etc.). Additionally, SharpDPAPI (https://github.com/GhostPack/SharpDPAPI#statekeys) will allow you to decrypt the Chromium state key file if you have DPAPI state keys, the current password, or the domain backup key, allowing you to dump cookies remotely over SMB!

When carrying out Red Teaming, I sometimes need to dump a user's cookies multiple times over a sustained period (e.g. daily/weekly). Using a .NET assembly, Reflective DLL or other in-memory execution technique to extract individual cookies from the cookie file directly on the target system is unnecessary and exposes the operator to increased risk of detection. Instead you can simply dump the state key once, and copy the Cookies database file off whenever you need fresh cookies, without requiring additional execution.

Demo

See here (https://vimeo.com/452632559?quality=1080p) for a video demo.

Password Import/Export

ChloniumUI also supports password import and export. To use this feature, simply supply the Login Data database path instead of the Cookies db, along with the state key, and select the browser you wish to import them into (for export this doesn't matter). This allows you to either export passwords in plaintext to a file, or import them into your browser. As with cookies, you can import Chrome passwords into Edge, Edge passwords into Vivaldi etc.

Offline Statekey Decryption

Chlonium supports offline state key decryption, whereby you can decrypt the user's statekey offline if you have all of the following files:

- The Local State file from: C:\Users\\AppData\Local\\User Data\Local State
- The DPAPI masterkey files from: C:\Users\\AppData\Roaming\Microsoft\Protect\\

and one of the following:

- Domain backup key .pvk file (e.g. from NTDS.dit)
- Domain backup key in base64 (e.g. from the Mimikatz/SharpDPAPI LsaRetrievePrivateData API method)
- The user's password

Now simply provide these values under the "Offline statekey decryption" tab, and Chlonium will attempt to decrypt the encrypted statekey by first decrypting the DPAPI masterkeys (using the backup key or password), and then using these keys to decrypt the statekey. Once the statekey is decrypted, it can be used in the "Import or Export Database" tab to retrieve cookies/passwords.

Usage Note: When using the user's password to decrypt the DPAPI masterkey, Chlonium will first attempt to extract the user's SID from the BK- file within the DPAPI masterkey folder. If this fails (or if the file does not exist), it will try to get the SID from the DPAPI masterkey folder name instead (which by default is named after the user's SID). If you have renamed the folder, or do not have a copy of the BK file, you will not be able to decrypt the masterkey using a password.

This feature makes use of the excellent SharpChrome (https://github.com/GhostPack/SharpDPAPI/tree/master/SharpChrome) and SharpDPAPI (https://github.com/GhostPack/SharpDPAPI) projects by @harmj0y. Full credit goes to the original authors of SharpDPAPI.

Detection

Set a SACL on the Chrome Local State and Cookies files (as well as other sensitive files such as Login Data and History). Look for suspicious (e.g. non browser-related) processes opening any of these files. Take a look at this great blog post (https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950) from @cryps1s about setting up SACLs for detection. For AV vendors that use a file system filter driver, consider blocking non browser-related processes from opening these files, e.g. PowerShell opening the Cookies file.
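The SACL-based detection described above, as an added example that is not part of Chlonium or the original post: a small Python filter over constructed 4656/4663-style object-access records that flags any process other than a known browser opening the Local State, Cookies, Login Data or History files. The file pattern, browser allowlist and record format are assumptions; the approach of dumping the state key once and then just copying the Cookies file off still surfaces here, because each copy is itself a non-browser read of the file.

```python
import re

# Chromium files worth a SACL: state key, cookie store, saved logins, history.
# Cookies sit in the profile folder or under Network\ in newer builds; the
# SQLite -journal side file is covered too. Constructed pattern, not from Chlonium.
SENSITIVE_FILE = re.compile(
    r"\\User Data\\(?:Local State|[^\\]+\\(?:Network\\)?(?:Cookies|Login Data|History))"
    r"(?:-journal)?$",
    re.IGNORECASE,
)
# Browser binaries expected to open their own profile files (assumed allowlist).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe"}
# 4656 = handle requested, 4663 = access attempted; both come from a file SACL.
OBJECT_ACCESS_IDS = {"4656", "4663"}


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value;Key=Value' record (constructed export format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)


def is_suspicious(event: dict) -> bool:
    """True when a non-browser process touched a sensitive Chromium file."""
    if event.get("EventID") not in OBJECT_ACCESS_IDS:
        return False
    if not SENSITIVE_FILE.search(event.get("ObjectName", "")):
        return False
    # Match on the image name only; install paths differ between hosts.
    image = event.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    return image not in BROWSER_PROCESSES


def find_alerts(lines) -> list:
    """Return the parsed events an analyst should look at."""
    return [e for e in map(parse_event, lines) if is_suspicious(e)]


# Constructed sample events (not real telemetry): a browser reading its own
# cookies, then two non-browser reads of the state key and saved logins.
SAMPLE_EVENTS = [
    r"EventID=4663;SubjectUserName=alice;ProcessName=C:\Program Files\Google\Chrome\Application\chrome.exe;"
    r"ObjectName=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"EventID=4663;SubjectUserName=alice;ProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;"
    r"ObjectName=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"EventID=4656;SubjectUserName=alice;ProcessName=C:\Windows\System32\cmd.exe;"
    r"ObjectName=C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"EventID=4663;SubjectUserName=alice;ProcessName=C:\Windows\System32\svchost.exe;"
    r"ObjectName=C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f"{a['SubjectUserName']}: {a['ProcessName']} -> {a['ObjectName']}")
```

Browsers importing each other's profiles, backup agents and sync clients will trip the same rule, so tune the allowlist per estate rather than trusting it as shipped.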
References

- https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi
- https://github.com/djhohnstein/SharpChromium
- https://github.com/GhostPack/SharpDPAPI
- https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/