MITRE ATT&CK® Detection Strategy

DET0013: Detection of Local Browser Artifact Access for Reconnaissance

Enterprise · DET0013 · Detection Strategy · Object v1.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0013 is a MITRE detection strategy for spotting access to local browser artifacts associated with Browser Information Discovery (T1217). The business relevance is that browser data can expose internal tools, dashboards, accounts, browsing history, and other context that helps an intruder understand the environment. For leaders, this is less about the browser itself and more about whether endpoint monitoring can identify early reconnaissance before it enables follow-on activity.

Executive priority

Prioritize this as an endpoint visibility and incident-readiness question: do security teams have reliable evidence when local browser data is accessed in unusual ways on Windows, macOS, or Linux systems? The object has no official detection text, so it should not be treated as a ready-made control. It is best used to drive validation of logging, managed detection use cases, investigation playbooks, and audit evidence around reconnaissance of user and internal-resource information.

Technical view

This detection strategy detects T1217 Browser Information Discovery, which is mapped to the Discovery tactic and supports Linux, macOS, and Windows in the related technique context. SOC and detection engineering teams should validate whether they can observe suspicious access to local browser artifacts and distinguish expected browser, backup, administration, or security-tool activity from reconnaissance behavior. Because the detection strategy itself does not provide an official detection analytic, local baselining and environment-specific process/file access context are required.

Likely telemetry

  • Endpoint process execution telemetry
  • File access or file modification telemetry for local browser data locations
  • User and host context associated with browser artifact access
  • Security tool or EDR alerts involving discovery or suspicious local data access
  • Investigation records linking browser artifact access to broader Discovery activity

Detection direction

  • Confirm telemetry exists across the related technique platforms: Windows, macOS, and Linux, where applicable to the environment.
  • Baseline legitimate browser, browser-update, backup, migration, administrative, and security-tool access to browser artifacts to reduce false positives.
  • Look for non-browser or unusual processes accessing browser-stored data, especially when paired with other Discovery activity.
  • Validate whether managed detection and SOC triage procedures preserve enough process, user, host, and file context to determine whether access is suspicious.
  • Treat this ATT&CK object as detection-strategy guidance, not a complete analytic, because official detection text is not provided.
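
One way to turn the baselining and "non-browser process" points above into triage logic, as an added example that is not MITRE's or Glexia's analytic. The event schema, the artifact path patterns, the baseline set and the discovery-command list are all assumptions to be replaced with values confirmed in your own environment.

```python
import ntpath
import re

# Assumed artifact locations (not from DET0013); confirm them by local baselining.
ARTIFACTS = [re.compile(p, re.I) for p in (
    r"[\\/]Google[\\/]Chrome[\\/].*[\\/](History|Bookmarks)$",
    r"[\\/]Microsoft[\\/]Edge[\\/]User Data[\\/].*[\\/](History|Bookmarks)$",
    r"[\\/]\.config[\\/](google-chrome|chromium)[\\/].*[\\/](History|Bookmarks)$",
    r"[\\/]Firefox[\\/]Profiles[\\/].*[\\/]places\.sqlite$",
    r"[\\/]\.mozilla[\\/]firefox[\\/].*[\\/]places\.sqlite$",
)]
# Hypothetical baseline: browsers plus an approved backup agent.
BASELINE = {"chrome.exe", "msedge.exe", "firefox.exe", "chrome", "firefox", "backupagent.exe"}
# Illustrative commands commonly logged during other Discovery activity.
DISCOVERY = {"whoami.exe", "systeminfo.exe", "ipconfig.exe", "whoami", "id"}

def name(image):  # ntpath.basename splits on both "\" and "/"
    return ntpath.basename(image).lower()

def triage(events, window=300):
    """Alert on non-baseline processes reading browser artifacts; severity is
    'high' when the same user and host ran a discovery command within `window` s."""
    alerts = []
    for e in events:
        if (e["type"] != "file_read" or name(e["process"]) in BASELINE
                or not any(p.search(e["path"]) for p in ARTIFACTS)):
            continue
        paired = any(
            o["type"] == "process_start" and name(o["process"]) in DISCOVERY
            and (o["host"], o["user"]) == (e["host"], e["user"])
            and abs(o["ts"] - e["ts"]) <= window
            for o in events)
        alerts.append({"host": e["host"], "user": e["user"], "path": e["path"],
                       "process": name(e["process"]), "severity": "high" if paired else "medium"})
    return alerts

def mk(ts, host, user, type_, process, path=""):
    return dict(ts=ts, host=host, user=user, type=type_, process=process, path=path)

CHROME_HIST = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry (not real logs).
SAMPLE = [
    mk(1000, "WS1", "alice", "file_read", r"C:\Program Files\Google\Chrome\Application\chrome.exe", CHROME_HIST),
    mk(1050, "WS1", "alice", "process_start", r"C:\Windows\System32\whoami.exe"),
    mk(1100, "WS1", "alice", "file_read", PS, CHROME_HIST),
    mk(1200, "WS1", "alice", "file_read", PS, r"C:\Users\alice\Documents\report.docx"),
    mk(2000, "LX1", "bob", "file_read", "/usr/bin/python3", "/home/bob/.mozilla/firefox/ab12.default/places.sqlite"),
]
```

`triage(SAMPLE)` returns two alerts: the PowerShell read paired with `whoami.exe` at high severity, and the unpaired `python3` read at medium.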

Mitigation priorities

  • First ensure endpoint logging/EDR coverage is deployed and retained for systems where browser artifacts may contain sensitive internal-resource information.
  • Limit unnecessary local exposure of sensitive information in browser-stored data through user guidance and secure handling practices where appropriate.
  • Review access controls and hardening practices for endpoints used to reach internal tools and dashboards.
  • Use incident response playbooks to define when browser artifact access should trigger containment, credential review, or broader Discovery investigation.
  • Maintain compliance evidence showing that reconnaissance-relevant endpoint telemetry is collected, reviewed, and retained according to organizational requirements.

Analyst notes and limits

The supplied object is a detection strategy, DET0013, named Detection of Local Browser Artifact Access for Reconnaissance. It has no official description, no official detection text, no specified platforms or tactics on the detection strategy itself, and one supplied relationship: it detects T1217 Browser Information Discovery. The practical interpretation should therefore be anchored to the related technique’s Discovery tactic and Linux, macOS, and Windows platform context, not to unsupported claims about a specific analytic.

This take is limited by sparse official fields. No active exploitation, threat actor attribution, product coverage, detection logic, or guaranteed telemetry source is provided. Local environment evidence is required to define exact browser artifact locations, legitimate access patterns, alert thresholds, and incident severity.

Official MITRE ATT&CK definition

Detection of Local Browser Artifact Access for Reconnaissance

No official description is available in the imported ATT&CK source object.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1217 | Browser Information Discovery | This object detects Browser Information Discovery.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 9bc5ce58e53865cc...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 9bc5ce58e538…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.