-
Notifications
You must be signed in to change notification settings - Fork 49
Home
A community detection knowledge base for BrowserSnatch, an open-source browser data extraction tool. Source repository: shaddy43/BrowserSnatch
BrowserSnatch is an open-source offensive-security tool that "snatches" saved passwords, cookies (including the latest v20 app-bound-encrypted cookies), bookmarks, and browsing history from 40+ Chromium- and Gecko-based browsers on Windows. It is intended for authorized penetration testing and red teaming — but like any dual-use info-stealer, it can be abused.
This wiki gives blue teams, threat hunters, and detection engineers a ready-to-deploy detection package: Sigma rules, a YARA rule, KQL/Splunk hunts, IOCs, and MITRE ATT&CK mappings — all in one browsable place.
⚠️ Purpose & ethics. Everything here is for defensive use: detection engineering, threat hunting, and security research. It contains no offensive instructions, payloads, or new capability — only signatures and indicators for detecting the tool.
| Page | Contents |
|---|---|
| Tool Overview | What the tool is, versions, capabilities, repo structure |
| MITRE ATT&CK Mapping | Tactic/technique coverage |
| Indicators of Compromise (IOCs) | Files, strings, dropped/masquerade artifacts, network |
| Behavioral Detections | CommandLine patterns, process/file behavior, event IDs |
| Sigma Rules | 6 deployable Sigma detections |
| YARA Rule | Binary detection signature |
| Hunting Queries (KQL & Splunk) | 6 threat-hunting queries |
| Detection Coverage Matrix | Behavior → rule mapping, telemetry needs |
| Validation & Lab Testing | How to safely validate these detections |
| Contributing | How the community can improve this wiki |
-
Highest-confidence, near-zero-false-positive IOCs — start here:
- Author string
shaddy43in the binary and as a Scheduled Task<Author> - Creation of
C:\Users\Public\NTUSER.dat(no legitimate use) - A binary named
chrome.exe/msedge.exe/brave.exethat is unsigned or signed by the wrong vendor
- Author string
- Deploy the Sigma Rules and YARA Rule into your SIEM/EDR.
- Hunt retroactively with the KQL & Splunk queries.
- Validate in a lab using the testing guide before trusting production alerts.
| Attribute | Detail |
|---|---|
| Tool type | Open-source red-team / dual-use info-stealer |
| Primary function | Browser credential, cookie, bookmark & history theft (40+ browsers) |
| Author | shaddy43 |
| Platform | Windows x86 / x64 |
| Language | C / C++ |
| License | MIT |
| Primary ATT&CK | T1555.003, T1539, T1053.005, T1036.005, T1074.001 |
| Risk | HIGH — freely available, small footprint, v20 app-bound decryption, persistence + masquerading |
Maintained by the cybersecurity community. Contributions welcome — see Contributing. Not affiliated with the tool's author.
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations