-
Notifications
You must be signed in to change notification settings - Fork 49
Contributing
This wiki is a community defensive resource. Contributions that improve detection accuracy, add telemetry sources, or correct tool-specific details are welcome.
- New or improved detections — Sigma rules, YARA signatures, KQL/Splunk/other-SIEM queries.
- Validated artifacts — confirmed paths, task names, filenames, or behavior from lab testing (see Validation & Lab Testing).
- False-positive reports — legitimate software that trips a rule, plus a suggested filter.
- Additional telemetry sources — Elastic, CrowdStrike, Carbon Black, Chronicle, etc.
- Translations / backend conversions — Sigma converted to specific SIEM query languages.
- Defensive only. This wiki documents how to detect the tool. Do not add offensive tradecraft, weaponization guidance, payloads, or instructions to extend the tool's capability.
- Cite your evidence. For a new IOC, say how it was observed (lab run, incident, sample hash) so others can validate.
- No live malware or real credentials. Never attach samples, real victim data, or working exfil endpoints.
- Keep hashes qualified. Because the tool is open-source, hashes are build-specific; label them with the build/source they came from rather than presenting them as universal IOCs.
- Stay legal and ethical. Only submit content gathered from authorized testing or your own environment.
GitHub Wikis are backed by a git repo. You can clone and submit changes:
git clone https://github.com/<owner>/<repo>.wiki.git
cd <repo>.wiki
# edit the .md pages
git add . && git commit -m "Add Elastic EQL variant for 9.4"
git pushFor discussion or proposals, open an Issue on the main repository and tag it detection or wiki.
- One topic per page; link between pages with
[Title](Page-Name)(no.mdextension). - Put rules in fenced code blocks with the right language hint (
yaml,yara,kql,spl). - Give every Sigma rule a unique
id(UUID) and setstatushonestly (experimental/test/stable). - Add new techniques to the MITRE ATT&CK Mapping and Coverage Matrix.
When adding a Sigma rule, include at minimum:
title: <concise, specific>
id: <new UUID>
status: experimental # experimental | test | stable
description: <what it detects and why>
references:
- https://github.com/shaddy43/BrowserSnatch
author: <your handle or "Community">
date: <YYYY/MM/DD>
tags:
- attack.<tactic>
- attack.t<technique>
level: <low | medium | high | critical>This wiki is maintained by the tool's author and cybersecurity community is encouraged to contribute. All content is provided for authorized detection-engineering, threat-hunting, and research use. See the Home page for scope.
Thanks for helping defenders keep pace. 🛡️
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations