Anti-Forensics
Account Misuse
Clear Browser Artifacts
Clear Email Artifacts
Code Contribution Obfuscation and Misrepresentation
Decrease Privileges
Delayed Execution Triggers
Delete User Account
Deletion of Volume Shadow Copy
Disk Wiping
File Deletion
File Encryption
Hide Artifacts
Hiding or Destroying Command History
Log Deletion
Log Modification
Message Deletion
Message Modification
Modify Windows Registry
Network Obfuscation
Physical Destruction of Storage Media
Physical Removal of Disk Storage
Stalling
Steganography
System Shutdown
System Time Modification
Timestomping
Tripwires
Uninstalling Software
Virtualization
- ID: AF029.003
- Created: 20th October 2025
- Updated: 20th October 2025
- Platforms: Oracle Cloud Infrastructure (OCI)Google Cloud Platform (GCP)Microsoft AzureAmazon Web Services (AWS)AndroidiOSWindowsLinuxMacOS
- Contributor: Ryan Bellows
Use of Browser-Based VPN Extensions
The subject installs and activates browser-based VPN or proxy extensions (such as Hola VPN, Browsec, or ZenMate) to anonymize specific web activity while avoiding host-level detection or access restrictions. These lightweight tools require no administrative privileges and often evade traditional endpoint controls, allowing subjects to selectively obscure browsing sessions, bypass content filtering, or access external services undetected.
Unlike full-system VPN clients, browser-based VPNs operate at the application layer, making them more difficult to inventory, log, or control using conventional network or endpoint defenses. Their use complicates investigative visibility into user intent, session content, and destination domains, particularly when paired with HTTPS encryption or private browsing modes. This technique represents a form of network anti-forensics intended to obscure subject behavior with minimal system footprint or oversight.