-
Notifications
You must be signed in to change notification settings - Fork 49
Behavioral Detections
Behavioral signals survive recompilation and obfuscation better than file hashes. This page documents the command-line patterns, process/file behaviors, and Windows event IDs that indicate BrowserSnatch activity.
BrowserSnatch.exe ← Default: snatch all passwords + cookies
BrowserSnatch.exe -h ← Help menu (recon / staging indicator)
BrowserSnatch.exe -pass ← Passwords from every browser
BrowserSnatch.exe -pass -c ← Passwords, Chromium only
BrowserSnatch.exe -pass -g ← Passwords, Gecko only
BrowserSnatch.exe -cookies ← Cookies from every browser
BrowserSnatch.exe -cookies -c ← Cookies, Chromium only
BrowserSnatch.exe -cookies -g ← Cookies, Gecko only
BrowserSnatch.exe -app-bound-decryption ← Decrypt v20 app-bound cookies (requires admin)
BrowserSnatch.exe -bookmarks ← Bookmarks from every browser
BrowserSnatch.exe -history ← History from every browser
BrowserSnatch.exe -greed ← Snatch EVERYTHING → single stealer DB
BrowserSnatch.exe -recalibrate ← Fallback when extraction fails
BrowserSnatch.exe -service ← Service / gain system privilege
High-confidence CommandLine IOC. The presence of any of
-pass,-cookies,-app-bound-decryption,-bookmarks,-history,-greed,-recalibrate, or-serviceis a strong single-signal detection.-app-bound-decryption,-greed, and-serviceare the highest-severity flags (admin-context decryption, full collection, and persistence respectively).
-history, -service, and -pass are short and generic and could appear in unrelated tooling. In noisy environments, gate on the image name or require two or more flags together, keeping standalone-flag logic only for the high-specificity ones (-app-bound-decryption, -greed, -recalibrate).
| Behavior | Description | Relevant capability |
|---|---|---|
Non-browser process opening Login Data / Cookies
|
Direct read of encrypted credential/cookie SQLite stores | 1, 2 |
Read of Local State / key4.db
|
Access to master key material for decryption | 1, 2, 3 |
DPAPI CryptUnprotectData by non-browser process |
Unwrapping DPAPI-protected secrets | 1, 2 |
| Admin-context app-bound key access | Elevated decryption of v20 app-bound cookies | 3 |
| Bulk sequential access to many browser profile dirs | Enumeration across 40+ browsers in one run | All |
| Creation of consolidated stealer DB | Aggregated exfil-ready output | 6 (Greed) |
| SQLite queries against copied browser DBs | Parsing logins, cookies, moz_places
|
All |
File written to C:\Users\Public\NTUSER.dat |
Drop of a file that never legitimately holds a live hive here | Staging / Persistence |
| Self-copy into browser paths as a browser name | Copies itself as chrome.exe / msedge.exe / brave.exe in Program Files |
Masquerading (T1036.005) |
Scheduled task created/deleted, Author = shaddy43 |
Persistence via Task Scheduler; author string is hard-coded | Persistence (T1053.005) |
Service install routine (-service) |
Gain System level privileges | Privilege Escalation |
| Event ID | Log | Description | Relevance |
|---|---|---|---|
| 4688 | Security | New process creation |
BrowserSnatch.exe / BrowserSnatch64.exe created |
| 4663 | Security | Object access (file) | Access to Login Data, Cookies, Local State
|
| 1 | Sysmon | Process creation | BrowserSnatch with snatch/greed args |
| 11 | Sysmon | File created | Stealer DB / copied store / C:\Users\Public\NTUSER.dat / self-copy as browser name |
| 10 | Sysmon | Process access | Non-browser process accessing browser process/profile |
| 1 / 4688 | Sysmon / Security | Process creation |
schtasks.exe create/delete, or browser exe launched from a non-standard path |
| 4698 / 4699 | Security | Scheduled task created / deleted | Task with <Author>shaddy43</Author> privilege escalation then cleanup |
| 106 / 141 | TaskScheduler/Operational | Task registered / deleted | Corroborates 4698/4699; capture task name and author |
| 3 | Sysmon | Network connection | Post-snatch exfiltration of stealer DB (if staged) |
| API / technique | Capability | Notes |
|---|---|---|
CryptUnprotectData (DPAPI) |
1, 2 | Decrypts legacy Chromium and Gecko secrets |
| AES-256-GCM decryption (BCrypt) | 1, 2, 3 | Decrypts values with the Local State master key |
| App-bound encryption key retrieval | 3 | v20 cookie decryption; requires admin |
| SQLite read (sqlite3 / bundled) | All | Queries logins, cookies, urls, bookmarks tables |
| File copy of locked browser DBs | All | Copies store to bypass browser file locks |
| Profile / registry enumeration | All | Locates 40+ browser install and profile paths |
Continue to → Sigma Rules
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations