-
Notifications
You must be signed in to change notification settings - Fork 49
Sigma Rules
Six deployable Sigma detections covering execution, credential-store access, output staging, masquerading, and persistence. Convert to your SIEM backend with sigma-cli / pySigma.
Contents
- 9.1 — BrowserSnatch execution
- 9.2 — Non-browser process accessing browser credential store
- 9.3 — Stealer DB / copied store in non-standard path
- 9.4 — Anomalous NTUSER.dat dropped in Public profile
- 9.5 — BrowserSnatch masquerading as a browser binary
- 9.6 — Scheduled task persistence (author shaddy43)
title: BrowserSnatch Browser Credential Stealer Execution
id: e1f2a3b4-c5d6-7890-abcd-ef1234567890
status: experimental
description: Detects execution of the BrowserSnatch browser data extraction tool
references:
- https://github.com/shaddy43/BrowserSnatch
author: Community / Threat Intelligence
date: 2026/07/15
tags:
- attack.credential_access
- attack.t1555.003
- attack.t1539
logsource:
category: process_creation
product: windows
detection:
selection_name:
Image|endswith:
- '\BrowserSnatch.exe'
- '\BrowserSnatch64.exe'
selection_args:
CommandLine|contains:
- '-pass'
- '-cookies'
- '-app-bound-decryption'
- '-bookmarks'
- '-history'
- '-greed'
- '-recalibrate'
- '-service'
selection_strings:
CommandLine|contains:
- 'BrowserSnatch'
- 'shaddy43'
condition: selection_name or selection_args or selection_strings
falsepositives:
- Low. Generic flags such as -history/-service could appear in unrelated
tooling; require selection_name, or 2+ selection_args, to reduce noise.
level: criticalTuning: -history, -service, and -pass are generic. In noisy environments require the image name or 2+ flags; keep standalone logic only for -app-bound-decryption, -greed, -recalibrate.
title: Suspicious Access to Browser Credential and Cookie Stores
id: f2a3b4c5-d6e7-8901-bcde-f12345678901
status: stable
description: Detects non-browser processes reading Chromium/Gecko credential stores
references:
- https://attack.mitre.org/techniques/T1555/003/
author: Community / Threat Intelligence
date: 2026/07/15
tags:
- attack.credential_access
- attack.t1555.003
logsource:
product: windows
category: file_access
detection:
selection:
TargetFilename|endswith:
- '\Login Data'
- '\Local State'
- '\Network\Cookies'
- '\key4.db'
- '\logins.json'
- '\cookies.sqlite'
filter_browser:
Image|contains:
- '\chrome.exe'
- '\msedge.exe'
- '\brave.exe'
- '\firefox.exe'
- '\opera.exe'
condition: selection and not filter_browser
falsepositives:
- Backup software, sync utilities, security/EDR agents
level: highCombine with 9.5: a process named
chrome.exebut unsigned that also readsLogin Datais high-confidence.
title: Browser Store Copy or Stealer DB Created Outside Profile Path
id: a3b4c5d6-e7f8-9012-cdef-123456789012
status: experimental
description: Detects copies of browser stores or aggregated stealer DBs in user-writable paths
author: Community / Threat Intelligence
date: 2026/07/15
tags:
- attack.credential_access
- attack.t1555.003
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
- 'Login Data'
- 'Cookies'
- 'stealer'
TargetFilename|contains:
- '\AppData\Local\Temp\'
- '\Users\Public\'
- '\Downloads\'
filter_profile:
TargetFilename|contains:
- '\User Data\'
- '\Profiles\'
condition: selection and not filter_profile
falsepositives:
- Legitimate backup or migration tooling
level: hightitle: NTUSER.dat Created in Public Profile Directory
id: b4c5d6e7-f8a9-0123-defa-234567890123
status: experimental
description: A file named NTUSER.dat in C:\Users\Public is never legitimate;
characteristic of BrowserSnatch staging behaviour
references:
- https://github.com/shaddy43/BrowserSnatch
author: Community / Threat Intelligence
date: 2026/07/15
tags:
- attack.credential_access
- attack.defense_evasion
- attack.t1074.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\Users\Public\NTUSER.dat'
condition: selection
falsepositives:
- Practically none — this path/name combination has no legitimate use
level: hightitle: Self-Copy Masquerading as chrome.exe / msedge.exe / brave.exe
id: c5d6e7f8-a9b0-1234-efab-345678901234
status: experimental
description: Detects a binary copied into browser install paths using a
legitimate browser filename but lacking the expected vendor signature
author: Community / Threat Intelligence
date: 2026/07/15
tags:
- attack.defense_evasion
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\chrome.exe'
- '\msedge.exe'
- '\brave.exe'
filter_signed:
Signed: 'true'
SignatureStatus: 'Valid'
Signature:
- 'Google LLC'
- 'Microsoft Corporation'
- 'Brave Software, Inc.'
condition: selection and not filter_signed
falsepositives:
- Portable/dev browser builds; nightly channels with atypical signers
level: highRequires signature fields in process-creation telemetry (Sysmon Event ID 1 with
Signed/Signature/SignatureStatus, or EDR equivalent).
title: Scheduled Task Created or Deleted by BrowserSnatch
id: d6e7f8a9-b0c1-2345-fabc-456789012345
status: stable
description: Detects Task Scheduler persistence tied to the BrowserSnatch
author handle shaddy43, or via schtasks referencing the tool
author: Community / Threat Intelligence
date: 2026/07/15
tags:
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
detection:
selection_eventlog:
EventID:
- 4698 # task created
- 4699 # task deleted
TaskContent|contains: 'shaddy43'
selection_cmdline:
CommandLine|contains|all:
- 'schtasks'
- '/create'
CommandLine|contains:
- 'BrowserSnatch'
- 'shaddy43'
condition: selection_eventlog or selection_cmdline
falsepositives:
- None expected — author handle is specific to this tool
level: highContinue to → YARA Rule
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations