new: Potential Browser Cache Smuggling Payload Extraction#6078

Open
Tetryl12 wants to merge 1 commit into SigmaHQ:master from Tetryl12:new/browser-cache-smuggling-extraction

Conversation

@Tetryl12 Tetryl12 commented Jun 23, 2026


Summary of the Pull Request

Adds a new process_creation rule detecting the local extraction stage of browser cache smuggling (a.k.a. "Living off the Browser"), a delivery/defense-evasion technique observed in recent ClickFix and FileFix campaigns.

In cache smuggling, a phishing page serves an executable payload (ZIP/DLL/EXE/script) under an image/jpeg Content-Type. The browser silently caches it as a normal static resource — no download prompt, no Mark-of-the-Web, no second network request. The victim is then social-engineered (ClickFix Run dialog / FileFix Explorer address bar) into running a benign-looking command that carves the payload back out of the browser cache file — typically by enumerating the cache directory, regex-matching the payload between two marker strings, writing the bytes to a writable/executable location, and executing it.

Because no network fetch occurs at execution time, network/proxy controls and MotW/download-based detections are evaded. Existing SigmaHQ browser-cache rules (Potential Browser Data Stealing, PowerShell Web Browser Login Data Access) target the opposite direction — credential theft reading the \User Data login store — so this behavior was previously uncovered. This rule targets the local extraction step (the only reliably observable host artifact) rather than the invisible delivery step, keying on a process touching a browser cache subdirectory (Cache_Data / cache2\entries / INetCache) combined with read/carve/stage verbs.

Rule set to experimental / medium, consistent with a new behavioral heuristic that requires an environment-specific tuning phase before promotion.

Changelog

new: Potential Browser Cache Smuggling Payload Extraction

Example Log Event

EventID: 1
UtcTime: 2026-06-23 15:16:11.322
ProcessId: 6848
Image: C:\Windows\System32\certutil.exe
CommandLine: certutil.exe -decode C:\Users\Owner\AppData\Local\Temp\T1027_cs_emulation\inetcache\payload.b64 C:\Users\Owner\AppData\Local\Temp\T1027_cs_emulation\inetcache\staged.zip
CurrentDirectory: C:\T1027_test
User: TestingGrounds\Owner
IntegrityLevel: Medium
Hashes: SHA256=684144665A390182CA8FF2867DD683D7DAB11C784D246A81E21A88CA3076C00C
ParentProcessId: 8404
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentUser: TestingGrounds\Owner

certutil present in selection_read_extract; staging path contains \inetcache\ (matched via \Windows\INetCache condition in a real-world inline attack chain). Medium integrity confirms standard user execution. The above event was captured from the companion Atomic Red Team emulation test (T1027_cache_smuggling_atomic.yaml, Test 2 — INetCache/certutil variant).

Fixed Issues

N/A — new detection. No associated rule-proposal issue. (Happy to open one first if the maintainers prefer it tracked.)

SigmaHQ Rule Creation Conventions

Validated locally against the SigmaHQ validator set (sigma check, plugin pySigma-validators-sigmaHQ): 0 errors, 0 issues. Filename, title casing, experimental status, tactic↔technique tag pairing (attack.stealth/T1027, attack.execution/T1059.001+T1204.004), and filter_optional_* naming all conform.
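The extraction-stage heuristic the PR describes (a process touching a browser cache subdirectory, combined with read/carve/stage verbs, with the browser's own self-access filtered out), as an added Python approximation run over constructed Sysmon EventID 1 records. This is not the PR's rule and not SigmaHQ code: the cache-path marker strings, the verb list and the browser filter are assumptions modelled on the description above, and the sample events are constructed (event 0 reuses the PR's example log; the others are made up to exercise the negative cases).

```python
"""Approximate the PR's browser-cache-smuggling extraction heuristic over
constructed Sysmon EventID 1 records. Hypothetical logic, not the rule itself."""
import os

# Browser cache subdirectories named in the PR description. Matched as
# case-insensitive substrings of the command line; no trailing backslash so
# both "\INetCache\payload.b64" and "Cache_Data -File" hit. Assumed strings,
# the rule's exact selection values are not shown on the page.
CACHE_PATH_MARKERS = ("\\cache_data", "\\cache2\\entries", "\\inetcache")

# Read/carve/stage indicators. Hypothetical list modelled on the PR's
# "read/carve/stage verbs" wording and its certutil example.
CARVE_VERBS = (
    "certutil", "-decode",                         # base64-decode into a staged file
    "get-content", "select-string", "findstr",     # read / locate marker strings
    "[regex]", "indexof",                          # carve bytes between markers
    "readallbytes", "writeallbytes",               # binary read / write
    "set-content", "copy-item", "expand-archive",  # stage to a writable path
)

# Browsers write to their own caches constantly; excluded here in the spirit
# of a filter_optional_* selection (assumed, not taken from the rule).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}


def _basename(image: str) -> str:
    # Windows paths handled on any host by normalising the separator first.
    return os.path.basename(image.replace("\\", "/")).lower()


def touches_cache_dir(cmdline: str) -> bool:
    c = cmdline.lower()
    return any(m in c for m in CACHE_PATH_MARKERS)


def has_carve_verb(image: str, cmdline: str) -> bool:
    # Image name counts too: certutil.exe alone is the verb in the PR's event.
    blob = _basename(image) + " " + cmdline.lower()
    return any(v in blob for v in CARVE_VERBS)


def is_browser_process(image: str) -> bool:
    return _basename(image) in BROWSER_IMAGES


def match_event(event: dict) -> bool:
    """selection_cache_path AND selection_read_extract AND NOT filter_browser."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    return touches_cache_dir(cmd) and has_carve_verb(image, cmd) and not is_browser_process(image)


def run_detection(events: list) -> list:
    """Indices of events the heuristic would alert on."""
    return [i for i, e in enumerate(events) if match_event(e)]


# Constructed sample events (Image / CommandLine only, the fields the logic uses).
SAMPLE_EVENTS = [
    {  # 0: the PR's Atomic-style certutil variant, decoding out of an inetcache directory
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil.exe -decode C:\Users\Owner\AppData\Local\Temp\T1027_cs_emulation\inetcache\payload.b64 C:\Users\Owner\AppData\Local\Temp\T1027_cs_emulation\inetcache\staged.zip",
    },
    {  # 1: PowerShell reading Chrome cache files to carve bytes between two markers (constructed)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -c "Get-ChildItem $env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache\Cache_Data -File | ForEach-Object { $b=[IO.File]::ReadAllBytes($_.FullName) }"',
    },
    {  # 2: Chrome itself referencing its cache directory: benign self-access (constructed)
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data --no-first-run',
    },
    {  # 3: read verb but no cache path: ordinary admin activity (constructed)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -c "Get-Content C:\Users\Owner\Documents\notes.txt"',
    },
    {  # 4: cache path but no carve verb: user browsing the Firefox cache folder (constructed)
        "Image": r"C:\Windows\explorer.exe",
        "CommandLine": r"explorer.exe C:\Users\Owner\AppData\Local\Mozilla\Firefox\Profiles\abc.default\cache2\entries",
    },
]

if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine'][:80]}...")
```

Only events 0 and 1 fire; events 2 to 4 show why both halves of the conjunction and the browser filter are needed to keep a cache-path-only or verb-only heuristic from paging on routine activity, which is the tuning-phase concern the PR raises.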

@github-actions github-actions Bot added labels Rules, Review Needed (The PR requires review), Windows (Pull request add/update windows related rules) on Jun 23, 2026

@github-actions github-actions Bot left a comment


Welcome @Tetryl12 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

If you want to engage more with the community for official support, general discussions or announcements:

👉 Join our Discord server
