-
Notifications
You must be signed in to change notification settings - Fork 49
Sigma Rules
Six deployable Sigma detections covering execution, credential-store access, output staging, masquerading, and persistence. Convert to your SIEM backend with sigma-cli / pySigma.
Contents
- 9.1 — BrowserSnatch execution
- 9.2 — Non-browser process accessing browser credential store
- 9.3 — Stealer DB / copied store in non-standard path
- 9.4 — Anomalous NTUSER.dat dropped in Public profile
- 9.5 — BrowserSnatch masquerading as a browser binary
- 9.6 — Scheduled task persistence (author shaddy43)
title: BrowserSnatch Browser Credential Stealer Execution
id: e1f2a3b4-c5d6-7890-abcd-ef1234567890
status: stable
description: Detects execution of the BrowserSnatch browser data extraction tool
references:
- https://github.com/shaddy43/BrowserSnatch
author: shaddy43
date: 2026/07/15
tags:
- attack.credential_access
- attack.t1555.003
- attack.t1539
logsource:
category: process_creation
product: windows
detection:
selection_name:
Image|endswith:
- '\BrowserSnatch.exe'
- '\BrowserSnatch64.exe'
selection_args:
CommandLine|contains:
- '-pass'
- '-cookies'
- '-app-bound-decryption'
- '-bookmarks'
- '-history'
- '-greed'
- '-recalibrate'
- '-service'
selection_strings:
CommandLine|contains:
- 'BrowserSnatch'
- 'shaddy43'
condition: selection_name or selection_args or selection_strings
falsepositives:
- Low. Generic flags such as -history/-service could appear in unrelated
tooling; require selection_name, or 2+ selection_args, to reduce noise.
level: criticalTuning: -history, -service, and -pass are generic. In noisy environments require the image name or 2+ flags; keep standalone logic only for -app-bound-decryption, -greed, -recalibrate.
title: Suspicious Access to Browser Credential and Cookie Stores
id: f2a3b4c5-d6e7-8901-bcde-f12345678901
status: stable
description: Detects non-browser processes reading Chromium/Gecko credential stores
comments: Windows Security 4663 (object access) with a SACL set on the target files, and "Audit File System" enabled.
references:
- https://attack.mitre.org/techniques/T1555/003/
author: shaddy43
date: 2026/07/15
tags:
- attack.credential_access
- attack.t1555.003
logsource:
product: windows
category: file_access
detection:
selection:
TargetFilename|endswith:
- '\Login Data'
- '\Local State'
- '\Network\Cookies'
- '\key4.db'
- '\logins.json'
- '\cookies.sqlite'
filter_browser:
Image|contains:
- '\chrome.exe'
- '\msedge.exe'
- '\brave.exe'
- '\firefox.exe'
- '\opera.exe'
condition: selection and not filter_browser
falsepositives:
- Backup software, sync utilities, security/EDR agents
level: highCombine with 9.5: a process named
chrome.exebut unsigned that also readsLogin Datais high-confidence.
title: Browser Store Copy or Stealer DB Created Outside Profile Path
id: a3b4c5d6-e7f8-9012-cdef-123456789012
status: experimental
description: Detects copies of browser stores or aggregated stealer DBs in user-writable paths
author: shaddy43
date: 2026/07/15
tags:
- attack.credential_access
- attack.t1555.003
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
- 'Login Data'
- 'Cookies'
- 'stealer'
TargetFilename|contains:
- '\AppData\Local\Temp\'
- '\Users\Public\'
- '\Downloads\'
filter_profile:
TargetFilename|contains:
- '\User Data\'
- '\Profiles\'
condition: selection and not filter_profile
falsepositives:
- Legitimate backup or migration tooling
level: hightitle: NTUSER.dat Created in Public Profile Directory
id: b4c5d6e7-f8a9-0123-defa-234567890123
status: stable
description: A file named NTUSER.dat in C:\Users\Public is never legitimate;
characteristic of BrowserSnatch staging/collection behaviour
references:
- https://github.com/shaddy43/BrowserSnatch
author: shaddy43
date: 2026/07/15
tags:
- attack.credential_access
- attack.defense_evasion
- attack.t1074.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\Users\Public\NTUSER.dat'
condition: selection
falsepositives:
- Practically none. This path/name combination has no legitimate use
level: hightitle: BrowserSnatch Masquerade via Parent-Directory Path Anomaly
id: e7f8a9b0-c1d2-3456-abcd-56789012abcd
status: experimental
description: >
Detects BrowserSnatch masquerading as a legitimate browser by copying itself
into the PARENT of the real install directory, using the genuine browser
filename. Legitimate chrome.exe / msedge.exe / brave.exe always execute from
an 'Application\' subfolder (Chrome/Edge) or the versioned Application path
(Brave); execution directly from the parent folder is anomalous and specific to BrowserSnatch.
references:
- https://github.com/shaddy43/BrowserSnatch
- https://attack.mitre.org/techniques/T1036/005/
author: shaddy43
date: 2026/07/17
tags:
- attack.defense_evasion
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\chrome.exe'
- '\msedge.exe'
- '\brave.exe'
# Anomalous: the exe sits directly in the browser root, NOT under Application\
selection_bad_path:
Image|endswith:
- '\Google\Chrome\chrome.exe'
- '\Microsoft\Edge\msedge.exe'
- '\BraveSoftware\Brave-Browser\brave.exe'
# Belt-and-suspenders: explicitly clear the known-good Application\ paths
filter_legit:
Image|contains: '\Application\'
condition: selection_img and selection_bad_path and not filter_legit
falsepositives:
- Portable or non-standard browser repackaging that flattens the install tree (rare)
level: highCan be extended to other browsers as well. BrowserSnatch only decrypts app-bound data from these 3 browsers.
title: Scheduled Task Created or Deleted by BrowserSnatch
id: d6e7f8a9-b0c1-2345-fabc-456789012345
status: stable
description: Detects Task Scheduler persistence tied to the BrowserSnatch
author handle shaddy43, or via schtasks referencing the tool
author: shaddy43
date: 2026/07/15
tags:
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
detection:
selection_eventlog:
EventID:
- 4698 # task created
- 4699 # task deleted
TaskContent|contains: 'shaddy43'
selection_cmdline:
CommandLine|contains|all:
- 'schtasks'
- '/create'
CommandLine|contains:
- 'BrowserSnatch'
- 'shaddy43'
condition: selection_eventlog or selection_cmdline
falsepositives:
- None expected, author handle is specific to this tool
level: highContinue to → YARA Rule
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations