-
Notifications
You must be signed in to change notification settings - Fork 49
Tool Overview
BrowserSnatch is an open-source offensive-security tool designed to "snatch" sensitive data from a wide range of web browsers on Windows. It targets both Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi, and others) and Gecko-based browsers (Firefox, Thunderbird, Waterfox, and others), covering more than 40 browsers. Extracted data includes saved passwords, cookies (including the latest v20 app-bound-encrypted cookies), bookmarks, and browsing history.
The tool is written almost entirely in C/C++ for speed and to minimize external dependencies, producing a small standalone executable. It is published publicly on GitHub under the MIT license and is intended for penetration testing, red teaming, and adversary emulation.
| Attribute | Detail |
|---|---|
| Author | shaddy43 |
| GitHub | https://github.com/shaddy43/BrowserSnatch |
| Language | C / C++ (~98.8% C, ~1.2% C++) |
| Build environment | Visual Studio, ISO C++17 (/std:c++17) or higher; nlohmann/json via NuGet |
| Target OS | Windows x86 / x64 |
| Versions | Up to V2.2 (latest release Mar 12, 2025); 5 releases |
| License | MIT |
| # | Capability | Stealth | Key behavior |
|---|---|---|---|
| 1 | Snatch saved passwords | Low–Medium | Reads Chromium Login Data and Gecko logins.json; DPAPI + AES-GCM decryption across 40+ browsers |
| 2 | Snatch cookies | Low–Medium | Extracts cookies from profile SQLite stores; session-cookie theft enables auth-token replay |
| 3 | App-bound cookie decryption (v20) | Medium–High | Decrypts latest app-bound-encrypted cookies (Chrome/Edge/Brave); requires admin |
| 4 | Snatch bookmarks | Low | Reads Bookmarks (Chromium) and Gecko equivalents |
| 5 | Snatch history | Low | Reads History SQLite DB across all supported browsers |
| 6 | Greed mode | Medium | Snatches everything from every browser into a single consolidated stealer database |
| 7 | Recalibrate mode | N/A | Fallback routine when password/cookie extraction fails |
| 8 | Service | N/A | Run as service to decrypt app-bound passwords & cookies (-service) |
See Behavioral Detections for the full command-line reference.
shaddy43/BrowserSnatch/
│
├── Assets/ ← Screenshots, banner, demo GIF
│ ├── browser_snatch1.jpg ← Tool banner image
│ ├── help-menu.png ← -h help menu screenshot
│ └── Demo.gif ← Working demo animation
│
├── BrowserSnatch/ ← Core C/C++ source code
│ └── [C/C++ source files] ← Snatching technique implementations
│
├── BrowserSnatch.sln ← Visual Studio solution
├── CODE_OF_CONDUCT.md
├── LICENSE ← MIT License
└── README.md ← Full documentation
Release artifacts:
BrowserSnatch.exe ← Main executable (x86 build)
BrowserSnatch64.exe ← Main executable (x64 build)
- Credential theft at scale: a single run can harvest passwords and session cookies from dozens of browsers.
- Session-cookie replay (T1539): stolen cookies enable account takeover that bypasses MFA. Treat any cookie-store exfiltration as an ATO precursor and force session invalidation.
- App-bound decryption: the tool keeps pace with Chrome's v20 app-bound cookie encryption, so "we're on the latest Chrome" is not mitigation.
- Masquerading: beyond collection, observed variants establish scheduled-task system privilege and masquerade as legitimate browser binaries (see IOCs).
Continue to → MITRE ATT&CK Mapping
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations