Using Lazagne to dump credentials
Detects the use of LaZagne by inspecting command-line execution of its child processes and of the lazagne.exe binary itself.
Sigma rule

```yaml
title: Using Lazagne to dump credentials
id: 29419560-7c08-46d4-bb2c-531ed2ea0383
status: Experimental
description: Detects the use of lazagne looking into the command line execution.
author: '@Kostastsale, @TheDFIRReport'
references:
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://github.com/AlessandroZ/LaZagne/blob/master/Windows/lazagne/config/execute_cmd.py
date: 2022/05/09
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains|all:
            - '/c'
            - 'reg.exe'
            - 'save'
        ParentCommandLine|contains:
            - 'all'
    selection2:
        ParentCommandLine|contains:
            - '-oN'
            - '-oA'
            - '-oJ'
            - '-quiet'
            - '-output'
        CommandLine|contains:
            - 'hklm\system'
            - 'hklm\security'
            - 'hklm\sam'
    modules:
        Image|endswith:
            - '\lazagne.exe'
        CommandLine|contains:
            - 'browsers'
            - 'chats'
            - 'databases'
            - 'games'
            - 'memory'
            - 'git'
            - 'maven'
            - 'sysadmin'
            - 'php'
            - 'svn'
            - 'multimedia'
    condition: (selection1 and selection2) or modules
falsepositives:
    - Unknown
level: high
tags:
    - attack.credential_access
    - attack.t1555
```
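To see how the three selections combine, here is the rule's matching logic written out in Python and run over a few constructed process-creation events. This is an added example for this page, not code from the Sigma project; the event field names follow the Sigma process_creation schema, and the sample events (paths, output file names) are made up for the test.

```python
"""Evaluate the 'Using Lazagne to dump credentials' Sigma logic over sample events (added example)."""

# Values copied from the rule above. Sigma string matching is case-insensitive,
# so everything is compared in lower case.
IMAGES_SEL1 = ("\\cmd.exe", "\\powershell.exe")
CMD_ALL_SEL1 = ("/c", "reg.exe", "save")
PARENT_SEL1 = ("all",)
PARENT_ANY_SEL2 = ("-on", "-oa", "-oj", "-quiet", "-output")
CMD_ANY_SEL2 = ("hklm\\system", "hklm\\security", "hklm\\sam")
MODULE_KEYWORDS = ("browsers", "chats", "databases", "games", "memory", "git",
                   "maven", "sysadmin", "php", "svn", "multimedia")


def _field(event: dict, name: str) -> str:
    """Return a field as lower-case text; a missing field matches nothing."""
    return str(event.get(name, "")).lower()


def _contains_any(value: str, needles) -> bool:
    return any(n in value for n in needles)


def _contains_all(value: str, needles) -> bool:
    return all(n in value for n in needles)


def matches(event: dict) -> bool:
    """Apply 'condition: (selection1 and selection2) or modules' to one event."""
    image = _field(event, "Image")
    cmd = _field(event, "CommandLine")
    parent = _field(event, "ParentCommandLine")
    # selection1: a shell spawned with 'reg.exe save' by a parent whose command line contains 'all'
    selection1 = (image.endswith(IMAGES_SEL1) and _contains_all(cmd, CMD_ALL_SEL1)
                  and _contains_any(parent, PARENT_SEL1))
    # selection2: parent used one of LaZagne's output switches and the child targets a sensitive hive
    selection2 = _contains_any(parent, PARENT_ANY_SEL2) and _contains_any(cmd, CMD_ANY_SEL2)
    # modules: lazagne.exe run directly with one of its module names
    modules = image.endswith("\\lazagne.exe") and _contains_any(cmd, MODULE_KEYWORDS)
    return (selection1 and selection2) or modules


# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c reg.exe save hklm\\sam C:\\Users\\Public\\sam.hiv",
     "ParentCommandLine": "C:\\Users\\Public\\lz.exe all -oN"},          # selection1 and selection2
    {"Image": "C:\\tools\\lazagne.exe", "CommandLine": "lazagne.exe browsers",
     "ParentCommandLine": "cmd.exe"},                                     # modules
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c reg.exe save hklm\\system C:\\backup\\system.hiv",
     "ParentCommandLine": "C:\\Windows\\explorer.exe"},                   # admin backup: no parent indicators
]


def evaluate(events) -> list:
    """Return one True/False per event, in input order."""
    return [matches(e) for e in events]
```

Note that `ParentCommandLine|contains: 'all'` is a substring match, so a parent path containing "install" also satisfies that clause; selection2's output-switch and hive-name checks are what keep the first branch of the condition narrow.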
Related rules
- Lazagne dumping credentials
- Stored Credentials in Fake Files
- Kerberoasting Activity - Initial query
- LAPS Credential Dumping Spoofing and Domain Controller Impersonation
- Kerberos .kirbi Ticket Files