Chromium's sandbox protects against malicious web content, but not against malware already running on the system, which can read the browser's stored credentials and cookies directly. To improve detection of such attacks, Chromium's access to protected data is recorded in the Windows event logs, giving system administrators and endpoint detection agents a signal to work from.
Windows event 4693 logs DPAPI activity, but it records neither which process made the call nor which data was touched. To address this, event 16385 was added; it includes the process ID of the application accessing the data. To use this feature, enable logging for both events and enable "Audit Process Creation" in Windows so that process-creation (4688) events are generated.
The 16385 event includes the operation type (SPCryptUnprotect), a data description (e.g., "Google Chrome"), and the caller process ID. By matching that caller process ID against the processes tracked through 4688 events, defenders can identify which executable decrypted browser data and flag any that is not the browser itself.
Testing with a Python password stealer demonstrates how the events provide evidence of suspicious behavior. The 16385 event shows an attempt to decrypt the "Google Chrome" key, while the 4688 event reveals the process ID of the Python executable running the script.
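The correlation described above, written out as an added example that is not code from the blog post: a process table is built from 4688 events (handling PID reuse by timestamp), and each 16385 SPCryptUnprotect of "Google Chrome" data is attributed to the image that owned the caller PID at that moment. The events are constructed samples; NewProcessId and NewProcessName are the real 4688 Security-log fields, while the 16385 field names (OperationType, DataDescription, CallerProcessID) are assumed.

```python
# Constructed sample events, not real logs. 4688 uses the real Security-log fields
# NewProcessId (hex string) and NewProcessName; the 16385 field names are assumed.
SAMPLE_EVENTS = [
    {"id": 4688, "time": "2024-05-01T10:00:00", "NewProcessId": "0x1a2c",
     "NewProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 16385, "time": "2024-05-01T10:01:00", "OperationType": "SPCryptUnprotect",
     "DataDescription": "Google Chrome", "CallerProcessID": 6700},
    {"id": 4688, "time": "2024-05-01T10:05:00", "NewProcessId": "0x2b10",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe"},
    {"id": 16385, "time": "2024-05-01T10:06:00", "OperationType": "SPCryptUnprotect",
     "DataDescription": "Google Chrome", "CallerProcessID": 11024},
    # PID 0x1a2c (6700) reused by a new process after chrome.exe exited
    {"id": 4688, "time": "2024-05-01T10:10:00", "NewProcessId": "0x1a2c",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 16385, "time": "2024-05-01T10:11:00", "OperationType": "SPCryptUnprotect",
     "DataDescription": "Google Chrome", "CallerProcessID": 6700},
]
ALLOWED_IMAGES = {"chrome.exe"}  # only the browser itself should unprotect its key

def build_process_index(events):
    """PID -> chronological [(start_time, image_path)] built from 4688 events."""
    index = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as strings
        if ev["id"] == 4688:
            pid = int(ev["NewProcessId"], 16)  # 4688 records the PID as a hex string
            index.setdefault(pid, []).append((ev["time"], ev["NewProcessName"]))
    return index

def resolve_image(index, pid, at_time):
    """Image of the most recent process created with this PID at or before at_time."""
    starts = [img for start, img in index.get(pid, []) if start <= at_time]
    return starts[-1] if starts else None

def find_suspicious_dpapi_access(events, allowed=ALLOWED_IMAGES):
    """(time, pid, image) for each Chrome-data SPCryptUnprotect by a non-allowed image."""
    index = build_process_index(events)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 16385 or ev["OperationType"] != "SPCryptUnprotect":
            continue
        if ev["DataDescription"] != "Google Chrome":
            continue
        image = resolve_image(index, ev["CallerProcessID"], ev["time"])
        # No matching 4688 (auditing off, or process predates logging) is itself worth a look
        name = image.rsplit("\\", 1)[-1].lower() if image else "<unknown>"
        if name not in allowed:
            hits.append((ev["time"], ev["CallerProcessID"], image))
    return hits
```

Running `find_suspicious_dpapi_access(SAMPLE_EVENTS)` on the sample reports the python.exe access and the later access by the process that reused PID 6700, while the browser's own access at 10:01 is not flagged.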
This technique provides strong detection of credential theft, alerting defenders to potential attacks and helping to deter attackers seeking to remain stealthy.
security.googleblog.com
