9
May
2024
New ways to quickly format and organize data with tables in Google Sheets
This announcement was part of Google Cloud Next ‘24. Visit the Workspace Blog to learn more about the next wave of innovations in Workspace, including enhancements to Gemini for Google Workspace.
What’s changing
We know it can be time consuming to perfo...
8
May
2024
How we developed Chrome’s first AI tools
Learn more about how the new generative AI tools for Chrome browser were developed.
8
May
2024
Build better, safer SDKs with Google Play SDK Console
Posted by Yafit Becher – Product Manager
SDKs offer a wide range of benefits for app developers, but they can also impact apps in ways that aren’t always easy to identify or control. That’s why, in 2021, we launched Google Play SDK Console and in...
8
May
2024
AlphaFold 3 predicts the structure and interactions of all of life’s molecules
Our new AI model AlphaFold 3 can predict the structure and interactions of all life’s molecules with unprecedented accuracy.
8
May
2024
Easily convert data to dropdown chips in Google Sheets
What’s changing
In March, we introduced the ability to insert preset dropdown chips that are configured for common use cases like priority or review statuses in Google Sheets. Today, we’re adding a new feature that helps you quickly convert ranges of da...
7
May
2024
Improving suspension alerting for Google Meet hardware devices
What’s changing
To ensure customers with Google Meet hardware devices have sufficient notice about canceled or expired device subscriptions, we’re adding notifications in the Admin console. Depending on your subscription details and timeline, you will s...
7
May
2024
The Best Way to Quickly Build a Beautiful WordPress Website
Want to quickly build a beautiful, professional-looking site? Here's how to do it.
7
May
2024
WordPress 6.5.3 Maintenance Release
WordPress 6.5.3 is now available! This minor release features 12 bug fixes in Core and 9 bug fixes for the block editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. WordPress 6.5.3 is a short-cycle release. The next major release will be version 6.6 planned […]
7
May
2024
More frequent, focused updates for Android Studio
Posted by Adarsh Fernando, Senior Product Manager, Android Studio
Three years ago, we changed how we named and versioned Android Studio to make it easier to follow updates – we changed how we numbered the versions of the IDE to more closely map t...
7
May
2024
Meet Pixel 8a: The Google AI phone at an unbeatable value
Pixel 8a is the latest A-series phone, bringing you a phone packed with Google AI at an affordable price.
7
May
2024
Decorate your background – How generative AI backgrounds work, and why you might want to use them
Microsoft Teams has always been at the forefront of innovation, and the Decorate your background feature is no exception. Released in Teams Premium in January 2024, this feature uses generative AI to create an artificial version of the user’s real back...
7
May
2024
10 Best SEO WordPress Themes and Key Features to Look For
Choosing the best SEO WordPress theme for your website isn’t just about aesthetics – the theme should also have optimal performance. A theme designed with search engine optimization (SEO) in mind can help propel your site’s ranking on the s...
7
May
2024
Using GitHub Copilot as your Coding GPS
In this series, we delve into GitHub Copilot in Visual Studio, showcasing how it aids coding. GitHub Copilot functions as a coding GPS, guiding you through software development in Visual Studio. In our new short video, Bruno Capuano shows how this smart coding assistant boosts coding efficiency and quality.
The post Using GitHub Copilot as your Coding GPS appeared first on Visual Studio Blog.
7
May
2024
Announcing live connect for Power BI report integration with OneDrive and SharePoint (Preview)
Last May, we announced the integration between Power BI and OneDrive and SharePoint (ODSP) that allows you to view Power BI reports directly in a OneDrive or SharePoint document library. Previously, this capability was limited only to reports with data...
7
May
2024
Font Freedom: Unleash Creative Typography on Your WordPress.com Site
Then: Writing code or installing plugins to use a custom font. Now: Welcome to the Font Library.
6
May
2024
Block compromised mobile devices using context-aware access
What’s changing Using context-aware access, you now have the option to automatically block access to Google Workspace data from compromised Android and iOS devices. A device may be counted as compromised if certain unusual events are detected, inc...
6
May
2024
Bringing educators together this Teacher Appreciation Week
2024 National Teacher of the Year Missy Testerman, from Tennessee, shares more about her story and Google's commitment to the future of education.
6
May
2024
Bringing educators together this Teacher Appreciation Week
Google shares ongoing commitment to education with an essay from 2024 Teacher of the Year, Missy Testerman.
6
May
2024
A simplified experience for Workspace users to add 2-Step Verification (2SV) methods
What’s changing
We’re simplifying how users turn on 2-Step Verification (2SV), which will streamline the process, and make it easier for admins to enforce 2SV policies in their organizations. Here are some of the important changes with this c...
6
May
2024
HTTP 500 Internal Server Error: How to Fix It in WordPress
The “500 internal server error” can be a frustrating one to come across because it doesn’t actually tell you what went wrong. Also known as the “http error 500,” it could be caused by several factors, such as conflicts between WordPress plugins or them...
6
May
2024
Hostinger Review: Dissected by 3 Members of the Themeisle Team
The internet is filled with a lot of Hostinger reviews. Unfortunately, the large majority of them are not based on any sort of firsthand experience. Instead, they’re composed of regurgitated information taken from the Hostinger website mixed with some ...
6
May
2024
Google Workspace Updates Weekly Recap – May 3, 2024
New updates
There are no new updates to share this week. Please see below for a recap of published announcements.
Previous announcements
The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the orig...
3
May
2024
How to Add a Mortgage Calculator in WordPress (Step by Step)
Do you want to add a mortgage calculator in WordPress? If you have a real estate or finance website, then a mortgage calculator can help visitors see whether they can afford the properties you are promoting. This can keep people on your website for longer… Read More »
The post How to Add a Mortgage Calculator in WordPress (Step by Step) first appeared on WPBeginner.
3
May
2024
Apply for the Google for Startups Ukraine Support Fund
Applications are now open for a $10 million Google for Startups Ukraine Support Fund
3
May
2024
The Top 5 AI-Powered Tools for WordPress Creatives
Which AI-powered tools are actually worth using?
3
May
2024
What is a Web Safe Font + 19 Best Web Safe Fonts (Beginner’s Guide)
Are you wondering what a web-safe font is and what the best web-safe fonts are to use for WordPress? Imagine pouring weeks or months into designing a beautiful website. You’ve checked all the boxes, paying attention to details like choosing the right website theme and… Read More »
The post What is a Web Safe Font + 19 Best Web Safe Fonts (Beginner’s Guide) first appeared on WPBeginner.
3
May
2024
Hide tiles without video during Google Meet calls
What’s changing We’ve added the option to hide non-video tiles, so that users can avoid clutter on their screen if they are interested to only see the participants with their videos on. This option can help reduce screen clutter and focus on video...
2
May
2024
Introducing AppSheet Organizations
What’s changing We’re making it easier to manage your AppSheet users with the introduction of AppSheet Organizations. An AppSheet organization creates organization administrators with a centralized tool to manage all of the teams in the organizati...
2
May
2024
How to Add Categories and Tags to WordPress Media Library
Do you want to add categories and tags to images in your WordPress media library? Tags and categories can help you organize media files in a way that makes sense to you. This can make it easier to find images when you need them. In… Read More »
The post How to Add Categories and Tags to WordPress Media Library first appeared on WPBeginner.
2
May
2024
How 4 small businesses are using Google tools to succeed
From Google Ads to Gemini, small businesses across the country use Google tools to reach customers, grow their client base and so much more.
2
May
2024
See the winners of our Single-Use Plastics Challenge
Here are the winners of our Single-Use Plastics Challenge, and how these solutions help reduce the food and beverage industry’s plastic footprint.
2
May
2024
Google Meet increases support for ultra-low latency live streaming to the first 25,000 viewers
What’s changing For Google Workspace editions that support 100,000 viewers, we’re increasing the availability of the Google Meet ultra-low latency viewing experience for live streamed meetings from the first 10,000 viewers to the first 25,000 view...
2
May
2024
4 tips on getting the most out of Pixel 8 Pro’s Video Boost
Learn more about how we developed Pixel 8 Pro’s Video Boost feature as well as tips on how to use it.
2
May
2024
What’s new for apps distributed in the European Union
Core Technology Fee (CTF)
The CTF is an element of the alternative business terms in the EU that reflects the value Apple provides developers through tools, technologies, and services that enable them to build and share innovative apps. We believe anyon...
2
May
2024
Passkeys, Cross-Account Protection and new ways we’re protecting your accounts
For World Password Day, we’re sharing updates to passkeys across our products and sharing more ways we’re keeping people safe online.
2
May
2024
Your Google Account allows you to create passkeys on your phone, computer and security keys
Sriram Karra and Christiaan Brand, Google product managersLast year, Google launched passkey support for Google Accounts. Passkeys are a new industry standard that give users an easy, highly secure way to sign-in to apps and websites. Today, we announc...
2
May
2024
Available in open beta: Build AppSheet automations using Google Forms
This announcement was part of Google Cloud Next ‘24. Visit the Workspace Blog to learn more about the next wave of innovations in Workspace, including enhancements to Gemini for Google Workspace.
What’s changing
AppSheet helps users automate manual work...
1
May
2024
What’s New in Microsoft Teams | April 2024
If you're looking for ways to boost your productivity with Microsoft Teams, you're in the right place. In this blog post, we'll share the latest features and improvements that have rolled out in April, covering everything from chat to meetings and town...
1
May
2024
Google Ads API Resource Usage Policy Update
What's changing?
We are updating the Google Ads API resource usage policy to throttle GoogleAdsService.Search and GoogleAdsService.SearchStream query patterns that consume excessive amounts of API resources. If a particular query pattern is throttl...
1
May
2024
Get ready for Google I/O: Program lineup revealed
Posted by Timothy Jordan – Director, Developer Relations and Open Source
Developers, get ready! Google I/O is just around the corner, kicking off live from Mountain View with the Google keynote on Tuesday, May 14 at 10 am PT, followed by the De...
1
May
2024
Our ongoing efforts to support mental health
May is Mental Health Awareness Month in the U.S. Here’s a look at how Google continues to support people in times of need.
1
May
2024
Evolving Health on Android: Migrating from Google Fit APIs to Android Health
Posted by Chris Wilk – Senior Product Manager, Android Health
At Google, we're committed to empowering developers to create innovative health and fitness experiences on Android. Over the past few years, we've been investing heavily in establishi...
1
May
2024
May is for .dev-elopers
We’re celebrating five years since the launch of the .dev top-level domain with five exciting .dev websites and a special offer from our registrar partners.
1
May
2024
4 new ways to enjoy reading with Google Play Books
Google Play Books celebrates reading with no-charge ebooks and digital stickers for kids, a new “Upcoming” section and audiobook previews on YouTube.
1
May
2024
A new Mother’s Day gift experience on Google Search
We’re making it easier to find Mother’s Day gifts with a new shopping experience.
1
May
2024
Configure managed iOS apps for your users using Google Mobile Device Management
What’s changing Directly from the Admin console, admins can remotely set custom configs for managed iOS apps on end-user devices for their enterprise using Google Mobile Device Management. Managed configurations are applied using XML property list...
1
May
2024
Gemini in Android Studio and more: Android Studio Jellyfish is Stable!
Posted by Paris Hsu – Product Manager, Android Studio
Android Studio Jellyfish (2023.3.1) is making waves with its official stable release! 🪼🌊 Dive into cutting-edge AI features like Gemini in Android Studio, seamless Google services integrations...
30
Apr
2024
Detecting browser data theft using Windows Event Logs
Posted by Will Harris, Chrome Security Team
Chromium's sandboxed process model defends well against malicious web content, but there are limits to how well the application can protect itself from malware already on the computer. Cookies and other credentials remain a high value target for attackers, and we are trying to tackle this ongoing threat in multiple ways, including working on web standards like DBSC that will help disrupt the cookie theft industry, since exfiltrated cookies will no longer have any value.
Where it is not possible to prevent the theft of credentials and cookies by malware, the next best thing is making the attack more observable by antivirus, endpoint detection agents, or enterprise administrators with basic log analysis tools.
This blog describes one set of signals for use by system administrators or endpoint detection agents that should reliably flag any access to the browser’s protected data from another application on the system. By increasing the likelihood of an attack being detected, this changes the calculus for those attackers who might have a strong desire to remain stealthy, and might cause them to rethink carrying out these types of attacks against our users.
Background
Chromium based browsers on Windows use the DPAPI (Data Protection API) to secure local secrets such as cookies and passwords against theft. DPAPI protection is based on a key derived from the user's login credential and is designed to protect against unauthorized access to secrets by other users on the system, or when the system is powered off. Because the DPAPI secret is bound to the logged in user, it cannot protect against local malware: malware executing as the user, or at a higher privilege level, can call the same APIs as the browser to obtain the DPAPI secret.
Since 2013, Chromium has been applying the CRYPTPROTECT_AUDIT flag to its DPAPI calls, which requests that an audit event be generated whenever the data is decrypted, and has tagged the data with a description identifying the browser as its owner. Because all of Chromium's encrypted data storage is backed by a DPAPI-secured key, any application that decrypts this data, including malware, should reliably generate a clearly observable event log entry, which can be used to detect these attacks.
There are three main steps involved in taking advantage of this log:
Enable logging on the computer running Google Chrome, or any other Chromium based browser.
Export the event logs to your backend system.
Create detection logic to detect theft.
This blog will also show how the logging works in practice by testing it against a python password stealer.
Step 1: Enable logging on the system
DPAPI events are logged in two places on the system. Firstly, there is the 4693 event, which can be logged to the Security log. This event is enabled by turning on "Audit DPAPI Activity"; the steps to do this are described here, and the policy itself sits deep within Security Settings -> Advanced Audit Policy Configuration -> Detailed Tracking.
Here is what the 4693 event looks like:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{...}" />
 <EventID>4693</EventID>
 <Version>0</Version>
 <Level>0</Level>
 <Task>13314</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8020000000000000</Keywords>
 <TimeCreated SystemTime="2015-08-22T06:25:14.589407700Z" />
 <EventRecordID>175809</EventRecordID>
 <Correlation />
 <Execution ProcessID="520" ThreadID="1340" />
 <Channel>Security</Channel>
 <Computer>DC01.contoso.local</Computer>
 <Security />
 </System>
 <EventData>
 <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
 <Data Name="SubjectUserName">dadmin</Data>
 <Data Name="SubjectDomainName">CONTOSO</Data>
 <Data Name="SubjectLogonId">0x30d7c</Data>
 <Data Name="MasterKeyId">0445c766-75f0-4de7-82ad-d9d97aad59f6</Data>
 <Data Name="RecoveryReason">0x5c005c</Data>
 <Data Name="RecoveryServer">DC01.contoso.local</Data>
 <Data Name="RecoveryKeyId" />
 <Data Name="FailureId">0x380000</Data>
 </EventData>
</Event>
The issue with the 4693 event is that, while it is generated whenever there is DPAPI activity on the system, it does not say which process was performing the DPAPI activity, nor which particular secret was being accessed. The Execution ProcessID field in the event will always be the process id of lsass.exe, because that is the process that manages the encryption keys for the system, and there is no field for the description of the data.
For this reason, recent versions of Windows added a new event type that identifies the process making the DPAPI call directly. It was added to the Microsoft-Windows-Crypto-DPAPI provider, which appears in Event Viewer under Applications and Services Logs > Microsoft > Windows > Crypto-DPAPI.
The new event is called DPAPIDefInformationEvent and has id 16385, but it is only emitted to the Debug channel, which by default is not persisted to an Event Log unless Debug channel logging is enabled. This can be done directly in PowerShell:
$log = `
 New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration `
 Microsoft-Windows-Crypto-DPAPI/Debug
$log.IsEnabled = $True
$log.SaveChanges()

Once this log is enabled then you should start to see 16385 events generated, and these will contain the real process ids of applications performing DPAPI operations. Note that 16385 events are emitted by the operating system even for data not flagged with CRYPTPROTECT_AUDIT, but to identify the data as owned by the browser, the data description is essential. 16385 events are described later.
You will also want to enable Audit Process Creation so that you can maintain a current mapping of process ids to process names (more on that later). You might also consider enabling logging of full command lines.
Step 2: Collect the events
The events you want to collect are:
From Security log:
4688: "A new process was created."
From Microsoft-Windows-Crypto-DPAPI/Debug log: (enabled above)
16385: "DPAPIDefInformationEvent"
These should be collected from all workstations, and persisted into your enterprise logging system for analysis.
Step 3: Write detection logic to detect theft.
With these two events it is now possible to detect when an unauthorized application calls into DPAPI to decrypt browser secrets.
The general approach is to generate a map of process ids to active processes using the 4688 events, then every time a 16385 event is generated, it is possible to identify the currently running process, and alert if the process does not match an authorized application such as Google Chrome. You might find your enterprise logging software can already keep track of which process ids map to which process names, so feel free to just use that existing functionality.
Let's dive deeper into the events.
A 4688 event looks like this - e.g. here is Chrome browser launching from explorer:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{...}" />
 <EventID>4688</EventID>
 <Version>2</Version>
 <Level>0</Level>
 <Task>13312</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8020000000000000</Keywords>
 <TimeCreated SystemTime="2024-03-28T20:06:41.9254105Z" />
 <EventRecordID>78258343</EventRecordID>
 <Correlation />
 <Execution ProcessID="4" ThreadID="54256" />
 <Channel>Security</Channel>
 <Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
 <Security />
 </System>
 <EventData>
 <Data Name="SubjectUserSid">S-1-5-18</Data>
 <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
 <Data Name="SubjectDomainName">CONTOSO</Data>
 <Data Name="SubjectLogonId">0xe8c85cc</Data>
 <Data Name="NewProcessId">0x17eac</Data>
 <Data Name="NewProcessName">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
 <Data Name="TokenElevationType">%%1938</Data>
 <Data Name="ProcessId">0x16d8</Data>
 <Data Name="CommandLine">"C:\Program Files\Google\Chrome\Application\chrome.exe" </Data>
 <Data Name="TargetUserSid">S-1-0-0</Data>
 <Data Name="TargetUserName">-</Data>
 <Data Name="TargetDomainName">-</Data>
 <Data Name="TargetLogonId">0x0</Data>
 <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
 <Data Name="MandatoryLabel">S-1-16-8192</Data>
 </EventData>
</Event>

The important part here is the NewProcessId, which is logged in hex: 0x17eac, or 97964 in decimal.
A 16385 event looks like this:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-Crypto-DPAPI" Guid="{...}" />
 <EventID>16385</EventID>
 <Version>0</Version>
 <Level>4</Level>
 <Task>64</Task>
 <Opcode>0</Opcode>
 <Keywords>0x2000000000000040</Keywords>
 <TimeCreated SystemTime="2024-03-28T20:06:42.1772585Z" />
 <EventRecordID>826993</EventRecordID>
 <Correlation ActivityID="{777bf68d-7757-0028-b5f6-7b775777da01}" />
 <Execution ProcessID="1392" ThreadID="57108" />
 <Channel>Microsoft-Windows-Crypto-DPAPI/Debug</Channel>
 <Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
 <Security UserID="S-1-5-18" />
 </System>
 <EventData>
 <Data Name="OperationType">SPCryptUnprotect</Data>
 <Data Name="DataDescription">Google Chrome</Data>
 <Data Name="MasterKeyGUID">{4df0861b-07ea-49f4-9a09-1d66fd1131c3}</Data>
 <Data Name="Flags">0</Data>
 <Data Name="ProtectionFlags">16</Data>
 <Data Name="ReturnValue">0</Data>
 <Data Name="CallerProcessStartKey">32651097299526713</Data>
 <Data Name="CallerProcessID">97964</Data>
 <Data Name="CallerProcessCreationTime">133561300019253302</Data>
 <Data Name="PlainTextDataSize">32</Data>
 </EventData>
</Event>

The important parts here are the OperationType, the DataDescription and the CallerProcessID. For DPAPI decrypts, the OperationType will be SPCryptUnprotect. Note also that the ProtectionFlags value of 16 (0x10) corresponds to CRYPTPROTECT_AUDIT, the flag described in the Background section.
Each Chromium based browser tags its data with the product name, e.g. Google Chrome or Microsoft Edge, depending on the owner of the data. This always appears in the DataDescription field, so browser data can be distinguished from other DPAPI secured data.
Finally, the CallerProcessID maps to the process performing the decryption. In this case it is 97964, which matches the process id seen in the 4688 event above, showing that this was likely Google Chrome decrypting its own data. Bear in mind that these logs only contain the path to the executable; for full assurance that this is actually Chrome (and not malware pretending to be Chrome, or malware injected into Chrome), additional protections such as removing administrator access and application allowlisting can be used to give higher assurance of this signal. In recent versions of Chrome or Edge, you might also see decryptions happening in the elevation_service.exe process, which is another legitimate part of the browser's data storage.
To detect unauthorized DPAPI access, you will want to generate a running map of all processes using 4688 events, then look for 16385 events whose CallerProcessID does not match a valid caller. Let's try that now.
Testing with a python password stealer
We can test that this works with a public password-decryption script taken from a public blog. It generates two events, as expected:
Here is the 16385 event, showing that a process is decrypting the "Google Chrome" key.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 < ... >
 <EventID>16385</EventID>
 < ... >
 <TimeCreated SystemTime="2024-03-28T20:28:13.7891561Z" />
 < ... >
 </System>
 <EventData>
 <Data Name="OperationType">SPCryptUnprotect</Data>
 <Data Name="DataDescription">Google Chrome</Data>
 < ... >
 <Data Name="CallerProcessID">68768</Data>
 <Data Name="CallerProcessCreationTime">133561312936527018</Data>
 <Data Name="PlainTextDataSize">32</Data>
 </EventData>
</Event>
Since the data description being decrypted was "Google Chrome" we know this is an attempt to read Chrome secrets, but to determine the process behind 68768 (0x10ca0), we need to correlate this with a 4688 event.
Here is the corresponding 4688 event from the Security Log (a process start for python3.exe) with the matching process id:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 < ... >
 <EventID>4688</EventID>
 < ... >
 <TimeCreated SystemTime="2024-03-28T20:28:13.6527871Z" />
 < ... >
 </System>
 <EventData>
 < ... >
 <Data Name="NewProcessId">0x10ca0</Data>
 <Data Name="NewProcessName">C:\python3\bin\python3.exe</Data>
 <Data Name="TokenElevationType">%%1938</Data>
 <Data Name="ProcessId">0xca58</Data>
 <Data Name="CommandLine">"c:\python3\bin\python3.exe" steal_passwords.py</Data>
 < ... >
 <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
 </EventData>
</Event>
In this case the process id matches the python3 executable running a potentially malicious script, so this is very suspicious behavior and should trigger an alert immediately. Bear in mind that process ids on Windows are reused, so you will want to use the 4688 event with the timestamp closest to, but earlier than, the 16385 event.
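The correlation described in Step 3 and the PID-reuse caveat above, as an added example that is not code from this post: it parses 4688 and 16385 records in the Event Log XML schema shown earlier, keeps a per-PID history of process starts, picks the latest start at or before each decrypt, and only then checks the caller against an allowlist. It also treats CallerProcessCreationTime as a Windows FILETIME (100 ns ticks since 1601) and requires it to agree with the matched 4688 timestamp; on the two samples in this post the values agree to within a millisecond, which makes the field a second key for defeating PID reuse. The allowlist paths, the one-second tolerance and the sample records (built from the values in this post's samples, plus a constructed earlier Chrome process that reused PID 0x10ca0) are assumptions.

```python
"""Correlate 4688 process-creation events with Crypto-DPAPI 16385 events and alert
when a process outside an allowlist decrypts browser-tagged DPAPI data.
Added example, not code from the post; allowlist paths, the one-second creation-time
tolerance and the sample events are assumptions."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BROWSER_DATA_TAGS = {"Google Chrome", "Microsoft Edge"}  # DataDescription values named in the post
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PYTHON = r"C:\python3\bin\python3.exe"
# Assumed install paths of legitimate callers; add elevation_service.exe for recent builds.
ALLOWED_CALLERS = {CHROME, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"}

def parse_system_time(text):
    """'2024-03-28T20:06:41.9254105Z' -> aware UTC datetime (7 fractional digits cut to 6)."""
    base, _, frac = text.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """CallerProcessCreationTime read as a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def parse_event(xml_text):
    """Reduce one Event Log XML record to its id, TimeCreated and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {d.get("Name"): d.text or "" for d in root.find("e:EventData", NS)}
    return {"id": int(system.find("e:EventID", NS).text),
            "time": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            "data": fields}

class DpapiTheftDetector:
    def __init__(self, allowed_callers=ALLOWED_CALLERS, tolerance=timedelta(seconds=1)):
        self.allowed = {p.lower() for p in allowed_callers}
        self.tolerance = tolerance  # assumed slack between 4688 TimeCreated and creation time
        self.starts = {}  # pid -> [(start time, image path, command line), ...]

    def ingest(self, event):
        """Feed one parsed event in log order; returns an alert dict or None."""
        data = event["data"]
        if event["id"] == 4688:
            pid = int(data["NewProcessId"], 16)  # 4688 logs the pid in hex
            self.starts.setdefault(pid, []).append(
                (event["time"], data["NewProcessName"], data.get("CommandLine", "")))
            return None
        if event["id"] != 16385 or data.get("OperationType") != "SPCryptUnprotect":
            return None
        if data.get("DataDescription") not in BROWSER_DATA_TAGS:
            return None  # some other application's DPAPI blob
        pid = int(data["CallerProcessID"])  # 16385 logs the pid in decimal
        alert = {"pid": pid, "data": data["DataDescription"], "time": event["time"]}
        # PIDs are reused: take the latest process start at or before the decrypt...
        earlier = [s for s in self.starts.get(pid, []) if s[0] <= event["time"]]
        if not earlier:
            return {**alert, "reason": "no 4688 seen for caller pid"}
        started, image, cmdline = max(earlier, key=lambda s: s[0])
        # ...and confirm it against the creation time the DPAPI event itself carries.
        claimed = filetime_to_datetime(int(data["CallerProcessCreationTime"]))
        if abs(claimed - started) > self.tolerance:
            return {**alert, "image": image, "reason": "4688 start time does not match caller creation time"}
        if image.lower() in self.allowed:
            return None
        return {**alert, "image": image, "command_line": cmdline, "reason": "unauthorised caller"}

def _event_xml(event_id, system_time, fields):
    """Minimal record in the Event Log XML schema (constructed sample data)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System><EventData>{body}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed from the values in the post's event samples
    _event_xml(4688, "2024-03-28T20:06:41.9254105Z", {"NewProcessId": "0x17eac",
               "NewProcessName": CHROME, "CommandLine": f'"{CHROME}"'}),
    _event_xml(16385, "2024-03-28T20:06:42.1772585Z", {"OperationType": "SPCryptUnprotect",
               "DataDescription": "Google Chrome", "CallerProcessID": "97964",
               "CallerProcessCreationTime": "133561300019253302"}),
    # pid 0x10ca0 first belongs to an earlier Chrome process (constructed), then is reused by python3.exe
    _event_xml(4688, "2024-03-28T19:00:00.0000000Z", {"NewProcessId": "0x10ca0",
               "NewProcessName": CHROME, "CommandLine": f'"{CHROME}"'}),
    _event_xml(4688, "2024-03-28T20:28:13.6527871Z", {"NewProcessId": "0x10ca0",
               "NewProcessName": PYTHON, "CommandLine": f'"{PYTHON}" steal_passwords.py'}),
    _event_xml(16385, "2024-03-28T20:28:13.7891561Z", {"OperationType": "SPCryptUnprotect",
               "DataDescription": "Google Chrome", "CallerProcessID": "68768",
               "CallerProcessCreationTime": "133561312936527018"}),
]

def run_detection(xml_records, allowed_callers=ALLOWED_CALLERS):
    """Replay records in order and collect the alerts raised."""
    detector = DpapiTheftDetector(allowed_callers)
    return [a for a in (detector.ingest(parse_event(r)) for r in xml_records) if a]
```

Running `run_detection(SAMPLE_EVENTS)` yields a single alert for PID 68768 naming python3.exe and its steal_passwords.py command line; the earlier Chrome process that held the same PID is ignored because the python3.exe start is the latest one before the decrypt. Dropping the python3.exe 4688 from the list instead produces a "start time does not match" alert rather than a false pass, because the stale Chrome start fails the creation-time check. In a real deployment the allowlist should be paired with the controls the post mentions (no local admin, application allowlisting), since the image path alone cannot distinguish Chrome from code injected into it.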
Summary
This blog has described a technique for strong detection of cookie and credential theft. We hope that all defenders find this post useful. Thanks to Microsoft for adding the DPAPIDefInformationEvent log type, without which this would not be possible.
Chromium's sandboxed process model defends well from malicious web content, but there are limits to how well the application can protect itself from malware already on the computer. Cookies and other credentials remain a high value target for attackers, and we are trying to tackle this ongoing threat in multiple ways, including working on web standards like
DBSC
that will help disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value.
Where it is not possible to prevent the theft of credentials and cookies by malware, the next best thing is making the attack more observable by antivirus, endpoint detection agents, or enterprise administrators with basic log analysis tools.
This blog describes one set of signals for use by system administrators or endpoint detection agents that should reliably flag any access to the browser’s protected data from another application on the system. By increasing the likelihood of an attack being detected, this changes the calculus for those attackers who might have a strong desire to remain stealthy, and might cause them to rethink carrying out these types of attacks against our users.
Background
Chromium based browsers on Windows use the DPAPI (Data Protection API) to secure local secrets such as cookies, password etc. against theft. DPAPI protection is based on a key derived from the user's login credential and is designed to protect against unauthorized access to secrets from other users on the system, or when the system is powered off. Because the DPAPI secret is bound to the logged in user, it cannot protect against local malware attacks — malware executing as the user or at a higher privilege level can just call the same APIs as the browser to obtain the DPAPI secret.
Since 2013, Chromium has been applying the CRYPTPROTECT_AUDIT flag to DPAPI calls to request that an audit log be generated when decryption occurs, as well as tagging the data as being owned by the browser. Because all of Chromium's encrypted data storage is backed by a DPAPI-secured key, any application that wishes to decrypt this data, including malware, should always reliably generate a clearly observable event log, which can be used to detect these types of attacks.
There are three main steps involved in taking advantage of this log:
Enable logging on the computer running Google Chrome, or any other Chromium based browser.
Export the event logs to your backend system.
Create detection logic to detect theft.
This blog will also show how the logging works in practice by testing it against a python password stealer.
Step 1: Enable logging on the system
DPAPI events are logged into two places in the system. Firstly, there is the
4693 event that can be logged into the Security Log. This event can be enabled by turning on "Audit DPAPI Activity" and the steps to do this are described
here, the policy itself sits deep within Security Settings -> Advanced Audit Policy Configuration -> Detailed Tracking.
Here is what the 4693 event looks like:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{...}" />
 <EventID>4693</EventID>
 <Version>0</Version>
 <Level>0</Level>
 <Task>13314</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8020000000000000</Keywords>
 <TimeCreated SystemTime="2015-08-22T06:25:14.589407700Z" />
 <EventRecordID>175809</EventRecordID>
 <Correlation />
 <Execution ProcessID="520" ThreadID="1340" />
 <Channel>Security</Channel>
 <Computer>DC01.contoso.local</Computer>
 <Security />
 </System>
 <EventData>
 <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
 <Data Name="SubjectUserName">dadmin</Data>
 <Data Name="SubjectDomainName">CONTOSO</Data>
 <Data Name="SubjectLogonId">0x30d7c</Data>
 <Data Name="MasterKeyId">0445c766-75f0-4de7-82ad-d9d97aad59f6</Data>
 <Data Name="RecoveryReason">0x5c005c</Data>
 <Data Name="RecoveryServer">DC01.contoso.local</Data>
 <Data Name="RecoveryKeyId" />
 <Data Name="FailureId">0x380000</Data>
 </EventData>
</Event>
The issue with the 4693 event is that while it is generated whenever there is DPAPI activity on the system, it unfortunately does not contain information about which process was performing the DPAPI activity, nor about which particular secret is being accessed. This is because the Execution ProcessID field in the event will always be the process id of lsass.exe, since it is this process that manages the encryption keys for the system, and there is no entry for the description of the data.
It was for this reason that, in recent versions of Windows, a new event type was added to help identify the process making the DPAPI call directly. This event was added to the Microsoft-Windows-Crypto-DPAPI stream, which manifests in the Event Log under Applications and Services Logs > Microsoft > Windows > Crypto-DPAPI in the Event Viewer tree.
The new event is called DPAPIDefInformationEvent and has id 16385, but unfortunately it is only emitted to the Debug channel, which by default is not persisted to an Event Log unless Debug channel logging is enabled. This can be done directly in PowerShell:
# Open the configuration of the Crypto-DPAPI Debug channel and turn on persistence
$log = `
 New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration `
 Microsoft-Windows-Crypto-DPAPI/Debug
$log.IsEnabled = $True
$log.SaveChanges()

Once this log is enabled then you should start to see 16385 events generated, and these will contain the real process ids of applications performing DPAPI operations. Note that 16385 events are emitted by the operating system even for data not flagged with CRYPTPROTECT_AUDIT, but to identify the data as owned by the browser, the data description is essential. 16385 events are described later.
You will also want to enable Audit Process Creation in order to know the current mapping of process ids to process names; more details on that later. You might also consider enabling logging of full command lines.
Step 2: Collect the events
The events you want to collect are:
From Security log:
4688: "A new process was created."
From Microsoft-Windows-Crypto-DPAPI/Debug log: (enabled above)
16385: "DPAPIDefInformationEvent"
These should be collected from all workstations, and persisted into your enterprise logging system for analysis.
Step 3: Write detection logic to detect theft.
With these two events it is now possible to detect when an unauthorized application calls into DPAPI to try and decrypt browser secrets.
The general approach is to generate a map of process ids to active processes using the 4688 events, then every time a 16385 event is generated, it is possible to identify the currently running process, and alert if the process does not match an authorized application such as Google Chrome. You might find your enterprise logging software can already keep track of which process ids map to which process names, so feel free to just use that existing functionality.
Let's dive deeper into the events.
A 4688 event looks like this; for example, here is the Chrome browser launching from explorer:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{...}" />
 <EventID>4688</EventID>
 <Version>2</Version>
 <Level>0</Level>
 <Task>13312</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8020000000000000</Keywords>
 <TimeCreated SystemTime="2024-03-28T20:06:41.9254105Z" />
 <EventRecordID>78258343</EventRecordID>
 <Correlation />
 <Execution ProcessID="4" ThreadID="54256" />
 <Channel>Security</Channel>
 <Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
 <Security />
 </System>
 <EventData>
 <Data Name="SubjectUserSid">S-1-5-18</Data>
 <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
 <Data Name="SubjectDomainName">CONTOSO</Data>
 <Data Name="SubjectLogonId">0xe8c85cc</Data>
 <Data Name="NewProcessId">0x17eac</Data>
 <Data Name="NewProcessName">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
 <Data Name="TokenElevationType">%%1938</Data>
 <Data Name="ProcessId">0x16d8</Data>
 <Data Name="CommandLine">"C:\Program Files\Google\Chrome\Application\chrome.exe" </Data>
 <Data Name="TargetUserSid">S-1-0-0</Data>
 <Data Name="TargetUserName">-</Data>
 <Data Name="TargetDomainName">-</Data>
 <Data Name="TargetLogonId">0x0</Data>
 <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
 <Data Name="MandatoryLabel">S-1-16-8192</Data>
 </EventData>
</Event>

The important part here is the NewProcessId, in hex 0x17eac, which is 97964 in decimal.
A 16385 event looks like this:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-Crypto-DPAPI" Guid="{...}" />
 <EventID>16385</EventID>
 <Version>0</Version>
 <Level>4</Level>
 <Task>64</Task>
 <Opcode>0</Opcode>
 <Keywords>0x2000000000000040</Keywords>
 <TimeCreated SystemTime="2024-03-28T20:06:42.1772585Z" />
 <EventRecordID>826993</EventRecordID>
 <Correlation ActivityID="{777bf68d-7757-0028-b5f6-7b775777da01}" />
 <Execution ProcessID="1392" ThreadID="57108" />
 <Channel>Microsoft-Windows-Crypto-DPAPI/Debug</Channel>
 <Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
 <Security UserID="S-1-5-18" />
 </System>
 <EventData>
 <Data Name="OperationType">SPCryptUnprotect</Data>
 <Data Name="DataDescription">Google Chrome</Data>
 <Data Name="MasterKeyGUID">{4df0861b-07ea-49f4-9a09-1d66fd1131c3}</Data>
 <Data Name="Flags">0</Data>
 <Data Name="ProtectionFlags">16</Data>
 <Data Name="ReturnValue">0</Data>
 <Data Name="CallerProcessStartKey">32651097299526713</Data>
 <Data Name="CallerProcessID">97964</Data>
 <Data Name="CallerProcessCreationTime">133561300019253302</Data>
 <Data Name="PlainTextDataSize">32</Data>
 </EventData>
</Event>

The important parts here are the OperationType, the DataDescription and the CallerProcessID.
For DPAPI decrypts, the OperationType will be SPCryptUnprotect.
Each Chromium based browser will tag its data with the product name, e.g. Google Chrome or Microsoft Edge, depending on the owner of the data. This will always appear in the DataDescription field, so it is possible to distinguish browser data from other DPAPI secured data.
Finally, the CallerProcessID will map to the process performing the decryption. In this case, it is 97964, which matches the process ID seen in the 4688 event above, showing that this was likely Google Chrome decrypting its own data! Bear in mind that since these logs only contain the path to the executable, for full assurance that this is actually Chrome (and not malware pretending to be Chrome, or malware injecting into Chrome), additional protections such as removing administrator access and application allowlisting could also be used to give higher assurance of this signal. In recent versions of Chrome or Edge, you might also see logs of decryptions happening in the elevation_service.exe process, which is another legitimate part of the browser's data storage.
To detect unauthorized DPAPI access, you will want to generate a running map of all processes using 4688 events, then look for 16385 events whose CallerProcessID does not match a valid caller. Let's try that now.
Testing with a python password stealer
We can test that this works with a public script to decrypt passwords taken from a public blog. It generates two events, as expected:
Here is the 16385 event, showing that a process is decrypting the "Google Chrome" key.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 < ... >
 <EventID>16385</EventID>
 < ... >
 <TimeCreated SystemTime="2024-03-28T20:28:13.7891561Z" />
 < ... >
 </System>
 <EventData>
 <Data Name="OperationType">SPCryptUnprotect</Data>
 <Data Name="DataDescription">Google Chrome</Data>
 < ... >
 <Data Name="CallerProcessID">68768</Data>
 <Data Name="CallerProcessCreationTime">133561312936527018</Data>
 <Data Name="PlainTextDataSize">32</Data>
 </EventData>
</Event>
Since the data description being decrypted was "Google Chrome" we know this is an attempt to read Chrome secrets, but to determine the process behind 68768 (0x10ca0), we need to correlate this with a 4688 event.
Here is the corresponding 4688 event from the Security Log (a process start for python3.exe) with the matching process id:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 < ... >
 <EventID>4688</EventID>
 < ... >
 <TimeCreated SystemTime="2024-03-28T20:28:13.6527871Z" />
 < ... >
 </System>
 <EventData>
 < ... >
 <Data Name="NewProcessId">0x10ca0</Data>
 <Data Name="NewProcessName">C:\python3\bin\python3.exe</Data>
 <Data Name="TokenElevationType">%%1938</Data>
 <Data Name="ProcessId">0xca58</Data>
 <Data Name="CommandLine">"c:\python3\bin\python3.exe" steal_passwords.py</Data>
 < ... >
 <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
 </EventData>
</Event>
In this case, the process id matches the python3 executable running a potentially malicious script, so we know this is likely very suspicious behavior, and it should trigger an alert immediately! Bear in mind that process ids on Windows are not unique, so you will want to make sure you use the 4688 event with the timestamp closest to, but earlier than, the 16385 event.
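As an added example (not code from this post, from Chrome, or from Microsoft), here is the Step 3 correlation logic in Python, run over events constructed from the field values shown above. It builds the process-id map from 4688 events, resolves each browser-tagged SPCryptUnprotect 16385 event to the latest 4688 for that PID that is not later than the decrypt (so reused PIDs resolve correctly), and flags any caller outside an allowlist. The AUTHORIZED_CALLERS set, the BROWSER_DESCRIPTIONS set, the make_event helper and the extra notepad.exe process start that reuses Chrome's PID are assumptions and constructed sample data, not values from the post.

```python
"""Correlate Security 4688 (process creation) events with Crypto-DPAPI 16385
(DPAPIDefInformationEvent) events and alert when a process outside the
allowlist decrypts browser-tagged DPAPI data.

Added example for this post; not code from Chrome, Chromium or Microsoft.
Sample events are constructed from the field values shown in the post.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# DataDescription values Chromium browsers tag their DPAPI blobs with (from the post).
BROWSER_DESCRIPTIONS = {"Google Chrome", "Microsoft Edge"}

# Executables allowed to decrypt that data (lower-cased full paths).
# Assumption: tune to your fleet, e.g. add msedge.exe and the browser's
# elevation_service.exe where they apply.
AUTHORIZED_CALLERS = {
    r"c:\program files\google\chrome\application\chrome.exe",
}


def parse_time(s: str) -> datetime:
    """Parse a SystemTime attribute such as "2024-03-28T20:06:41.9254105Z".
    Windows writes 7 fractional digits; truncate to the 6 datetime supports."""
    base, _, frac = s.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def parse_event(xml_text: str) -> dict:
    """Reduce one event XML document to its id, timestamp and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return {
        "id": int(system.find("e:EventID", NS).text),
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "data": data,
    }


def detect(events: list, authorized=AUTHORIZED_CALLERS) -> list:
    """Return (time, pid, image path, description) for each suspicious decrypt.

    4688 carries NewProcessId in hex; 16385 carries CallerProcessID in decimal.
    PIDs are reused, so a decrypt is attributed to the latest 4688 for that PID
    whose timestamp is not later than the 16385 event."""
    starts = []   # (time, pid, image path), in time order
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        d = ev["data"]
        if ev["id"] == 4688:
            starts.append((ev["time"], int(d["NewProcessId"], 16), d["NewProcessName"]))
        elif ev["id"] == 16385:
            if d.get("OperationType") != "SPCryptUnprotect":
                continue
            if d.get("DataDescription") not in BROWSER_DESCRIPTIONS:
                continue
            pid = int(d["CallerProcessID"])
            matches = [s for s in starts if s[1] == pid and s[0] <= ev["time"]]
            image = matches[-1][2] if matches else "<no 4688 seen for pid>"
            if image.lower() not in authorized:
                alerts.append((ev["time"], pid, image, d["DataDescription"]))
    return alerts


def make_event(event_id: int, system_time: str, **fields) -> str:
    """Build a minimal event in the Windows event schema (constructed sample input)."""
    data = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [
    # Constructed: an unrelated process that earlier held PID 0x17eac (PID reuse).
    make_event(4688, "2024-03-28T19:55:00.0000000Z", NewProcessId="0x17eac",
               NewProcessName=r"C:\Windows\System32\notepad.exe"),
    # From the post: Chrome launching from explorer, then decrypting its own data.
    make_event(4688, "2024-03-28T20:06:41.9254105Z", NewProcessId="0x17eac",
               NewProcessName=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    make_event(16385, "2024-03-28T20:06:42.1772585Z", OperationType="SPCryptUnprotect",
               DataDescription="Google Chrome", CallerProcessID="97964"),
    # From the post: python3.exe running steal_passwords.py, then decrypting.
    make_event(4688, "2024-03-28T20:28:13.6527871Z", NewProcessId="0x10ca0",
               NewProcessName=r"C:\python3\bin\python3.exe"),
    make_event(16385, "2024-03-28T20:28:13.7891561Z", OperationType="SPCryptUnprotect",
               DataDescription="Google Chrome", CallerProcessID="68768"),
]


def run_sample() -> list:
    """Parse the constructed sample and return the resulting alerts."""
    return detect([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for when, pid, image, desc in run_sample():
        print(f"{when.isoformat()} ALERT pid={pid} image={image} decrypted {desc!r}")
```

Run as-is it reports one alert, for python3.exe (PID 68768); Chrome's decrypt resolves to chrome.exe rather than the earlier notepad.exe start with the same PID because the latest 4688 at or before the 16385 timestamp wins. In a SIEM you would apply the same rule as a time-bounded join on (host, PID) rather than an in-memory list, and the path-only allowlist should be paired with the application allowlisting and admin-rights controls the post mentions.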
Summary
This blog has described a technique for strong detection of cookie and credential theft. We hope that all defenders find this post useful. Thanks to Microsoft for adding the DPAPIDefInformationEvent log type, without which this would not be possible.