Detect Password Managers in Microsoft Sentinel
Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials in an encrypted database, typically accessible after providing a master password. Once the database is unlocked, credentials may be copied to memory. Adversaries may extract the master password or plain-text credentials from memory, brute-force the master password, exploit vulnerabilities (e.g., CVE-2019-3610, CVE-2023-32784 KeePass), or directly exfiltrate password manager database files (.kdbx, .psafe3, .agilekeychain, .1pif) for offline cracking.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.005 Password Managers
- Canonical reference
- https://attack.mitre.org/techniques/T1555/005/
KQL Detection Query
let PMTools = dynamic(["keethief", "keepass2john", "kpcli", "Find-KeePassConfig", "Get-KeePassDatabaseKey", "KeePassHax"]);
let PMFiles = dynamic([".kdbx", ".kdb", ".psafe3", ".agilekeychain", ".1pif", "1Password.sqlite", "KeePass.config.xml", "LastPass.sqlite"]);
let PMProcesses = dynamic(["KeePass.exe", "1Password.exe", "LastPass.exe", "Bitwarden.exe", "Dashlane.exe", "RoboForm.exe"]);
union DeviceProcessEvents, DeviceFileEvents
| where Timestamp > ago(24h)
| extend CmdLine = coalesce(ProcessCommandLine, "")
| extend FilePath = coalesce(FolderPath, "")
| where CmdLine has_any (PMTools)
or FileName has_any (PMTools)
or (FilePath has_any (PMFiles) and InitiatingProcessFileName !in~ (PMProcesses))
| project Timestamp, DeviceName, AccountName, FileName,
CmdLine, FilePath, InitiatingProcessFileName
| sort by Timestamp descDetects credential theft from password managers by monitoring for known extraction tools (KeeThief, keepass2john, Find-KeePassConfig), direct file access to password manager databases (.kdbx, .psafe3, .agilekeychain) by non-password-manager processes, and PowerShell-based credential extraction scripts. Covers techniques used by TrickBot, Fox Kitten, Storm-0501, LAPSUS$, and Scattered Spider.
Data Sources
Required Tables
False Positives & Tuning
- Password manager applications performing legitimate database operations (autosave, sync, backup)
- Cloud sync services (Dropbox, OneDrive) syncing password manager database files
- IT administrators performing authorized password manager database backups
- Password manager browser extensions accessing the database during auto-fill operations
Other platforms for T1555.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Copy KeePass database file for offline cracking
Expected signal: Sysmon Event ID 1: cmd.exe with dir searching for .kdbx files. Sysmon Event ID 11: FileCreate for the copied .kdbx file in %TEMP%. DeviceFileEvents showing file copy from original location.
- Test 2Extract KeePass master key with KeeThief
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'KeeThief' and 'Get-KeePassDatabaseKey'. PowerShell ScriptBlock Log Event ID 4104 with KeeThief module contents. Sysmon Event ID 10: Process Access targeting KeePass.exe.
- Test 3Memory dump of KeePass process with procdump
Expected signal: Sysmon Event ID 1: procdump.exe targeting KeePass.exe. Sysmon Event ID 10: Process Access with GrantedAccess indicating memory read on KeePass.exe. Sysmon Event ID 11: FileCreate for the .dmp file.
References (6)
- https://attack.mitre.org/techniques/T1555/005/
- https://github.com/GhostPack/KeeThief
- https://www.ise.io/casestudies/password-manager-hacking/
- https://nvd.nist.gov/vuln/detail/CVE-2023-32784
- https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.005/T1555.005.md
Unlock Pro Content
Get the full detection package for T1555.005 including response playbook, investigation guide, and atomic red team tests.