Lazagne dumping credentials

calendar Feb 23, 2024 · attack.credential_access attack.t1555  ·
Share on: linkedin copy

Detects the use of lazagne using command line execution.

Sigma rule (View on GitHub)

 1title: Lazagne dumping credentials
 2id: ce435e85-f322-494c-b11d-7f03201e7da7
 3status: experimental
 4description: Detects the use of lazagne using  command line execution.
 5author: 'Kostastsale, TheDFIRReport'
 6references:
 7- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 8- https://github.com/AlessandroZ/LaZagne/blob/master/Windows/lazagne/config/execute_cmd.py
 9date: 2022-05-09
10modified: 2024-02-23
11logsource:
12  product: windows
13  category: process_creation
14detection:
15  selection1:
16    Image|endswith:
17      - '\cmd.exe'
18      - '\powershell.exe'
19    CommandLine|contains|all:
20      - '/c'
21      - 'reg.exe'
22      - 'save'
23    ParentCommandLine|contains:
24      - 'all'
25  selection2:
26    ParentCommandLine|contains:
27      - '-oN'
28      - '-oA'
29      - '-oJ'
30      - '-quiet'
31      - '-output'
32    CommandLine|contains:
33      - 'hklm\system'
34      - 'hklm\security'
35      - 'hklm\sam'
36  modules:
37    Image|endswith:
38      - '\lazagne.exe'
39    CommandLine|contains:
40      - 'browsers'
41      - 'chats'
42      - 'databases'
43      - 'games'
44      - 'memory'
45      - 'git'
46      - 'maven'
47      - 'sysadmin'
48      - 'php'
49      - 'svn'
50      - 'multimedia'
51  condition: (selection1 and selection2) or modules
52falsepositives:
53  - Unknown
54level: high
55tags:
56  - attack.credential_access
57  - attack.t1555

References

Related rules

to-top