title: Password Managers (T1555.005)
id: df00tech-t1555-005
status: experimental
description: "Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials in an encrypted database, typically accessible after providing a master password. Once the database is unlocked, credentials may be copied to memory. Adversaries may extract the master password or plain-text credentials from memory, brute-force the master password, exploit vulnerabilities (e.g., CVE-2019-3610, CVE-2023-32784 KeePass), or directly exfiltrate password manager database files (.kdbx, .psafe3, .agilekeychain, .1pif) for offline cracking."
references:
  - https://attack.mitre.org/techniques/T1555/005/
  - https://df00tech.com/detections/T1555.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1555.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Password manager applications performing legitimate database operations (autosave, sync, backup)"
  - "Cloud sync services (Dropbox, OneDrive) syncing password manager database files"
  - "IT administrators performing authorized password manager database backups"
  - "Password manager browser extensions accessing the database during auto-fill operations"
level: critical
