T1555.005 Password Managers Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PMTools = dynamic(["keethief", "keepass2john", "kpcli", "Find-KeePassConfig", "Get-KeePassDatabaseKey", "KeePassHax"]);
let PMFiles = dynamic([".kdbx", ".kdb", ".psafe3", ".agilekeychain", ".1pif", "1Password.sqlite", "KeePass.config.xml", "LastPass.sqlite"]);
let PMProcesses = dynamic(["KeePass.exe", "1Password.exe", "LastPass.exe", "Bitwarden.exe", "Dashlane.exe", "RoboForm.exe"]);
union DeviceProcessEvents, DeviceFileEvents
| where Timestamp > ago(24h)
| extend CmdLine = coalesce(ProcessCommandLine, "")
| extend FilePath = coalesce(FolderPath, "")
| where CmdLine has_any (PMTools)
    or FileName has_any (PMTools)
    or (FilePath has_any (PMFiles) and InitiatingProcessFileName !in~ (PMProcesses))
| project Timestamp, DeviceName, AccountName, FileName,
         CmdLine, FilePath, InitiatingProcessFileName
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation File: File Access Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Password manager applications performing legitimate database operations (autosave, sync, backup)
Cloud sync services (Dropbox, OneDrive) syncing password manager database files
IT administrators performing authorized password manager database backups
Password manager browser extensions accessing the database during auto-fill operations

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11)
| eval CommandLine=coalesce(CommandLine, "")
| eval TargetFile=coalesce(TargetFilename, "")
| eval PMToolMatch=if(match(CommandLine, "(?i)(keethief|keepass2john|kpcli|Find-KeePassConfig|Get-KeePassDatabaseKey|KeePassHax)") OR match(Image, "(?i)(keethief|keepass2john)"), 1, 0)
| eval PMFileAccess=if(match(TargetFile, "(?i)(\.kdbx|\.kdb|\.psafe3|\.agilekeychain|\.1pif|1Password\.sqlite|LastPass\.sqlite)") AND NOT match(Image, "(?i)(KeePass|1Password|LastPass|Bitwarden|Dashlane)"), 1, 0)
| eval PMMemoryDump=if(match(CommandLine, "(?i)(procdump.*keepass|minidump.*keepass|comsvcs.*keepass)"), 1, 0)
| eval SuspicionScore=PMToolMatch*3 + PMFileAccess*2 + PMMemoryDump*3
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, TargetFile, ParentImage, PMToolMatch, PMFileAccess, PMMemoryDump, SuspicionScore
| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Password manager applications performing legitimate operations
Cloud sync services syncing .kdbx files
IT administrators performing authorized password database backups
Password manager CLI tools used by DevOps teams

Elastic Security (EQL)

eql

any where event.category in ("process", "file") and
(
  (
    event.category == "process" and
    (
      process.name : ("keethief", "keepass2john", "kpcli") or
      process.command_line : ("*keethief*", "*keepass2john*", "*kpcli*", "*Find-KeePassConfig*", "*Get-KeePassDatabaseKey*", "*KeePassHax*") or
      process.command_line : ("*procdump*keepass*", "*minidump*keepass*", "*comsvcs*keepass*")
    )
  ) or
  (
    event.category == "file" and
    (
      file.path : ("*.kdbx", "*.kdb", "*.psafe3", "*.agilekeychain", "*.1pif", "*1Password.sqlite*", "*KeePass.config.xml*", "*LastPass.sqlite*") and
      not process.name : ("KeePass.exe", "1Password.exe", "LastPass.exe", "Bitwarden.exe", "Dashlane.exe", "RoboForm.exe")
    )
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security (EDR) Sysmon via Elastic Agent Windows Security Event Logs via Winlogbeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-system.security-*

False Positives

Legitimate password manager applications (KeePass, 1Password, LastPass, Bitwarden, Dashlane) accessing their own database files during normal read/write operations — excluded by process name filter but portable or renamed executables may bypass this
Security teams running authorized penetration tests using keepass2john or keethief against test credentials in approved red team engagements without a suppression rule in place
File synchronization utilities (Dropbox, OneDrive, rsync agents) copying password database files (.kdbx, .psafe3) during scheduled backup operations where the sync process is not in the exclusion list

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  payload,
  CASE
    WHEN payload ILIKE '%keethief%'
      OR payload ILIKE '%keepass2john%'
      OR payload ILIKE '%kpcli%'
      OR payload ILIKE '%Find-KeePassConfig%'
      OR payload ILIKE '%Get-KeePassDatabaseKey%'
      OR payload ILIKE '%KeePassHax%' THEN 3
    ELSE 0
  END +
  CASE
    WHEN (payload ILIKE '%.kdbx%'
      OR payload ILIKE '%.kdb%'
      OR payload ILIKE '%.psafe3%'
      OR payload ILIKE '%.agilekeychain%'
      OR payload ILIKE '%.1pif%'
      OR payload ILIKE '%1Password.sqlite%'
      OR payload ILIKE '%LastPass.sqlite%')
      AND NOT (payload ILIKE '%KeePass.exe%'
        OR payload ILIKE '%1Password.exe%'
        OR payload ILIKE '%LastPass.exe%'
        OR payload ILIKE '%Bitwarden.exe%'
        OR payload ILIKE '%Dashlane.exe%') THEN 2
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%procdump%keepass%'
      OR payload ILIKE '%minidump%keepass%'
      OR payload ILIKE '%comsvcs%keepass%' THEN 3
    ELSE 0
  END AS SuspicionScore
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) IN (
  'Microsoft Windows Security Event Log',
  'Sysmon for Windows'
)
  AND devicetime > NOW() - 1 DAYS
  AND (
    payload ILIKE '%keethief%'
    OR payload ILIKE '%keepass2john%'
    OR payload ILIKE '%kpcli%'
    OR payload ILIKE '%Find-KeePassConfig%'
    OR payload ILIKE '%Get-KeePassDatabaseKey%'
    OR payload ILIKE '%KeePassHax%'
    OR payload ILIKE '%.kdbx%'
    OR payload ILIKE '%.psafe3%'
    OR payload ILIKE '%.agilekeychain%'
    OR payload ILIKE '%.1pif%'
    OR payload ILIKE '%1Password.sqlite%'
    OR payload ILIKE '%LastPass.sqlite%'
    OR payload ILIKE '%procdump%keepass%'
    OR payload ILIKE '%minidump%keepass%'
    OR payload ILIKE '%comsvcs%keepass%'
  )
ORDER BY SuspicionScore DESC, devicetime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon for Windows (QRadar DSM) QRadar WinCollect Agent

Required Tables

events

False Positives

QRadar payload ILIKE matching is broad — legitimate file operations on paths containing '.kdbx' or similar strings embedded in longer paths (e.g., archive logs referencing backup filenames) may generate low-score hits
IT asset inventory scripts that enumerate installed software and log password manager executable names (KeePass.exe, Bitwarden.exe) in script output captured by WinCollect
DLP or endpoint security tools that log file access events for monitored file types (including .kdbx) as part of normal policy enforcement, where the tool name doesn't match the exclusion list

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*)
| parse regex "(?i)Image:\s*(?P<Image>[^\r\n]+)" nodrop
| parse regex "(?i)CommandLine:\s*(?P<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?i)TargetFilename:\s*(?P<TargetFile>[^\r\n]+)" nodrop
| parse regex "(?i)ParentImage:\s*(?P<ParentImage>[^\r\n]+)" nodrop
| parse regex "(?i)User:\s*(?P<UserName>[^\r\n]+)" nodrop
| parse regex "(?i)Computer:\s*(?P<ComputerName>[^\r\n]+)" nodrop
| eval PMToolMatch = if(
    matches(CommandLine, "(?i)(keethief|keepass2john|kpcli|Find-KeePassConfig|Get-KeePassDatabaseKey|KeePassHax)")
    OR matches(Image, "(?i)(keethief|keepass2john)"),
    1, 0
  )
| eval PMFileAccess = if(
    matches(TargetFile, "(?i)(\.kdbx|\.kdb|\.psafe3|\.agilekeychain|\.1pif|1Password\.sqlite|KeePass\.config\.xml|LastPass\.sqlite)")
    AND !matches(Image, "(?i)(KeePass\.exe|1Password\.exe|LastPass\.exe|Bitwarden\.exe|Dashlane\.exe|RoboForm\.exe)"),
    1, 0
  )
| eval PMMemoryDump = if(
    matches(CommandLine, "(?i)(procdump.{0,30}keepass|minidump.{0,30}keepass|comsvcs.{0,30}keepass)"),
    1, 0
  )
| eval SuspicionScore = (PMToolMatch * 3) + (PMFileAccess * 2) + (PMMemoryDump * 3)
| where SuspicionScore > 0
| fields _messageTime, ComputerName, UserName, Image, CommandLine, TargetFile, ParentImage, PMToolMatch, PMFileAccess, PMMemoryDump, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

high severity high confidence

Data Sources

Sysmon for Windows (via Sumo Logic Installed Collector) Windows Endpoint Logs Sumo Logic CSE Normalized Records

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*endpoint*

False Positives

Automated IT asset management or configuration management tools (Ansible, Chef, SCCM) that enumerate installed password managers and log process names matching the tool detection patterns during inventory runs
Portable or non-standard installation paths of legitimate password managers (e.g., KeePass Portable from a USB drive running as 'KeePass-2.57.exe') that don't match the exact exclusion regex and trigger PMFileAccess alerts
Security awareness training platforms that simulate credential theft attacks using renamed or obfuscated versions of keepass2john or keethief as part of phishing simulation campaigns

Google Chronicle / SecOps

yaral

rule T1555_005_Password_Manager_Credential_Theft {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects password manager credential theft via known attack tools, unauthorized database file access, or memory dumping of password manager processes"
    reference = "https://attack.mitre.org/techniques/T1555/005/"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1555.005"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"

  events:
    (
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        (
          re.regex($e.target.process.command_line, `(?i)(keethief|keepass2john|kpcli|Find-KeePassConfig|Get-KeePassDatabaseKey|KeePassHax)`) or
          re.regex($e.target.process.file.full_path, `(?i)(\\keethief|\\keepass2john)`) or
          re.regex($e.target.process.command_line, `(?i)(procdump.{0,40}keepass|minidump.{0,40}keepass|comsvcs.{0,40}keepass)`)
        )
      ) or
      (
        $e.metadata.event_type = "FILE_READ" and
        re.regex($e.target.file.full_path, `(?i)(\.(kdbx|kdb|psafe3|agilekeychain|1pif)$|1Password\.sqlite|KeePass\.config\.xml|LastPass\.sqlite)`) and
        not re.regex($e.principal.process.file.full_path, `(?i)(KeePass\.exe|1Password\.exe|LastPass\.exe|Bitwarden\.exe|Dashlane\.exe|RoboForm\.exe)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Chronicle Ingestion API — Windows EDR feeds Chronicle Forwarder — Sysmon, CrowdStrike, SentinelOne

Required Tables

UDM Events (event_type: PROCESS_LAUNCH, FILE_READ)

False Positives

Password manager auto-sync or cloud backup agents running under service account identities whose executable paths differ from the standard installation paths used in the exclusion regex (e.g., enterprise-deployed Bitwarden with a custom path)
Forensic or eDiscovery tools that open .kdbx or .psafe3 files for evidence collection during authorized investigations where the forensic tool binary is not in the exclusion list
Development or QA environments where password manager databases are used as test fixtures and accessed by test runner processes (pytest, Jest, etc.) that do not match the legitimate application whitelist

CrowdStrike LogScale (CQL)

cql

// Branch 1: Attack tool execution or memory dumping via process events
#event_simpleName = /ProcessRollup2|SyntheticProcessRollup2/
| CommandLine = /(?i)(keethief|keepass2john|kpcli|Find-KeePassConfig|Get-KeePassDatabaseKey|KeePassHax|procdump.{0,40}keepass|minidump.{0,40}keepass|comsvcs.{0,40}keepass)/
| eval DetectionType = case(
    CommandLine = /(?i)(keethief|keepass2john|kpcli|Find-KeePassConfig|Get-KeePassDatabaseKey|KeePassHax)/, "PMToolExecution",
    CommandLine = /(?i)(procdump.{0,40}keepass|minidump.{0,40}keepass|comsvcs.{0,40}keepass)/, "PMMemoryDump",
    true(), "Other"
  )
| eval SuspicionScore = 3
| table([timestamp, ComputerName, UserName, CommandLine, FileName, ParentBaseFileName, DetectionType, SuspicionScore])

| union {
  // Branch 2: Unauthorized access to password database files
  #event_simpleName = /PeImageLoad/
  | ImageFileName = /(?i)(\.(kdbx|kdb|psafe3|agilekeychain|1pif)$|1Password\.sqlite|KeePass\.config\.xml|LastPass\.sqlite)/
  | ImageFileName != /(?i)(KeePass\.exe|1Password\.exe|LastPass\.exe|Bitwarden\.exe|Dashlane\.exe|RoboForm\.exe)/
  | eval DetectionType = "UnauthorizedPMFileAccess"
  | eval SuspicionScore = 2
  | table([timestamp, ComputerName, UserName, CommandLine, ImageFileName, ParentBaseFileName, DetectionType, SuspicionScore])
}

| sort(SuspicionScore, order=desc)
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR — Process Telemetry CrowdStrike Falcon EDR — File/Image Load Telemetry CrowdStrike Falcon Complete or Horizon

Required Tables

ProcessRollup2 SyntheticProcessRollup2 PeImageLoad

False Positives

Authorized red team or penetration testing operations where the Falcon sensor is deployed on test systems in the same CID as production — suppression groups or exclusion policies should be applied for known test hosts before deployment
IT administrators using kpcli (the KeePass command-line client for Linux/Windows) for legitimate scripted credential retrieval in approved automation workflows documented in change management
CrowdStrike sensor updates or Falcon platform components that load PE images during signature updates may generate PeImageLoad events on paths that incidentally match the database file regex pattern if custom vaults are stored in monitored directories

Password Managers

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections