Remote Thread Created In KeePass.EXE
Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
Sigma rule (View on GitHub)
1title: Remote Thread Created In KeePass.EXE
2id: 77564cc2-7382-438b-a7f6-395c2ae53b9a
3status: test
4description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
5references:
6 - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
7 - https://github.com/denandz/KeeFarce
8 - https://github.com/GhostPack/KeeThief
9author: Timon Hackenjos
10date: 2022-04-22
11modified: 2023-05-05
12tags:
13 - attack.credential-access
14 - attack.t1555.005
15logsource:
16 product: windows
17 category: create_remote_thread
18detection:
19 selection:
20 TargetImage|endswith: '\KeePass.exe'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
-
Summary This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques. This...
Read More -
-
Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory. - GhostPack/KeeThief
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability
- ADCS Certificate Template Configuration Vulnerability with Risky EKU
- APT31 Judgement Panda Activity