Preventing Browser from BeEF Exploitation

There are Yara rules submitted by SANS ISC to detect BeEF, and these could be repurposed by yarashop for the network layer as a early-warning detection system. The author shows how to utilize Volatility to read into a memory capture and look for BeEF-related signatures and communications -- https://isc.sans.edu/diary/When+Hunting+BeEF%2C+Yara+rules+%28Part+2%29/20505

In order to remove a Javascript hook, such as BeEF, you would typically only need to clear reopening pages/tabs, history, and cache before restarting all browser processes. However, in some persistent BeEF scenarios, you will also need to consider other offline browser stores, such as HTML5 offline cache.

You are right to want to look for BeEF, but you will also want to dig a little deeper. It is easy to obfuscate Javascript and can be difficult to modify your detectors to catch these obfuscations. Other Javascript-hooking packages, such as XSSF, Scanbox.js, or the metasploit-framework's auxiliary/gather/browser_info module can be utilized instead of BeEF.

Emerging Threats, recently acquired by Proofpoint, has a set of Snort rules -- https://rules.emergingthreats.net/open/snort-2.9.0/rules/ -- many of which cover BeEF, XSS, Scanbox, et al. You will especially want to check out the emerging-trojan.rules and emerging-web_client.rules files. There are specific entries for BeEF and Scanbox, as well as generic ones to catch active XSS from the client (i.e., browser) perspective.

Here are two articles that discuss how threat communitiies are converging on these Javascript-hooking technologies -- https://www.helpnetsecurity.com/2016/04/28/attackers-use-open-source/ -- http://www.securityweek.com/attackers-increasingly-abuse-open-source-security-tools