HackTool - LaZagne Execution
- source: sigma
- techniques:
Description
Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors to dump credentials.
Detection logic
condition: selection_img or selection_clionly or (selection_cli_modules and selection_cli_options)
selection_cli_modules:
    CommandLine|contains:
        - 'all '
        - 'browsers '
        - 'chats '
        - 'databases '
        - 'games '
        - 'git '
        - 'mails '
        - 'maven '
        - 'memory '
        - 'multimedia '
        - 'php '
        - 'svn '
        - 'sysadmin '
        - 'unused '
        - 'wifi '
        - 'windows '
selection_cli_options:
    CommandLine|contains:
        - -oA
        - -oJ
        - -oN
        - -output
        - -password
        - -1Password
        - -apachedirectorystudio
        - -autologon
        - -ChromiumBased
        - -composer
        - -coreftp
        - -credfiles
        - -credman
        - -cyberduck
        - -dbvis
        - -EyeCon
        - -filezilla
        - -filezillaserver
        - -ftpnavigator
        - -galconfusion
        - -gitforwindows
        - -hashdump
        - -iisapppool
        - -IISCentralCertP
        - -kalypsomedia
        - -keepass
        - -keepassconfig
        - -lsa_secrets
        - -mavenrepositories
        - -memory_dump
        - -Mozilla
        - -mRemoteNG
        - -mscache
        - -opensshforwindows
        - -openvpn
        - -outlook
        - -pidgin
        - -postgresql
        - -psi-im
        - -puttycm
        - -pypykatz
        - -Rclone
        - -rdpmanager
        - -robomongo
        - -roguestale
        - -skype
        - -SQLDeveloper
        - -squirrel
        - -tortoise
        - -turba
        - -UCBrowser
        - -unattended
        - -vault
        - -vaultfiles
        - -vnc
        - -windows
        - -winscp
        - -wsl
selection_clionly:
    CommandLine|endswith:
        - .exe all
        - .exe browsers
        - .exe chats
        - .exe databases
        - .exe games
        - .exe git
        - .exe mails
        - .exe maven
        - .exe memory
        - .exe multimedia
        - .exe sysadmin
        - .exe unused
        - .exe wifi
        - .exe windows
    Image|contains:
        - :\PerfLogs\
        - :\ProgramData\
        - :\Temp\
        - :\Tmp\
        - :\Windows\Temp\
        - \AppData\
        - \Downloads\
        - \Users\Public\
selection_img:
    Image|endswith: \lazagne.exe
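As an added example (not code from the Sigma project or the rule itself), the condition above evaluated in Python over constructed process-creation events, to show which selection catches a renamed binary and where the module-plus-option branch can be noisy. Only a subset of the rule's option list is embedded; the sample image paths and command lines are constructed.

```python
# Added evaluator for the rule's condition (not code from the Sigma project).
MODULES = ["all ", "browsers ", "chats ", "databases ", "games ", "git ",
           "mails ", "maven ", "memory ", "multimedia ", "php ", "svn ",
           "sysadmin ", "unused ", "wifi ", "windows "]
# Subset of selection_cli_options; the full rule lists many more switches.
OPTIONS = ["-oA", "-oJ", "-oN", "-output", "-password", "-hashdump",
           "-lsa_secrets", "-memory_dump", "-mscache", "-vault", "-credman"]
# selection_clionly: every module name except php and svn, preceded by '.exe '
CLIONLY_SUFFIXES = [".exe " + m.strip() for m in MODULES
                    if m.strip() not in ("php", "svn")]
SUSPICIOUS_PATHS = [":\\PerfLogs\\", ":\\ProgramData\\", ":\\Temp\\", ":\\Tmp\\",
                    ":\\Windows\\Temp\\", "\\AppData\\", "\\Downloads\\",
                    "\\Users\\Public\\"]

def _contains_any(value, needles):
    # Sigma string modifiers match case-insensitively by default.
    return any(n.lower() in value.lower() for n in needles)

def _endswith_any(value, needles):
    return any(value.lower().endswith(n.lower()) for n in needles)

def matches_lazagne_rule(image, cmdline):
    """selection_img or selection_clionly or
    (selection_cli_modules and selection_cli_options)"""
    selection_img = image.lower().endswith("\\lazagne.exe")
    selection_clionly = (_contains_any(image, SUSPICIOUS_PATHS)
                         and _endswith_any(cmdline, CLIONLY_SUFFIXES))
    selection_cli_modules = _contains_any(cmdline, MODULES)
    selection_cli_options = _contains_any(cmdline, OPTIONS)
    return (selection_img or selection_clionly
            or (selection_cli_modules and selection_cli_options))

# Constructed (Image, CommandLine) pairs, not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Users\\bob\\Downloads\\lazagne.exe", "lazagne.exe all"),
    ("C:\\Users\\bob\\Downloads\\update.exe", "update.exe all"),  # renamed binary
    ("C:\\Temp\\svc.exe", "svc.exe browsers -oJ -output C:\\Temp"),
    ("C:\\Tools\\backup.exe", "backup.exe windows -output D:\\bak"),  # noisy hit
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
]

def triage(events):
    """Return the (image, cmdline) pairs the rule would alert on."""
    return [(img, cl) for img, cl in events if matches_lazagne_rule(img, cl)]
```

The fourth sample event shows the tuning point: a benign tool whose command line carries a module word followed by a space and one of the generic switches (such as -output) satisfies the combined branch, so that branch deserves environment-specific exclusions.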