LoFP / Some false positives are expected from tools with similar command-line flags.

Techniques

Sample rules

HackTool - LaZagne Execution

Description

Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.

Detection logic

# Three independent detection paths are OR-ed together; the command-line path
# requires BOTH selection_cli_modules AND selection_cli_options to match
# ("all of selection_cli_*"), which is what keeps a bare flag such as "-vnc"
# from firing on its own.
condition: 'selection_metadata or selection_img_cli or all of selection_cli_*'

# LaZagne module names as they appear on the command line. The trailing space
# is deliberate and must be preserved: it anchors the end of the module word
# (presumably so that "all " does not match e.g. "allow" — confirm against the
# upstream rule before trimming).
selection_cli_modules:
  CommandLine|contains:
    - 'all '
    - 'browsers '
    - 'chats '
    - 'databases '
    - 'games '
    - 'mails '
    - 'maven '
    - 'memory '
    - 'multimedia '
    - 'php '
    - 'svn '
    - 'sysadmin '
    - 'unused '
    - 'wifi '

# Per-target option flags. Several of these are generic enough ("-vault",
# "-vnc", "-skype", "-outlook") that other tools using the same flag names will
# produce false positives, as noted at the top of this page; the AND with
# selection_cli_modules in the condition is the only thing limiting that.
selection_cli_options:
  CommandLine|contains:
    - '-1Password'
    - '-apachedirectorystudio'
    - '-autologon'
    - '-ChromiumBased'
    - '-coreftp'
    - '-credfiles'
    - '-credman'
    - '-cyberduck'
    - '-dbvis'
    - '-EyeCon'
    - '-filezilla'
    - '-filezillaserver'
    - '-ftpnavigator'
    - '-galconfusion'
    - '-gitforwindows'
    - '-hashdump'
    - '-iisapppool'
    - '-IISCentralCertP'
    - '-kalypsomedia'
    - '-keepass'
    - '-keepassconfig'
    - '-lsa_secrets'
    - '-mavenrepositories'
    - '-memory_dump'
    - '-Mozilla'
    - '-mRemoteNG'
    - '-mscache'
    - '-opensshforwindows'
    - '-openvpn'
    - '-outlook'
    - '-pidgin'
    - '-postgresql'
    - '-psi-im'
    - '-puttycm'
    - '-pypykatz'
    - '-Rclone'
    - '-rdpmanager'
    - '-robomongo'
    - '-roguestale'
    - '-skype'
    - '-SQLDeveloper'
    - '-squirrel'
    - '-tortoise'
    - '-turba'
    - '-UCBrowser'
    - '-unattended'
    - '-vault'
    - '-vaultfiles'
    - '-vnc'
    - '-winscp'

# Renamed-binary path: both fields below must match (fields inside one
# selection are AND-ed). The command line must END with "<something>.exe <module>"
# and the image must live in a user-writable or otherwise unusual location.
# Note that this module list is not identical to selection_cli_modules above
# (e.g. "git" and "windows" appear only here, "php" and "svn" only there);
# kept as-is to preserve the upstream rule's behaviour.
selection_img_cli:
  CommandLine|endswith:
    - '.exe all'
    - '.exe browsers'
    - '.exe chats'
    - '.exe databases'
    - '.exe games'
    - '.exe git'
    - '.exe mails'
    - '.exe maven'
    - '.exe memory'
    - '.exe multimedia'
    - '.exe sysadmin'
    - '.exe unused'
    - '.exe wifi'
    - '.exe windows'
  Image|contains:
    - ':\PerfLogs\'
    - ':\ProgramData\'
    - ':\Temp\'
    - ':\Tmp\'
    - ':\Users\Public\'
    - ':\Windows\Temp\'
    - '\$Recycle.bin'
    - '\AppData\'
    - '\Desktop\'
    - '\Downloads\'
    - '\Favorites\'
    - '\Links\'
    - '\Music\'
    - '\Photos\'
    - '\Pictures\'
    - '\Saved Games\'
    - '\Searches\'
    - '\Users\Contacts\'
    - '\Users\Default\'
    - '\Users\Searches\'
    - '\Videos\'
    - '\Windows\addins\'
    - '\Windows\Fonts\'
    - '\Windows\IME\'

# Static-metadata path: a list of two alternatives (OR-ed). The default file
# name is the cheapest signal to evade by renaming; the import hashes pin
# specific known builds, so a recompiled or repacked sample will likely carry a
# different IMPHASH and fall through to the command-line selections above.
# The hash list requires the event source to populate the Hashes field.
selection_metadata:
  - Image|endswith: '\lazagne.exe'
  - Hashes|contains:
      - 'IMPHASH=ba5546933531fafa869b1f86a4e2a959'
      - 'IMPHASH=7aa1951517b3b8d38b12f874b66196c9'
      - 'IMPHASH=be10bb45cef8dcc6869b921dd20884ae'
      - 'IMPHASH=4e3e7ce958acceeb80e70eeb7d75870e'
      - 'IMPHASH=fc40519af20116c903e3ff836e366e39'
      - 'IMPHASH=1975641ebd67bc0f49282a7b8555b7b2'
      - 'IMPHASH=468ad8de9dcf3ce7a0becc5916ec6adb'
      - 'IMPHASH=e5d81cf6a49d9472d6de8c1764efdfb4'
      - 'IMPHASH=b87afca7a1175b7eb49b7c1eb6d58adf'