Lazagne dumping credentials
Detects the use of lazagne using command line execution.
Sigma rule (View on GitHub)
1title: Lazagne dumping credentials
2id: ce435e85-f322-494c-b11d-7f03201e7da7
3status: experimental
4description: Detects the use of lazagne using command line execution.
5author: 'Kostastsale, TheDFIRReport'
6references:
7- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
8- https://github.com/AlessandroZ/LaZagne/blob/master/Windows/lazagne/config/execute_cmd.py
9date: 2022-05-09
10modified: 2024-02-23
11logsource:
12 product: windows
13 category: process_creation
14detection:
15 selection1:
16 Image|endswith:
17 - '\cmd.exe'
18 - '\powershell.exe'
19 CommandLine|contains|all:
20 - '/c'
21 - 'reg.exe'
22 - 'save'
23 ParentCommandLine|contains:
24 - 'all'
25 selection2:
26 ParentCommandLine|contains:
27 - '-oN'
28 - '-oA'
29 - '-oJ'
30 - '-quiet'
31 - '-output'
32 CommandLine|contains:
33 - 'hklm\system'
34 - 'hklm\security'
35 - 'hklm\sam'
36 modules:
37 Image|endswith:
38 - '\lazagne.exe'
39 CommandLine|contains:
40 - 'browsers'
41 - 'chats'
42 - 'databases'
43 - 'games'
44 - 'memory'
45 - 'git'
46 - 'maven'
47 - 'sysadmin'
48 - 'php'
49 - 'svn'
50 - 'multimedia'
51 condition: (selection1 and selection2) or modules
52falsepositives:
53 - Unknown
54level: high
55tags:
56 - attack.credential_access
57 - attack.t1555
References
-
In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector.The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense evasion, credential access and command and control activity.
Read More -
Credentials recovery project. Contribute to AlessandroZ/LaZagne development by creating an account on GitHub.
Read More
Related rules
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Suspicious Serv-U Process Pattern
- Stored Credentials in Fake Files
- HackTool - SecurityXploded Execution