conclusions are made.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1cf6a96d91e7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1404 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.