Skip to content

Sigma Rules

shaddy43 edited this page Jul 16, 2026 · 2 revisions

Sigma Rules

Six deployable Sigma detections covering execution, credential-store access, output staging, masquerading, and persistence. Convert to your SIEM backend with sigma-cli / pySigma.

Contents


9.1 — BrowserSnatch execution

title: BrowserSnatch Browser Credential Stealer Execution
id: e1f2a3b4-c5d6-7890-abcd-ef1234567890
status: stable
description: Detects execution of the BrowserSnatch browser data extraction tool
references:
  - https://github.com/shaddy43/BrowserSnatch
author: shaddy43
date: 2026/07/15
tags:
  - attack.credential_access
  - attack.t1555.003
  - attack.t1539
logsource:
  category: process_creation
  product: windows
detection:
  selection_name:
    Image|endswith:
      - '\BrowserSnatch.exe'
      - '\BrowserSnatch64.exe'
  selection_args:
    CommandLine|contains:
      - '-pass'
      - '-cookies'
      - '-app-bound-decryption'
      - '-bookmarks'
      - '-history'
      - '-greed'
      - '-recalibrate'
      - '-service'
  selection_strings:
    CommandLine|contains:
      - 'BrowserSnatch'
      - 'shaddy43'
  condition: selection_name or selection_args or selection_strings
falsepositives:
  - Low. Generic flags such as -history/-service could appear in unrelated
    tooling; require selection_name, or 2+ selection_args, to reduce noise.
level: critical

Tuning: -history, -service, and -pass are generic. In noisy environments require the image name or 2+ flags; keep standalone logic only for -app-bound-decryption, -greed, -recalibrate.


9.2 — Non-browser process accessing browser credential store

title: Suspicious Access to Browser Credential and Cookie Stores
id: f2a3b4c5-d6e7-8901-bcde-f12345678901
status: stable
description: Detects non-browser processes reading Chromium/Gecko credential stores
comments: Windows Security 4663 (object access) with a SACL set on the target files, and "Audit File System" enabled.
references:
  - https://attack.mitre.org/techniques/T1555/003/
author: shaddy43
date: 2026/07/15
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  product: windows
  category: file_access
detection:
  selection:
    TargetFilename|endswith:
      - '\Login Data'
      - '\Local State'
      - '\Network\Cookies'
      - '\key4.db'
      - '\logins.json'
      - '\cookies.sqlite'
  filter_browser:
    Image|contains:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\brave.exe'
      - '\firefox.exe'
      - '\opera.exe'
  condition: selection and not filter_browser
falsepositives:
  - Backup software, sync utilities, security/EDR agents
level: high

Combine with 9.5: a process named chrome.exe but unsigned that also reads Login Data is high-confidence.


9.3 — Stealer DB / copied store in non-standard path

title: Browser Store Copy or Stealer DB Created Outside Profile Path
id: a3b4c5d6-e7f8-9012-cdef-123456789012
status: experimental
description: Detects copies of browser stores or aggregated stealer DBs in user-writable paths
author: shaddy43
date: 2026/07/15
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - 'Login Data'
      - 'Cookies'
      - 'stealer'
    TargetFilename|contains:
      - '\AppData\Local\Temp\'
      - '\Users\Public\'
      - '\Downloads\'
  filter_profile:
    TargetFilename|contains:
      - '\User Data\'
      - '\Profiles\'
  condition: selection and not filter_profile
falsepositives:
  - Legitimate backup or migration tooling
level: high

9.4 — Anomalous NTUSER.dat dropped in Public profile

title: NTUSER.dat Created in Public Profile Directory
id: b4c5d6e7-f8a9-0123-defa-234567890123
status: stable
description: A file named NTUSER.dat in C:\Users\Public is never legitimate;
  characteristic of BrowserSnatch staging/collection behaviour
references:
  - https://github.com/shaddy43/BrowserSnatch
author: shaddy43
date: 2026/07/15
tags:
  - attack.credential_access
  - attack.defense_evasion
  - attack.t1074.001
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith: '\Users\Public\NTUSER.dat'
  condition: selection
falsepositives:
  - Practically none. This path/name combination has no legitimate use
level: high

9.5 — BrowserSnatch masquerading as a browser binary

title: BrowserSnatch Masquerade via Parent-Directory Path Anomaly
id: e7f8a9b0-c1d2-3456-abcd-56789012abcd
status: experimental
description: >
  Detects BrowserSnatch masquerading as a legitimate browser by copying itself
  into the PARENT of the real install directory, using the genuine browser
  filename. Legitimate chrome.exe / msedge.exe / brave.exe always execute from
  an 'Application\' subfolder (Chrome/Edge) or the versioned Application path
  (Brave); execution directly from the parent folder is anomalous and specific to BrowserSnatch.
references:
  - https://github.com/shaddy43/BrowserSnatch
  - https://attack.mitre.org/techniques/T1036/005/
author: shaddy43
date: 2026/07/17
tags:
  - attack.defense_evasion
  - attack.t1036.005
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\brave.exe'
  # Anomalous: the exe sits directly in the browser root, NOT under Application\
  selection_bad_path:
    Image|endswith:
      - '\Google\Chrome\chrome.exe'
      - '\Microsoft\Edge\msedge.exe'
      - '\BraveSoftware\Brave-Browser\brave.exe'
  # Belt-and-suspenders: explicitly clear the known-good Application\ paths
  filter_legit:
    Image|contains: '\Application\'
  condition: selection_img and selection_bad_path and not filter_legit
falsepositives:
  - Portable or non-standard browser repackaging that flattens the install tree (rare)
level: high

Can be extended to other browsers as well. BrowserSnatch only decrypts app-bound data from these 3 browsers.


9.6 — Scheduled task persistence (author shaddy43)

title: Scheduled Task Created or Deleted by BrowserSnatch
id: d6e7f8a9-b0c1-2345-fabc-456789012345
status: stable
description: Detects Task Scheduler persistence tied to the BrowserSnatch
  author handle shaddy43, or via schtasks referencing the tool
author: shaddy43
date: 2026/07/15
tags:
  - attack.persistence
  - attack.t1053.005
logsource:
  product: windows
  service: security
detection:
  selection_eventlog:
    EventID:
      - 4698   # task created
      - 4699   # task deleted
    TaskContent|contains: 'shaddy43'
  selection_cmdline:
    CommandLine|contains|all:
      - 'schtasks'
      - '/create'
    CommandLine|contains:
      - 'BrowserSnatch'
      - 'shaddy43'
  condition: selection_eventlog or selection_cmdline
falsepositives:
  - None expected, author handle is specific to this tool
level: high

Continue to → YARA Rule

Clone this wiki locally