Skip to content
shaddy43 edited this page Jul 16, 2026 · 4 revisions

BrowserSnatch — Detection & Threat Intelligence Wiki

A community detection knowledge base for BrowserSnatch, an open-source browser data extraction tool. Source repository: shaddy43/BrowserSnatch


What is this?

BrowserSnatch is an open-source offensive-security tool that "snatches" saved passwords, cookies (including the latest v20 app-bound-encrypted cookies), bookmarks, and browsing history from 40+ Chromium- and Gecko-based browsers on Windows. It is intended for authorized penetration testing and red teaming — but like any dual-use info-stealer, it can be abused.

This wiki gives blue teams, threat hunters, and detection engineers a ready-to-deploy detection package: Sigma rules, a YARA rule, KQL/Splunk hunts, IOCs, and MITRE ATT&CK mappings — all in one browsable place.

⚠️ Purpose & ethics. Everything here is for defensive use: detection engineering, threat hunting, and security research. It contains no offensive instructions, payloads, or new capability — only signatures and indicators for detecting the tool.


Navigation

Page Contents
Tool Overview What the tool is, versions, capabilities, repo structure
MITRE ATT&CK Mapping Tactic/technique coverage
Indicators of Compromise (IOCs) Files, strings, dropped/masquerade artifacts, network
Behavioral Detections CommandLine patterns, process/file behavior, event IDs
Sigma Rules 6 deployable Sigma detections
YARA Rule Binary detection signature
Hunting Queries (KQL & Splunk) 6 threat-hunting queries
Detection Coverage Matrix Behavior → rule mapping, telemetry needs
Validation & Lab Testing How to safely validate these detections
Contributing How the community can improve this wiki

Quick-start for defenders

  1. Highest-confidence, near-zero-false-positive IOCs — start here:
    • Author string shaddy43 in the binary and as a Scheduled Task <Author>
    • Creation of C:\Users\Public\NTUSER.dat (no legitimate use)
    • A binary named chrome.exe / msedge.exe / brave.exe that is unsigned or signed by the wrong vendor
  2. Deploy the Sigma Rules and YARA Rule into your SIEM/EDR.
  3. Hunt retroactively with the KQL & Splunk queries.
  4. Validate in a lab using the testing guide before trusting production alerts.

At a glance

Attribute Detail
Tool type Open-source red-team / dual-use info-stealer
Primary function Browser credential, cookie, bookmark & history theft (40+ browsers)
Author shaddy43
Platform Windows x86 / x64
Language C / C++
License MIT
Primary ATT&CK T1555.003, T1539, T1053.005, T1036.005, T1074.001
Risk HIGH — freely available, small footprint, v20 app-bound decryption, persistence + masquerading

Maintained by the cybersecurity community. Contributions welcome — see Contributing. Not affiliated with the tool's author.

Clone this wiki locally