Using Lazagne to dump credentials

Detects the use of LaZagne by inspecting process creation events for its characteristic command lines: the `reg.exe save` child processes it spawns to copy the SAM, SECURITY and SYSTEM hives, and direct invocations of `lazagne.exe` with one of its module names.

Sigma rule

```yaml
title: Using Lazagne to dump credentials
status: Experimental
description: Detects the use of lazagne looking into the command line execution.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
  - https://github.com/AlessandroZ/LaZagne/blob/master/Windows/lazagne/config/execute_cmd.py
date: 2022/05/09
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
    CommandLine|contains|all:
      - '/c'
      - 'reg.exe'
      - 'save'
    ParentCommandLine|contains:
      - 'all'
  selection2:
    ParentCommandLine|contains:
      - '-oN'
      - '-oA'
      - '-oJ'
      - '-quiet'
      - '-output'
    CommandLine|contains:
      - 'hklm\system'
      - 'hklm\security'
      - 'hklm\sam'
  modules:
    Image|endswith:
      - '\lazagne.exe'
    CommandLine|contains:
      - 'browsers'
      - 'chats'
      - 'databases'
      - 'games'
      - 'memory'
      - 'git'
      - 'maven'
      - 'sysadmin'
      - 'php'
      - 'svn'
      - 'multimedia'
  condition: (selection1 and selection2) or modules
falsepositives:
  - Unknown
level: high
tags:
  - attack.credential_access
  - attack.t1555
```
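To see how the condition `(selection1 and selection2) or modules` behaves, here is an added, hand-written evaluator for this rule (not code from the rule's authors or from any Sigma backend) run over constructed process-creation events. It assumes the field names used by the rule (`Image`, `CommandLine`, `ParentCommandLine`) and mirrors Sigma's default case-insensitive string matching.

```python
# Added example: a minimal evaluator for the LaZagne Sigma rule above.
# Sigma's endswith/contains modifiers are case-insensitive by default.

def _endswith(value, needles):
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)

def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)

def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)

def matches_lazagne_rule(event):
    """True when the event satisfies (selection1 and selection2) or modules."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentCommandLine", "")
    selection1 = (_endswith(image, ["\\cmd.exe", "\\powershell.exe"])
                  and _contains_all(cmd, ["/c", "reg.exe", "save"])
                  and _contains_any(parent, ["all"]))
    selection2 = (_contains_any(parent, ["-oN", "-oA", "-oJ", "-quiet", "-output"])
                  and _contains_any(cmd, ["hklm\\system", "hklm\\security", "hklm\\sam"]))
    modules = (_endswith(image, ["\\lazagne.exe"])
               and _contains_any(cmd, ["browsers", "chats", "databases", "games",
                                       "memory", "git", "maven", "sysadmin",
                                       "php", "svn", "multimedia"]))
    return (selection1 and selection2) or modules

# Constructed sample events (not real telemetry): a hive save spawned by
# lazagne with an output flag, a legitimate-looking hive backup, and a
# direct module invocation.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c reg.exe save hklm\sam C:\Users\Public\sam.hiv",
     "ParentCommandLine": r"C:\Users\Public\lazagne.exe all -oN"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c reg.exe save hklm\sam D:\backup\sam.hiv",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\Public\lazagne.exe",
     "CommandLine": "lazagne.exe browsers",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe"},
]

def alerting_events(events=SAMPLE_EVENTS):
    """Indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_lazagne_rule(e)]
```

The second event shows why selection2 matters: `reg.exe save hklm\sam` alone also describes an administrator's hive backup, and the bare substring `all` in selection1 would match parent command lines containing words such as `install`, so the `-oN`/`-oA`/`-oJ`/`-quiet`/`-output` flags carry most of the precision.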
