Detect Password Managers in Google Chronicle
Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials in an encrypted database, typically accessible only after the user supplies a master password. Once the database is unlocked, credentials may be copied into memory. Adversaries may extract the master password or plain-text credentials from memory, brute-force the master password, exploit vulnerabilities (e.g., CVE-2019-3610, or CVE-2023-32784 in KeePass), or directly exfiltrate password manager database files (.kdbx, .psafe3, .agilekeychain, .1pif) for offline cracking.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1555 Credentials from Password Stores
- Sub-technique: T1555.005 Password Managers
- Canonical reference: https://attack.mitre.org/techniques/T1555/005/
YARA-L Detection Query
rule T1555_005_Password_Manager_Credential_Theft {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects password manager credential theft via known attack tools, unauthorized database file access, or memory dumping of password manager processes"
    reference = "https://attack.mitre.org/techniques/T1555/005/"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1555.005"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"

  events:
    (
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        (
          re.regex($e.target.process.command_line, `(?i)(keethief|keepass2john|kpcli|Find-KeePassConfig|Get-KeePassDatabaseKey|KeePassHax)`) or
          re.regex($e.target.process.file.full_path, `(?i)(\\keethief|\\keepass2john)`) or
          re.regex($e.target.process.command_line, `(?i)(procdump.{0,40}keepass|minidump.{0,40}keepass|comsvcs.{0,40}keepass)`)
        )
      ) or
      (
        $e.metadata.event_type = "FILE_READ" and
        re.regex($e.target.file.full_path, `(?i)(\.(kdbx|kdb|psafe3|agilekeychain|1pif)$|1Password\.sqlite|KeePass\.config\.xml|LastPass\.sqlite)`) and
        not re.regex($e.principal.process.file.full_path, `(?i)(KeePass\.exe|1Password\.exe|LastPass\.exe|Bitwarden\.exe|Dashlane\.exe|RoboForm\.exe)`)
      )
    )

  condition:
    $e
}

This Chronicle YARA-L 2.0 rule detects password manager credential theft using UDM-normalized fields. It matches PROCESS_LAUNCH events whose command line or binary path contains a known credential theft tool name (keethief, keepass2john, kpcli) or a memory dumping command targeting KeePass, and FILE_READ events whose target is a password database file extension (.kdbx, .kdb, .psafe3, .agilekeychain, .1pif) or a known database filename, where the reading process is not on the legitimate password manager whitelist.
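To see how the rule's two branches and the whitelist exclusion behave on real-looking telemetry, here is an added example (not part of the original page or the Chronicle rule) that ports the rule's regexes to Python and evaluates them over constructed UDM-shaped events. The event ids, file paths and the `pmsync.exe` backup agent are assumptions made up for the example; the last event illustrates the tuning case where a non-standard agent opens a vault and fires the rule.

```python
import re

# Regexes copied from the YARA-L rule on this page; the RE2 syntax used there is valid in Python's re.
TOOL_CMDLINE = re.compile(r"(?i)(keethief|keepass2john|kpcli|Find-KeePassConfig|Get-KeePassDatabaseKey|KeePassHax)")
TOOL_PATH = re.compile(r"(?i)(\\keethief|\\keepass2john)")
MEMDUMP_CMDLINE = re.compile(r"(?i)(procdump.{0,40}keepass|minidump.{0,40}keepass|comsvcs.{0,40}keepass)")
DB_FILE = re.compile(r"(?i)(\.(kdbx|kdb|psafe3|agilekeychain|1pif)$|1Password\.sqlite|KeePass\.config\.xml|LastPass\.sqlite)")
LEGIT_MANAGER = re.compile(r"(?i)(KeePass\.exe|1Password\.exe|LastPass\.exe|Bitwarden\.exe|Dashlane\.exe|RoboForm\.exe)")

def matches_rule(event: dict) -> bool:
    """Evaluate the rule's events block against one UDM-shaped event (a nested dict)."""
    etype = event.get("metadata", {}).get("event_type")
    if etype == "PROCESS_LAUNCH":
        proc = event.get("target", {}).get("process", {})
        cmd = proc.get("command_line", "")
        path = proc.get("file", {}).get("full_path", "")
        return bool(TOOL_CMDLINE.search(cmd) or TOOL_PATH.search(path) or MEMDUMP_CMDLINE.search(cmd))
    if etype == "FILE_READ":
        target = event.get("target", {}).get("file", {}).get("full_path", "")
        reader = event.get("principal", {}).get("process", {}).get("file", {}).get("full_path", "")
        # The exclusion only checks the reader's image name, so a renamed or custom sync agent still fires.
        return bool(DB_FILE.search(target)) and not LEGIT_MANAGER.search(reader)
    return False

def alerts(events: list) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["metadata"]["id"] for e in events if matches_rule(e)]

def _ev(eid, etype, **fields):
    return {"metadata": {"id": eid, "event_type": etype}, **fields}

# Constructed sample events, not real telemetry; paths, ids and the pmsync.exe agent are illustrative.
SAMPLE_EVENTS = [
    _ev("evt-1", "PROCESS_LAUNCH", target={"process": {
        "command_line": 'powershell.exe -c "Import-Module .\\KeeThief.ps1; Get-KeePassDatabaseKey"',
        "file": {"full_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}}}),
    _ev("evt-2", "PROCESS_LAUNCH", target={"process": {
        "command_line": "procdump.exe -ma KeePass.exe C:\\Temp\\kp.dmp",
        "file": {"full_path": "C:\\Tools\\procdump.exe"}}}),
    _ev("evt-3", "FILE_READ",  # KeePass itself opening its vault: suppressed by the whitelist
        principal={"process": {"file": {"full_path": "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe"}}},
        target={"file": {"full_path": "C:\\Users\\alice\\Documents\\Database.kdbx"}}),
    _ev("evt-4", "FILE_READ",  # cmd.exe reading the vault: fires
        principal={"process": {"file": {"full_path": "C:\\Windows\\System32\\cmd.exe"}}},
        target={"file": {"full_path": "C:\\Users\\alice\\Documents\\Database.kdbx"}}),
    _ev("evt-5", "FILE_READ",  # hypothetical corporate backup agent: fires, a tuning candidate
        principal={"process": {"file": {"full_path": "C:\\ProgramData\\Corp\\pm-sync\\pmsync.exe"}}},
        target={"file": {"full_path": "C:\\Users\\alice\\Documents\\vault.kdbx"}}),
]
```

Calling `alerts(SAMPLE_EVENTS)` returns evt-1, evt-2, evt-4 and evt-5; evt-3 is the only vault read suppressed by the legitimate-manager exclusion.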
False Positives & Tuning
- Password manager auto-sync or cloud backup agents running under service account identities whose executable paths differ from the standard installation paths used in the exclusion regex (e.g., enterprise-deployed Bitwarden with a custom path)
- Forensic or eDiscovery tools that open .kdbx or .psafe3 files for evidence collection during authorized investigations where the forensic tool binary is not in the exclusion list
- Development or QA environments where password manager databases are used as test fixtures and accessed by test runner processes (pytest, Jest, etc.) that do not match the legitimate application whitelist
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Copy KeePass database file for offline cracking
Expected signal: Sysmon Event ID 1: cmd.exe with dir searching for .kdbx files. Sysmon Event ID 11: FileCreate for the copied .kdbx file in %TEMP%. DeviceFileEvents showing file copy from original location.
- Test 2: Extract KeePass master key with KeeThief
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'KeeThief' and 'Get-KeePassDatabaseKey'. PowerShell ScriptBlock Log Event ID 4104 with KeeThief module contents. Sysmon Event ID 10: Process Access targeting KeePass.exe.
- Test 3: Memory dump of KeePass process with procdump
Expected signal: Sysmon Event ID 1: procdump.exe targeting KeePass.exe. Sysmon Event ID 10: Process Access with GrantedAccess indicating memory read on KeePass.exe. Sysmon Event ID 11: FileCreate for the .dmp file.
References
- https://attack.mitre.org/techniques/T1555/005/
- https://github.com/GhostPack/KeeThief
- https://www.ise.io/casestudies/password-manager-hacking/
- https://nvd.nist.gov/vuln/detail/CVE-2023-32784
- https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.005/T1555.005.md