Detecting browser data theft using Windows Event Logs
Google Security
APRIL 30, 2024
Since 2013, Chromium has been applying the CRYPTPROTECT_AUDIT flag to DPAPI calls to request that an audit log be generated when decryption occurs, as well as tagging the data as being owned by the browser. Finally, the CallerProcessID will map to the process performing the decryption. 16385 events are described later.
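An added example, not from the original post: one way to triage exported 16385 events, flagging decryption of browser-tagged data when the CallerProcessID does not resolve to the browser binary. The `DataDescription` field name, the "Google Chrome" tag value, the PID-to-image map and every sample event are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DPAPI_EVENT_ID = "16385"

def sample_event(description, pid):
    """Build one constructed event; 'DataDescription' is an assumed field name."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>16385</EventID></System><EventData>'
            f'<Data Name="DataDescription">{description}</Data>'
            f'<Data Name="CallerProcessID">{pid}</Data></EventData></Event>')

# Constructed sample export, not real log data.
SAMPLE_EVENTS = "<Events>" + "".join(sample_event(d, p) for d, p in [
    ("Google Chrome", 4120),   # browser decrypting its own data
    ("Google Chrome", 7788),   # another process decrypting browser data
    ("Other App", 7788),       # not browser-owned data, out of scope
    ("Google Chrome", 9001),   # caller PID with no known image
]) + "</Events>"

# Assumed inputs: PID-to-image map from process telemetry, tag and allowlist.
PID_TO_IMAGE = {
    4120: r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    7788: r"C:\Users\Public\collector.exe",
}
BROWSER_TAGS = {"Google Chrome"}
ALLOWED_IMAGES = {r"c:\program files\google\chrome\application\chrome.exe"}

def suspicious_decryptions(events_xml, pid_to_image, browser_tags, allowed_images):
    """Return (pid, image) for browser-tagged decryptions by non-browser callers."""
    findings = []
    for ev in ET.fromstring(events_xml).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != DPAPI_EVENT_ID:
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("DataDescription") not in browser_tags:
            continue
        raw = data.get("CallerProcessID", "")
        pid = int(raw) if raw.isdigit() else None  # keep malformed PIDs visible
        image = pid_to_image.get(pid)
        # Windows paths are case-insensitive, so compare lowercased.
        if image is None or image.lower() not in allowed_images:
            findings.append((pid, image or "<unresolved>"))
    return findings

if __name__ == "__main__":
    for pid, image in suspicious_decryptions(
            SAMPLE_EVENTS, PID_TO_IMAGE, BROWSER_TAGS, ALLOWED_IMAGES):
        print(f"browser data decrypted by PID {pid}: {image}")
```

PIDs are reused, so build the PID-to-image map from process telemetry covering the same time window as the events.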