HackTool - LaZagne Execution
Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors to dump credentials.
Sigma rule
title: HackTool - LaZagne Execution
id: c2b86e67-b880-4eec-b045-50bc98ef4844
status: experimental
description: |
    Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.
    LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
references:
    - https://github.com/AlessandroZ/LaZagne/tree/master
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
    - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
    - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel, Nextron Systems
date: 2024-06-24
modified: 2025-06-04
tags:
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_metadata:
        - Image|endswith: '\lazagne.exe'
        - Hashes|contains:
              - 'IMPHASH=ba5546933531fafa869b1f86a4e2a959'
              - 'IMPHASH=7aa1951517b3b8d38b12f874b66196c9'
              - 'IMPHASH=be10bb45cef8dcc6869b921dd20884ae'
              - 'IMPHASH=4e3e7ce958acceeb80e70eeb7d75870e'
              - 'IMPHASH=fc40519af20116c903e3ff836e366e39'
              - 'IMPHASH=1975641ebd67bc0f49282a7b8555b7b2'
              - 'IMPHASH=468ad8de9dcf3ce7a0becc5916ec6adb'
              - 'IMPHASH=e5d81cf6a49d9472d6de8c1764efdfb4'
              - 'IMPHASH=b87afca7a1175b7eb49b7c1eb6d58adf'
    selection_img_cli:
        # Note: This selection can be prone to FP. An initial baseline is required
        Image|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\$Recycle.bin'
            - '\AppData\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Links\'
            - '\Music\'
            - '\Photos\'
            - '\Pictures\'
            - '\Saved Games\'
            - '\Searches\'
            - '\Users\Contacts\'
            - '\Users\Default\'
            - '\Users\Searches\'
            - '\Videos\'
            - '\Windows\addins\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
        CommandLine|endswith:
            - '.exe all'
            - '.exe browsers'
            - '.exe chats'
            - '.exe databases'
            - '.exe games'
            - '.exe git'
            - '.exe mails'
            - '.exe maven'
            - '.exe memory'
            - '.exe multimedia'
            # - '.exe php' # Might be prone to FP
            # - '.exe svn' # Might be prone to FP
            - '.exe sysadmin'
            - '.exe unused'
            - '.exe wifi'
            - '.exe windows'
    selection_cli_modules:
        CommandLine|contains:
            - 'all '
            - 'browsers '
            - 'chats '
            - 'databases '
            - 'games '
            - 'mails '
            - 'maven '
            - 'memory '
            - 'multimedia '
            - 'php '
            - 'svn '
            - 'sysadmin '
            - 'unused '
            - 'wifi '
    selection_cli_options:
        CommandLine|contains:
            - '-1Password'
            - '-apachedirectorystudio'
            - '-autologon'
            - '-ChromiumBased'
            - '-coreftp'
            - '-credfiles'
            - '-credman'
            - '-cyberduck'
            - '-dbvis'
            - '-EyeCon'
            - '-filezilla'
            - '-filezillaserver'
            - '-ftpnavigator'
            - '-galconfusion'
            - '-gitforwindows'
            - '-hashdump'
            - '-iisapppool'
            - '-IISCentralCertP'
            - '-kalypsomedia'
            - '-keepass'
            - '-keepassconfig'
            - '-lsa_secrets'
            - '-mavenrepositories'
            - '-memory_dump'
            - '-Mozilla'
            - '-mRemoteNG'
            - '-mscache'
            - '-opensshforwindows'
            - '-openvpn'
            - '-outlook'
            - '-pidgin'
            - '-postgresql'
            - '-psi-im'
            - '-puttycm'
            - '-pypykatz'
            - '-Rclone'
            - '-rdpmanager'
            - '-robomongo'
            - '-roguestale'
            - '-skype'
            - '-SQLDeveloper'
            - '-squirrel'
            - '-tortoise'
            - '-turba'
            - '-UCBrowser'
            - '-unattended'
            - '-vault'
            - '-vaultfiles'
            - '-vnc'
            - '-winscp'
    condition: selection_metadata or selection_img_cli or all of selection_cli_*
falsepositives:
    - Some false positive is expected from tools with similar command line flags.
# Note: Increase the level to "high" after an initial baseline
level: medium
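As an added illustration, not part of the Sigma rule or of the SigmaHQ project's own tooling, the Python below re-implements the rule's four selections and its condition and runs them over constructed process-creation events. Field names follow the Sysmon/Sigma convention the rule uses (Image, CommandLine, Hashes); all sample events are constructed, and any hash value other than the rule's own IMPHASH list is a placeholder.

```python
"""Evaluate the 'HackTool - LaZagne Execution' Sigma logic over sample events.

Sigma's string modifiers (contains / endswith) are case-insensitive, so both
sides of every comparison below are lowercased before matching.
"""

# IMPHASH values listed in selection_metadata of the rule.
LAZAGNE_IMPHASHES = (
    "ba5546933531fafa869b1f86a4e2a959", "7aa1951517b3b8d38b12f874b66196c9",
    "be10bb45cef8dcc6869b921dd20884ae", "4e3e7ce958acceeb80e70eeb7d75870e",
    "fc40519af20116c903e3ff836e366e39", "1975641ebd67bc0f49282a7b8555b7b2",
    "468ad8de9dcf3ce7a0becc5916ec6adb", "e5d81cf6a49d9472d6de8c1764efdfb4",
    "b87afca7a1175b7eb49b7c1eb6d58adf",
)
# Image|contains values of selection_img_cli (user-writable or unusual paths).
SUSPICIOUS_PATHS = (
    ":\\PerfLogs\\", ":\\ProgramData\\", ":\\Temp\\", ":\\Tmp\\", ":\\Users\\Public\\",
    ":\\Windows\\Temp\\", "\\$Recycle.bin", "\\AppData\\", "\\Desktop\\", "\\Downloads\\",
    "\\Favorites\\", "\\Links\\", "\\Music\\", "\\Photos\\", "\\Pictures\\",
    "\\Saved Games\\", "\\Searches\\", "\\Users\\Contacts\\", "\\Users\\Default\\",
    "\\Users\\Searches\\", "\\Videos\\", "\\Windows\\addins\\", "\\Windows\\Fonts\\",
    "\\Windows\\IME\\",
)
# CommandLine|endswith values of selection_img_cli (module name as last argument).
CLI_SUFFIXES = tuple(".exe " + m for m in (
    "all", "browsers", "chats", "databases", "games", "git", "mails", "maven",
    "memory", "multimedia", "sysadmin", "unused", "wifi", "windows",
))
# CommandLine|contains values of selection_cli_modules (module followed by a space).
CLI_MODULES = tuple(m + " " for m in (
    "all", "browsers", "chats", "databases", "games", "mails", "maven", "memory",
    "multimedia", "php", "svn", "sysadmin", "unused", "wifi",
))
# CommandLine|contains values of selection_cli_options (per-software flags).
CLI_OPTIONS = (
    "-1Password", "-apachedirectorystudio", "-autologon", "-ChromiumBased", "-coreftp",
    "-credfiles", "-credman", "-cyberduck", "-dbvis", "-EyeCon", "-filezilla",
    "-filezillaserver", "-ftpnavigator", "-galconfusion", "-gitforwindows", "-hashdump",
    "-iisapppool", "-IISCentralCertP", "-kalypsomedia", "-keepass", "-keepassconfig",
    "-lsa_secrets", "-mavenrepositories", "-memory_dump", "-Mozilla", "-mRemoteNG",
    "-mscache", "-opensshforwindows", "-openvpn", "-outlook", "-pidgin", "-postgresql",
    "-psi-im", "-puttycm", "-pypykatz", "-Rclone", "-rdpmanager", "-robomongo",
    "-roguestale", "-skype", "-SQLDeveloper", "-squirrel", "-tortoise", "-turba",
    "-UCBrowser", "-unattended", "-vault", "-vaultfiles", "-vnc", "-winscp",
)


def _contains_any(value, needles):
    """Sigma 'contains' over a list: any needle is a case-insensitive substring."""
    low = value.lower()
    return any(n.lower() in low for n in needles)


def _endswith_any(value, needles):
    """Sigma 'endswith' over a list, case-insensitive."""
    low = value.lower()
    return any(low.endswith(n.lower()) for n in needles)


def matched_selections(event):
    """Return the names of the rule's selections that the event satisfies."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    hashes = event.get("Hashes", "")
    hits = set()
    # A YAML list of maps under a selection is OR-ed: image name OR import hash.
    if _endswith_any(image, ("\\lazagne.exe",)) or _contains_any(
        hashes, tuple("IMPHASH=" + h for h in LAZAGNE_IMPHASHES)
    ):
        hits.add("selection_metadata")
    # Keys inside one map are AND-ed: suspicious path AND module as last argument.
    if _contains_any(image, SUSPICIOUS_PATHS) and _endswith_any(cmd, CLI_SUFFIXES):
        hits.add("selection_img_cli")
    if _contains_any(cmd, CLI_MODULES):
        hits.add("selection_cli_modules")
    if _contains_any(cmd, CLI_OPTIONS):
        hits.add("selection_cli_options")
    return hits


def rule_matches(event):
    """condition: selection_metadata or selection_img_cli or all of selection_cli_*"""
    hits = matched_selections(event)
    return ("selection_metadata" in hits or "selection_img_cli" in hits
            or {"selection_cli_modules", "selection_cli_options"} <= hits)


# Constructed process-creation events, not real telemetry. The SHA256 value is a
# placeholder; the IMPHASH is one of the rule's own values, upper-cased on purpose.
SAMPLE_EVENTS = {
    "unrenamed_in_public": {"Image": "C:\\Users\\Public\\LaZagne.exe", "CommandLine": "LaZagne.exe all"},
    "renamed_module_and_flag": {"Image": "C:\\Tools\\x.exe", "CommandLine": "x.exe browsers -Mozilla"},
    "renamed_known_imphash": {"Image": "C:\\ProgramData\\svc.exe", "CommandLine": "svc.exe",
                              "Hashes": "SHA256=PLACEHOLDER,IMPHASH=BA5546933531FAFA869B1F86A4E2A959"},
    "installer_fp_candidate": {"Image": "C:\\Tools\\setup.exe", "CommandLine": "setup.exe install -quiet"},
    "benign_shell": {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:26} match={rule_matches(ev)!s:5} {sorted(matched_selections(ev))}")
```

The `installer_fp_candidate` event shows why the rule pairs `selection_cli_modules` with `selection_cli_options` under `all of selection_cli_*`: the substring `'all '` also sits inside `install `, so a module word on its own would fire on ordinary installers, and only the combination with a LaZagne-specific flag is treated as a hit. `selection_img_cli` is the branch the rule's own comment marks as needing a baseline, since its path list covers directories that legitimate software also runs from.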
Related rules
- Bitbucket User Login Failure Via SSH
- DPAPI Backup Keys And Certificate Export Activity IOC
- HackTool - Impacket Tools Execution
- Hacktool Execution - Imphash
- Interesting Service Enumeration Via Sc.EXE