Using Lazagne to dump credentials
Detects the use of LaZagne by inspecting the command lines of created processes: either a `reg.exe save` of the SAM/SECURITY/SYSTEM hives spawned from a LaZagne parent, or LaZagne itself run with one of its module names.
Sigma rule
```yaml
title: Using Lazagne to dump credentials
status: Experimental
description: Detects the use of lazagne looking into the command line execution.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
  - https://github.com/AlessandroZ/LaZagne/blob/master/Windows/lazagne/config/execute_cmd.py
date: 2022/05/09
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
    CommandLine|contains|all:
      - '/c'
      - 'reg.exe'
      - 'save'
    ParentCommandLine|contains:
      - 'all'
  selection2:
    ParentCommandLine|contains:
      - '-oN'
      - '-oA'
      - '-oJ'
      - '-quiet'
      - '-output'
    CommandLine|contains:
      - 'hklm\system'
      - 'hklm\security'
      - 'hklm\sam'
  modules:
    Image|endswith:
      - '\lazagne.exe'
    CommandLine|contains:
      - 'browsers'
      - 'chats'
      - 'databases'
      - 'games'
      - 'memory'
      - 'git'
      - 'maven'
      - 'sysadmin'
      - 'php'
      - 'svn'
      - 'multimedia'
  condition: (selection1 and selection2) or modules
falsepositives:
  - Unknown
level: high
tags:
  - attack.credential_access
  - attack.t1555
```
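To see how the three selections and the condition combine, here is an added example (not code from the Sigma rule or the Sigma project) that applies the rule's logic to a few constructed process_creation events. The event dictionaries, their field names and the `has_any`/`has_all`/`ends_any` helpers are this example's own assumptions, written to mirror Sigma's case-insensitive `contains`, `contains|all` and `endswith` modifiers.

```python
# Added example (not from the Sigma rule or project): evaluates this rule's
# selections and condition over constructed process_creation events.
# Matching is case-insensitive, as Sigma string modifiers are by default.
MODULE_NAMES = ["browsers", "chats", "databases", "games", "memory", "git",
                "maven", "sysadmin", "php", "svn", "multimedia"]

def ends_any(v, sfx): return any(v.lower().endswith(s.lower()) for s in sfx)
def has_any(v, subs): return any(s.lower() in v.lower() for s in subs)
def has_all(v, subs): return all(s.lower() in v.lower() for s in subs)

def selection1(ev):
    return (ends_any(ev["Image"], ["\\cmd.exe", "\\powershell.exe"])
            and has_all(ev["CommandLine"], ["/c", "reg.exe", "save"])
            and has_any(ev["ParentCommandLine"], ["all"]))

def selection2(ev):
    return (has_any(ev["ParentCommandLine"], ["-oN", "-oA", "-oJ", "-quiet", "-output"])
            and has_any(ev["CommandLine"], ["hklm\\system", "hklm\\security", "hklm\\sam"]))

def modules(ev):
    return (ends_any(ev["Image"], ["\\lazagne.exe"])
            and has_any(ev["CommandLine"], MODULE_NAMES))

def matches(ev):
    # condition: (selection1 and selection2) or modules
    return (selection1(ev) and selection2(ev)) or modules(ev)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = {
    # cmd.exe spawned by LaZagne to export a hive (should match)
    "hive_dump_child": {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c reg.exe save hklm\\sam C:\\Users\\Public\\sam.hiv",
        "ParentCommandLine": "C:\\Users\\Public\\lazagne.exe all -oN out.txt"},
    # LaZagne invoked directly with a module name (should match)
    "module_run": {
        "Image": "C:\\Users\\Public\\laZagne.exe",
        "CommandLine": "laZagne.exe browsers",
        "ParentCommandLine": "powershell.exe"},
    # legitimate hive export from an interactive shell (should not match)
    "admin_backup": {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c reg.exe save hklm\\software C:\\backup\\sw.hiv",
        "ParentCommandLine": "C:\\Windows\\explorer.exe"},
}

def evaluate_all():
    """Return {event name: rule fired?} for the constructed events."""
    return {name: matches(ev) for name, ev in SAMPLE_EVENTS.items()}
```

Note that `ParentCommandLine|contains: 'all'` is a plain substring test (it also hits words such as `install`), so in practice selection2's output flags and hive names carry most of the discrimination; check the hit rate on your own telemetry before promoting the rule beyond Experimental.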