Which SIEM platforms have a T1555.005 detection rule?

df00tech provides T1555.005 (Password Managers) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Password Managers (T1555.005)?

Detecting Password Managers requires the following data sources: Process: Process Creation, File: File Access, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1555.005 detection?

The T1555.005 detection is rated critical severity with high confidence.

What are common false positives for T1555.005?

Common false positives for T1555.005 include: Password manager applications performing legitimate database operations (autosave, sync, backup); Cloud sync services (Dropbox, OneDrive) syncing password manager database files; IT administrators performing authorized password manager database backups.

T1555.005 IBM QRadar · QRadar

Detect Password Managers in IBM QRadar

Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials in an encrypted database, typically accessible after providing a master password. Once the database is unlocked, credentials may be copied to memory. Adversaries may extract the master password or plain-text credentials from memory, brute-force the master password, exploit vulnerabilities (e.g., CVE-2019-3610, CVE-2023-32784 KeePass), or directly exfiltrate password manager database files (.kdbx, .psafe3, .agilekeychain, .1pif) for offline cracking.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1555 Credentials from Password Stores
Sub-technique: T1555.005 Password Managers
Canonical reference: https://attack.mitre.org/techniques/T1555/005/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  payload,
  CASE
    WHEN payload ILIKE '%keethief%'
      OR payload ILIKE '%keepass2john%'
      OR payload ILIKE '%kpcli%'
      OR payload ILIKE '%Find-KeePassConfig%'
      OR payload ILIKE '%Get-KeePassDatabaseKey%'
      OR payload ILIKE '%KeePassHax%' THEN 3
    ELSE 0
  END +
  CASE
    WHEN (payload ILIKE '%.kdbx%'
      OR payload ILIKE '%.kdb%'
      OR payload ILIKE '%.psafe3%'
      OR payload ILIKE '%.agilekeychain%'
      OR payload ILIKE '%.1pif%'
      OR payload ILIKE '%1Password.sqlite%'
      OR payload ILIKE '%LastPass.sqlite%')
      AND NOT (payload ILIKE '%KeePass.exe%'
        OR payload ILIKE '%1Password.exe%'
        OR payload ILIKE '%LastPass.exe%'
        OR payload ILIKE '%Bitwarden.exe%'
        OR payload ILIKE '%Dashlane.exe%') THEN 2
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%procdump%keepass%'
      OR payload ILIKE '%minidump%keepass%'
      OR payload ILIKE '%comsvcs%keepass%' THEN 3
    ELSE 0
  END AS SuspicionScore
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) IN (
  'Microsoft Windows Security Event Log',
  'Sysmon for Windows'
)
  AND devicetime > NOW() - 1 DAYS
  AND (
    payload ILIKE '%keethief%'
    OR payload ILIKE '%keepass2john%'
    OR payload ILIKE '%kpcli%'
    OR payload ILIKE '%Find-KeePassConfig%'
    OR payload ILIKE '%Get-KeePassDatabaseKey%'
    OR payload ILIKE '%KeePassHax%'
    OR payload ILIKE '%.kdbx%'
    OR payload ILIKE '%.psafe3%'
    OR payload ILIKE '%.agilekeychain%'
    OR payload ILIKE '%.1pif%'
    OR payload ILIKE '%1Password.sqlite%'
    OR payload ILIKE '%LastPass.sqlite%'
    OR payload ILIKE '%procdump%keepass%'
    OR payload ILIKE '%minidump%keepass%'
    OR payload ILIKE '%comsvcs%keepass%'
  )
ORDER BY SuspicionScore DESC, devicetime DESC

high severity medium confidence

Detects password manager credential theft in IBM QRadar by searching raw event payloads from Windows Security and Sysmon log sources for known attack tool names, password database file extensions accessed by unauthorized processes, and memory dumping commands targeting KeePass. Assigns a weighted suspicion score (attack tool = 3, file access = 2, memory dump = 3) to prioritize high-confidence events.

Data Sources

Microsoft Windows Security Event Log (QRadar DSM)Sysmon for Windows (QRadar DSM)QRadar WinCollect Agent

Required Tables

events

False Positives & Tuning

QRadar payload ILIKE matching is broad — legitimate file operations on paths containing '.kdbx' or similar strings embedded in longer paths (e.g., archive logs referencing backup filenames) may generate low-score hits
IT asset inventory scripts that enumerate installed software and log password manager executable names (KeePass.exe, Bitwarden.exe) in script output captured by WinCollect
DLP or endpoint security tools that log file access events for monitored file types (including .kdbx) as part of normal policy enforcement, where the tool name doesn't match the exclusion list

Download portable Sigma rule (.yml)

Other platforms for T1555.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Copy KeePass database file for offline cracking
Expected signal: Sysmon Event ID 1: cmd.exe with dir searching for .kdbx files. Sysmon Event ID 11: FileCreate for the copied .kdbx file in %TEMP%. DeviceFileEvents showing file copy from original location.
Test 2Extract KeePass master key with KeeThief
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'KeeThief' and 'Get-KeePassDatabaseKey'. PowerShell ScriptBlock Log Event ID 4104 with KeeThief module contents. Sysmon Event ID 10: Process Access targeting KeePass.exe.
Test 3Memory dump of KeePass process with procdump
Expected signal: Sysmon Event ID 1: procdump.exe targeting KeePass.exe. Sysmon Event ID 10: Process Access with GrantedAccess indicating memory read on KeePass.exe. Sysmon Event ID 11: FileCreate for the .dmp file.

Last updated: 2026-04-13 Research depth: deep

References (6)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1555.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Password Managers in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1555.005

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Credential Access

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1555.005

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox