HackTool - LaZagne Execution

Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.

Sigma rule

title: HackTool - LaZagne Execution
id: c2b86e67-b880-4eec-b045-50bc98ef4844
status: experimental
description: |
    Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer.
    LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
references:
    - https://github.com/AlessandroZ/LaZagne/tree/master
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
    - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
    - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/06/24
tags:
    - attack.credential_access
logsource:
    product: windows
    service: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith: '\lazagne.exe'
    selection_clionly:
        # Note: This selection can be prone to FP. An initial baseline is required
        Image|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Windows\Temp\'
            - '\AppData\'
            - '\Downloads\'
            - '\Users\Public\'
        CommandLine|endswith:
            - '.exe all'
            - '.exe browsers'
            - '.exe chats'
            - '.exe databases'
            - '.exe games'
            - '.exe git'
            - '.exe mails'
            - '.exe maven'
            - '.exe memory'
            - '.exe multimedia'
            # - '.exe php' # Might be prone to FP
            # - '.exe svn' # Might be prone to FP
            - '.exe sysadmin'
            - '.exe unused'
            - '.exe wifi'
            - '.exe windows'
    selection_cli_modules:
        CommandLine|contains:
            - 'all '
            - 'browsers '
            - 'chats '
            - 'databases '
            - 'games '
            - 'git '
            - 'mails '
            - 'maven '
            - 'memory '
            - 'multimedia '
            - 'php '
            - 'svn '
            - 'sysadmin '
            - 'unused '
            - 'wifi '
            - 'windows '
    selection_cli_options:
        CommandLine|contains:
            - '-oA'
            - '-oJ'
            - '-oN'
            - '-output'
            - '-password'
            - '-1Password'
            - '-apachedirectorystudio'
            - '-autologon'
            - '-ChromiumBased'
            - '-composer'
            - '-coreftp'
            - '-credfiles'
            - '-credman'
            - '-cyberduck'
            - '-dbvis'
            - '-EyeCon'
            - '-filezilla'
            - '-filezillaserver'
            - '-ftpnavigator'
            - '-galconfusion'
            - '-gitforwindows'
            - '-hashdump'
            - '-iisapppool'
            - '-IISCentralCertP'
            - '-kalypsomedia'
            - '-keepass'
            - '-keepassconfig'
            - '-lsa_secrets'
            - '-mavenrepositories'
            - '-memory_dump'
            - '-Mozilla'
            - '-mRemoteNG'
            - '-mscache'
            - '-opensshforwindows'
            - '-openvpn'
            - '-outlook'
            - '-pidgin'
            - '-postgresql'
            - '-psi-im'
            - '-puttycm'
            - '-pypykatz'
            - '-Rclone'
            - '-rdpmanager'
            - '-robomongo'
            - '-roguestale'
            - '-skype'
            - '-SQLDeveloper'
            - '-squirrel'
            - '-tortoise'
            - '-turba'
            - '-UCBrowser'
            - '-unattended'
            - '-vault'
            - '-vaultfiles'
            - '-vnc'
            - '-windows'
            - '-winscp'
            - '-wsl'
    condition: selection_img or selection_clionly or (selection_cli_modules and selection_cli_options)
falsepositives:
    - Some false positives are expected from tools with similar command line flags.
# Note: Increase the level to "high" after an initial baseline
level: medium
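The rule's condition evaluated over constructed process-creation events, to show which selection fires in each case and why the rule asks for a baseline. This is an added example, not part of the rule or of any Sigma tooling; the event dictionaries and the tool names `svc.exe` and `updater.exe` are hypothetical, and `OPTIONS` holds only the first five entries of `selection_cli_options`.

```python
# Added example: re-implements the rule's condition in plain Python.
# Sigma string matching is case-insensitive by default, so values are lowercased.
DIRS = [":\\PerfLogs\\", ":\\ProgramData\\", ":\\Temp\\", ":\\Tmp\\",
        ":\\Windows\\Temp\\", "\\AppData\\", "\\Downloads\\", "\\Users\\Public\\"]
MODULES = ("all browsers chats databases games git mails maven memory "
           "multimedia php svn sysadmin unused wifi windows").split()
# selection_clionly leaves out php and svn (commented out in the rule as FP-prone)
CLIONLY = [m for m in MODULES if m not in ("php", "svn")]
# Assumption: first five entries of selection_cli_options only
OPTIONS = ["-oA", "-oJ", "-oN", "-output", "-password"]

def contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)

def endswith_any(value, needles):
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)

def match(event):
    """Return the selections that satisfy the condition ([] means no alert)."""
    img, cli = event["Image"], event["CommandLine"]
    hits = []
    if endswith_any(img, ["\\lazagne.exe"]):
        hits.append("selection_img")
    # Fields inside one selection are ANDed; list values are ORed.
    if contains_any(img, DIRS) and endswith_any(cli, [".exe " + m for m in CLIONLY]):
        hits.append("selection_clionly")
    if contains_any(cli, [m + " " for m in MODULES]) and contains_any(cli, OPTIONS):
        hits.append("selection_cli_modules and selection_cli_options")
    return hits

# Constructed sample events (not taken from real telemetry)
SAMPLES = {
    "original name": {"Image": "C:\\Users\\bob\\Downloads\\LaZagne.exe",
                      "CommandLine": "LaZagne.exe all"},
    "renamed binary": {"Image": "C:\\ProgramData\\svc.exe",
                       "CommandLine": "svc.exe browsers -oJ"},
    "benign lookalike": {"Image": "C:\\Program Files\\Vendor\\updater.exe",
                         "CommandLine": "updater.exe install all -output C:\\logs\\u.txt"},
    "benign": {"Image": "C:\\Windows\\System32\\notepad.exe",
               "CommandLine": "notepad.exe notes.txt"},
}

if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(f"{name:17} -> {match(event) or 'no match'}")
```

The "benign lookalike" event alerts only because its command line contains `all ` and `-output`, which is the kind of false positive the rule's `falsepositives` entry describes.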
