MalChain Detections GitHub
ANC-05 Anchoring · Persistence KQL No YARA

Browser-Based Persistence

Browser-Based Persistence refers to the use of browser configuration mechanisms, extensions, or session components to maintain attacker-controlled execution within a target environment across browser sessions or system restarts..

Mappings

CVE examples
Not vulnerability-based — this capability is behavioural.
MalwareBazaar

Summary

Browser-Based Persistence refers to the use of browser configuration mechanisms, extensions, or session components to maintain attacker-controlled execution within a target environment across browser sessions or system restarts. This includes installing persistent extensions, modifying browser startup settings, or leveraging browser synchronization features to ensure repeated execution. Within MalChain, this capability begins once browser components are configured to automatically load attacker-controlled logic during browser initialization. Attackers exploit implicit trust in browser functionality and user productivity tools to maintain reliable presence with minimal visibility. Continuous browser usage and automated synchronization behavior often allow persistent components to operate without immediate inspection. Trust abuse may involve extensions disguised as legitimate utilities, modified homepage settings, or configuration entries presented as routine browser preferences. Common persistence methods include:

  • Installing browser extensions configured to load automatically
  • Modifying browser startup pages or default settings
  • Leveraging browser synchronization to propagate configuration changes
  • Registering scripts to execute during browser launch
  • Embedding persistent logic within browser profile configurations

Real world usage includes:

  • Credential harvesting and session monitoring operations
  • Persistent spyware deployment in enterprise environments
  • Browser-based surveillance in targeted intrusion campaigns
  • Long-term access maintenance through user session activity

Detection Guidance

Detection relies on monitoring browser configuration changes, extension lifecycle events, and runtime behavior associated with persistent browser components. Contextual correlation between configuration changes and repeated browser execution behavior is essential to reduce false positives.

  • Monitor installation or modification of browser extensions
  • Detect changes to browser startup configuration settings
  • Correlate browser activity with unexpected configuration updates
  • Alert on extensions installed outside approved distribution channels
  • Identify rare or unauthorized browser profile modifications

KQL Detection Concepts

  • Browser extension installation or configuration change events
  • Browser processes loading newly installed or modified extensions
  • Startup configuration changes associated with browser profiles

YARA Detection Concepts

  • Extension packages containing persistent execution logic
  • Scripts embedded within browser configuration files
  • Files designed to modify browser startup behavior

KQL Detection Rule

kql
// Browser-Based Persistence: registry-forced extension load / DebuggerPath
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey has_any (@"\ExtensionInstallForcelist", @"\Chrome\NativeMessagingHosts", @"\Edge\NativeMessagingHosts")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName

YARA Detection Rule

YARA is not meaningfully applicable to this primarily behavioral / network-telemetry capability. Rely on the KQL rule above plus network and identity detections.

Mitigation

  • Restrict installation of browser extensions to approved sources
  • Enforce browser configuration auditing and management policies
  • Monitor browser startup behavior and extension activity
  • Implement security policies governing browser profiles

Incident Response

  • Identify installed or modified browser extensions
  • Remove unauthorized persistent browser components
  • Analyze browser configuration and associated files
  • Review browser usage and configuration timelines

Chain Linking