Browser-Based Persistence
Browser-Based Persistence refers to the use of browser configuration mechanisms, extensions, or session components to maintain attacker-controlled execution within a target environment across browser sessions or system restarts..
Mappings
Summary
Browser-Based Persistence refers to the use of browser configuration mechanisms, extensions, or session components to maintain attacker-controlled execution within a target environment across browser sessions or system restarts. This includes installing persistent extensions, modifying browser startup settings, or leveraging browser synchronization features to ensure repeated execution. Within MalChain, this capability begins once browser components are configured to automatically load attacker-controlled logic during browser initialization. Attackers exploit implicit trust in browser functionality and user productivity tools to maintain reliable presence with minimal visibility. Continuous browser usage and automated synchronization behavior often allow persistent components to operate without immediate inspection. Trust abuse may involve extensions disguised as legitimate utilities, modified homepage settings, or configuration entries presented as routine browser preferences. Common persistence methods include:
- Installing browser extensions configured to load automatically
- Modifying browser startup pages or default settings
- Leveraging browser synchronization to propagate configuration changes
- Registering scripts to execute during browser launch
- Embedding persistent logic within browser profile configurations
Real world usage includes:
- Credential harvesting and session monitoring operations
- Persistent spyware deployment in enterprise environments
- Browser-based surveillance in targeted intrusion campaigns
- Long-term access maintenance through user session activity
Detection Guidance
Detection relies on monitoring browser configuration changes, extension lifecycle events, and runtime behavior associated with persistent browser components. Contextual correlation between configuration changes and repeated browser execution behavior is essential to reduce false positives.
- Monitor installation or modification of browser extensions
- Detect changes to browser startup configuration settings
- Correlate browser activity with unexpected configuration updates
- Alert on extensions installed outside approved distribution channels
- Identify rare or unauthorized browser profile modifications
KQL Detection Concepts
- Browser extension installation or configuration change events
- Browser processes loading newly installed or modified extensions
- Startup configuration changes associated with browser profiles
YARA Detection Concepts
- Extension packages containing persistent execution logic
- Scripts embedded within browser configuration files
- Files designed to modify browser startup behavior
KQL Detection Rule
// Browser-Based Persistence: registry-forced extension load / DebuggerPath
DeviceRegistryEvents
| where Timestamp > ago(14d)
| where RegistryKey has_any (@"\ExtensionInstallForcelist", @"\Chrome\NativeMessagingHosts", @"\Edge\NativeMessagingHosts")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileNameYARA Detection Rule
Mitigation
- Restrict installation of browser extensions to approved sources
- Enforce browser configuration auditing and management policies
- Monitor browser startup behavior and extension activity
- Implement security policies governing browser profiles
Incident Response
- Identify installed or modified browser extensions
- Remove unauthorized persistent browser components
- Analyze browser configuration and associated files
- Review browser usage and configuration timelines