Skip to content

Behavioral Detections

shaddy43 edited this page Jul 16, 2026 · 2 revisions

Behavioral Detections

Behavioral signals survive recompilation and obfuscation better than file hashes. This page documents the command-line patterns, process/file behaviors, and Windows event IDs that indicate BrowserSnatch activity.


Command-line patterns

BrowserSnatch.exe                        ← Default: snatch all passwords + cookies
BrowserSnatch.exe -h                     ← Help menu (recon / staging indicator)
BrowserSnatch.exe -pass                  ← Passwords from every browser
BrowserSnatch.exe -pass -c               ← Passwords, Chromium only
BrowserSnatch.exe -pass -g               ← Passwords, Gecko only
BrowserSnatch.exe -cookies               ← Cookies from every browser
BrowserSnatch.exe -cookies -c            ← Cookies, Chromium only
BrowserSnatch.exe -cookies -g            ← Cookies, Gecko only
BrowserSnatch.exe -app-bound-decryption  ← Decrypt v20 app-bound cookies (requires admin)
BrowserSnatch.exe -bookmarks             ← Bookmarks from every browser
BrowserSnatch.exe -history               ← History from every browser
BrowserSnatch.exe -greed                 ← Snatch EVERYTHING → single stealer DB
BrowserSnatch.exe -recalibrate           ← Fallback when extraction fails
BrowserSnatch.exe -service               ← Service / gain system privilege

High-confidence CommandLine IOC. The presence of any of -pass, -cookies, -app-bound-decryption, -bookmarks, -history, -greed, -recalibrate, or -service is a strong single-signal detection. -app-bound-decryption, -greed, and -service are the highest-severity flags (admin-context decryption, full collection, and persistence respectively).

Tuning note

-history, -service, and -pass are short and generic and could appear in unrelated tooling. In noisy environments, gate on the image name or require two or more flags together, keeping standalone-flag logic only for the high-specificity ones (-app-bound-decryption, -greed, -recalibrate).


Key behavioral signals

Behavior Description Relevant capability
Non-browser process opening Login Data / Cookies Direct read of encrypted credential/cookie SQLite stores 1, 2
Read of Local State / key4.db Access to master key material for decryption 1, 2, 3
DPAPI CryptUnprotectData by non-browser process Unwrapping DPAPI-protected secrets 1, 2
Admin-context app-bound key access Elevated decryption of v20 app-bound cookies 3
Bulk sequential access to many browser profile dirs Enumeration across 40+ browsers in one run All
Creation of consolidated stealer DB Aggregated exfil-ready output 6 (Greed)
SQLite queries against copied browser DBs Parsing logins, cookies, moz_places All
File written to C:\Users\Public\NTUSER.dat Drop of a file that never legitimately holds a live hive here Staging / Persistence
Self-copy into browser paths as a browser name Copies itself as chrome.exe / msedge.exe / brave.exe in Program Files Masquerading (T1036.005)
Scheduled task created/deleted, Author = shaddy43 Persistence via Task Scheduler; author string is hard-coded Persistence (T1053.005)
Service install routine (-service) Gain System level privileges Privilege Escalation

Windows event log & Sysmon IOCs

Event ID Log Description Relevance
4688 Security New process creation BrowserSnatch.exe / BrowserSnatch64.exe created
4663 Security Object access (file) Access to Login Data, Cookies, Local State
1 Sysmon Process creation BrowserSnatch with snatch/greed args
11 Sysmon File created Stealer DB / copied store / C:\Users\Public\NTUSER.dat / self-copy as browser name
10 Sysmon Process access Non-browser process accessing browser process/profile
1 / 4688 Sysmon / Security Process creation schtasks.exe create/delete, or browser exe launched from a non-standard path
4698 / 4699 Security Scheduled task created / deleted Task with <Author>shaddy43</Author> privilege escalation then cleanup
106 / 141 TaskScheduler/Operational Task registered / deleted Corroborates 4698/4699; capture task name and author
3 Sysmon Network connection Post-snatch exfiltration of stealer DB (if staged)

API & technique indicators

API / technique Capability Notes
CryptUnprotectData (DPAPI) 1, 2 Decrypts legacy Chromium and Gecko secrets
AES-256-GCM decryption (BCrypt) 1, 2, 3 Decrypts values with the Local State master key
App-bound encryption key retrieval 3 v20 cookie decryption; requires admin
SQLite read (sqlite3 / bundled) All Queries logins, cookies, urls, bookmarks tables
File copy of locked browser DBs All Copies store to bypass browser file locks
Profile / registry enumeration All Locates 40+ browser install and profile paths

Continue to → Sigma Rules

Clone this wiki locally