T1555.005 Sumo Logic CSE · Sumo

Detect Password Managers in Sumo Logic CSE

Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials in an encrypted database, typically accessible after providing a master password. Once the database is unlocked, credentials may be copied to memory. Adversaries may extract the master password or plain-text credentials from memory, brute-force the master password, exploit vulnerabilities (e.g., CVE-2019-3610, CVE-2023-32784 KeePass), or directly exfiltrate password manager database files (.kdbx, .psafe3, .agilekeychain, .1pif) for offline cracking.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1555 Credentials from Password Stores
Sub-technique
T1555.005 Password Managers
Canonical reference
https://attack.mitre.org/techniques/T1555/005/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*)
| parse regex "(?i)Image:\s*(?P<Image>[^\r\n]+)" nodrop
| parse regex "(?i)CommandLine:\s*(?P<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?i)TargetFilename:\s*(?P<TargetFile>[^\r\n]+)" nodrop
| parse regex "(?i)ParentImage:\s*(?P<ParentImage>[^\r\n]+)" nodrop
| parse regex "(?i)User:\s*(?P<UserName>[^\r\n]+)" nodrop
| parse regex "(?i)Computer:\s*(?P<ComputerName>[^\r\n]+)" nodrop
| eval PMToolMatch = if(
    matches(CommandLine, "(?i)(keethief|keepass2john|kpcli|Find-KeePassConfig|Get-KeePassDatabaseKey|KeePassHax)")
    OR matches(Image, "(?i)(keethief|keepass2john)"),
    1, 0
  )
| eval PMFileAccess = if(
    matches(TargetFile, "(?i)(\.kdbx|\.kdb|\.psafe3|\.agilekeychain|\.1pif|1Password\.sqlite|KeePass\.config\.xml|LastPass\.sqlite)")
    AND !matches(Image, "(?i)(KeePass\.exe|1Password\.exe|LastPass\.exe|Bitwarden\.exe|Dashlane\.exe|RoboForm\.exe)"),
    1, 0
  )
| eval PMMemoryDump = if(
    matches(CommandLine, "(?i)(procdump.{0,30}keepass|minidump.{0,30}keepass|comsvcs.{0,30}keepass)"),
    1, 0
  )
| eval SuspicionScore = (PMToolMatch * 3) + (PMFileAccess * 2) + (PMMemoryDump * 3)
| where SuspicionScore > 0
| fields _messageTime, ComputerName, UserName, Image, CommandLine, TargetFile, ParentImage, PMToolMatch, PMFileAccess, PMMemoryDump, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc
high severity high confidence

Detects password manager credential theft in Sumo Logic by parsing Sysmon (EventCode 1 process create, EventCode 11 file create) fields via regex extraction and computing a weighted suspicion score. Scores 3 points for known attack tool names in command lines or image paths, 2 points for password database file access by unauthorized processes, and 3 points for memory dumping commands targeting KeePass.

Data Sources

Sysmon for Windows (via Sumo Logic Installed Collector)Windows Endpoint LogsSumo Logic CSE Normalized Records

Required Tables

_sourceCategory=*windows*sysmon*_sourceCategory=*endpoint*

False Positives & Tuning

  • Automated IT asset management or configuration management tools (Ansible, Chef, SCCM) that enumerate installed password managers and log process names matching the tool detection patterns during inventory runs
  • Portable or non-standard installation paths of legitimate password managers (e.g., KeePass Portable from a USB drive running as 'KeePass-2.57.exe') that don't match the exact exclusion regex and trigger PMFileAccess alerts
  • Security awareness training platforms that simulate credential theft attacks using renamed or obfuscated versions of keepass2john or keethief as part of phishing simulation campaigns
Download portable Sigma rule (.yml)

Other platforms for T1555.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Copy KeePass database file for offline cracking

    Expected signal: Sysmon Event ID 1: cmd.exe with dir searching for .kdbx files. Sysmon Event ID 11: FileCreate for the copied .kdbx file in %TEMP%. DeviceFileEvents showing file copy from original location.

  2. Test 2Extract KeePass master key with KeeThief

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'KeeThief' and 'Get-KeePassDatabaseKey'. PowerShell ScriptBlock Log Event ID 4104 with KeeThief module contents. Sysmon Event ID 10: Process Access targeting KeePass.exe.

  3. Test 3Memory dump of KeePass process with procdump

    Expected signal: Sysmon Event ID 1: procdump.exe targeting KeePass.exe. Sysmon Event ID 10: Process Access with GrantedAccess indicating memory read on KeePass.exe. Sysmon Event ID 11: FileCreate for the .dmp file.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1555.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1555Credentials from Password Stores

Related Sub-techniques

T1555.001KeychainT1555.002Securityd MemoryT1555.003Credentials from Web BrowsersT1555.004Windows Credential ManagerT1555.006Cloud Secrets Management Stores

Related Techniques

T1555Credentials from Password StoresT1212Exploitation for Credential AccessT1110.001Password GuessingT1003OS Credential DumpingT1005Data from Local SystemT1074.001Local Data Staging

Same Tactic: Credential Access

Popular Detections