T1555.005 Elastic Security · Elastic

Detect Password Managers in Elastic Security

Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials in an encrypted database, typically accessible after providing a master password. Once the database is unlocked, credentials may be copied to memory. Adversaries may extract the master password or plain-text credentials from memory, brute-force the master password, exploit vulnerabilities (e.g., CVE-2019-3610, CVE-2023-32784 KeePass), or directly exfiltrate password manager database files (.kdbx, .psafe3, .agilekeychain, .1pif) for offline cracking.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1555 Credentials from Password Stores
Sub-technique
T1555.005 Password Managers
Canonical reference
https://attack.mitre.org/techniques/T1555/005/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where event.category in ("process", "file") and
(
  (
    event.category == "process" and
    (
      process.name : ("keethief", "keepass2john", "kpcli") or
      process.command_line : ("*keethief*", "*keepass2john*", "*kpcli*", "*Find-KeePassConfig*", "*Get-KeePassDatabaseKey*", "*KeePassHax*") or
      process.command_line : ("*procdump*keepass*", "*minidump*keepass*", "*comsvcs*keepass*")
    )
  ) or
  (
    event.category == "file" and
    (
      file.path : ("*.kdbx", "*.kdb", "*.psafe3", "*.agilekeychain", "*.1pif", "*1Password.sqlite*", "*KeePass.config.xml*", "*LastPass.sqlite*") and
      not process.name : ("KeePass.exe", "1Password.exe", "LastPass.exe", "Bitwarden.exe", "Dashlane.exe", "RoboForm.exe")
    )
  )
)
high severity high confidence

Detects password manager credential theft via known attack tools (keethief, keepass2john, kpcli, Find-KeePassConfig, Get-KeePassDatabaseKey, KeePassHax), unauthorized access to password database files (.kdbx, .kdb, .psafe3, .agilekeychain, .1pif, 1Password.sqlite, LastPass.sqlite) by non-password-manager processes, and memory dumping commands targeting KeePass (procdump/minidump/comsvcs). Maps to T1555.005 — Credential Access via Password Managers.

Data Sources

Elastic Endpoint Security (EDR)Sysmon via Elastic AgentWindows Security Event Logs via Winlogbeat

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*logs-system.security-*

False Positives & Tuning

  • Legitimate password manager applications (KeePass, 1Password, LastPass, Bitwarden, Dashlane) accessing their own database files during normal read/write operations — excluded by process name filter but portable or renamed executables may bypass this
  • Security teams running authorized penetration tests using keepass2john or keethief against test credentials in approved red team engagements without a suppression rule in place
  • File synchronization utilities (Dropbox, OneDrive, rsync agents) copying password database files (.kdbx, .psafe3) during scheduled backup operations where the sync process is not in the exclusion list
Download portable Sigma rule (.yml)

Other platforms for T1555.005

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Copy KeePass database file for offline cracking

    Expected signal: Sysmon Event ID 1: cmd.exe with dir searching for .kdbx files. Sysmon Event ID 11: FileCreate for the copied .kdbx file in %TEMP%. DeviceFileEvents showing file copy from original location.

  2. Test 2Extract KeePass master key with KeeThief

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'KeeThief' and 'Get-KeePassDatabaseKey'. PowerShell ScriptBlock Log Event ID 4104 with KeeThief module contents. Sysmon Event ID 10: Process Access targeting KeePass.exe.

  3. Test 3Memory dump of KeePass process with procdump

    Expected signal: Sysmon Event ID 1: procdump.exe targeting KeePass.exe. Sysmon Event ID 10: Process Access with GrantedAccess indicating memory read on KeePass.exe. Sysmon Event ID 11: FileCreate for the .dmp file.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1555.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1555Credentials from Password Stores

Related Sub-techniques

T1555.001KeychainT1555.002Securityd MemoryT1555.003Credentials from Web BrowsersT1555.004Windows Credential ManagerT1555.006Cloud Secrets Management Stores

Related Techniques

T1555Credentials from Password StoresT1212Exploitation for Credential AccessT1110.001Password GuessingT1003OS Credential DumpingT1005Data from Local SystemT1074.001Local Data Staging

Same Tactic: Credential Access

Popular Detections