Skip to content

MITRE ATTACK Mapping

shaddy43 edited this page Jul 16, 2026 · 1 revision

MITRE ATT&CK Mapping

Techniques exhibited by BrowserSnatch, with the wiki pages that provide detection coverage for each.

Tactic Technique Sub-technique Description Detection
Credential Access T1555 T1555.003 Credentials from Password Stores: Credentials from Web Browsers Sigma 9.2, Hunt 2
Credential Access T1539 Steal Web Session Cookie (session-token theft / replay) Sigma 9.2, IOCs
Credential Access T1552 T1552.001 Unsecured Credentials: Credentials in Files (browser SQLite stores) Sigma 9.2
Collection T1005 Data from Local System (bookmarks, history aggregation) Behavioral
Collection / Staging T1074 T1074.001 Local Data Staging: drop to C:\Users\Public\NTUSER.dat Sigma 9.4, Hunt 4
Defense Evasion T1140 Deobfuscate/Decode: DPAPI + AES-GCM + app-bound decryption Behavioral
Defense Evasion T1036 T1036.005 Masquerading: self-copy as chrome.exe / msedge.exe / brave.exe Sigma 9.5, Hunt 5
Persistence T1053 T1053.005 Scheduled Task/Job: Scheduled Task (author shaddy43); -service routine Sigma 9.6, Hunt 6
Exfiltration T1041 Exfiltration Over C2 Channel (operator-staged, if weaponized) IOCs — Network

ATT&CK Navigator layer

You can paste the following minimal layer JSON into the ATT&CK Navigator to visualize coverage.

{
  "name": "BrowserSnatch",
  "versions": { "layer": "4.5", "navigator": "4.9.1" },
  "domain": "enterprise-attack",
  "description": "BrowserSnatch browser data extraction tool coverage",
  "techniques": [
    { "techniqueID": "T1555.003", "score": 100, "comment": "Browser credential theft" },
    { "techniqueID": "T1539",     "score": 100, "comment": "Session cookie theft" },
    { "techniqueID": "T1552.001", "score": 75,  "comment": "Credentials in files" },
    { "techniqueID": "T1005",     "score": 50,  "comment": "Local data collection" },
    { "techniqueID": "T1074.001", "score": 90,  "comment": "Public\\NTUSER.dat staging" },
    { "techniqueID": "T1140",     "score": 60,  "comment": "DPAPI/AES/app-bound decryption" },
    { "techniqueID": "T1036.005", "score": 90,  "comment": "Masquerade as browser binary" },
    { "techniqueID": "T1053.005", "score": 90,  "comment": "Scheduled task persistence (shaddy43)" },
    { "techniqueID": "T1041",     "score": 30,  "comment": "Operator-staged exfil" }
  ],
  "gradient": {
    "colors": ["#ffe766", "#ff6666"],
    "minValue": 0,
    "maxValue": 100
  }
}

Continue to → Indicators of Compromise

Clone this wiki locally