Investigating Browser Backdoors and Access Broker Tooling with Command Zero
Most EDR solutions have shallow visibility inside browser process space creating investigative blind spots.
Eric HulseMay 18, 2026 · 18 min read
Browser backdoors and IAB tooling sit at the worst end of the SOC investigation spectrum: the browser is both the asset and the telemetry gap, and IAB pre-sale activity is designed to look exactly like an authenticated user doing nothing interesting. Intel 471's June 2024–May 2025 dataset puts a hard number on the urgency: 19 days on average between an access listing going up and the buyer's ransomware victim appearing on a leak blog. Two days at the short end.
That window is shorter than most SOCs' mean-time-to-investigate, which creates a specific problem. These investigations don't fail because the signals aren't there. They fail because the signals live across five platforms (process telemetry, identity logs, SaaS audit, DNS, and forum intel) and by the time an analyst has pivoted through the first two, the clock has eaten a third of the window. This post covers how Command Zero's question library, and its custom-question authoring, addresses that specific friction for the three platforms most commonly deployed in this work: Cortex XSOAR/XDR, Splunk, and CrowdStrike Falcon.
The investigation problem
A browser-backdoor or IAB compromise has no clean "patient zero" alert. The malware ships encrypted credential blobs server-side (Storm, Torg Grabber). The IAB does not move laterally. That would devalue the listing. The RMM agent is a signed binary connecting to a legitimate-looking SaaS tenant. Nothing is obviously wrong, which is the whole design.
The deeper issue is structural. Most EDR solutions have shallow visibility inside browser process space. The browser handles its own memory encryption, credential storage, and network traffic in ways that are opaque to most logging pipelines by design. The result is that investigations into browser-resident threats frequently begin from peripheral signals, not direct evidence of what happened inside the process. By the time the analyst has established what the browser did, the credentials are already in a stealer log, the stealer log is already on a marketplace, and the IAB is already pricing the listing.
Command Zero's question library handles the pivot mechanics across these five surfaces so the analyst can spend time on judgment rather than console-switching.
Browsers with backdoors require understanding the threat before building the question chain
Before mapping questions to the threat, it helps to be precise about what "browser backdoor" actually covers, because the investigation approach differs significantly across the three sub-categories.
Trojanized browser installers use the browser brand as a lure, not the browser itself as the target. Malvertising campaigns distribute fake Chrome and Microsoft Teams installers that deploy backdoors on execution. Rapid7 documented this pattern extensively with the Oyster/Broomstick backdoor delivered through fake Google Chrome and Teams downloads. The browser process is not compromised; the staging path is.
Compromised browser extensions are a supply chain attack. The attacker compromises a trusted extension (a VPN tool, an AI assistant), ships a malicious update, and every user auto-updates silently. One compromised extension in the late 2024 campaign logged all DOM inputs, including usernames and passwords, directly to an attacker-controlled server. The malicious code runs inside the legitimate extension process with the same permissions the user originally granted. There is no process boundary crossing, which is why traditional EDR detection is unreliable here.
Browser zero-days are the APT-grade variant. CVE-2025-2783 in Chrome was exploited in Operation ForumTroll: clicking a short-lived malicious link led directly to infection with no user interaction required. The exploit deployed a sandbox escape and ultimately delivered the Dante commercial spyware platform (formerly Hacking Team's Remote Control System). Separately, CVE-2024-6473, a DLL hijacking zero-day in Yandex Browser, was weaponized by the same threat cluster. These are targeted operations, but the investigation methodology once the initial access artifact is found looks similar to the other categories.
The App-Bound Encryption arms race
The credential store is the prize in most browser attacks, and understanding the current evasion landscape matters for knowing which artifacts to look for.
Google introduced App-Bound Encryption in Chrome 127 in July 2024, tying encryption keys to the browser itself to prevent credential theft by external processes. The adversarial response moved through predictable phases:
Generation | Technique | On-host telemetry |
|---|---|---|
Legacy | Direct SQLite access ( | File read by non-browser process |
First bypass wave | Chrome process injection / debug protocol abuse | ETW telemetry, debug port activity |
Current generation | Server-side decryption: ships encrypted files to attacker infrastructure | Near zero |
Storm infostealer represents the current generation. Rather than decrypting on the victim's machine, it ships the encrypted credential files to attacker infrastructure and handles decryption server-side. There is no local decryption artifact to detect. It covers both Chromium and Gecko-based browsers (Chrome, Edge, Firefox, Waterfox) through the same server-side path, and it is productized as a subscription service starting at $300 for a seven-day demo.
Torg Grabber takes a different approach to the same problem. A standalone component called Underground injects a DLL reflectively into the browser to access Chrome's COM Elevation Service and extract the master encryption key directly. This injection into the browser process is the one moment where a detection opportunity exists. After that, Torg Grabber targets 25 Chromium-based browsers and 8 Firefox variants and exfiltrates through Cloudflare infrastructure using chunked HTTPS uploads that are functionally invisible on the wire.
