-
Notifications
You must be signed in to change notification settings - Fork 49
MITRE ATTACK Mapping
shaddy43 edited this page Jul 16, 2026
·
1 revision
Techniques exhibited by BrowserSnatch, with the wiki pages that provide detection coverage for each.
| Tactic | Technique | Sub-technique | Description | Detection |
|---|---|---|---|---|
| Credential Access | T1555 | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Sigma 9.2, Hunt 2 |
| Credential Access | T1539 | — | Steal Web Session Cookie (session-token theft / replay) | Sigma 9.2, IOCs |
| Credential Access | T1552 | T1552.001 | Unsecured Credentials: Credentials in Files (browser SQLite stores) | Sigma 9.2 |
| Collection | T1005 | — | Data from Local System (bookmarks, history aggregation) | Behavioral |
| Collection / Staging | T1074 | T1074.001 | Local Data Staging: drop to C:\Users\Public\NTUSER.dat
|
Sigma 9.4, Hunt 4 |
| Defense Evasion | T1140 | — | Deobfuscate/Decode: DPAPI + AES-GCM + app-bound decryption | Behavioral |
| Defense Evasion | T1036 | T1036.005 | Masquerading: self-copy as chrome.exe / msedge.exe / brave.exe
|
Sigma 9.5, Hunt 5 |
| Persistence | T1053 | T1053.005 | Scheduled Task/Job: Scheduled Task (author shaddy43); -service routine |
Sigma 9.6, Hunt 6 |
| Exfiltration | T1041 | — | Exfiltration Over C2 Channel (operator-staged, if weaponized) | IOCs — Network |
You can paste the following minimal layer JSON into the ATT&CK Navigator to visualize coverage.
{
"name": "BrowserSnatch",
"versions": { "layer": "4.5", "navigator": "4.9.1" },
"domain": "enterprise-attack",
"description": "BrowserSnatch browser data extraction tool coverage",
"techniques": [
{ "techniqueID": "T1555.003", "score": 100, "comment": "Browser credential theft" },
{ "techniqueID": "T1539", "score": 100, "comment": "Session cookie theft" },
{ "techniqueID": "T1552.001", "score": 75, "comment": "Credentials in files" },
{ "techniqueID": "T1005", "score": 50, "comment": "Local data collection" },
{ "techniqueID": "T1074.001", "score": 90, "comment": "Public\\NTUSER.dat staging" },
{ "techniqueID": "T1140", "score": 60, "comment": "DPAPI/AES/app-bound decryption" },
{ "techniqueID": "T1036.005", "score": 90, "comment": "Masquerade as browser binary" },
{ "techniqueID": "T1053.005", "score": 90, "comment": "Scheduled task persistence (shaddy43)" },
{ "techniqueID": "T1041", "score": 30, "comment": "Operator-staged exfil" }
],
"gradient": {
"colors": ["#ffe766", "#ff6666"],
"minValue": 0,
"maxValue": 100
}
}Continue to → Indicators of Compromise
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations