← All Chokepoints CRITICAL

Infostealer Browser Credential Theft

Credential Access Collection Exfiltration T1555.003 T1539 T1041 Detection difficulty: MEDIUM Prevalence: HIGH

Infostealers systematically harvest credentials, cookies, and autofill data from browser credential databases. This is the single invariant behavior across all stealer families regardless of obfuscation or bypass technique. Hudson Rock tracks 30+ million infected computers; 1.8 billion credentials were stolen in 2025 alone, with enterprise credentials present in 14% of infections (up from 6% in early 2024). The Snowflake breach (2024) demonstrated downstream impact: UNC5537 used infostealer-harvested credentials for initial access to 160+ organizations. LummaC2 (51% of dark web credential logs before its May 2025 takedown), Stealc, RedLine, Raccoon, Vidar, AMOS, and Medusa all share the invariant: the stealer process must open browser credential files (Login Data, Cookies, logins.json) and invoke CryptUnprotectData() or NSS3 decryption. This is a kernel-observable event regardless of family or Chrome App-Bound Encryption bypass technique used.

By @iimp0ster · Updated 2026-03-15 · View source YAML

Attack Chokepoints 3 invariant stages

Each stage is an invariant condition the attacker must satisfy, regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.

1 Credential Database Access
Prerequisites
  • Code execution on victim machine (via ClickFix, malvertising, cracked software, game cheats, SEO poisoning, YouTube malware, or social engineering)
  • Target must use a Chromium-based browser (Chrome, Edge, Brave, Opera, etc.) or Firefox
  • Browser credential database files must be accessible (not locked by exclusive handle; Chrome Login Data is typically not exclusively locked)
  • {"For App-Bound Encryption bypass variants"=>"Chrome must be installed (COM elevation requires GoogleChromeElevationService); OR Chrome must be running (CDP bypass); OR stealer must have code injection capability (memory injection bypass)"}
  • Outbound network access for C2 exfiltration (though some variants stage locally and exfiltrate via separate channel)
Input Stealer process is running on the victim machine
Chokepoint Must open browser credential database files (Login Data, Cookies, Local State, logins.json). These are the only locations where browser credentials are stored.
Observable Sysmon EID 11 (FileCreate; stealer copies credential DB to temp) or Windows Security EID 4663 (Object Access audit) showing a non-browser process accessing Chrome/Edge/Firefox credential files
Why unavoidable
Browser credentials only exist in these database files. The stealer must read them. There is no alternative path to the credentials.
Data Sources
  • Sysmon Event ID 10 (Process Access)
  • Sysmon Event ID 11 (File Created/Accessed)
  • Windows Security Event ID 4663 (Object Access)
View rule →
Credential database content has been read
2 Credential Decryption
Input Credential database content has been read
Chokepoint Must invoke platform decryption APIs. CryptUnprotectData() (DPAPI) for Chromium browsers, NSS3 decryption for Firefox, or an App-Bound Encryption bypass technique
Observable CryptUnprotectData calls from non-browser processes. Chrome Elevation Service COM interface activation. Chrome DevTools Protocol connections to running Chrome instances (CDP bypass).
Why unavoidable
The credentials are encrypted at rest. The stealer must decrypt them to extract usable passwords. The decryption API call is the artifact.
Data Sources
  • ETW DPAPI provider
  • Sysmon Event ID 1 (Process Creation for COM/CDP bypass processes)
  • Windows Security Event ID 4688
View rule →
Credentials have been decrypted and collected
3 Data Exfiltration
Input Credentials have been decrypted and collected
Chokepoint Must exfiltrate the harvested data to attacker infrastructure
Observable Outbound HTTP POST to low-reputation domains, Telegram bot API calls, Discord webhook POSTs from non-standard processes. Large data transfers from processes that recently accessed credential databases.
Why unavoidable
Stolen credentials are worthless if they stay on the victim machine. The exfiltration connection is the artifact.
Data Sources
  • Sysmon Event ID 3 (Network Connection)
  • Sysmon Event ID 22 (DNS Query)
  • Web proxy logs
View rule →

Variations 12 variants tracked

Tools and methods that exploit this chokepoint. The list grows. The chokepoint doesn't change.

LummaC2 2022-Q4 Disrupted (May 2025) / Active (rebrand expected)
The dominant infostealer MaaS of 2024-2025, representing 51% of all dark web credential logs at peak. Delivered primarily via ClickFix (517% surge in 2025 ClickFix attacks) and malvertising. Targets 50+ Chromium-based browsers, Firefox profiles, cryptocurrency wallets, and 2FA applications. Despite law enforcement disruption, successor variants and rebrands are anticipated based on historical patterns (Raccoon v1 → v2, RedLine → successors, etc.).
Command / artifacts
Dominant stealer (51% of dark web logs at peak). Delivered primarily via ClickFix. Targets 50+ Chromium browsers, Firefox, crypto wallets, 2FA apps. Law enforcement disruption May 2025.
# Post-ClickFix delivery chain:
powershell.exe -enc <base64> → downloads LummaC2 loader
# Loader copies browser DBs:
copy "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" %TEMP%\lg.db
copy "%LOCALAPPDATA%\Google\Chrome\User Data\Local State" %TEMP%\ls.json
# Calls CryptUnprotectData via embedded DPAPI wrapper
# Exfils via HTTPS POST to rotating C2 domains
  • Sysmon EID 10: Non-browser process accessing Login Data / Cookies files
  • ETW: CryptUnprotectData called by non-browser process
  • Sysmon EID 3: HTTPS POST to low-reputation domain from stealer process
Same chokepoint: Stealer executes → copies Login Data/Cookies → CryptUnprotectData() → HTTPS POST exfil to C2
Source: www.cisa.gov →
Stealc 2023-Q1 Active
Emerged January 2023; lightweight MaaS stealer with modular plugin architecture. Targets Chromium browsers, Firefox, cryptocurrency wallets, and messaging apps (Discord, Telegram). Marketed on dark web forums as a "lightweight" alternative with per-target module loading to reduce detection footprint. Active through 2025-2026 across commodity and targeted campaigns.
Command / artifacts
$200/month MaaS. V2 (March 2025) added JSON C2, multi-monitor screenshots, built-in loader. Server-side credential decryption bypasses some ABE protections.
# StealC v2 — JSON-based C2, Themida-packed:
# Copies Login Data, Cookies, Local State from all Chromium profiles
# CryptUnprotectData for DPAPI decryption
# Multi-monitor screenshot capture
# HTTPS POST exfil with JSON format
  • Sysmon EID 10: Non-browser process accessing Login Data / Cookies
  • Sysmon EID 3: HTTPS POST to C2 with JSON-formatted exfil
Same chokepoint: Stealer executes → copies Login Data/Cookies → CryptUnprotectData → JSON C2 exfil
Source: www.picussecurity.com →
RedLine 2020-Q1 Disrupted (Oct 2024) / Variants Active
One of the longest-running stealer families; dominated the market from 2020-2024. Targets all Chromium browsers and Firefox; also harvests VPN credentials, FTP clients, cryptocurrency wallets, and system information. Despite takedown, RedLine-derived code and techniques persist in successor families.
Command / artifacts
Longest-running major stealer (2020-2024). 51% of all infostealer infections 2020-2023. Operation Magnus (Oct 2024) seized infrastructure.
# .NET stealer targeting all Chromium + Firefox:
# Uses SQLite library to query browser DBs directly
# Targets: Login Data, Cookies, logins.json, key4.db
# Also: VPN credentials, FTP clients, crypto wallets
# Exfils via HTTP POST to C2 panel
  • Sysmon EID 10: .NET process accessing browser credential files
  • Sysmon EID 7: System.Data.SQLite.dll loaded by non-browser process
  • Sysmon EID 3: HTTP POST exfil to C2 panel
Same chokepoint: Stealer executes → SQLite queries against Login Data → CryptUnprotectData → HTTP POST exfil
Source: www.operation-magnus.com →
Raccoon v2 2022-Q3 Active
Raccoon Stealer v1 shut down March 2022 when lead developer was arrested; v2 relaunched June 2022 with rewritten C++ codebase. Targets 60+ browsers including all major Chromium variants and Firefox. Employs DPAPI-based decryption for Chromium credentials. Continuously updated with new browser support and evasion techniques through 2025.
Command / artifacts
V1 shut down March 2022 (developer arrested). V2 C++ rewrite June 2022. Administrator sentenced to 5 years (2024). 52 million credentials linked.
# C++ rewrite (June 2022 relaunch):
# Targets 60+ browsers, DPAPI-based Chromium decryption
# Reads Login Data, Cookies, Local State from all profiles
# HTTP POST exfil with structured log format
  • Sysmon EID 10: Non-browser C++ process accessing browser credential files
  • Sysmon EID 3: HTTP POST to C2 with structured credential log
Same chokepoint: Stealer executes → reads 60+ browser credential DBs → DPAPI decryption → HTTP POST exfil
Source: blog.sekoia.io →
Vidar 2.0 2025-Q4 Active
Complete rewrite of original Vidar stealer (2018) released October 2025 as pure C implementation. Introduced memory injection technique to bypass Chrome App-Bound Encryption by injecting into the chrome.exe process itself and calling decryption APIs from within the trusted process context. Represents the most technically sophisticated App-Bound bypass approach documented to date.
Command / artifacts
Complete rewrite. Memory injection into chrome.exe to call decryption from trusted context. Most sophisticated ABE bypass documented.
# Pure C rewrite (October 2025):
# Memory injection into chrome.exe for ABE bypass
# Calls decryption APIs from within trusted Chrome context
# Bypasses ABE without COM or CDP
  • Sysmon EID 10: Process access to chrome.exe with PROCESS_ALL_ACCESS
  • Sysmon EID 8: CreateRemoteThread into chrome.exe from non-browser process
Same chokepoint: Stealer injects into chrome.exe → calls decryption from trusted context → extracts credentials → exfil
Source: www.trendmicro.com →
AMOS (Atomic macOS Stealer) 2023-Q2 Active
macOS-targeting infostealer marketed on Telegram for ~$1,000/month. Targets Safari Keychain, all Chromium browsers, Firefox, MetaMask, cryptocurrency wallets, and system information. Uses osascript to prompt for administrator password, bypassing macOS protections. Demonstrates that the browser credential database chokepoint applies cross-platform. macOS browsers use platform-native keychain APIs but the file access pattern is identical.
Command / artifacts
macOS-targeting. $1,000/month MaaS on Telegram. Uses osascript for admin password prompt. Demonstrates cross-platform applicability of the credential DB access chokepoint.
# macOS execution chain:
osascript -e 'display dialog "Chrome needs your password" default answer "" with hidden answer'
# Captures admin password via fake dialog
# Accesses Safari Keychain, Chrome Login Data, Firefox logins.json
# Exfils via HTTP POST to Telegram bot
  • macOS: osascript spawning dialog for credential capture
  • File access: Non-browser process reading Chrome/Safari credential files
  • Network: HTTP POST to api.telegram.org from non-Telegram process
Same chokepoint: osascript password prompt → read Keychain/Login Data → decrypt → Telegram bot exfil
Source: www.sentinelone.com →
EDDIESTEALER 2025-Q2 Active
Identified May 2025; notable for Chrome App-Bound Encryption bypass via Chrome DevTools Protocol (CDP). Connects to a running Chrome instance in debug mode to extract cookies without needing to decrypt the database directly. Represents the third major App-Bound bypass approach (alongside COM elevation and memory injection).
Command / artifacts
Third major ABE bypass approach (after COM elevation and memory injection). Connects to Chrome in debug mode via CDP.
# Chrome DevTools Protocol (CDP) bypass:
chrome.exe --remote-debugging-port=9222
# Connects via WebSocket to CDP endpoint
# Extracts cookies via Network.getCookies without touching encrypted DB
  • Sysmon EID 1: chrome.exe launched with --remote-debugging-port
  • Sysmon EID 3: WebSocket connection to localhost:9222 from non-browser
Same chokepoint: Chrome launched in debug mode → CDP WebSocket connection → cookies extracted via CDP API → exfil
Source: thehackernews.com →
Medusa Stealer 2024-Q1 Active
Supports credential harvesting from 100+ browsers, the broadest browser coverage of any tracked stealer family. Targets all Chromium and Gecko-based browsers, Electron apps storing credentials, and password managers. MaaS subscription model on dark web forums. Demonstrates that comprehensive browser coverage is a competitive differentiator in the stealer market.
Command / artifacts
100+ browser support; broadest coverage. Also targets Electron apps and password managers. MaaS subscription model.
# Broadest coverage: 100+ browsers
# Targets Chromium, Gecko, Electron apps
# Also targets password manager databases
# Same DPAPI/NSS3 decryption pattern
  • Sysmon EID 10: Non-browser process accessing 100+ browser profile paths
  • Sysmon EID 3: Large HTTP POST exfil (high volume from broad targeting)
Same chokepoint: Stealer enumerates 100+ browser paths → copies credential DBs → DPAPI/NSS3 decryption → bulk exfil
Source: www.resecurity.com →
Chrome App-Bound Encryption Bypass (COM Elevation) 2024-Q3 Active
