{"id":10524,"date":"2021-04-07T09:00:00","date_gmt":"2021-04-07T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-windows-lab-4\/"},"modified":"2026-05-25T10:21:03","modified_gmt":"2026-05-25T09:21:03","slug":"attack-detection-fundamentals-2021-windows-lab-4","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-windows-lab-4\/","title":{"rendered":"Attack Detection Fundamentals 2021: Windows &#8211; Lab #4"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals 2021: Windows &#8211; <span class=\"blue-text\">Lab #4<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n            
target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Jaa X:ss\u00e4 (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the first part of WithSecure Consulting&#x27;s Attack Detection Fundamentals workshop series for 2021, we covered advanced defense evasion and credential access techniques targeting Windows endpoints.  This included the offensive and defensive use of API hooking, as well as the theft of cookies to enable &#x27;session hijacking&#x27;.<\/p>\n<p>A recording of the first workshop can be found <a href=\"https:\/\/www.youtube.com\/watch?v=h1OBjMx-R-M\" target=\"_blank\" rel=\"noopener\">here<\/a> and the slides are available <a href=\"https:\/\/www.f-secure.com\/content\/dam\/f-secure\/en\/consulting\/events\/collaterals\/digital\/f-secure_attack-detection-fundamentals-workshop-1-windows_2021-04-07.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a><\/p>\n<p>In our last lab, we turned our focus to some post exploitation; using API hooking to grab some plaintext credentials as our target user authenticated to a remote host with RDP.<\/p>\n<p>In this lab, we&#x27;ll keep with the post exploitation theme. We are going to steal browser cookies from a target user who has authenticated to a web service of interest (in our case we&#x27;ll use GitHub). 
We&#x27;ll make use of Rich Warren&#x27;s <a href=\"https:\/\/github.com\/rxwx\/chlonium\" target=\"_blank\" rel=\"noopener\">Chlonium<\/a> project to extract the master key used by Chrome to encrypt the cookies, then copy the cookie database onto our attacking host. With both of these components &#8211; the master key and the cookie database &#8211; we can import the cookies into our attacker instance of Chrome and hijack the target user&#x27;s session; accessing GitHub as them!<\/p>\n<p>By configuring SACLs on our sensitive Chrome files, we&#x27;ll explore how we might detect suspected hijacking.<\/p>\n<p>Finally, we&#x27;ll look at another feature of Chlonium that enables us to extract saved passwords from our target user&#x27;s Chrome browser, decrypting these to reveal them in plaintext.<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/rxwx\/chlonium\/tree\/master\/Chlonium\" target=\"_blank\" rel=\"noopener\">GitHub &#8211; Chlonium<\/a><\/li>\n<li><a href=\"https:\/\/medium.com\/@cryps1s\/detecting-windows-endpoint-compromise-with-sacls-cd748e10950\" target=\"_blank\" rel=\"noopener\">Dane Stuckey&#x27;s Detecting Windows Endpoint Compromise with SACLs<\/a><\/li>\n<li><a href=\"https:\/\/www.harmj0y.net\/blog\/redteaming\/operational-guidance-for-offensive-user-dpapi-abuse\/\" target=\"_blank\" rel=\"noopener\">Harmj0y&#x27;s Operational Guidance for Offensive User DPAPI Abuse<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1539\/\" target=\"_blank\" rel=\"noopener\">MITRE &#8211; Steal Web Session Cookie<\/a><\/li>\n<\/ul>\n<p>DISCLAIMER: Set up of the tools and the testing environment is not covered comprehensively within this lab. 
We will assume basic familiarity with Windows command line and the ability of the reader to build the necessary tools.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>2x Windows VMs (both with Google Chrome installed &#8211; tested with version 89.0.4389.82)<\/li>\n<li>A compiled version of Chlonium (UI and command-line tool). We&#x27;ve provided a pre-compiled version modified for Chrome 89.0.4389.82 <a href=\"https:\/\/github.com\/ajpc500\/chlonium\/tree\/master\/binaries\" target=\"_blank\" rel=\"noopener\">here<\/a> &#8211; as with any pre-compiled offensive tooling, prefer building it from source yourself, and only run it inside an isolated lab.<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>Setup<\/h3>\n<p>Firstly on our target host, we&#x27;ll need to authenticate as a legitimate user to our web service of choice (so we have a session to steal!). For our purposes, we&#x27;ll use GitHub, but you might want to experiment with other services.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/logged-into-github1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>To keep things simple for our lab, we&#x27;re going to use Chlonium from our target host as a simple executable, so make sure that is present on the host (the chlonium.exe binary only, we&#x27;ll need the chloniumUI.exe on our attacker host later). It&#x27;s worth noting that, as a .NET assembly, there are many ways in which Chlonium could be used in a more life-like offensive scenario. As an example, it could be run entirely in-memory, as supported by many popular C2 frameworks, e.g. using Cobalt Strike&#x27;s &#x27;execute-assembly&#x27; function. 
We&#x27;ll also touch on an alternative means of executing this attack later on.<\/p>\n<p>As we saw in the workshop, there are two files of particular interest for our attack technique.<\/p>\n<ul>\n<li>%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Local State<\/li>\n<li>%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies<\/li>\n<\/ul>\n<p>The first of these contains our master key, and the second, our cookie database. We need both elements to decrypt the cookies, before they can be re-imported on our attacker host. As such, we&#x27;ll use the following script (run from an elevated PowerShell prompt &#8211; editing a SACL requires the &#x27;Manage auditing and security log&#x27; privilege) to place a SACL on both files, producing a log entry when either file is read (script adapted from Dane Stuckey&#x27;s great post <a href=\"https:\/\/medium.com\/@cryps1s\/detecting-windows-endpoint-compromise-with-sacls-cd748e10950\" target=\"_blank\" rel=\"noopener\">here<\/a>). Note that <code>$ENV:USERPROFILE<\/code> resolves to the profile of the account running the elevated shell; if that is not the target user, substitute their profile path explicitly.<\/p>\n<pre><code class=\"language-powershell\"># SACL Primitive for File Reads \/ Directory Traversals \/ Ownership Changes\n$AuditUser = &quot;Everyone&quot;\n$AuditRules = &quot;ReadData, TakeOwnership&quot;\n$InheritType = &quot;None&quot;\n$PropagationFlags = &quot;None&quot;\n$AuditType = &quot;Success&quot;\n$FileReadSuccessAudit = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType, $PropagationFlags,$AuditType)\n$FilePaths = @(\n&quot;$ENV:USERPROFILE\\AppData\\Local\\Google\\Chrome\\User Data\\Local State&quot;,\n&quot;$ENV:USERPROFILE\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies&quot;\n)\n\n# Pipe the paths in: ForEach-Object -InputObject treats the whole array as a single object rather than iterating it\n$FilePaths | ForEach-Object {\n# Get the ACL with Audit ACEs\n$Acl = Get-Acl $_ -Audit\n\n# Set the ACE\n$Acl.SetAuditRule($FileReadSuccessAudit)\n\n# Apply the ACL\n$Acl | Set-Acl | Out-Null\n}<\/code><\/pre>\n<p>For our Object Read events (ID 4663) to surface in the Windows Event Log, we&#x27;ll need to enable the Object Access logging. 
As we&#x27;re just applying this to our target lab host (as opposed to say, a full corporate environment), we can apply this with local Group Policy, navigating to the following location:<\/p>\n<pre><code class=\"language-bash\">Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Advanced Audit Policy Configuration -&gt; System Audit Policies - Local Group Policy Object -&gt; Object Access -&gt; Audit File System<\/code><\/pre>\n<p>The same subcategory can be enabled from an elevated prompt with <code>auditpol \/set \/subcategory:&quot;File System&quot; \/success:enable \/failure:enable<\/code>. This subcategory only produces events for objects that carry a SACL, so enabling it is not noisy in itself &#8211; the event volume is governed by the SACLs we choose to place.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/setting-file-system-audit.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>For our purposes, we&#x27;ll enable both successful and failed access attempts.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/setting-file-system-audit-suc-and-fail2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>With our SACL set on the &#x27;Cookies&#x27; and &#x27;Local State&#x27; files, and our File System Audit settings enabled, we can open &#x27;Event Viewer&#x27; and hopefully view our Event ID 4663s in the &#x27;Security&#x27; log!<\/p>\n<h3>Retrieving Session Material from Target Host<\/h3>\n<p>Firstly, let&#x27;s retrieve the master key from the &#x27;Local State&#x27; file. For our Google Chrome browser, we can use the default settings of Chlonium and just run it as below. As discussed in the workshop, Chrome makes use of DPAPI to protect the credential material stored in the Local State file. As we&#x27;re running under the context of our target user, we can simply run Chlonium to transparently decrypt this key and exfiltrate it from the host.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/using-chlonium2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Then we can copy the &#x27;Cookies&#x27; database from the target host. 
In our case, we&#x27;re just saving it to a shared drive between our attacker and target VMs, but in a real-life scenario, this would likely be downloaded through an existing C2 channel.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/exfil-cookies.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>Importing Session Material on Attacker Host<\/h3>\n<p>On our attacker host, we can use Chlonium&#x27;s UI component to import the cookies into our attacker Chrome session. We provide the master key we retrieved, and the &#x27;Cookies&#x27; database.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/using-chlonium-ui.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Clicking the &#x27;Import&#x27; button, if all goes well, we should receive a message box confirming successful import.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/successfully-imported-cookies.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Now with our cookies imported, browsing to GitHub with Chrome on our attacker host, we should be taken straight to our compromised user&#x27;s GitHub account!<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/logged-into-github-on-attacker-host1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>Retrieving Saved Passwords from Chrome<\/h3>\n<p>Chlonium can also be used to decrypt the passwords that have been saved in Chrome. 
Conveniently, these passwords are encrypted with the same master key we&#x27;ve already retrieved, and the only additional material we need from the victim host is the following file.<\/p>\n<ul>\n<li>%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data<\/li>\n<\/ul>\n<p>For our lab, confirm that the target web service credentials are saved in Chrome.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/confirm-saved-password1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Now, we can retrieve the &#x27;Login Data&#x27; file and, as before, we&#x27;ll simply save it to a shared drive.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/copying-login-data-from-victim.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>With our master key from before, we can provide the &#x27;Login Data&#x27; file to the Chlonium UI, in lieu of our previous &#x27;Cookies&#x27; file. 
Rather than import these saved credentials into our attacker Chrome browser, we&#x27;ll just export them to a text file to view them in plaintext.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/using-login-data-with-chlonium.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Clicking the &#x27;Export to Text File&#x27; option and saving to a suitable location, we should hopefully be presented with an &#x27;Exported!&#x27; message box confirming the successful decryption of our saved passwords!<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/successfully-exported-logins.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Viewing the exported text file, we can see our plaintext password!<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/logins-txt-file.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>Alternative Implementations<\/h3>\n<p>As outlined in Harmj0y&#x27;s <a href=\"https:\/\/www.harmj0y.net\/blog\/redteaming\/operational-guidance-for-offensive-user-dpapi-abuse\/\" target=\"_blank\" rel=\"noopener\">blog<\/a>, there are several options for abusing DPAPI for extracting our Chrome cookies.<\/p>\n<p>Benjamin Delpy&#x27;s Mimikatz includes functionality for extracting cookies and master keys, as well as (as we well know) many other things. 
It is left as an exercise to the reader to experiment with Cookie theft using Mimikatz and how the detection opportunities we&#x27;ve explored in this lab might differ.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/mimikatz.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>Detecting the Attack<\/h2>\n<p>Viewing our ID 4663 events in the &#x27;Security&#x27; log in Event Viewer, we can see entries for both our &#x27;Local State&#x27; file (containing the master key we retrieved using &#x27;Chlonium.exe&#x27;), and our &#x27;Cookies&#x27; file.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/local-state-access-4663.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/cookies-access-4663.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Note the information presented in these log entries &#8211; we can see the user that initiated the file read, the file that was accessed, and the process used.<\/p>\n<p>This presents us a good opportunity to detect cookie theft through identifying anomalous processes accessing sensitive files. One thing to bear in mind, both as an operator and as a defender, is the limitations of this specific SACL-centric detection. 
Should an attacker inject malicious code into the Chrome process to retrieve the sensitive material, the activity could pass without scrutiny, in the event that the Chrome process is filtered out of any developed detection (and some filtering is unavoidable, since Chrome itself reads these files constantly).<\/p>\n<p>As an exercise for the reader, can you apply a SACL to the &#x27;Login Data&#x27; file and detect processes attempting to retrieve saved passwords from our target Chrome instance?<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/login-data-access-4663.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>One other detection opportunity that might be worth considering here is from the target web service&#x27;s perspective. If a user normally accesses a given service from their own IP address, and we &#8211; having compromised their cookie database and master key &#8211; start making similar requests to the web service from a different, attacker-controlled IP address, that change in source is observable to the service.<\/p>\n<p>With the necessary telemetry provided from the web service, we could potentially map back a given authenticated user session to its source IP addresses, investigating instances of &#x27;impossible travel&#x27;, for example. This of course has varying degrees of feasibility based on the log source quality for the web service in question.<\/p>\n<h2>Conclusion<\/h2>\n<p>Having compromised a user&#x27;s endpoint, session hijacking presents a potent technique for attackers seeking to access their web services; particularly those otherwise protected with Multi-Factor Authentication (MFA).<\/p>\n<p>As we&#x27;ve seen, System Access Control Lists (SACLs) provide us with the opportunity to log attempted access to the sensitive files needed to perform a session hijack (at least in the manner we&#x27;ve seen in this lab). As you can probably imagine, the utility of SACLs extends far beyond our lab example, and could be applied to all manner of sensitive files (and registry keys!) to detect suspicious activity. 
This could include:<\/p>\n<ul>\n<li>Canary files (i.e. files placed specifically to be picked up by an attacker&#x27;s initial host-based reconnaissance activities).<\/li>\n<li>Password vaults.<\/li>\n<li>SSH keys.<\/li>\n<li>Cloud Provider Access Keys.<\/li>\n<\/ul>\n<p>Invariably, the volume of telemetry that a given SACL produces is dictated by the object we apply it to, as well as the type of behaviour we choose to log. We applied an &#x27;object read&#x27; SACL in our example; in another scenario, we might want to use an &#x27;object write&#x27; SACL instead, ensuring telemetry is only produced when changes are made to the file.<\/p>\n<p>And there we have it, that&#x27;s a wrap on the first workshop of our 2021 Attack Detection Fundamentals series. See you for the next one!<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-windows-lab-4\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Windows%20&#8211;%20Lab%20#4\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Jaa LinkedIniss\u00e4\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            
<\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Windows &#8211; Lab #4&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-windows-lab-4\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Jaa X:ss\u00e4 (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                        <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-cta-banner edwp-block js-wp-block-cta-banner wp-block-cta-banner--style-icon wp-block-cta-banner--no-image layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cta-banner__container\">\n        <div class=\"wp-block-cta-banner__box row-load\">\n            <div class=\"wp-component-content wp-component-content--help-text wp-component-content--dark wp-block-cta-banner__content\">\n                        <div class=\"wp-component-content__inner\">\n                <h2 class=\"wp-component-heading text--h2 wp-component-heading--dark wp-component-content__title\">\n    What <span class=\"blue-text\">next?<\/span><\/h2>                                    <div class=\"wp-component-content__content wysiwyg wysiwyg--dark\">\n                        <div class=\"wp-component-paragraph wp-component-paragraph--dark\">\n    <p class=\"text--p-medium\">Discover WithSecure\u2122 Elements Exposure Management.<br \/>\n&#8211; No credit card required. 
No obligations. No complexity.<\/p>\n<\/div>\n                    <\/div>\n                            <\/div>\n                            <div class=\"wp-component-content__buttons\">\n                <a class=\"wp-component-button btn btn--primary btn--dark\" href=\"https:\/\/www.withsecure.com\/en\/contact-us\/\">Contact us<\/a>            <\/div>\n                <\/div>                    <\/div>\n    <\/div>\n<\/section>\n\n\n\n\n<section\n    class=\"wp-block-cards edwp-block wp-block-cards--col-3 js-wp-block-cards wp-block-cards--show-overflow wp-block-cards--auto-slides-per-view layout--spacing-xxxl-top layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-cards__container\">\n        <div class=\"wp-component-content wp-component-content--default wp-block-cards__content\">\n            <h2 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Related <span class=\"blue-text\">Labs content<\/span><\/h2>                    <div class=\"wp-component-content__inner\">\n                                    <div class=\"wp-component-content__content wysiwyg\">\n                        <div class=\"wp-component-paragraph \">\n    <p class=\"text--p-medium\"><span data-teams=\"true\">Find content related to this topic.<\/span><\/p>\n<\/div>\n                    <\/div>\n                                                            <\/div>\n                <\/div>                            <div\n                class=\"swiper wp-block-cards__swiper js-wp-block-cards-swiper\"\n                data-slides-per-view-desktop=\"auto\"\n                data-slides-per-view-tablet=\"auto\"\n                data-slides-per-view-mobile=\"auto\"\n            >\n                <div class=\"swiper-wrapper wp-block-cards__swiper-wrapper row-load\">\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card 
wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">On 4th August 2023, WithSecure Detection and Response Team (DRT) received an alert regarding spoofed process injection with abnormal memory characteristics on a host belonging to a WithSecure Countercept MDR 
customer.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/darkgate-rises\/\">Lue lis\u00e4\u00e4<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat 
intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Reverse engineering a Lumma infection<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/reverse-engineering-a-lumma-infection\/\">Lue lis\u00e4\u00e4<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div 
class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Machine learning-driven malware analysis<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/machine-learning-driven-malware-analysis\/\">Lue lis\u00e4\u00e4<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n             
           <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In this lab, we&#8217;ll keep with the post exploitation theme. We are going to steal browser cookies from a target user who has authenticated to a web service of interest (in our case we&#8217;ll use GitHub). <\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[302,326,303],"labs_content_type":[305],"class_list":["post-10524","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-endpoint-security","category-software-protection"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span 
class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals 2021: Windows &#8211; Lab #4<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In this lab, we&#039;ll keep with the post exploitation theme. We are going to steal browser cookies from a target user who has authenticated to a web service of interest (in our case we&#039;ll use GitHub). <\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-2021-windows-lab-4\/\">Lue lis\u00e4\u00e4<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item\/10524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/media?parent=10524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/categories?post=10524"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/labs_content_type?post=10524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}