-
Notifications
You must be signed in to change notification settings - Fork 49
Hunting Queries
Retroactive threat-hunting queries. KQL targets Microsoft Defender for Endpoint / Sentinel; Splunk queries assume Sysmon and Windows Security logs. Adapt field names to your schema.
Contents
- Hunt 1 — Execution by name or flags
- Hunt 2 — Non-browser access to credential stores
- Hunt 3 — Stealer DB / copied store creation
- Hunt 4 — NTUSER.dat dropped in Public profile
- Hunt 5 — Browser binary from non-standard path / unsigned
- Hunt 6 — Scheduled task persistence (shaddy43)
DeviceProcessEvents
| where FileName in~ ("BrowserSnatch.exe","BrowserSnatch64.exe")
or ProcessCommandLine has_any ("-pass","-cookies","-app-bound-decryption",
"-bookmarks","-history","-greed","-recalibrate","-service")
or ProcessCommandLine has_any ("BrowserSnatch","shaddy43")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName
| order by Timestamp descDeviceFileEvents
| where FileName in~ ("Login Data","Local State","key4.db","logins.json","Cookies")
| where InitiatingProcessFileName !in~
("chrome.exe","msedge.exe","brave.exe","firefox.exe","opera.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName
| order by Timestamp descindex=windows_sysmon EventCode=11
(TargetFilename="*Login Data*" OR TargetFilename="*Cookies*" OR TargetFilename="*stealer*")
NOT (TargetFilename="*\\User Data\\*" OR TargetFilename="*\\Profiles\\*")
| stats count by Image, TargetFilename, ComputerName, _time
| sort -_time
DeviceFileEvents
| where FolderPath endswith @"\Users\Public\NTUSER.dat"
or (FileName =~ "NTUSER.dat" and FolderPath has @"\Users\Public\")
| project Timestamp, DeviceName, InitiatingProcessFileName,
InitiatingProcessCommandLine, FolderPath
| order by Timestamp descThis is one of the highest-signal, lowest-noise hunts in the set, a hit here rarely needs corroboration.
DeviceProcessEvents
| where FileName in~ ("chrome.exe", "msedge.exe", "brave.exe")
| where FolderPath has_any (
@"\Google\Chrome\chrome.exe",
@"\Microsoft\Edge\msedge.exe",
@"\BraveSoftware\Brave-Browser\brave.exe")
| where FolderPath !has @"\Application\"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
ProcessVersionInfoCompanyName, SHA256,
InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp descBrowserSnatch masquerade browser binaries by copying itself in the parent directory of original browser binary path. Pair it with a certificate/signature check where available. A
chrome.exewith a blank or mismatchedCompanyNamerunning from any non-standard path is high-confidence masquerading.
index=windows_security (EventCode=4698 OR EventCode=4699)
| search (TaskContent="*shaddy43*" OR Task_Content="*shaddy43*")
| table _time, ComputerName, EventCode, Task_Name, SubjectUserName
| sort -_time
`` Corroborate with schtasks execution ``
index=windows_sysmon EventCode=1 Image="*\\schtasks.exe"
(CommandLine="*shaddy43*" OR CommandLine="*BrowserSnatch*")
| table _time, ComputerName, CommandLine, ParentImage
See the Detection Coverage Matrix for which behavior each hunt and rule covers, and the telemetry each requires.
Continue to → Detection Coverage Matrix
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations