-
Notifications
You must be signed in to change notification settings - Fork 49
Detection Coverage Matrix
shaddy43 edited this page Jul 16, 2026
·
2 revisions
Maps each observable behavior to the detections that cover it, the telemetry required, the ATT&CK technique, and a confidence rating.
| Behavior | ATT&CK | Detection(s) | Telemetry required | Confidence |
|---|---|---|---|---|
| Tool executed by name | T1555.003 | Sigma 9.1, Hunt 1 | Process creation (Sysmon 1 / 4688 / EDR) | High |
| Tool executed by flag | T1555.003 | Sigma 9.1, Hunt 1 | Process creation w/ command line | Med–High* |
| Non-browser reads credential store | T1555.003 / T1552.001 | Sigma 9.2, Hunt 2 | File access (Sysmon 11/23, 4663, EDR file events) | Med–High |
| Session cookie theft | T1539 | Sigma 9.2, IOCs | File access to Cookies store |
Med |
| Stealer DB / copied store in odd path | T1074.001 | Sigma 9.3, Hunt 3 | File create (Sysmon 11) | Med |
C:\Users\Public\NTUSER.dat drop |
T1074.001 | Sigma 9.4, Hunt 4 | File create (Sysmon 11) | Very High |
| Masquerade as browser binary | T1036.005 | Sigma 9.5, Hunt 5 | Process creation w/ signature fields | Very High |
Scheduled-task persistence (shaddy43) |
T1053.005 | Sigma 9.6, Hunt 6 | Security 4698/4699, TaskScheduler 106/141 | Very High |
| Binary on disk / in memory | T1555.003 | YARA | File or memory scanning | High |
| DPAPI / AES-GCM decryption | T1140 | Behavioral | API telemetry / EDR | Low–Med |
| Exfiltration of stealer DB | T1041 | IOCs — Network | Network (Sysmon 3, proxy, NetFlow) | Low (variant-dependent) |
* Confidence depends on tuning, see the flag tuning note.
To get full coverage, ensure the following are enabled:
-
Process creation with command line — Sysmon Event ID 1, or Windows Security 4688 with command-line auditing enabled (
Include command line in process creation eventsGPO), or EDR process telemetry. - File create / file access — Sysmon Event ID 11 (create) and 23/26 (delete); Windows 4663 requires SACLs on the target files.
-
Process image signature fields — Sysmon config with
<HashAlgorithms>and signature capture, or EDR that records signer/signature status (paired with 9.5, high confidence). - Scheduled task auditing — Windows Security 4698/4699 (enable "Audit Other Object Access Events"), plus the TaskScheduler Operational log (106/141).
- Network connection — Sysmon Event ID 3 and/or proxy/DNS logs for the exfil hunts.
If you can only deploy a few detections first, start with the Very High confidence items, they have near-zero false positives:
- Sigma 9.4 — Public NTUSER.dat
- Sigma 9.6 — Scheduled task author
shaddy43 - Sigma 9.5 — Browser masquerade
- YARA rule + Sigma 9.1 execution
Continue to → Validation & Lab Testing
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations