2025-12-13 –, Track 3
This talk explores Microsoft Edge’s Secure Preferences file as a persistence vector. We’ll dive into how Chromium-based browsers store and protect user settings, demonstrate how these protections can be defeated, and highlight which settings can be abused to maintain access on a compromised system. Attendees will learn how to modify Edge’s start-up URL to deliver phishing content, leverage IE Mode to launch a Java applet and execute code locally without user interaction, and silently install extensions (even in environments with extension whitelisting). The talk concludes with detection and mitigation guidance for defenders.
Persistence is the process of establishing mechanisms to maintain access to a compromised system, and it is critical in Red Team engagements: without it, a reboot, user logout, or unexpected disruption will cause you to lose access to the system you worked so hard to get.
With Microsoft’s push for Edge adoption, and browsers being the most-used application by both technical and non-technical users, Edge presents a unique attack surface for establishing persistence.
This talk focuses on Microsoft Edge’s Secure Preferences file, a configuration file designed to prevent unauthorized changes to sensitive browser settings using HMAC-based integrity checks. We’ll show how these checks can be defeated, allowing attackers to make modifications that Edge will accept as legitimate.
Attendees will learn how to modify Edge’s start-up behaviour for phishing, execute legacy Java applets via IE Mode, and silently install extensions (even in environments where extension installation is restricted).
The talk draws on prior abuses of Chrome’s Secure Preferences to show these ideas are not theoretical and demonstrates how defenders can detect and mitigate them. Attendees will leave with a deeper understanding of browser internals, persistence, and strategies for hardening browser environments.
Alexander Brown is an Associate Security Consultant from ReverSec who focuses on offensive security and vulnerability research. His talk draws from hands-on experience in penetration testing and real-world security assessments.
