HackTool - LaZagne Execution
Detects the execution of LaZagne, a utility used to retrieve many types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors to dump credentials.
Sigma rule

```yaml
title: HackTool - LaZagne Execution
id: c2b86e67-b880-4eec-b045-50bc98ef4844
status: experimental
description: |
    Detects the execution of LaZagne, a utility used to retrieve many types of passwords stored on a local computer.
    LaZagne has been leveraged multiple times by threat actors to dump credentials.
references:
    - https://github.com/AlessandroZ/LaZagne/tree/master
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
    - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
    - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
modified: 2024-08-16
tags:
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith: '\lazagne.exe'
    selection_clionly:
        # Note: This selection can be prone to FP. An initial baseline is required
        Image|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Windows\Temp\'
            - '\AppData\'
            - '\Downloads\'
            - '\Users\Public\'
        CommandLine|endswith:
            - '.exe all'
            - '.exe browsers'
            - '.exe chats'
            - '.exe databases'
            - '.exe games'
            - '.exe git'
            - '.exe mails'
            - '.exe maven'
            - '.exe memory'
            - '.exe multimedia'
            # - '.exe php' # Might be prone to FP
            # - '.exe svn' # Might be prone to FP
            - '.exe sysadmin'
            - '.exe unused'
            - '.exe wifi'
            - '.exe windows'
    selection_cli_modules:
        CommandLine|contains:
            - 'all '
            - 'browsers '
            - 'chats '
            - 'databases '
            - 'games '
            - 'git '
            - 'mails '
            - 'maven '
            - 'memory '
            - 'multimedia '
            - 'php '
            - 'svn '
            - 'sysadmin '
            - 'unused '
            - 'wifi '
            - 'windows '
    selection_cli_options:
        CommandLine|contains:
            - '-oA'
            - '-oJ'
            - '-oN'
            - '-output'
            - '-password'
            - '-1Password'
            - '-apachedirectorystudio'
            - '-autologon'
            - '-ChromiumBased'
            - '-composer'
            - '-coreftp'
            - '-credfiles'
            - '-credman'
            - '-cyberduck'
            - '-dbvis'
            - '-EyeCon'
            - '-filezilla'
            - '-filezillaserver'
            - '-ftpnavigator'
            - '-galconfusion'
            - '-gitforwindows'
            - '-hashdump'
            - '-iisapppool'
            - '-IISCentralCertP'
            - '-kalypsomedia'
            - '-keepass'
            - '-keepassconfig'
            - '-lsa_secrets'
            - '-mavenrepositories'
            - '-memory_dump'
            - '-Mozilla'
            - '-mRemoteNG'
            - '-mscache'
            - '-opensshforwindows'
            - '-openvpn'
            - '-outlook'
            - '-pidgin'
            - '-postgresql'
            - '-psi-im'
            - '-puttycm'
            - '-pypykatz'
            - '-Rclone'
            - '-rdpmanager'
            - '-robomongo'
            - '-roguestale'
            - '-skype'
            - '-SQLDeveloper'
            - '-squirrel'
            - '-tortoise'
            - '-turba'
            - '-UCBrowser'
            - '-unattended'
            - '-vault'
            - '-vaultfiles'
            - '-vnc'
            - '-windows'
            - '-winscp'
            - '-wsl'
    condition: selection_img or selection_clionly or (selection_cli_modules and selection_cli_options)
falsepositives:
    - Some false positives are expected from tools with similar command line flags.
# Note: Increase the level to "high" after an initial baseline
level: medium
```
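The rule has three ways to fire: the unrenamed binary name, a renamed binary launched from a user-writable or staging directory with a bare module argument, or a module name combined with one of LaZagne's own option flags anywhere in the command line. The script below re-implements that detection block in plain Python and runs it over a handful of constructed process_creation events, so you can see which branch catches the original binary, a renamed copy in `C:\Windows\Temp`, a renamed copy run from an unlisted directory with output options, the evasion gap when no listed option is used, and the kind of flag overlap (here an nmap command line using `-oA`) behind the rule's false-positive note. This is an added example, not code from the Sigma project or from LaZagne; the event ids, paths and command lines are made up, and only the field names (`Image`, `CommandLine`) follow Sigma's process_creation taxonomy. Sigma's plain string modifiers compare case-insensitively, which the helpers reproduce.

```python
"""Plain-Python re-implementation of the detection block of the Sigma rule
above, evaluated over constructed Windows process_creation events.

Added example, not code from the Sigma project or from LaZagne. The events
below are made up for illustration; field names follow Sigma's
process_creation taxonomy. Matching is case-insensitive, as in Sigma.
"""

# selection_clionly, Image|contains. Escaped backslashes because a Python raw
# string cannot end in a backslash.
SUSPICIOUS_DIRS = [
    ":\\PerfLogs\\", ":\\ProgramData\\", ":\\Temp\\", ":\\Tmp\\",
    ":\\Windows\\Temp\\", "\\AppData\\", "\\Downloads\\", "\\Users\\Public\\",
]

# LaZagne module names. php and svn are commented out of selection_clionly in
# the rule but still listed in selection_cli_modules.
MODULES_CLIONLY = [
    "all", "browsers", "chats", "databases", "games", "git", "mails", "maven",
    "memory", "multimedia", "sysadmin", "unused", "wifi", "windows",
]
MODULES = MODULES_CLIONLY + ["php", "svn"]

# selection_cli_options, CommandLine|contains, transcribed from the rule.
OPTIONS = [
    "-oA", "-oJ", "-oN", "-output", "-password", "-1Password",
    "-apachedirectorystudio", "-autologon", "-ChromiumBased", "-composer",
    "-coreftp", "-credfiles", "-credman", "-cyberduck", "-dbvis", "-EyeCon",
    "-filezilla", "-filezillaserver", "-ftpnavigator", "-galconfusion",
    "-gitforwindows", "-hashdump", "-iisapppool", "-IISCentralCertP",
    "-kalypsomedia", "-keepass", "-keepassconfig", "-lsa_secrets",
    "-mavenrepositories", "-memory_dump", "-Mozilla", "-mRemoteNG", "-mscache",
    "-opensshforwindows", "-openvpn", "-outlook", "-pidgin", "-postgresql",
    "-psi-im", "-puttycm", "-pypykatz", "-Rclone", "-rdpmanager", "-robomongo",
    "-roguestale", "-skype", "-SQLDeveloper", "-squirrel", "-tortoise", "-turba",
    "-UCBrowser", "-unattended", "-vault", "-vaultfiles", "-vnc", "-windows",
    "-winscp", "-wsl",
]


def _lc_contains_any(value, needles):
    """Sigma 'contains' with a value list: any needle in value, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _lc_endswith_any(value, suffixes):
    """Sigma 'endswith' with a value list, case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_img(event):
    return _lc_endswith_any(event.get("Image", ""), ["\\lazagne.exe"])


def selection_clionly(event):
    # The two field conditions inside one selection are ANDed in Sigma.
    return (_lc_contains_any(event.get("Image", ""), SUSPICIOUS_DIRS)
            and _lc_endswith_any(event.get("CommandLine", ""),
                                 [".exe " + m for m in MODULES_CLIONLY]))


def selection_cli_modules(event):
    # Trailing space in each needle: the module must be followed by something.
    return _lc_contains_any(event.get("CommandLine", ""), [m + " " for m in MODULES])


def selection_cli_options(event):
    return _lc_contains_any(event.get("CommandLine", ""), OPTIONS)


def fired_selections(event):
    """Names of the condition branches that match, in condition order."""
    fired = []
    if selection_img(event):
        fired.append("selection_img")
    if selection_clionly(event):
        fired.append("selection_clionly")
    if selection_cli_modules(event) and selection_cli_options(event):
        fired.append("selection_cli_modules and selection_cli_options")
    return fired


def matches(event):
    """The rule's condition: img or clionly or (modules and options)."""
    return bool(fired_selections(event))


# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": "original-binary", "Image": r"C:\Users\bob\Downloads\laZagne.exe",
     "CommandLine": "laZagne.exe all"},
    {"id": "renamed-in-temp", "Image": r"C:\Windows\Temp\svchost.exe",
     "CommandLine": "svchost.exe browsers"},
    {"id": "renamed-with-options", "Image": r"C:\Program Files\Tools\u.exe",
     "CommandLine": r"u.exe browsers -oJ -output C:\out"},
    {"id": "renamed-no-listed-option", "Image": r"C:\Program Files\Tools\u.exe",
     "CommandLine": "u.exe browsers -quiet"},
    {"id": "nmap-flag-overlap", "Image": r"C:\Program Files (x86)\Nmap\nmap.exe",
     "CommandLine": "nmap.exe -sV -oA windows 10.0.0.5"},
    {"id": "benign-svchost", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:<26} match={matches(ev)!s:<5} via {fired_selections(ev)}")
```

Two things worth noticing when baselining: the `renamed-no-listed-option` event shows that a renamed binary outside the listed directories only fires when one of the enumerated option flags is present, and the `nmap-flag-overlap` event shows why the rule ships at `medium` with a false-positive note, since any tool whose flags collide with `-oA`/`-oN`/`-oJ` and whose arguments happen to contain a module word followed by a space will match the third branch.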