HackTool - LaZagne Execution
Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been used repeatedly by threat actors to dump credentials.
Sigma rule:

title: HackTool - LaZagne Execution
id: c2b86e67-b880-4eec-b045-50bc98ef4844
status: experimental
description: |
    Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.
    LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
references:
    - https://github.com/AlessandroZ/LaZagne/tree/master
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
    - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
    - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-06-24
modified: 2025-10-07
tags:
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img_metadata:
        Image|endswith: '\lazagne.exe'
    selection_img_cli:
        # Note: This selection can be prone to FP. An initial baseline is required
        Image|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\$Recycle.bin'
            - '\AppData\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Links\'
            - '\Music\'
            - '\Photos\'
            - '\Pictures\'
            - '\Saved Games\'
            - '\Searches\'
            - '\Users\Contacts\'
            - '\Users\Default\'
            - '\Users\Searches\'
            - '\Videos\'
            - '\Windows\addins\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
        CommandLine|endswith:
            - '.exe all'
            - '.exe browsers'
            - '.exe chats'
            - '.exe databases'
            - '.exe games'
            - '.exe git'
            - '.exe mails'
            - '.exe maven'
            - '.exe memory'
            - '.exe multimedia'
            # - '.exe php' # Might be prone to FP
            # - '.exe svn' # Might be prone to FP
            - '.exe sysadmin'
            - '.exe unused'
            - '.exe wifi'
            - '.exe windows'
    selection_cli_modules:
        CommandLine|contains:
            - ' all '
            - ' browsers '
            - ' chats '
            - ' databases '
            - ' games '
            - ' mails '
            - ' maven '
            - ' memory '
            - ' multimedia '
            - ' php '
            - ' svn '
            - ' sysadmin '
            - ' unused '
            - ' wifi '
    selection_cli_options:
        CommandLine|contains:
            - '-1Password'
            - '-apachedirectorystudio'
            - '-autologon'
            - '-ChromiumBased'
            - '-coreftp'
            - '-credfiles'
            - '-credman'
            - '-cyberduck'
            - '-dbvis'
            - '-EyeCon'
            - '-filezilla'
            - '-filezillaserver'
            - '-ftpnavigator'
            - '-galconfusion'
            - '-gitforwindows'
            - '-hashdump'
            - '-iisapppool'
            - '-IISCentralCertP'
            - '-kalypsomedia'
            - '-keepass'
            - '-keepassconfig'
            - '-lsa_secrets'
            - '-mavenrepositories'
            - '-memory_dump'
            - '-Mozilla'
            - '-mRemoteNG'
            - '-mscache'
            - '-opensshforwindows'
            - '-openvpn'
            - '-outlook'
            - '-pidgin'
            - '-postgresql'
            - '-psi-im'
            - '-puttycm'
            - '-pypykatz'
            - '-Rclone'
            - '-rdpmanager'
            - '-robomongo'
            - '-roguestale'
            - '-skype'
            - '-SQLDeveloper'
            - '-squirrel'
            - '-tortoise'
            - '-turba'
            - '-UCBrowser'
            - '-unattended'
            - '-vault'
            - '-vaultfiles'
            - '-vnc'
            - '-winscp'
    condition: 1 of selection_img_* or all of selection_cli_*
falsepositives:
    - Some false positive is expected from tools with similar command line flags.
# Note: Increase the level to "high" after an initial baseline
level: medium
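To see how the condition `1 of selection_img_* or all of selection_cli_*` combines the three selection groups, here is an added Python example (not part of the Sigma project or of LaZagne) that applies the rule's logic to constructed process-creation events; the directory and option lists are subsets of the rule's, and the sample events are constructed, not real telemetry.

```python
# Added example (not Sigma project code): a small evaluator for this rule's
# detection logic. Sigma's endswith/contains modifiers are case-insensitive,
# so values are lower-cased before comparison. Lists are subsets of the rule's.
IMG_SUFFIX = "\\lazagne.exe"                               # selection_img_metadata
IMG_DIRS = (":\\ProgramData\\", ":\\Temp\\", ":\\Users\\Public\\", ":\\Windows\\Temp\\",
            "\\AppData\\", "\\Desktop\\", "\\Downloads\\")   # selection_img_cli (subset)
CLI_END = ("all", "browsers", "chats", "databases", "games", "git", "mails", "maven",
           "memory", "multimedia", "sysadmin", "unused", "wifi", "windows")
CLI_MOD = ("all", "browsers", "chats", "databases", "games", "mails", "maven",
           "memory", "multimedia", "php", "svn", "sysadmin", "unused", "wifi")
CLI_OPT = ("-1Password", "-autologon", "-ChromiumBased", "-credman", "-hashdump",
           "-keepass", "-lsa_secrets", "-memory_dump", "-Mozilla", "-mscache",
           "-vault", "-winscp")                            # selection_cli_options (subset)

def _endswith(value, needles):
    return any(value.lower().endswith(n.lower()) for n in needles)

def _contains(value, needles):
    return any(n.lower() in value.lower() for n in needles)

def matches(event):
    """Names of the selection groups satisfied by one process-creation event."""
    img, cli = event.get("Image", ""), event.get("CommandLine", "")
    fired = []
    if _endswith(img, (IMG_SUFFIX,)):           # binary keeps its original name
        fired.append("selection_img_metadata")
    if _contains(img, IMG_DIRS) and _endswith(cli, tuple(".exe " + m for m in CLI_END)):
        fired.append("selection_img_cli")       # renamed binary in a user-writable dir
    if _contains(cli, tuple(f" {m} " for m in CLI_MOD)) and _contains(cli, CLI_OPT):
        fired.append("selection_cli_modules+options")  # 'all of selection_cli_*'
    return fired

def rule_fires(event):
    """Condition: 1 of selection_img_* or all of selection_cli_*."""
    return bool(matches(event))

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\lazagne.exe", "CommandLine": "lazagne.exe all"},
    {"Image": "C:\\Users\\Public\\svc.exe", "CommandLine": "svc.exe browsers"},
    {"Image": "C:\\Users\\bob\\update.exe", "CommandLine": "update.exe all -credman -quiet"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matches(ev), ev["CommandLine"])
```

The fourth event, and a command line such as `git.exe all` from outside the listed directories, do not fire; the third fires only because a module name and a module-specific option appear together, which is the baseline-sensitive part the rule's notes warn about.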