HackTool - LaZagne Execution

Severity
medium
Author
Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
Source
upstream

Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.

Event coverage

Provider | Event ID | Title
Sysmon | 1 | Process creation
Security-Auditing | 4688 | A new process has been created.

Stages and Predicates

Stage 1: 1 of selection_img_metadata

Image|endswith: '\lazagne.exe'

Stage 2: 1 of selection_img_cli

or:
CommandLine|endswith: '.exe all'
CommandLine|endswith: '.exe browsers'
CommandLine|endswith: '.exe chats'
CommandLine|endswith: '.exe databases'
CommandLine|endswith: '.exe games'
CommandLine|endswith: '.exe git'
CommandLine|endswith: '.exe mails'
CommandLine|endswith: '.exe maven'
CommandLine|endswith: '.exe memory'
CommandLine|endswith: '.exe multimedia'
CommandLine|endswith: '.exe sysadmin'
CommandLine|endswith: '.exe unused'
CommandLine|endswith: '.exe wifi'
CommandLine|endswith: '.exe windows'
or:
Image|contains: ':\PerfLogs\'
Image|contains: ':\ProgramData\'
Image|contains: ':\Temp\'
Image|contains: ':\Tmp\'
Image|contains: ':\Users\Public\'
Image|contains: ':\Windows\Temp\'
Image|contains: '\$Recycle.bin'
Image|contains: '\AppData\'
Image|contains: '\Desktop\'
Image|contains: '\Downloads\'
Image|contains: '\Favorites\'
Image|contains: '\Links\'
Image|contains: '\Music\'
Image|contains: '\Photos\'
Image|contains: '\Pictures\'
Image|contains: '\Saved Games\'
Image|contains: '\Searches\'
Image|contains: '\Users\Contacts\'
Image|contains: '\Users\Default\'
Image|contains: '\Users\Searches\'
Image|contains: '\Videos\'
Image|contains: '\Windows\Fonts\'
Image|contains: '\Windows\IME\'
Image|contains: '\Windows\addins\'

Stage 3: all of selection_cli_modules

or:
CommandLine|contains: ' all '
CommandLine|contains: ' browsers '
CommandLine|contains: ' chats '
CommandLine|contains: ' databases '
CommandLine|contains: ' games '
CommandLine|contains: ' mails '
CommandLine|contains: ' maven '
CommandLine|contains: ' memory '
CommandLine|contains: ' multimedia '
CommandLine|contains: ' php '
CommandLine|contains: ' svn '
CommandLine|contains: ' sysadmin '
CommandLine|contains: ' unused '
CommandLine|contains: ' wifi '

Stage 4: all of selection_cli_options

or:
CommandLine|contains: -1Password
CommandLine|contains: -ChromiumBased
CommandLine|contains: -EyeCon
CommandLine|contains: -IISCentralCertP
CommandLine|contains: -Mozilla
CommandLine|contains: -Rclone
CommandLine|contains: -SQLDeveloper
CommandLine|contains: -UCBrowser
CommandLine|contains: -apachedirectorystudio
CommandLine|contains: -autologon
CommandLine|contains: -coreftp
CommandLine|contains: -credfiles
CommandLine|contains: -credman
CommandLine|contains: -cyberduck
CommandLine|contains: -dbvis
CommandLine|contains: -filezilla
CommandLine|contains: -filezillaserver
CommandLine|contains: -ftpnavigator
CommandLine|contains: -galconfusion
CommandLine|contains: -gitforwindows
CommandLine|contains: -hashdump
CommandLine|contains: -iisapppool
CommandLine|contains: -kalypsomedia
CommandLine|contains: -keepass
CommandLine|contains: -keepassconfig
CommandLine|contains: -lsa_secrets
CommandLine|contains: -mRemoteNG
CommandLine|contains: -mavenrepositories
CommandLine|contains: -memory_dump
CommandLine|contains: -mscache
CommandLine|contains: -opensshforwindows
CommandLine|contains: -openvpn
CommandLine|contains: -outlook
CommandLine|contains: -pidgin
CommandLine|contains: -postgresql
CommandLine|contains: -psi-im
CommandLine|contains: -puttycm
CommandLine|contains: -pypykatz
CommandLine|contains: -rdpmanager
CommandLine|contains: -robomongo
CommandLine|contains: -roguestale
CommandLine|contains: -skype
CommandLine|contains: -squirrel
CommandLine|contains: -tortoise
CommandLine|contains: -turba
CommandLine|contains: -unattended
CommandLine|contains: -vault
CommandLine|contains: -vaultfiles
CommandLine|contains: -vnc
CommandLine|contains: -winscp
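
Added example (not part of the rule page or the upstream Sigma repository): a small evaluator that applies the four stages above to constructed Sysmon EID 1 / Security 4688 style records, so the AND between the Stage 2 groups and between Stages 3 and 4 can be checked against benign look-alikes. It assumes the stages combine as in the upstream rule's condition (`selection_img_metadata or all of selection_img_cli_* or all of selection_cli_*`), which this page does not print, and abbreviates the path and option lists.

```python
# Added example (not from the rule page): evaluates the predicates above against
# constructed Sysmon EID 1 / Security 4688 style records. Assumed stage combination
# (the upstream Sigma condition, which this page does not print):
#   selection_img_metadata or all of selection_img_cli_* or all of selection_cli_*
# Sigma string modifiers are case-insensitive, so both sides are lower-cased.
IMG_METADATA = ("\\lazagne.exe",)
CLI_ENDINGS = tuple(".exe " + m for m in (
    "all", "browsers", "chats", "databases", "games", "git", "mails", "maven",
    "memory", "multimedia", "sysadmin", "unused", "wifi", "windows"))
# Abbreviated lists: the full path and option lists are in Stages 2 and 4 above.
SUSPICIOUS_PATHS = (":\\PerfLogs\\", ":\\ProgramData\\", ":\\Temp\\", ":\\Tmp\\",
                    ":\\Users\\Public\\", ":\\Windows\\Temp\\", "\\$Recycle.bin",
                    "\\AppData\\", "\\Desktop\\", "\\Downloads\\")
CLI_MODULES = tuple(" " + m + " " for m in (
    "all", "browsers", "chats", "databases", "games", "mails", "maven", "memory",
    "multimedia", "php", "svn", "sysadmin", "unused", "wifi"))
CLI_OPTIONS = ("-1Password", "-ChromiumBased", "-Mozilla", "-credman", "-hashdump",
               "-keepass", "-lsa_secrets", "-memory_dump", "-mscache", "-vault", "-winscp")

def _endswith_any(value, patterns):
    v = value.lower()
    return any(v.endswith(p.lower()) for p in patterns)

def _contains_any(value, patterns):
    v = value.lower()
    return any(p.lower() in v for p in patterns)

def matches(event):
    # One process-creation record (dict with Image and CommandLine) -> bool
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    img_metadata = _endswith_any(image, IMG_METADATA)            # Stage 1
    img_cli = (_endswith_any(cmd, CLI_ENDINGS)                    # Stage 2: module word
               and _contains_any(image, SUSPICIOUS_PATHS))        #   AND suspicious path
    cli = (_contains_any(cmd, CLI_MODULES)                        # Stage 3
           and _contains_any(cmd, CLI_OPTIONS))                   #   AND Stage 4
    return img_metadata or img_cli or cli

# Constructed sample events; the last two are benign and must not fire.
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\LaZagne.exe", "CommandLine": "LaZagne.exe"},
    {"Image": "C:\\Users\\Public\\update.exe", "CommandLine": "update.exe all"},
    {"Image": "C:\\Program Files\\svc.exe", "CommandLine": "svc.exe browsers -Mozilla -vault"},
    {"Image": "C:\\Users\\bob\\Downloads\\setup.exe", "CommandLine": "setup.exe /S"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir all"},
]

def evaluate(events=SAMPLE_EVENTS):
    return [matches(e) for e in events]
```

The fourth record shows why Stage 2 is an AND: a binary launched from a user's Downloads folder does not fire on path alone, only when the command line also ends in a LaZagne module word.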

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank entry or 1 means the indicator is specific to this rule.

Field | Kind | Values
CommandLine | ends_with
  • .exe all
  • .exe browsers
  • .exe chats
  • .exe databases
  • .exe games
  • .exe git
  • .exe mails
  • .exe maven
  • .exe memory
  • .exe multimedia
  • .exe sysadmin
  • .exe unused
  • .exe wifi
  • .exe windows
CommandLine | match
  • all
  • browsers
  • chats
  • databases
  • games
  • mails
  • maven
  • memory
  • multimedia
  • php
  • svn
  • sysadmin
  • unused
  • wifi
  • -1Password
  • -ChromiumBased
  • -EyeCon
  • -IISCentralCertP
  • -Mozilla
  • -Rclone
  • -SQLDeveloper
  • -UCBrowser
  • -apachedirectorystudio
  • -autologon
  • -coreftp
  • -credfiles
  • -credman
  • -cyberduck
  • -dbvis
  • -filezilla
  • -filezillaserver
  • -ftpnavigator
  • -galconfusion
  • -gitforwindows
  • -hashdump
  • -iisapppool
  • -kalypsomedia
  • -keepass
  • -keepassconfig
  • -lsa_secrets
  • -mRemoteNG
  • -mavenrepositories
  • -memory_dump
  • -mscache
  • -opensshforwindows
  • -openvpn
  • -outlook
  • -pidgin
  • -postgresql
  • -psi-im
  • -puttycm
  • -pypykatz
  • -rdpmanager
  • -robomongo
  • -roguestale
  • -skype
  • -squirrel
  • -tortoise
  • -turba
  • -unattended
  • -vault
  • -vaultfiles
  • -vnc
  • -winscp
Image | ends_with
  • \lazagne.exe
Image | match
  • :\PerfLogs\ corpus 4 (sigma 4)
  • :\ProgramData\ corpus 3 (sigma 3)
  • :\Temp\ corpus 12 (sigma 12)
  • :\Tmp\
  • :\Users\Public\ corpus 14 (sigma 14)
  • :\Windows\Temp\ corpus 9 (sigma 9)
  • \$Recycle.bin corpus 2 (sigma 2)
  • \AppData\ corpus 9 (sigma 9)
  • \Desktop\ corpus 6 (sigma 6)
  • \Downloads\ corpus 8 (sigma 8)
  • \Favorites\ corpus 6 (sigma 6)
  • \Links\
  • \Music\ corpus 4 (sigma 4)
  • \Photos\
  • \Pictures\ corpus 5 (sigma 5)
  • \Saved Games\
  • \Searches\
  • \Users\Contacts\ corpus 2 (sigma 2)
  • \Users\Default\ corpus 4 (sigma 4)
  • \Users\Searches\ corpus 2 (sigma 2)
  • \Videos\ corpus 4 (sigma 4)
  • \Windows\Fonts\ corpus 2 (sigma 2)
  • \Windows\IME\ corpus 2 (sigma 2)
  • \Windows\addins\ corpus 4 (sigma 4)