steal KeePass passwords using KeeFarce

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: steal KeePass passwords using KeeFarce
    namespace: collection/password-manager
    authors:
      - "@Ana06"
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Credential Access::Credentials from Password Stores::Password Managers [T1555.005]
    references:
      - https://github.com/denandz/KeeFarce
      - https://keepass.info/help/kb/sec_issues.html
    examples:
      - 1e609dffd12a59ea5d5c9b3055939b1f
  features:
    - and:
      - match: inject dll
      - string: /KeePass/i
      - optional:
        - substring: "Bootstrap"
        - substring: "KeeFarce"

last edited: 2023-11-24 10:34:28