How to Detect Browser Data Theft Using Windows Event Logs

Chromium’s sandbox protects against malicious web content, but not against malware that is already present on the machine. To address this, Google is developing web standards such as DBSC to render stolen cookies valueless.

For cases where prevention fails, Google proposes new signals to improve detection of unauthorized access to browser data by other applications. By making these attacks more observable, it aims to deter attackers who rely on stealth and encourage them to abandon these tactics.

Chromium browsers on Windows use DPAPI, which uses the user’s login credentials for encryption, to protect sensitive data such as passwords. This method is vulnerable to malware running under the same user account.

To address this, Chromium has passed the CRYPTPROTECT_AUDIT flag in its DPAPI calls since 2013. The flag triggers creation of an audit log entry whenever decryption occurs, along with data ownership tags indicating the browser the data belongs to. By analyzing these logs, security systems can detect unauthorized decryption attempts, potentially revealing malware activity.

To enable logging of DPAPI events, turn on “Audit DPAPI Activity” under Security Settings -> Advanced Audit Policy Configuration -> Detailed Tracking. This generates event ID 4693, which includes details such as the user and computer involved but lacks crucial information such as the specific process and the data being accessed.

4693 event 

This is because the event logs the process ID of lsass.exe, the system’s key management process, instead of the actual application requesting access, and it has no data field describing the accessed secret.

A new event type, DPAPIDefInformationEvent with ID 16385, was added to the Microsoft-Windows-Crypto-DPAPI stream to identify the process making the DPAPI call. By default it is only emitted to the debug channel, which needs to be enabled in Event Viewer.

Enabling directly in PowerShell

A PowerShell script is provided to enable debug channel logging. Audit Process Creation should also be enabled so that process IDs can be mapped to process names. Implement a process to automatically collect specific Windows event logs from all workstations.

Target events include Security log event ID 4688, signifying new process creation, and event ID 16385 from the Microsoft-Windows-Crypto-DPAPI/Debug log, indicating DPAPI operations (likely enabled in a previous step). Both should be forwarded to the organization’s central logging system for further analysis.

To detect unauthorized applications calling DPAPI to decrypt browser secrets, monitor Windows events for process creation (Event ID 4688) and DPAPI access (Event ID 16385). Build a map of process IDs to process names using the 4688 events.

4688 event 

When a 16385 event is triggered, look up the calling process by its ID. If that process is not an authorized application (e.g., the Chrome process name), an alert should be issued for potential theft.

The system monitors events 4688 and 16385 to detect unauthorized DPAPI decryption attempts. By analyzing OperationType (SPCryptUnprotect), DataDescription (browser name), and CallerProcessID, it can identify legitimate decryptions by browsers (e.g., Chrome process ID 97964) and differentiate them from unauthorized access.

According to Google, this is achieved by using the map of processes built from 4688 events to check whether the CallerProcessID in each 16385 event corresponds to a valid process, flagging mismatches as potential security risks.

16385 event

The event logs reveal a suspicious sequence: a Python script, “steal_passwords.py”, executed by “python3.exe”, triggered a “SPCryptUnprotect” operation to decrypt “Google Chrome” data, which indicates an attempt to steal Chrome passwords. The close timestamps of the script execution (4688 event) and the decryption attempt (16385 event) further suggest malicious intent.
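The correlation described above can be sketched as follows. This is an added example, not code from Google or from the original article; the dictionary layout, the allowlist, the sample paths and timestamps are constructed, and CallerProcessID is assumed to be decimal while 4688 reports NewProcessId in hex. It also covers two cases the text does not spell out: a caller PID with no matching 4688 event, and a PID that is reused by a different process after the browser exits.

```python
import ntpath

# Assumption: image names allowed to decrypt data tagged with each browser name.
AUTHORIZED = {"Google Chrome": {"chrome.exe"}}

def find_unauthorized_decryptions(events, authorized=AUTHORIZED):
    """Correlate 4688 and 16385 events and return one alert per suspect decryption."""
    pid_to_image = {}  # PID -> image path of the latest process created with that PID
    alerts = []
    # Sort by (time, id) so a 4688 is applied before a 16385 with the same timestamp.
    for ev in sorted(events, key=lambda e: (e["time"], e["id"])):
        if ev["id"] == 4688:
            # 4688 reports NewProcessId as a hex string such as "0x17eac".
            pid_to_image[int(ev["NewProcessId"], 16)] = ev["NewProcessName"]
            continue
        if ev["id"] != 16385 or ev["OperationType"] != "SPCryptUnprotect":
            continue  # only DPAPI decryption calls are of interest
        allowed = authorized.get(ev["DataDescription"])
        if allowed is None:
            continue  # secret is not tagged with a monitored browser name
        pid = int(ev["CallerProcessID"])  # assumed to be decimal in the 16385 event
        image = pid_to_image.get(pid)
        name = ntpath.basename(image).lower() if image else None
        if name not in allowed:
            alerts.append({"time": ev["time"], "pid": pid,
                           "image": image or "<no 4688 seen>"})
    return alerts

def _dpapi(time, pid):  # constructed 16385 event decrypting Chrome data
    return {"time": time, "id": 16385, "OperationType": "SPCryptUnprotect",
            "DataDescription": "Google Chrome", "CallerProcessID": str(pid)}

def _proc(time, hex_pid, image):  # constructed 4688 event
    return {"time": time, "id": 4688, "NewProcessId": hex_pid, "NewProcessName": image}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    _proc("2024-05-01T10:00:00", "0x17eac", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    _dpapi("2024-05-01T10:00:05", 97964),   # chrome.exe itself: no alert
    _proc("2024-05-01T10:05:00", "0x1a2c", r"C:\Python312\python3.exe"),
    _dpapi("2024-05-01T10:05:01", 6700),    # python3.exe: alert
    _dpapi("2024-05-01T10:09:00", 4242),    # PID never seen in a 4688: alert
    _proc("2024-05-01T10:20:00", "0x17eac", r"C:\Users\Public\updater.exe"),
    _dpapi("2024-05-01T10:20:02", 97964),   # PID reused by another process: alert
]

if __name__ == "__main__":
    for alert in find_unauthorized_decryptions(SAMPLE_EVENTS):
        print(alert)
```

Matching on the image name alone does not distinguish a renamed binary from the real browser; comparing the full NewProcessName path against the expected install location is stricter.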


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
