A Case Study in Attacking KeePass

Presented at BSidesNola 2017 by

KeePass is one of the most commonly used password managers in modern enterprises, with the KeePass databases of particular administrators at times protecting the literal “keys to the kingdom”. This talk will cover a number of ways to “attack” an administrator’s KeePass database operationally. We will detail our open-source project KeeThief, which allows for the decryption of KeePass key material from unlocked databases without relying upon a keylogger and is indifferent to KeePass’ “secure desktop” protection. For unlocked databases, we will show methods for triggering KeeThief at the perfect time, extracting out everything you need to decrypt a database and pilfer credentials off-system. We’ll also cover a way to exfiltrate all database contents without any malware or code injection, and will conclude with demos that show how to pilfer KeePass databases with all current protections enabled.