Detect Password Managers in Splunk
Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials in an encrypted database, typically accessible after providing a master password. Once the database is unlocked, credentials may be copied to memory. Adversaries may extract the master password or plain-text credentials from memory, brute-force the master password, exploit vulnerabilities (e.g., CVE-2019-3610, CVE-2023-32784 KeePass), or directly exfiltrate password manager database files (.kdbx, .psafe3, .agilekeychain, .1pif) for offline cracking.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1555 Credentials from Password Stores
- Sub-technique
- T1555.005 Password Managers
- Canonical reference
- https://attack.mitre.org/techniques/T1555/005/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11)
| eval CommandLine=coalesce(CommandLine, "")
| eval TargetFile=coalesce(TargetFilename, "")
| eval PMToolMatch=if(match(CommandLine, "(?i)(keethief|keepass2john|kpcli|Find-KeePassConfig|Get-KeePassDatabaseKey|KeePassHax)") OR match(Image, "(?i)(keethief|keepass2john)"), 1, 0)
| eval PMFileAccess=if(match(TargetFile, "(?i)(\.kdbx|\.kdb|\.psafe3|\.agilekeychain|\.1pif|1Password\.sqlite|LastPass\.sqlite)") AND NOT match(Image, "(?i)(KeePass|1Password|LastPass|Bitwarden|Dashlane)"), 1, 0)
| eval PMMemoryDump=if(match(CommandLine, "(?i)(procdump.*keepass|minidump.*keepass|comsvcs.*keepass)"), 1, 0)
| eval SuspicionScore=PMToolMatch*3 + PMFileAccess*2 + PMMemoryDump*3
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, TargetFile, ParentImage, PMToolMatch, PMFileAccess, PMMemoryDump, SuspicionScore
| sort - _timeDetects password manager credential theft via Sysmon process creation and file creation events. Identifies dedicated extraction tools, non-password-manager processes accessing database files, and memory dump attempts targeting password manager processes. Scoring weights offensive tools and memory dumps highest.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Password manager applications performing legitimate operations
- Cloud sync services syncing .kdbx files
- IT administrators performing authorized password database backups
- Password manager CLI tools used by DevOps teams
Other platforms for T1555.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Copy KeePass database file for offline cracking
Expected signal: Sysmon Event ID 1: cmd.exe with dir searching for .kdbx files. Sysmon Event ID 11: FileCreate for the copied .kdbx file in %TEMP%. DeviceFileEvents showing file copy from original location.
- Test 2Extract KeePass master key with KeeThief
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'KeeThief' and 'Get-KeePassDatabaseKey'. PowerShell ScriptBlock Log Event ID 4104 with KeeThief module contents. Sysmon Event ID 10: Process Access targeting KeePass.exe.
- Test 3Memory dump of KeePass process with procdump
Expected signal: Sysmon Event ID 1: procdump.exe targeting KeePass.exe. Sysmon Event ID 10: Process Access with GrantedAccess indicating memory read on KeePass.exe. Sysmon Event ID 11: FileCreate for the .dmp file.
References (6)
- https://attack.mitre.org/techniques/T1555/005/
- https://github.com/GhostPack/KeeThief
- https://www.ise.io/casestudies/password-manager-hacking/
- https://nvd.nist.gov/vuln/detail/CVE-2023-32784
- https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.005/T1555.005.md
Unlock Pro Content
Get the full detection package for T1555.005 including response playbook, investigation guide, and atomic red team tests.