@HarmJ0y
Last active March 20, 2020 19:43
KeeThief clarification points

A few clarification points for the "KeeThief – A Case Study in Attacking KeePass Part 2" post:

  1. KeeThief doesn't require local administrator rights, only rights to access the KeePass.exe process space you're targeting.

  2. KeeThief.ps1 is fully self-contained (no dependencies and no files dropped to disk) and PowerShell Version 2 compliant (so it will work on Windows 7+).

  3. Secure desktop doesn't come into play, as no keylogger is used or needed.

  4. This approach is different from KeeFarce - KeeThief recovers the plaintext master password and other key material from memory instead of calling internal methods to export the database contents.

  5. The database in KeePass needs to be unlocked to extract key material - if the database is locked, there are ways to periodically run KeeThief to mine KeePass when it opens (covered in the "Persistently Mining KeePass" section of the post).

  6. KeePass' triggers let you autodump creds on a database unlock or item copy without malware - see the "Exfiltration Without Malware" section.

  7. We cover mitigations/defenses in the post as best we can. For config manipulation, the included KeePassConfig.ps1 lets you enumerate all triggers with: Find-KeePassConfig | Get-KeePassConfigTrigger.
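As an added defensive example (not code from the gist, from KeeThief, or from KeePassConfig.ps1), the function below reads a KeePass 2.x KeePass.config.xml and summarises every trigger's events, actions and parameters so the configuration can be reviewed for the kind of trigger-based exfiltration point 6 describes. It assumes the element layout KeePass 2.x writes (Configuration/Application/TriggerSystem/Triggers/Trigger, with Name, Enabled, Events/Event and Actions/Action, each event or action carrying a TypeGuid and a Parameters/Parameter list); the "Suspect" heuristic, the function name and the sample config are this example's own assumptions, and the GUID values in the sample are placeholders.

```powershell
# Added example, not part of KeeThief or the gist.
# Assumed XML layout: Configuration/Application/TriggerSystem/Triggers/Trigger,
# each Trigger with Name, Enabled, Events/Event and Actions/Action, and each
# Event/Action with a TypeGuid plus Parameters/Parameter children (KeePass 2.x).

function Get-KeePassTriggerSummary {
    [CmdletBinding(DefaultParameterSetName = 'Path')]
    param(
        # Path to KeePass.config.xml (installed KeePass keeps it under %APPDATA%\KeePass,
        # the portable build keeps it next to KeePass.exe)
        [Parameter(Mandatory = $true, ParameterSetName = 'Path')]
        [string]$ConfigPath,

        # Raw XML text, so the example can run against constructed input
        [Parameter(Mandatory = $true, ParameterSetName = 'Xml')]
        [string]$ConfigXml
    )

    if ($PSCmdlet.ParameterSetName -eq 'Path') {
        $ConfigXml = Get-Content -Path $ConfigPath -Raw
    }
    [xml]$doc = $ConfigXml

    $triggers = @($doc.Configuration.Application.TriggerSystem.Triggers.Trigger)
    foreach ($t in $triggers) {
        # Flatten each event/action to "TypeGuid: param1 | param2" for review
        $events = @($t.Events.Event | ForEach-Object {
            "$($_.TypeGuid): $(@($_.Parameters.Parameter) -join ' | ')"
        })
        $actions = @($t.Actions.Action | ForEach-Object {
            "$($_.TypeGuid): $(@($_.Parameters.Parameter) -join ' | ')"
        })

        # Heuristic (an assumption of this example, not a KeePass rule): an action
        # parameter that references the password placeholder, a URL, a UNC path or an
        # executable is the shape an exfiltration trigger takes and deserves review.
        $suspect = (@($actions | Where-Object {
            $_ -match '\{PASSWORD\}|https?://|\\\\|\.exe\b'
        })).Count -gt 0

        [pscustomobject]@{
            Name    = $t.Name
            Enabled = ("$($t.Enabled)" -eq 'true')
            Events  = $events
            Actions = $actions
            Suspect = $suspect
        }
    }
}

# Constructed sample config (not a real capture): one benign trigger and one that
# writes an export to a network share on every database open. GUIDs are placeholders.
$sampleConfig = @'
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>TRIGGER-GUID-PLACEHOLDER-1</Guid>
          <Name>Lock after idle</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event><TypeGuid>EVENT-TYPE-GUID-PLACEHOLDER</TypeGuid><Parameters /></Event>
          </Events>
          <Conditions />
          <Actions>
            <Action><TypeGuid>ACTION-TYPE-GUID-PLACEHOLDER</TypeGuid><Parameters /></Action>
          </Actions>
        </Trigger>
        <Trigger>
          <Guid>TRIGGER-GUID-PLACEHOLDER-2</Guid>
          <Name>Sync</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event><TypeGuid>EVENT-TYPE-GUID-PLACEHOLDER</TypeGuid><Parameters /></Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>ACTION-TYPE-GUID-PLACEHOLDER</TypeGuid>
              <Parameters>
                <Parameter>\\fileserver\share\export.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
'@

# Review the constructed sample; the second trigger is reported with Suspect = True
Get-KeePassTriggerSummary -ConfigXml $sampleConfig | Format-List

# On a live host, list only the triggers the heuristic flags:
# Get-KeePassTriggerSummary -ConfigPath "$env:APPDATA\KeePass\KeePass.config.xml" | Where-Object Suspect
```

The output lists every trigger rather than only the flagged ones, because an innocuous name like "Sync" tells a reviewer nothing; the event/action type GUIDs and parameters are what show whether a trigger exports or transmits database contents. Compare the listed triggers against what the user actually configured, and treat any trigger writing to a network location, a URL or an unexpected executable as a configuration-manipulation finding.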
