Lazagne dumping credentials
Detects LaZagne credential dumping from Windows process creation events. It fires either when cmd.exe or powershell.exe runs `reg.exe save` against the SAM, SYSTEM or SECURITY hive while the parent command line carries LaZagne's `all` module and one of its output switches (`-oN`, `-oA`, `-oJ`, `-quiet`, `-output`), or when lazagne.exe is launched directly with one of its module names.
Sigma rule

```yaml
title: Lazagne dumping credentials
id: ce435e85-f322-494c-b11d-7f03201e7da7
status: experimental
description: Detects the use of lazagne using command line execution.
author: 'Kostastsale, TheDFIRReport'
references:
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://github.com/AlessandroZ/LaZagne/blob/master/Windows/lazagne/config/execute_cmd.py
date: 2022-05-09
modified: 2024-02-23
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains|all:
            - '/c'
            - 'reg.exe'
            - 'save'
        ParentCommandLine|contains: 'all'
    selection2:
        ParentCommandLine|contains:
            - '-oN'
            - '-oA'
            - '-oJ'
            - '-quiet'
            - '-output'
        CommandLine|contains:
            - 'hklm\system'
            - 'hklm\security'
            - 'hklm\sam'
    modules:
        Image|endswith: '\lazagne.exe'
        CommandLine|contains:
            - 'browsers'
            - 'chats'
            - 'databases'
            - 'games'
            - 'memory'
            - 'git'
            - 'maven'
            - 'sysadmin'
            - 'php'
            - 'svn'
            - 'multimedia'
    condition: (selection1 and selection2) or modules
falsepositives:
    - Unknown
level: high
tags:
    - attack.credential-access
    - attack.t1555
```
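To see how the three selections combine, here is the rule's logic ported by hand to Python and run over a few constructed process creation events. This is an added example, not code from the rule's authors or from the SigmaHQ project; the events are made up (the lazagne.exe paths and the `backup_all.bat` parent are assumptions, modelled on how LaZagne's `execute_cmd.py` shells out to reg.exe), and Sigma's `contains`/`endswith` modifiers are treated as case-insensitive substring tests, which is Sigma's default. The third event is there to show why the `all` substring in selection1 is not enough on its own: a hand-run hive backup trips selection1, and only the missing LaZagne output switch in selection2 keeps it from alerting.

```python
"""Port of the Lazagne Sigma rule's detection logic, run over constructed events.

Added example, not part of the rule page or the SigmaHQ project.
"""
from typing import Dict, List

Event = Dict[str, str]


def _lower(event: Event, field: str) -> str:
    """Sigma string modifiers are case-insensitive by default; normalise once."""
    return event.get(field, "").lower()


def selection1(event: Event) -> bool:
    """cmd.exe/powershell.exe running 'reg.exe save' via '/c', parent cmdline has 'all'."""
    image = _lower(event, "Image")
    cmd = _lower(event, "CommandLine")
    parent = _lower(event, "ParentCommandLine")
    return (
        (image.endswith("\\cmd.exe") or image.endswith("\\powershell.exe"))
        and all(token in cmd for token in ("/c", "reg.exe", "save"))
        and "all" in parent
    )


def selection2(event: Event) -> bool:
    """LaZagne output/quiet switch in the parent, SAM/SYSTEM/SECURITY hive in the child."""
    parent = _lower(event, "ParentCommandLine")
    cmd = _lower(event, "CommandLine")
    switches = ("-on", "-oa", "-oj", "-quiet", "-output")  # '-oN' etc., lowercased
    hives = ("hklm\\system", "hklm\\security", "hklm\\sam")
    return any(s in parent for s in switches) and any(h in cmd for h in hives)


MODULES = ("browsers", "chats", "databases", "games", "memory", "git",
           "maven", "sysadmin", "php", "svn", "multimedia")


def modules(event: Event) -> bool:
    """lazagne.exe launched directly with one of its module names."""
    return _lower(event, "Image").endswith("\\lazagne.exe") and any(
        m in _lower(event, "CommandLine") for m in MODULES
    )


def matches(event: Event) -> bool:
    """condition: (selection1 and selection2) or modules"""
    return (selection1(event) and selection2(event)) or modules(event)


# Constructed sample events (not real telemetry); paths are assumptions.
SAMPLE_EVENTS: List[Event] = [
    {   # LaZagne 'all' run saving the SAM hive through cmd.exe -> alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c reg.exe save hklm\sam C:\Users\Public\sam.hive",
        "ParentCommandLine": r"C:\Users\Public\lazagne.exe all -oN",
    },
    {   # direct module invocation -> alert via 'modules'
        "Image": r"C:\Temp\lazagne.exe",
        "CommandLine": r"lazagne.exe browsers",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # admin hive backup: selection1 is true ('all' inside 'backup_all.bat'),
        # but no LaZagne switch in the parent, so selection2 fails -> no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c reg.exe save hklm\software C:\backup\software.hiv",
        "ParentCommandLine": r'C:\Windows\System32\cmd.exe /c "call backup_all.bat"',
    },
    {   # benign git: 'git' is a module name, but the image is not lazagne.exe -> no alert
        "Image": r"C:\Program Files\Git\cmd\git.exe",
        "CommandLine": r"git clone https://example.invalid/repo.git",
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
]


def evaluate(events: List[Event]) -> List[bool]:
    """Return one verdict per event, in order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", e["Image"], "|", e["CommandLine"])
```

When tuning this rule, the field worth watching is `ParentCommandLine`: if your sensor does not populate it (some EDR exports only record the parent image), selection1 and selection2 can never both be true and only the `modules` branch remains.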
Related rules
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Dump Credentials from Windows Credential Manager With PowerShell
- Enumerate Credentials from Windows Credential Manager With PowerShell
- HackTool - SecurityXploded Execution