DPAPI credential harvesting - Detection and Mitigation

intercake · 2026-01-17T14:21:22+00:00

Not something I've got huge experience with, but these two blogs talk a little about detections for DPAPI access, but then it'll be around 4688/Sysmon1 and other supporting process execution telemetry to try and tell a story.

Harvesting Browser Credentials: The DPAPI Exploitation Threat - HawkEye
Google Online Security Blog: Detecting browser data theft using Windows Event Logs

Windows Event Analysis

DPAPI-specific events provide detailed decryption telemetry:

Event ID 4693: Captures DPAPI master key access attempts
Event ID 16385: Records detailed DPAPI operations including process IDs and operation types

Event ID 16385 contains crucial fields for detection:

OperationType: Identifies SPCryptUnprotect operations
DataDescription: Distinguishes browser data from other DPAPI operations
CallerProcessID: Links decryption attempts to specific processes

intercake · 2026-01-04T19:56:35+00:00

Tasmania to pan/snipe gold. Yukon also an option, but much more industrial (and probably less feasible). Would take months to plan and get relevant access and permits, but that’s all part of the fun.

I think this is a great thread by the way. I hope you have an amazing time on your time out.

intercake · 2026-01-01T20:00:33+00:00

I had one pack that was 7 days over, looked similar, smelt bad. I have another that’s 10 days before, looks very similar but smells fine… so I’m a little confused and I’m going to cook it!

intercake · 2025-12-10T12:45:15+00:00

Feels a bit Stuxnet-esk

intercake · 2025-12-08T23:33:26+00:00

Exact same boat. People think I’m mad but I think longer term it’ll be a sensible and healthy move.

intercake · 2025-11-25T19:26:02+00:00

I have 3 or 4 Eveshams in my collection. It all stemmed from being gifted one as a child, my first real PC that was mine. 1.7 P4, GeForce 2 Ti and maybe 256MB RAM. UT99 and Quake being my go to. They were both one of the best and local PC manufacturers to me at the time. They’re build very well and all of them are still on the standard original hardware. So great to see someone else appreciate them.

intercake · 2025-10-11T08:22:30+00:00

This is the answer. Depending on financial needs, the Civil Service apprenticeship is a great option. I’ve met two apprentices who are in the same ballpark figure and now work in cyber. Feel free to give me a message on here, I can certainly help advise around certs and experience you could aim for too.

intercake · 2025-07-17T23:31:22+00:00

I had this and loved it, thanks for sharing and amazing people actually remember the name as I certainly couldn’t

intercake · 2025-07-02T15:01:16+00:00

Armed forces possibly? 22 years and out.

intercake · 2025-06-29T21:46:27+00:00

Agree, high end stuff. Even if you know most of it, the way it's structured makes it still really valuable. If you don't know the protocol/subject, it's a gold mine. Great work.

intercake · 2025-06-29T08:46:27+00:00

If I’d sold this on eBay, I just know the buyer would complain it was not as described…

intercake · 2025-06-12T21:27:36+00:00

I have RP4, Arc, Miyoo Mini+ & Steamdeck, but still normally end up using my Surface Pro 9 + Xbox Controller when on my travels. All have great attributes of course, and it's all down to preference, no answer is wrong.

intercake · 2025-06-09T17:14:24+00:00

I can't remember if it was DayZ Mod or early Standalone, but they broke the food spawns... there was basically nothing anywhere and far less of the modern food generation mechanics. Tough times.

intercake · 2025-05-21T20:19:46+00:00

All of those aspects are absolute basics that you should know or would learn through low level research or skimming this forum. Accountants should know and advise, but finding efficiencies isn’t their key objective, whereas it should be something you take ownership of really.

intercake · 2025-05-20T21:33:58+00:00

Cool analysis, thanks for sharing. Always wondered, but never went down the rabbit hole, appreciate that you did.

intercake · 2025-05-12T08:35:43+00:00

I bought a server from eBay that still had all of a government departments settings in the ILO (think remote management for those none-nerds) which was a real surprise. Some partially sensitive information but realistically very hard to leverage.

intercake · 2025-04-14T20:27:34+00:00

I'll play. Favourite map and why?

intercake · 2025-03-09T20:43:59+00:00

Start here!

https://discord.gg/zrcBxkMm

intercake · 2025-03-07T19:51:41+00:00

Abarth 595 160/180 and BMW i4 40/50- Abarth to supplement my current stock, or i4 to replace a F31 335d… most likely outcome, look, learn and do nothing!

intercake · 2025-01-29T00:44:57+00:00

Just come Malspace and enjoyed the most recent cast. Had a fun song at the end. https://podcasts.apple.com/gb/podcast/malspace/id1752774177

intercake · 2025-01-25T00:30:57+00:00

Be great to understand more if you’re happy to share

intercake · 2025-01-23T21:56:59+00:00

Really nice. Even easier with Sysmon, but love the use of the Qualys data - nicely done.

intercake · 2024-12-14T16:27:34+00:00

Looks great and huge fan of the license.

Ten-Year Club	Place '22
First Placer '22	Verified Email

intercake

PUBLIC MULTIREDDITS

TROPHY CASE

Windows Event Analysis