Detection of suspicious access to password manager processes (KeePass, 1Password, LastPass, Bitwarden) through abnormal process injection, memory reads, or command-line usage of vault-related DLLs. Correlates process creation with OS API calls and file access to vault databases (.kdbx, .opvault, .ldb).
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| Field | Description |
|---|---|
| PasswordManagerBinaries | List of monitored binaries and file formats for password managers in use (e.g., KeePass, 1Password, Bitwarden, LastPass). |
| TimeWindow | Window to correlate process creation, API access, and file reads indicative of credential extraction. |
| UserContext | Filter for administrative accounts vs. expected users of password managers. |
Detects suspicious access to password manager vaults (KeePassXC, gnome-keyring, pass) via memory scraping or unauthorized file reads, as well as unusual command execution in which gdb/strace is attached to a password manager process.
| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open/read on ~/.local/share/keepassxc/* OR ~/.password-store/* |
| Process Access (DC0035) | auditd:SYSCALL | ptrace |
| Field | Description |
|---|---|
| VaultFilePaths | Linux paths to monitor for vault database files (KeePassXC, pass, gnome-keyring). |
| TimeWindow | Correlation interval to detect multiple suspicious access events. |
Detection of password manager database access (1Password .opvault, LastPass caches, KeePass .kdbx) outside expected parent processes. Identifies memory scraping attempts via suspicious API calls or tools attaching to password manager processes.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | security OR injection attempts into 1Password OR LastPass |
| File Access (DC0055) | macos:unifiedlog | *.opvault OR *.ldb OR *.kdbx |
| Process Access (DC0035) | macos:osquery | unexpected memory inspection |
| Field | Description |
|---|---|
| VaultFileExtensions | Password manager file extensions (.opvault, .kdbx, .ldb) to monitor for anomalous access. |
| ParentProcessWhitelist | Expected parent processes that normally access password manager files, for filtering false positives. |
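The correlation the three analytics above describe (process access to a password manager process plus a vault-file read by the same non-whitelisted source inside TimeWindow, and a debugger attaching via ptrace on Linux), as an added example in Python that is not part of the original strategy. Event records, binary names, extensions and whitelist values are constructed to stand in for normalised Sysmon EventCode 10/15 and auditd ptrace/open telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements from the analytics; these values are assumed, not from a real deployment.
PASSWORD_MANAGER_BINARIES = {"keepass.exe", "keepassxc", "1password.exe", "bitwarden.exe"}
VAULT_EXTENSIONS = (".kdbx", ".opvault", ".ldb")
PARENT_PROCESS_WHITELIST = {"keepass.exe", "keepassxc", "1password.exe", "explorer.exe"}
DEBUGGERS = {"gdb", "strace"}          # ptrace sources the Linux analytic calls out
TIME_WINDOW = timedelta(minutes=5)

def is_vault_file(path):
    return path.lower().endswith(VAULT_EXTENSIONS)

def correlate(events, window=TIME_WINDOW):
    """Return sorted alerts (host, source_process, reason) from normalised events.
    Each event has: ts (datetime), host, type ('process_access' | 'file_access'),
    source_image (basename) and target (target process basename or file path).
    'process_access' stands for Sysmon EventCode 10 or an auditd ptrace syscall;
    'file_access' stands for a Sysmon file event or an auditd open/read syscall."""
    per_source = defaultdict(lambda: {"access": [], "file": []})
    alerts = set()
    for e in events:
        src = e["source_image"].lower()
        if src in PARENT_PROCESS_WHITELIST:
            continue  # expected parents of vault files are filtered out
        key = (e["host"], src)
        if e["type"] == "process_access" and e["target"].lower() in PASSWORD_MANAGER_BINARIES:
            if src in DEBUGGERS:
                alerts.add(key + ("debugger_attach",))
            per_source[key]["access"].append(e["ts"])
        elif e["type"] == "file_access" and is_vault_file(e["target"]):
            per_source[key]["file"].append(e["ts"])
    # Strongest signal: one non-whitelisted process both touched the password
    # manager's memory and read a vault database within the correlation window.
    for key, hits in per_source.items():
        if any(abs(a - f) <= window for a in hits["access"] for f in hits["file"]):
            alerts.add(key + ("process_access_and_vault_read",))
    return sorted(alerts)

def T(s):
    return datetime.fromisoformat(s)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": T("2024-01-10T10:00:00"), "host": "win01", "type": "process_access", "source_image": "dump.exe", "target": "KeePass.exe"},
    {"ts": T("2024-01-10T10:02:30"), "host": "win01", "type": "file_access", "source_image": "dump.exe", "target": r"C:\Users\alice\vault.kdbx"},
    {"ts": T("2024-01-10T09:00:00"), "host": "win01", "type": "file_access", "source_image": "explorer.exe", "target": r"C:\Users\alice\vault.kdbx"},
    {"ts": T("2024-01-10T11:00:00"), "host": "lnx01", "type": "process_access", "source_image": "gdb", "target": "keepassxc"},
    {"ts": T("2024-01-10T12:00:00"), "host": "lnx01", "type": "process_access", "source_image": "backup-agent", "target": "keepassxc"},
    {"ts": T("2024-01-10T12:30:00"), "host": "lnx01", "type": "file_access", "source_image": "backup-agent", "target": "/home/bob/.local/share/keepassxc/Passwords.kdbx"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The backup-agent events on lnx01 fall 30 minutes apart and so stay below the threshold at the default window; widening TimeWindow makes them alert, which is the tuning trade-off the mutable elements exist for.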