HackTool - LaZagne Execution

Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors to dump credentials.

Sigma rule

title: HackTool - LaZagne Execution
id: c2b86e67-b880-4eec-b045-50bc98ef4844
status: experimental
description: |
    Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.
    LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
references:
    - https://github.com/AlessandroZ/LaZagne/tree/master
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
    - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
    - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel, Nextron Systems
date: 2024-06-24
modified: 2025-06-04
tags:
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_metadata:
        - Image|endswith: '\lazagne.exe'
        - Hashes|contains:
              - 'IMPHASH=ba5546933531fafa869b1f86a4e2a959'
              - 'IMPHASH=7aa1951517b3b8d38b12f874b66196c9'
              - 'IMPHASH=be10bb45cef8dcc6869b921dd20884ae'
              - 'IMPHASH=4e3e7ce958acceeb80e70eeb7d75870e'
              - 'IMPHASH=fc40519af20116c903e3ff836e366e39'
              - 'IMPHASH=1975641ebd67bc0f49282a7b8555b7b2'
              - 'IMPHASH=468ad8de9dcf3ce7a0becc5916ec6adb'
              - 'IMPHASH=e5d81cf6a49d9472d6de8c1764efdfb4'
              - 'IMPHASH=b87afca7a1175b7eb49b7c1eb6d58adf'
    selection_img_cli:
        # Note: This selection can be prone to FP. An initial baseline is required
        Image|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\$Recycle.bin'
            - '\AppData\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Links\'
            - '\Music\'
            - '\Photos\'
            - '\Pictures\'
            - '\Saved Games\'
            - '\Searches\'
            - '\Users\Contacts\'
            - '\Users\Default\'
            - '\Users\Searches\'
            - '\Videos\'
            - '\Windows\addins\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
        CommandLine|endswith:
            - '.exe all'
            - '.exe browsers'
            - '.exe chats'
            - '.exe databases'
            - '.exe games'
            - '.exe git'
            - '.exe mails'
            - '.exe maven'
            - '.exe memory'
            - '.exe multimedia'
            # - '.exe php' # Might be prone to FP
            # - '.exe svn' # Might be prone to FP
            - '.exe sysadmin'
            - '.exe unused'
            - '.exe wifi'
            - '.exe windows'
    selection_cli_modules:
        CommandLine|contains:
            - 'all '
            - 'browsers '
            - 'chats '
            - 'databases '
            - 'games '
            - 'mails '
            - 'maven '
            - 'memory '
            - 'multimedia '
            - 'php '
            - 'svn '
            - 'sysadmin '
            - 'unused '
            - 'wifi '
    selection_cli_options:
        CommandLine|contains:
            - '-1Password'
            - '-apachedirectorystudio'
            - '-autologon'
            - '-ChromiumBased'
            - '-coreftp'
            - '-credfiles'
            - '-credman'
            - '-cyberduck'
            - '-dbvis'
            - '-EyeCon'
            - '-filezilla'
            - '-filezillaserver'
            - '-ftpnavigator'
            - '-galconfusion'
            - '-gitforwindows'
            - '-hashdump'
            - '-iisapppool'
            - '-IISCentralCertP'
            - '-kalypsomedia'
            - '-keepass'
            - '-keepassconfig'
            - '-lsa_secrets'
            - '-mavenrepositories'
            - '-memory_dump'
            - '-Mozilla'
            - '-mRemoteNG'
            - '-mscache'
            - '-opensshforwindows'
            - '-openvpn'
            - '-outlook'
            - '-pidgin'
            - '-postgresql'
            - '-psi-im'
            - '-puttycm'
            - '-pypykatz'
            - '-Rclone'
            - '-rdpmanager'
            - '-robomongo'
            - '-roguestale'
            - '-skype'
            - '-SQLDeveloper'
            - '-squirrel'
            - '-tortoise'
            - '-turba'
            - '-UCBrowser'
            - '-unattended'
            - '-vault'
            - '-vaultfiles'
            - '-vnc'
            - '-winscp'
    condition: selection_metadata or selection_img_cli or all of selection_cli_*
falsepositives:
    - Some false positive is expected from tools with similar command line flags.
# Note: Increase the level to "high" after an initial baseline
level: medium
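The condition above combines four selections in three different ways: selection_metadata is a list of two maps (OR between them), selection_img_cli is one map with two fields (AND between Image and CommandLine), and the two selection_cli_* selections are only counted when both hold. The following is an added example, not SigmaHQ or LaZagne code, that hand-translates those selections into Python and runs them over constructed Sysmon-style process_creation events. It assumes Sigma's default case-insensitive string matching, reproduces the rule's lists (with the long selection_cli_options list abbreviated to a subset), and uses field names Image, CommandLine and Hashes as in the rule.

```python
"""Evaluate the LaZagne Sigma rule's condition over constructed process_creation events.

Added example, not SigmaHQ or LaZagne code. Assumed Sigma semantics: endswith/contains
match case-insensitively; a list under one field is OR; several fields inside one map
are AND; a selection written as a list of maps is OR across the maps.
"""


def _split(spec: str) -> list:
    # Split a '|'-separated spec, drop empties, fold to lower case (Sigma matching is case-insensitive)
    return [s.lower() for s in spec.split("|") if s]


# selection_metadata: the IMPHASH values listed in the rule
IMPHASHES = _split(
    "IMPHASH=ba5546933531fafa869b1f86a4e2a959|IMPHASH=7aa1951517b3b8d38b12f874b66196c9|"
    "IMPHASH=be10bb45cef8dcc6869b921dd20884ae|IMPHASH=4e3e7ce958acceeb80e70eeb7d75870e|"
    "IMPHASH=fc40519af20116c903e3ff836e366e39|IMPHASH=1975641ebd67bc0f49282a7b8555b7b2|"
    "IMPHASH=468ad8de9dcf3ce7a0becc5916ec6adb|IMPHASH=e5d81cf6a49d9472d6de8c1764efdfb4|"
    "IMPHASH=b87afca7a1175b7eb49b7c1eb6d58adf"
)

# selection_img_cli: user-writable or unusual directories (trailing '|' keeps the raw string valid)
SUSPICIOUS_DIRS = _split(
    r":\PerfLogs\|:\ProgramData\|:\Temp\|:\Tmp\|:\Users\Public\|:\Windows\Temp\|"
    r"\$Recycle.bin|\AppData\|\Desktop\|\Downloads\|\Favorites\|\Links\|\Music\|\Photos\|"
    r"\Pictures\|\Saved Games\|\Searches\|\Users\Contacts\|\Users\Default\|\Users\Searches\|"
    r"\Videos\|\Windows\addins\|\Windows\Fonts\|\Windows\IME\|"
)

# selection_img_cli: module name as the last token ('php' and 'svn' are commented out in the rule)
MODULE_SUFFIXES = [".exe " + m for m in _split(
    "all|browsers|chats|databases|games|git|mails|maven|memory|multimedia|sysadmin|unused|wifi|windows")]

# selection_cli_modules: module name followed by a space, i.e. more arguments follow
MODULE_TOKENS = [m + " " for m in _split(
    "all|browsers|chats|databases|games|mails|maven|memory|multimedia|php|svn|sysadmin|unused|wifi")]

# selection_cli_options: a subset of the per-software flags from the rule
OPTION_FLAGS = _split(
    "-1Password|-autologon|-ChromiumBased|-credman|-hashdump|-keepass|-lsa_secrets|"
    "-memory_dump|-Mozilla|-mscache|-pypykatz|-vault|-winscp"
)


def _endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n in v for n in needles)


def selection_metadata(event: dict) -> bool:
    # Two maps in a list: image name OR a known import hash
    return (_endswith_any(event.get("Image", ""), [r"\lazagne.exe"])
            or _contains_any(event.get("Hashes", ""), IMPHASHES))


def selection_img_cli(event: dict) -> bool:
    # Two fields in one map: suspicious directory AND module as last token
    return (_contains_any(event.get("Image", ""), SUSPICIOUS_DIRS)
            and _endswith_any(event.get("CommandLine", ""), MODULE_SUFFIXES))


def selection_cli_modules(event: dict) -> bool:
    return _contains_any(event.get("CommandLine", ""), MODULE_TOKENS)


def selection_cli_options(event: dict) -> bool:
    return _contains_any(event.get("CommandLine", ""), OPTION_FLAGS)


def matched_selections(event: dict) -> list:
    # Names of the selections the event satisfies, in rule order
    checks = [("selection_metadata", selection_metadata), ("selection_img_cli", selection_img_cli),
              ("selection_cli_modules", selection_cli_modules), ("selection_cli_options", selection_cli_options)]
    return [name for name, fn in checks if fn(event)]


def rule_matches(event: dict) -> bool:
    # condition: selection_metadata or selection_img_cli or all of selection_cli_*
    hit = set(matched_selections(event))
    return ("selection_metadata" in hit or "selection_img_cli" in hit
            or {"selection_cli_modules", "selection_cli_options"} <= hit)


# Constructed sample events with Sysmon-style field names; none of this is real telemetry
SAMPLE_EVENTS = {
    "renamed_in_public": {"Image": r"C:\Users\Public\update.exe", "CommandLine": "update.exe browsers",
                          "Hashes": "SHA256=0000"},
    "known_imphash": {"Image": r"C:\Tools\svc.exe", "CommandLine": "svc.exe",
                      "Hashes": "MD5=0000,IMPHASH=BA5546933531FAFA869B1F86A4E2A959"},
    "module_plus_option": {"Image": r"C:\Tools\svc.exe", "CommandLine": "svc.exe browsers -Mozilla -vault",
                           "Hashes": ""},
    "benign_git": {"Image": r"C:\Program Files\Git\bin\git.exe", "CommandLine": "git.exe all", "Hashes": ""},
}


def evaluate_samples() -> dict:
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:20} match={rule_matches(ev)!s:5} via {matched_selections(ev)}")
```

The benign_git event shows why the rule pairs each weak indicator with a second one: "git.exe all" satisfies the CommandLine half of selection_img_cli, but the image sits under Program Files, and the bare "all" without a following flag satisfies neither selection_cli_modules nor selection_cli_options, so nothing fires. The known_imphash event also shows that an upper-case hash string in the event still matches, which is what the rule relies on when the binary has been renamed.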