The practical implication for investigation: SIEM signatures tuned to legacy infostealer behavior (external SQLite access, LSASS-adjacent credential queries) will not fire on current-generation stealers. The detection opportunity is the brief DLL injection or COM service access, not the exfiltration.
The question chain
The forensic anchors for browser-resident threats fall into three buckets: process telemetry around the browser, file-system access to credential stores, and downstream identity anomalies.
Process and credential-store access (CrowdStrike Falcon). What Windows binaries were executed from non-standard paths on this device according to CrowdStrike Falcon Next-Gen SIEM? surfaces browser processes launched from AppData\Local\Temp or ProgramData, the staging pattern used by trojanized Chrome and Teams installers delivering Oyster/Broomstick. Pair it with What processes with this SHA256 were created according to CrowdStrike Falcon? to confirm whether the binary's hash matches the genuine vendor build or a malvertising drop. For the credential store specifically, any non-browser process accessing Login Data, Web Data, or Cookies SQLite files under AppData\Local\Google\Chrome\User Data is worth flagging. Most environments do not have this file-access telemetry enabled by default because the noise floor is high, but it is the right hunt for legacy-generation stealers that have not moved to server-side decryption.
Extension and ABE-bypass signals (Microsoft Defender XDR). Current-generation stealers like Storm and Torg Grabber leave almost no on-host artifact except the moment of Chrome COM Elevation Service DLL touch or a reflective DLL injection event into the browser process. What images were loaded by this process according to Microsoft Defender for Endpoint? and What registry changes were performed by this process according to Microsoft Defender for Endpoint? pivot from a single anomalous module load into the full process registry footprint. For compromised extensions specifically, the investigation pivots to extension inventory. What devices have a web server process launching anomalous child processes according to Microsoft Defender for Endpoint? can surface unexpected browser child processes, but the cleaner approach is comparing installed extension hashes against known-good versions. Most environments have no centralized extension inventory, which is the persistent visibility gap this question is trying to partially address.
Downstream identity correlation (Entra + Falcon IDP). Browser-backdoor investigations almost always resolve here, not at the endpoint. Session cookies are often more dangerous than passwords in the immediate term because they bypass MFA entirely. The investigation needs to determine not just whether credentials were stolen but whether active authenticated sessions were exported. What users have successful sign-in activity from this IP address in Microsoft Entra ID?, What Microsoft Entra accounts are associated with this Okta user login?, and What failed user authentication events occurred according to CrowdStrike Falcon? answer the foundational question directly: did the credentials harvested at 14:02 show up in an authentication event at 14:11? Beyond that, downstream SaaS logs matter: inbox forwarding rules added after compromise, bulk downloads from SharePoint, new MFA devices enrolled before the user noticed anything wrong.
Credential exposure intelligence (Flashpoint). What credential sightings are available in Flashpoint Ignite? and What compromised credentials information does Flashpoint have for this affected email address? close the loop on whether a credential observed inside the org's identity provider already exists in a stealer log marketplace. That correlation usually determines scope faster than anything else in this class of investigation. If the credential appeared in a stealer log two weeks before the anomalous authentication event, you are dealing with a different timeline than if they appeared simultaneously.
The pivot sequence end-to-end:
Defender XDR: anomalous browser child process or DLL load into browser
↓
Falcon NGSIEM: full process tree + hash reputation + credential store file access
↓
Entra/Okta: authentication events for that device in the window; new device enrollments; MFA changes
↓
SaaS audit logs: forwarding rules, bulk downloads, permission changes
↓
Flashpoint: did this credential appear in a stealer log first?
Each arrow is a Command Zero question. The chain runs in a single investigation, with each output carrying its identifiers forward as the lead value for the next question. No copy-paste between consoles.
For access broker tooling pre-sale recon is the detection window
Access brokers spend days to weeks characterizing access before listing it. That window is behaviorally distinct from operator activity: no LSASS dump, no shadow-copy deletion, no DC targeting. It is when the analyst has the best chance to close the case before ransomware enters the picture.
The behavioral signature of IAB activity versus ransomware operator activity is worth being explicit about, because it determines where in the investigation to focus:
Behavior | IAB phase | Operator phase |
|---|---|---|
Recon commands ( | Yes, extensive | Minimal (already done) |
Lateral movement | No (deliberate restraint) | Yes, immediate |
DC targeting | No | Yes |
LSASS access | No | Yes |
Shadow copy deletion | No | Yes (pre-ransomware) |
BloodHound/SharpHound execution | Sometimes | Usually |
RMM agent enrollment | Yes | Sometimes |
Dwell time before action | Days to weeks | Hours to days post-purchase |
The deliberate restraint is a feature, not a bug. An IAB that moves laterally risks triggering detection before the listing sells, which devalues the access. The goal is characterization: understand what the environment contains, estimate its value, price the listing. This means the reconnaissance commands run, the actor notes the results, and then goes quiet. That quiet dwell period is one of the most useful detection signals, though it is also the hardest to act on without context.
Reconnaissance command patterns
- What Windows services were installed on this device according to CrowdStrike Falcon?,
- What scheduled tasks have been created, updated, or deleted on this device according to CrowdStrike Falcon?, and
- What devices have a web server process launching anomalous child processes according to Microsoft Defender for Endpoint?
capture the first-hour reconnaissance sequence that almost every IAB runs:
whoami /all
net user
net group "Domain Admins" /domain
nltest /dclist:<domain>
[ping sweep or port scan]
[scheduled task creation for lightweight persistence during characterization]
The whoami /all is particularly useful as a hunt anchor because it produces a token with all group memberships, which is exactly what an IAB needs to understand the value of the access. Running it once is unremarkable; running it within minutes of an anomalous process chain is not.
RMM enrollment to attacker tenants
TThe legitimate enterprise RMM tenant resolves to a known domain; an attacker-enrolled agent does not. That relay-domain mismatch is the most reliable IAB signal of 2025–2026, and it is also the one most likely to be missed because the agent itself is signed and the traffic looks like normal RMM activity.
The ScreenConnect picture illustrates the full problem. CVE-2024-1709 was a CVSS 10.0 authentication bypass that required no credentials and no user interaction. Within 48 hours of the advisory, proof-of-concept exploits were circulating and ransomware groups including Play and Black Basta were using them. By 2025 the exploitation pattern had evolved: trojanized ScreenConnect installers using ClickOnce loaders (which lack embedded configuration and fetch components at runtime, making static detection unreliable) immediately deploy dual RATs post-installation: AsyncRAT plus a custom PowerShell-based RAT, providing redundancy if one component is neutralized.
The installer naming grammar is worth knowing as a hunt pattern: Social_Security_Statement_Documents_386267.exe, agreement_support-pdf.Client.exe, SSADocumentViewer-nXpJ2.exe. These follow a social engineering template designed to convince a user they are opening a document.
The Scattered Spider variant of RMM abuse works differently. Instead of trojanized installers, Scattered Spider uses social engineering against IT help desks to get RMM agents enrolled legitimately. LogMeIn Resolve binaries named Invitation.exe or ContractAgreementToSign.exe silently install and enroll the endpoint into an attacker-controlled tenant. Sophos tracking of the STAC6405 campaign found that in most observed cases, malicious activity stopped after this initial access step, sometimes for weeks. That idle behavior is consistent with IAB parking: establish the foothold, monitor for detection, sell when ready.
Command Zero ships:
- What Microsoft Quick Assist sessions were initiated according to Microsoft Defender for Endpoint? and
- What Microsoft Quick Assist sessions were initiated on this device according to Microsoft Defender for Endpoint?
for the Scattered Spider-style Quick Assist abuse path. For ScreenConnect, AnyDesk, and LogMeIn Resolve, the relay-domain check needs a custom question, covered below.LogMeIn Resolve, the relay-domain check needs a custom question, covered below.
C2 framework signals
IABs doing their own exploitation increasingly use C2 frameworks that have lower detection coverage than Cobalt Strike. The market has been moving for two years, and it matters for investigation:
Framework | Status | Detection gap | Key forensic anchor |
|---|---|---|---|
Cobalt Strike | Still common but declining | Well-covered by most platforms | Named pipe patterns; in-memory beacon config |
Brute Ratel C4 | Active | Heaven's Gate (32-to-64-bit syscall transition creates ETW blind spot) | Syscall anomalies; |
Sliver | Rapidly growing | Lower coverage in most commercial platforms | mTLS certs with random CN values; multi-protocol DNS patterns |
Havoc | Emerging | Minimal vendor coverage | HTTP header fingerprinting; JA3 hashes on |
The current generation of C2 frameworks also abuses cloud APIs (Microsoft Graph, SharePoint, Telegram, Steam) as relay layers. Traffic to these services from process trees that have no business reason to access them is the behavioral anchor, not any signature of the framework itself.
RDP and lateral-access pre-positioning. What Remote Desktop Protocol (RDP) activity targeted this CrowdStrike Falcon device?, What Remote Desktop Protocol (RDP) activity originated from this device according to Palo Alto Cortex XDR?, and What Remote Desktop Protocol (RDP) activity targeted this host? together cover the RDP/RDWeb access type that makes up about 32% of advertised IAB listings. The shift from direct RDP exposure to RDWeb portals is notable in 2025 data: improved defenses against RDP reduced that vector, and attackers adapted by targeting RDWeb, which is often less protected and provides equivalent enterprise access.
Causality chain for Cortex XDR shops. What parent process created this causality group owner process according to Palo Alto Cortex XDR? plus What process injection activity was initiated by processes in this causality chain according to Palo Alto Cortex XDR? and What HTTP requests were initiated by processes in this causality chain according to Palo Alto Cortex XDR? reconstruct an IAB's tooling deployment from a single observed process, which is useful when you have a process anomaly but not yet a clear picture of what was dropped.
Cortex XSOAR incident enrichment. For SOCs whose primary case management is XSOAR, What Palo Alto Cortex XSOAR incidents contain this hostname?, What indicators extracted from Palo Alto Cortex XSOAR incidents contain this IP address?, and What indicators extracted from Palo Alto Cortex XSOAR incidents contain this SHA256? make Command Zero a sidecar enrichment layer rather than a console replacement. Every IAB indicator pivots back to existing XSOAR cases.
Custom questions are where the library ends and the SOC begins
Threat actor TTPs outrun any pre-built library. Three IAB-specific signals are well-suited to custom questions in Command Zero:
1. GoldMelody's C:\Windows\Temp\111t staging directory. This is a hard, vendor-confirmed IOC present across all observed UNC961 intrusions documented by Palo Alto Unit 42 between October 2024 and mid-2025. GoldMelody exploits exposed ASP.NET Machine Keys to deploy malicious ViewState payloads, drops in-memory IIS modules for persistence, and uses a custom C# privilege escalation binary disguised as updf.exe (mimicking the legitimate UPDF PDF editor). The 111t directory appears consistently across victims regardless of other tooling variation. A custom question against DeviceFileEvents (Defender XDR), Falcon NGSIEM, or Cortex XDR file events looking for directory creation under C:\Windows\Temp\111t by IIS-adjacent process trees turns this public-research IOC into a tenant-scoped hunt. GoldMelody's behavioral pattern is pure IAB: extensive reconnaissance, no lateral movement observed across a dozen-plus victim organizations. The staging directory creation is often the only durable artifact.
2. ScreenConnect/AnyDesk relay-domain mismatch. A custom question that compares observed RMM relay domains against the org's known IT-vendor allowlist surfaces an attacker-enrolled agent directly. The skeleton template uses What processes have been observed communicating with this URL's domain according to Microsoft Defender for Endpoint? or What network connections have been observed from this CrowdStrike Falcon device? as the data source, with the allowlist supplied as an investigation argument. The ClickOnce staging path (AppData\Local\Apps\2.0) and a Windows service registered with a UID-based name (the attacker's tenant configuration) are secondary artifacts to check when the relay-domain query returns a hit. The dual-RAT deployment pattern (AsyncRAT plus a custom PowerShell RAT) is a tertiary confirmation that the agent is attacker-controlled rather than a legitimate IT deployment.
3. Splunk-anchored authentication anomalies. Command Zero supports a splunk module but ships no native templates against it, by design, since every Splunk deployment indexes events differently. The right approach is a tenant-specific SPL query for failed-then-successful authentication from a new ASN, wrapped in the Command Zero question framework so it composes with the Falcon, Defender, and Flashpoint questions above. The specific pattern to hunt is IAB credential validation: a brief failed authentication followed immediately by a successful one from the same IP, which is the fingerprint of an attacker testing purchased credentials before listing the access. This is distinct from normal user lockout patterns in timing and IP reputation.
Custom questions are authored as YAML against the same template schema as shipped content. The result is a tenant-private question that participates in the same facet chains and investigation flows as the public library.
Working the clock
The 19-day average is somewhat misleading. It's a mean dragged up by slow buyers. The two-day floor is what matters operationally, and some IABs have started bundling lateral movement scripts so the buyer can move immediately. Intel 471 observed at least one case where a ransomware group claimed a victim the same day the IAB posted the listing. The pre-sale recon window, which used to be the analyst's best opportunity, is compressing.
There is also a forum intelligence layer that most SOC workflows do not reach. IAB listings on Exploit, XSS, and the newer DarkForums often contain the access type, the network segment described, a revenue estimate used to price the listing, and sometimes the initial access vector. If your org's credentials are in a stealer log that an IAB is using to build a listing, that listing may go up days before your telemetry shows any anomaly. Threat intelligence coverage of these forums is an investigation accelerant in this specific scenario: finding the listing gives you the timeline and the vector before you have found the artifact.
For SOCs running CrowdStrike, Cortex XSOAR, and Splunk in parallel, the hours spent switching consoles and re-querying context are not a workflow annoyance. They are a meaningful fraction of a shrinking response window. Getting those hours back is what Command Zero is doing in this specific scenario.
