T1555.005 CrowdStrike LogScale · LogScale

Detect Password Managers in CrowdStrike LogScale

Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials in an encrypted database, typically accessible after providing a master password. Once the database is unlocked, credentials may be copied to memory. Adversaries may extract the master password or plain-text credentials from memory, brute-force the master password, exploit vulnerabilities (e.g., CVE-2019-3610, CVE-2023-32784 KeePass), or directly exfiltrate password manager database files (.kdbx, .psafe3, .agilekeychain, .1pif) for offline cracking.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1555 Credentials from Password Stores
Sub-technique
T1555.005 Password Managers
Canonical reference
https://attack.mitre.org/techniques/T1555/005/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// Branch 1: Attack tool execution or memory dumping via process events
#event_simpleName = /ProcessRollup2|SyntheticProcessRollup2/
| CommandLine = /(?i)(keethief|keepass2john|kpcli|Find-KeePassConfig|Get-KeePassDatabaseKey|KeePassHax|procdump.{0,40}keepass|minidump.{0,40}keepass|comsvcs.{0,40}keepass)/
| eval DetectionType = case(
    CommandLine = /(?i)(keethief|keepass2john|kpcli|Find-KeePassConfig|Get-KeePassDatabaseKey|KeePassHax)/, "PMToolExecution",
    CommandLine = /(?i)(procdump.{0,40}keepass|minidump.{0,40}keepass|comsvcs.{0,40}keepass)/, "PMMemoryDump",
    true(), "Other"
  )
| eval SuspicionScore = 3
| table([timestamp, ComputerName, UserName, CommandLine, FileName, ParentBaseFileName, DetectionType, SuspicionScore])

| union {
  // Branch 2: Unauthorized access to password database files
  #event_simpleName = /PeImageLoad/
  | ImageFileName = /(?i)(\.(kdbx|kdb|psafe3|agilekeychain|1pif)$|1Password\.sqlite|KeePass\.config\.xml|LastPass\.sqlite)/
  | ImageFileName != /(?i)(KeePass\.exe|1Password\.exe|LastPass\.exe|Bitwarden\.exe|Dashlane\.exe|RoboForm\.exe)/
  | eval DetectionType = "UnauthorizedPMFileAccess"
  | eval SuspicionScore = 2
  | table([timestamp, ComputerName, UserName, CommandLine, ImageFileName, ParentBaseFileName, DetectionType, SuspicionScore])
}

| sort(SuspicionScore, order=desc)
| sort(timestamp, order=desc)
high severity medium confidence

CrowdStrike LogScale (Falcon) detection using a union of two telemetry branches. Branch 1 matches ProcessRollup2 and SyntheticProcessRollup2 events where the command line contains known password manager attack tool names or memory dumping commands targeting KeePass (SuspicionScore=3). Branch 2 matches PeImageLoad events where the loaded file path matches password database extensions or known database filenames but the initiating process is not a legitimate password manager (SuspicionScore=2). Results are sorted by score and recency.

Data Sources

CrowdStrike Falcon EDR — Process TelemetryCrowdStrike Falcon EDR — File/Image Load TelemetryCrowdStrike Falcon Complete or Horizon

Required Tables

ProcessRollup2SyntheticProcessRollup2PeImageLoad

False Positives & Tuning

  • Authorized red team or penetration testing operations where the Falcon sensor is deployed on test systems in the same CID as production — suppression groups or exclusion policies should be applied for known test hosts before deployment
  • IT administrators using kpcli (the KeePass command-line client for Linux/Windows) for legitimate scripted credential retrieval in approved automation workflows documented in change management
  • CrowdStrike sensor updates or Falcon platform components that load PE images during signature updates may generate PeImageLoad events on paths that incidentally match the database file regex pattern if custom vaults are stored in monitored directories
Download portable Sigma rule (.yml)

Other platforms for T1555.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Copy KeePass database file for offline cracking

    Expected signal: Sysmon Event ID 1: cmd.exe with dir searching for .kdbx files. Sysmon Event ID 11: FileCreate for the copied .kdbx file in %TEMP%. DeviceFileEvents showing file copy from original location.

  2. Test 2Extract KeePass master key with KeeThief

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'KeeThief' and 'Get-KeePassDatabaseKey'. PowerShell ScriptBlock Log Event ID 4104 with KeeThief module contents. Sysmon Event ID 10: Process Access targeting KeePass.exe.

  3. Test 3Memory dump of KeePass process with procdump

    Expected signal: Sysmon Event ID 1: procdump.exe targeting KeePass.exe. Sysmon Event ID 10: Process Access with GrantedAccess indicating memory read on KeePass.exe. Sysmon Event ID 11: FileCreate for the .dmp file.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1555.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1555Credentials from Password Stores

Related Sub-techniques

T1555.001KeychainT1555.002Securityd MemoryT1555.003Credentials from Web BrowsersT1555.004Windows Credential ManagerT1555.006Cloud Secrets Management Stores

Related Techniques

T1555Credentials from Password StoresT1212Exploitation for Credential AccessT1110.001Password GuessingT1003OS Credential DumpingT1005Data from Local SystemT1074.001Local Data Staging

Same Tactic: Credential Access

Popular Detections