First documented bypass of Chrome App-Bound Encryption (introduced July 30, 2024), achieved approximately 45 days after ABE launch (September 2024). Technique: elevate via GoogleChromeElevationService COM interface to call decryption in a trusted context. Multiple families rapidly adopted this approach; Google patched but new bypasses emerged within weeks, demonstrating the cat-and-mouse pattern in App-Bound Encryption defense.
Command / artifacts
First bypass of Chrome App-Bound Encryption. Adopted by multiple stealer families within weeks. Google patched but new bypasses emerged rapidly.
# Embedded in stealer code — no standalone CLI:
# Elevates via GoogleChromeElevationService COM interface
# to call app-bound decryption in trusted process context
# Achieved ~45 days after ABE launch (July 2024)
  • Windows System: COM activation of GoogleChromeElevationService
  • Source process is NOT chrome.exe (the anomaly)
  • Sysmon EID 1: Chrome Elevation Service spawned by unusual parent
Same chokepoint: Stealer → COM activation of Chrome Elevation Service → decryption in trusted context → credential exfil
Source: security.googleblog.com →
North Korean APT Infostealer Operations 2024-Q1 Active
North Korean threat actors (LAZARUS GROUP / HIDDEN COBRA) incorporated infostealer deployment into their tradecraft for financial operations. Connected to the February 2025 ByBit cryptocurrency exchange heist ($1.5B, the largest cryptocurrency theft in history). Hudson Rock 2026 trend report highlights the "infostealer-to-APT pipeline" where stealer credentials enable nation-state initial access without traditional spearphishing. Demonstrates infostealers as strategic intelligence-gathering tools, not just commodity theft.
Command / artifacts
LAZARUS GROUP incorporated commodity infostealers for financial operations. Stealer credentials enable initial access to crypto exchanges.
# NK groups use commodity stealers + custom tools:
# Deployed via trojanized crypto/DeFi apps
# Credential theft feeds financial operations
# ByBit heist ($1.5B, Feb 2025) used stealer credentials
  • Same as commodity stealer artifacts. Login Data access, DPAPI calls.
  • Additional: Crypto wallet file access (wallet.dat, keystore files)
Same chokepoint: Commodity stealer deployed → credentials harvested → NK APT uses for financial target access
Source: www.infostealers.com →
Contagious Interview (OtterCookie / North Korean Fake Job Interview Stealer) 2024-Q3 Active
North Korean actors deliver OtterCookie JavaScript backdoor via fake developer job interviews, using malicious NPM packages or VS Code task configurations to achieve code execution and steal crypto keys and credentials. Evolved with heavy obfuscation since October 2025.
Command / artifacts
NK actors deliver OtterCookie via fake job interviews using malicious NPM packages or VS Code tasks. JavaScript-based backdoor.
# Delivery via fake developer job interview:
node.exe malicious_package/index.js
# OtterCookie JS backdoor steals crypto keys, browser creds, SSH keys
# Heavy obfuscation since October 2025
  • Sysmon EID 1: node.exe executing from npm cache or project directory
  • Sysmon EID 10: node.exe accessing browser credential files
  • File access: SSH key files, crypto wallet files accessed by node.exe
Same chokepoint: Malicious NPM package → node.exe executes OtterCookie → credential/key theft → C2 exfil
Source: unit42.paloaltonetworks.com →
Storm-2561 Fake VPN Client Stealer 2025-Q2 Active
Storm-2561 uses SEO poisoning to lure users searching for enterprise VPN software (Pulse Secure, Fortinet, Ivanti, Cisco) to spoofed download sites redirecting to GitHub-hosted ZIP files containing MSI installers. The trojanized installer side-loads malicious DLLs signed by 'Taiyuan Lihua Near Information Technology Co., Ltd.' to harvest VPN credentials and browser credentials, then exfiltrates them. By 2026-Q1 the campaign expanded targeting to additional enterprise VPN clients, shifting lures toward corporate users rather than consumer software seekers.
Command / artifacts
Storm-2561 uses SEO poisoning targeting enterprise VPN searches. Trojanized MSI with side-loaded DLL signed by compromised Chinese certificate.
# SEO poisoning → spoofed VPN download site → GitHub ZIP:
msiexec /i fake_vpn_installer.msi
# Side-loaded DLL signed by "Taiyuan Lihua" harvests VPN + browser creds
  • Sysmon EID 1: msiexec.exe installing MSI from Downloads/Temp
  • Sysmon EID 7: DLL loaded with Taiyuan Lihua signature
  • Sysmon EID 10: Process accessing VPN credential stores + browser files
Same chokepoint: SEO poisoning → MSI install → side-loaded DLL → VPN + browser credential theft → exfil
Source: www.microsoft.com →

Detection Strategy

Rules organized by the chokepoint stage they detect. Each stage has one or more rules at different maturity levels.

1 Credential Database Access
2 Credential Decryption
3 Data Exfiltration

Raw Log Samples 5 samples

Real-world log events produced by this technique and which Sigma rules they trigger.

EID 11 Sysmon Non-browser process copies Chrome Login Data to temp directory (credential harvesting)
EventID: 11 (FileCreate) UtcTime: 2024-09-14 03:17:42.381 ProcessGuid: {a1b2c3d4-1234-5678-abcd-ef0123456789} ProcessId: 4832 Image: C:\Users\jsmith\AppData\Local\Temp\ChromeUpdate.exe TargetFilename: C:\Users\jsmith\AppData\Local\Temp\lg.db CreationUtcTime: 2024-09-14 03:17:42.381 # Key signal: Non-browser process (ChromeUpdate.exe from Temp) creating a copy # of a browser credential database file. The filename lg.db is a common stealer # convention for Login Data copies.
EID 4663 Windows Event Log Audit file access. Non-browser process reads the Login Data credential database.
EventID: 4663 (An attempt was made to access an object) TimeCreated: 2024-09-14T03:17:42.5183920Z Channel: Security SubjectUserSid: S-1-5-21-3623811015-3361044348-30300820-1013 SubjectUserName: jsmith SubjectDomainName: CORP SubjectLogonId: 0x7169cb ObjectServer: Security ObjectType: File ObjectName: C:\Users\jsmith\AppData\Local\Google\Chrome\User Data\Default\Login Data HandleId: 0x1d4 ProcessId: 0x12e0 ProcessName: C:\Users\jsmith\AppData\Local\Temp\ChromeUpdate.exe AccessList: %%4416 (ReadData / ListDirectory) AccessMask: 0x1
EID 11 Sysmon Stealer copies Login Data to TEMP directory to avoid Chrome file lock
EventID: 11 (FileCreate) UtcTime: 2024-09-14 03:17:42.612 ProcessGuid: {a1b2c3d4-1234-5678-abcd-ef0123456789} ProcessId: 4832 Image: C:\Users\jsmith\AppData\Local\Temp\ChromeUpdate.exe TargetFilename: C:\Users\jsmith\AppData\Local\Temp\~tmp_creds_8a3f.db CreationUtcTime: 2024-09-14 03:17:42.612
EID 8 Sysmon CryptUnprotectData API call observed via Sysmon API monitoring. DPAPI decryption of harvested credentials.
EventID: 8 (CreateRemoteThread), or via API monitoring: UtcTime: 2024-09-14 03:17:43.108 ProcessGuid: {a1b2c3d4-1234-5678-abcd-ef0123456789} ProcessId: 4832 Image: C:\Users\jsmith\AppData\Local\Temp\ChromeUpdate.exe API: CryptUnprotectData Module: C:\Windows\System32\crypt32.dll # Note: CryptUnprotectData is called seconds after Login Data file access. # Temporal correlation (EID 10 + CryptUnprotectData within 60s) is the Hunt rule signal.
EID 3 Sysmon Outbound C2 exfiltration connection immediately following credential decryption
EventID: 3 (NetworkConnect) UtcTime: 2024-09-14 03:17:44.883 ProcessGuid: {a1b2c3d4-1234-5678-abcd-ef0123456789} ProcessId: 4832 Image: C:\Users\jsmith\AppData\Local\Temp\ChromeUpdate.exe User: CORP\jsmith Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 10.10.1.45 SourceHostname: CORP-WS-042 SourcePort: 51342 DestinationIsIpv6: false DestinationIp: 185.220.101.47 DestinationHostname: - DestinationPort: 443 # Non-browser process making HTTPS connection within seconds of credential DB access # is the Analyst rule's final signal. High confidence, low FP.

Emulation

ATT&CK: T1555.003 Simulates infostealer browser credential access patterns for detection validation powershell ▶
Lab use only. Run in an isolated lab VM only. Creates temporary files and outbound network activity.
POWERSHELL
GitHub → Download 
#Requires -Version 5.1
# MITRE ATT&CK: T1555.003 — Credentials from Web Browsers
# Simulates non-browser process access to Chrome Login Data, DPAPI decryption call, and outbound connection.

[CmdletBinding()]
param(
    [switch]$SkipNetwork,
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$ChromeLoginDataPath = Join-Path $env:LOCALAPPDATA `
    'Google\Chrome\User Data\Default\Login Data'
$TempCopy   = Join-Path $env:TEMP "~cred_emu_$(Get-Random).db"
$C2Endpoint = 'https://example.com'   # benign destination — change to your lab listener

function Write-Step ([string]$Message) {
    Write-Host "[*] $Message" -ForegroundColor Cyan
}
function Write-Ok ([string]$Message) {
    Write-Host "[+] $Message" -ForegroundColor Green
}
function Write-Warn ([string]$Message) {
    Write-Host "[!] $Message" -ForegroundColor Yellow
}

function Remove-Artefacts {
    if (Test-Path $TempCopy) {
        Remove-Item -Path $TempCopy -Force -ErrorAction SilentlyContinue
        Write-Ok "Removed temp file: $TempCopy"
    }
}

if ($CleanupOnly) {
    Remove-Artefacts
    exit 0
}

Write-Host ""
Write-Host "=== Browser Credential Theft Emulation ===" -ForegroundColor Magenta
Write-Host "    T1555.003 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

if (-not (Test-Path $ChromeLoginDataPath)) {
    Write-Warn "Chrome Login Data not found at: $ChromeLoginDataPath"
    Write-Warn "Chrome must be installed and have been launched at least once."
    Write-Warn "Falling back to synthetic file for file-access telemetry only."
    $ChromeLoginDataPath = $null
}

Write-Step "Step 1/3 — Opening browser credential store (file access telemetry)"
Write-Verbose "  Target: $ChromeLoginDataPath"

if ($ChromeLoginDataPath) {
    try {
        # Open the file read-only to trigger file-access audit events.
        # Chrome locks Login Data while running; we copy first (also an Analyst indicator).
        $fs = [System.IO.File]::Open(
            $ChromeLoginDataPath,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read,
            [System.IO.FileShare]::ReadWrite
        )
        $buf = New-Object byte[] 4
        [void]$fs.Read($buf, 0, 4)   # read SQLite magic bytes only — no credential parsing
        $fs.Close()
        Write-Ok "File access completed (read 4 bytes — SQLite header only, no credentials parsed)"
    }
    catch [System.IO.IOException] {
        # Chrome is running and has an exclusive lock — copy approach instead
        Write-Warn "Chrome is running (file locked). Using file copy to trigger EID 11."
        Copy-Item -Path $ChromeLoginDataPath -Destination $TempCopy -ErrorAction SilentlyContinue
        Write-Ok "Copied Login Data to: $TempCopy"
    }
} else {
    # Synthetic fallback: create a dummy file in TEMP to generate EID 11
    [System.IO.File]::WriteAllText($TempCopy, "SQLite format 3`0")
    Write-Ok "Created synthetic credential file at: $TempCopy"
}

Start-Sleep -Milliseconds 500

Write-Step "Step 2/3 — Calling CryptUnprotectData (DPAPI decryption telemetry)"

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public class Dpapi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct DATA_BLOB {
        public int cbData;
        public IntPtr pbData;
    }

