Skip to content

Hunting Queries

shaddy43 edited this page Jul 16, 2026 · 2 revisions

Hunting Queries (KQL & Splunk)

Retroactive threat-hunting queries. KQL targets Microsoft Defender for Endpoint / Sentinel; Splunk queries assume Sysmon and Windows Security logs. Adapt field names to your schema.

Contents


Hunt 1 — Execution by name or flags (KQL)

DeviceProcessEvents
| where FileName in~ ("BrowserSnatch.exe","BrowserSnatch64.exe")
    or ProcessCommandLine has_any ("-pass","-cookies","-app-bound-decryption",
        "-bookmarks","-history","-greed","-recalibrate","-service")
    or ProcessCommandLine has_any ("BrowserSnatch","shaddy43")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName
| order by Timestamp desc

Hunt 2 — Non-browser access to credential stores (KQL)

DeviceFileEvents
| where FileName in~ ("Login Data","Local State","key4.db","logins.json","Cookies")
| where InitiatingProcessFileName !in~
    ("chrome.exe","msedge.exe","brave.exe","firefox.exe","opera.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName
| order by Timestamp desc

Hunt 3 — Stealer DB / copied store creation (Splunk)

index=windows_sysmon EventCode=11
(TargetFilename="*Login Data*" OR TargetFilename="*Cookies*" OR TargetFilename="*stealer*")
NOT (TargetFilename="*\\User Data\\*" OR TargetFilename="*\\Profiles\\*")
| stats count by Image, TargetFilename, ComputerName, _time
| sort -_time

Hunt 4 — NTUSER.dat dropped in Public profile (KQL)

DeviceFileEvents
| where FolderPath endswith @"\Users\Public\NTUSER.dat"
    or (FileName =~ "NTUSER.dat" and FolderPath has @"\Users\Public\")
| project Timestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FolderPath
| order by Timestamp desc

This is one of the highest-signal, lowest-noise hunts in the set, a hit here rarely needs corroboration.


Hunt 5 — Browser binary from non-standard path / unsigned (KQL)

DeviceProcessEvents
| where FileName in~ ("chrome.exe", "msedge.exe", "brave.exe")
| where FolderPath has_any (
    @"\Google\Chrome\chrome.exe",
    @"\Microsoft\Edge\msedge.exe",
    @"\BraveSoftware\Brave-Browser\brave.exe")
| where FolderPath !has @"\Application\"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          ProcessVersionInfoCompanyName, SHA256,
          InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc

BrowserSnatch masquerade browser binaries by copying itself in the parent directory of original browser binary path. Pair it with a certificate/signature check where available. A chrome.exe with a blank or mismatched CompanyName running from any non-standard path is high-confidence masquerading.


Hunt 6 — Scheduled task persistence (shaddy43) (Splunk)

index=windows_security (EventCode=4698 OR EventCode=4699)
| search (TaskContent="*shaddy43*" OR Task_Content="*shaddy43*")
| table _time, ComputerName, EventCode, Task_Name, SubjectUserName
| sort -_time
`` Corroborate with schtasks execution ``
index=windows_sysmon EventCode=1 Image="*\\schtasks.exe"
(CommandLine="*shaddy43*" OR CommandLine="*BrowserSnatch*")
| table _time, ComputerName, CommandLine, ParentImage

Coverage reference

See the Detection Coverage Matrix for which behavior each hunt and rule covers, and the telemetry each requires.

Continue to → Detection Coverage Matrix

Clone this wiki locally