Contains a simple yara rule to hunt for possible compromised KeePass config files
Use a yara rule scanner, like yara, loki or thor-lite to scan systems with this rule. The default location for the local KeePass config file is %APPDATA%\Roaming\KeePass\KeePass.config.xml.