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    public static extern bool CryptUnprotectData(
        ref DATA_BLOB pDataIn,
        StringBuilder szDataDescr,
        IntPtr pOptionalEntropy,
        IntPtr pvReserved,
        IntPtr pPromptStruct,
        int dwFlags,
        ref DATA_BLOB pDataOut);

    public static bool TestDpapi() {
        // Encrypt a benign string, then decrypt — exercises the CryptUnprotectData API path
        byte[] plain = Encoding.UTF8.GetBytes("detection-chokepoints-emulation-test");
        byte[] encrypted = System.Security.Cryptography.ProtectedData.Protect(
            plain, null, System.Security.Cryptography.DataProtectionScope.CurrentUser);

        DATA_BLOB inBlob  = new DATA_BLOB();
        DATA_BLOB outBlob = new DATA_BLOB();
        inBlob.cbData = encrypted.Length;
        inBlob.pbData = Marshal.AllocHGlobal(encrypted.Length);
        Marshal.Copy(encrypted, 0, inBlob.pbData, encrypted.Length);

        bool result = CryptUnprotectData(ref inBlob, null, IntPtr.Zero,
                                          IntPtr.Zero, IntPtr.Zero, 0, ref outBlob);
        Marshal.FreeHGlobal(inBlob.pbData);
        if (result) Marshal.FreeHGlobal(outBlob.pbData);
        return result;
    }
}
'@ -ReferencedAssemblies 'System.Security'

try {
    $result = [Dpapi]::TestDpapi()
    if ($result) {
        Write-Ok "CryptUnprotectData called successfully (benign test data decrypted)"
    } else {
        Write-Warn "CryptUnprotectData returned false — API monitoring telemetry may still fire"
    }
} catch {
    Write-Warn "DPAPI call skipped: $_"
}

Start-Sleep -Milliseconds 500

if (-not $SkipNetwork) {
    Write-Step "Step 3/3 — Making outbound connection (network exfiltration telemetry)"
    Write-Verbose "  Destination: $C2Endpoint"

    try {
        $response = Invoke-WebRequest -Uri $C2Endpoint -Method HEAD `
            -TimeoutSec 10 -UseBasicParsing -ErrorAction Stop
        Write-Ok "Network connection completed (HTTP $($response.StatusCode) from $C2Endpoint)"
    } catch {
        Write-Warn "Network request failed (connection telemetry may still have been generated): $_"
    }
} else {
    Write-Warn "Step 3 skipped (-SkipNetwork flag set)"
}

Write-Host ""
Write-Step "Cleaning up artefacts"
Remove-Artefacts

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research]  Sysmon EID 10/11 or WEL EID 4663 — non-browser file access" -ForegroundColor DarkCyan
Write-Host "  [Hunt]      EID 10 + CryptUnprotectData within 60 seconds"               -ForegroundColor DarkYellow
Write-Host "  [Analyst]   EID 10/11 + Sysmon EID 3 (outbound connection)"              -ForegroundColor DarkGreen
Write-Host ""
Write-Host "If no alerts fired, verify:" -ForegroundColor DarkGray
Write-Host "  - Sysmon is running with a config that captures EID 3/8/10/11"
Write-Host "  - Object Access auditing is enabled (auditpol) for EID 4663"
Write-Host "  - Sigma rules are deployed and log sources are ingested"
Write-Host ""

OSINT Pivots

VirusTotal Intelligence behavior_files:"Login Data" behavior_files:"Local State" positives:0
Requires VT Intelligence subscription. Finds samples that access both Login Data and Local State files (combined access is a strong infostealer behavioral indicator) while currently evading AV detection. These are the most dangerous variants in active circulation.
Shodan http.html:"stealer" http.html:"logs" http.html:"panel"
Finds exposed infostealer C2 panels, often left accessible due to poor OpSec by stealer operators. Log panels with "logs" and "panel" in the HTML indicate active infrastructure. Useful for tracking active campaign infrastructure and reporting to law enforcement or domain registrars.
URLScan page.title:"Join meeting" NOT domain:zoom.us NOT domain:teams.microsoft.com NOT domain:meet.google.com NOT domain:webex.com NOT domain:gotomeeting.com
Finds fake meeting join pages impersonating Zoom, Teams, Google Meet, and Webex on non-legitimate domains. Common stealer delivery pretext. Fake meeting links drop infostealers. Swap title for other pretexts: "Sign in - Slack" (Slack), "Microsoft Teams" (Teams), "Download Zoom" (fake installers).