sigma | medium | Hunting
HackTool - LaZagne Execution
Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors to dump credentials.
Detection Query
selection_img_metadata:
    Image|endswith: '\lazagne.exe'
selection_img_cli:
    Image|contains:
        - ':\PerfLogs\'
        - ':\ProgramData\'
        - ':\Temp\'
        - ':\Tmp\'
        - ':\Users\Public\'
        - ':\Windows\Temp\'
        - '\$Recycle.bin'
        - '\AppData\'
        - '\Desktop\'
        - '\Downloads\'
        - '\Favorites\'
        - '\Links\'
        - '\Music\'
        - '\Photos\'
        - '\Pictures\'
        - '\Saved Games\'
        - '\Searches\'
        - '\Users\Contacts\'
        - '\Users\Default\'
        - '\Users\Searches\'
        - '\Videos\'
        - '\Windows\addins\'
        - '\Windows\Fonts\'
        - '\Windows\IME\'
    CommandLine|endswith:
        - '.exe all'
        - '.exe browsers'
        - '.exe chats'
        - '.exe databases'
        - '.exe games'
        - '.exe git'
        - '.exe mails'
        - '.exe maven'
        - '.exe memory'
        - '.exe multimedia'
        - '.exe sysadmin'
        - '.exe unused'
        - '.exe wifi'
        - '.exe windows'
selection_cli_modules:
    CommandLine|contains:
        - ' all '
        - ' browsers '
        - ' chats '
        - ' databases '
        - ' games '
        - ' mails '
        - ' maven '
        - ' memory '
        - ' multimedia '
        - ' php '
        - ' svn '
        - ' sysadmin '
        - ' unused '
        - ' wifi '
selection_cli_options:
    CommandLine|contains:
        - '-1Password'
        - '-apachedirectorystudio'
        - '-autologon'
        - '-ChromiumBased'
        - '-coreftp'
        - '-credfiles'
        - '-credman'
        - '-cyberduck'
        - '-dbvis'
        - '-EyeCon'
        - '-filezilla'
        - '-filezillaserver'
        - '-ftpnavigator'
        - '-galconfusion'
        - '-gitforwindows'
        - '-hashdump'
        - '-iisapppool'
        - '-IISCentralCertP'
        - '-kalypsomedia'
        - '-keepass'
        - '-keepassconfig'
        - '-lsa_secrets'
        - '-mavenrepositories'
        - '-memory_dump'
        - '-Mozilla'
        - '-mRemoteNG'
        - '-mscache'
        - '-opensshforwindows'
        - '-openvpn'
        - '-outlook'
        - '-pidgin'
        - '-postgresql'
        - '-psi-im'
        - '-puttycm'
        - '-pypykatz'
        - '-Rclone'
        - '-rdpmanager'
        - '-robomongo'
        - '-roguestale'
        - '-skype'
        - '-SQLDeveloper'
        - '-squirrel'
        - '-tortoise'
        - '-turba'
        - '-UCBrowser'
        - '-unattended'
        - '-vault'
        - '-vaultfiles'
        - '-vnc'
        - '-winscp'
condition: 1 of selection_img_* or all of selection_cli_*
Author
Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2024-06-24
Data Sources
windows: Process Creation Events
Platforms
windows
References
- https://github.com/AlessandroZ/LaZagne/tree/master
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
- https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
- https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
Tags
attack.credential-access
Raw Content
title: HackTool - LaZagne Execution
id: c2b86e67-b880-4eec-b045-50bc98ef4844
status: experimental
description: |
    Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.
    LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
references:
    - https://github.com/AlessandroZ/LaZagne/tree/master
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
    - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
    - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-06-24
modified: 2025-10-07
tags:
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img_metadata:
        Image|endswith: '\lazagne.exe'
    selection_img_cli:
        # Note: This selection can be prone to FP. An initial baseline is required
        Image|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\$Recycle.bin'
            - '\AppData\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Links\'
            - '\Music\'
            - '\Photos\'
            - '\Pictures\'
            - '\Saved Games\'
            - '\Searches\'
            - '\Users\Contacts\'
            - '\Users\Default\'
            - '\Users\Searches\'
            - '\Videos\'
            - '\Windows\addins\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
        CommandLine|endswith:
            - '.exe all'
            - '.exe browsers'
            - '.exe chats'
            - '.exe databases'
            - '.exe games'
            - '.exe git'
            - '.exe mails'
            - '.exe maven'
            - '.exe memory'
            - '.exe multimedia'
            # - '.exe php' # Might be prone to FP
            # - '.exe svn' # Might be prone to FP
            - '.exe sysadmin'
            - '.exe unused'
            - '.exe wifi'
            - '.exe windows'
    selection_cli_modules:
        CommandLine|contains:
            - ' all '
            - ' browsers '
            - ' chats '
            - ' databases '
            - ' games '
            - ' mails '
            - ' maven '
            - ' memory '
            - ' multimedia '
            - ' php '
            - ' svn '
            - ' sysadmin '
            - ' unused '
            - ' wifi '
    selection_cli_options:
        CommandLine|contains:
            - '-1Password'
            - '-apachedirectorystudio'
            - '-autologon'
            - '-ChromiumBased'
            - '-coreftp'
            - '-credfiles'
            - '-credman'
            - '-cyberduck'
            - '-dbvis'
            - '-EyeCon'
            - '-filezilla'
            - '-filezillaserver'
            - '-ftpnavigator'
            - '-galconfusion'
            - '-gitforwindows'
            - '-hashdump'
            - '-iisapppool'
            - '-IISCentralCertP'
            - '-kalypsomedia'
            - '-keepass'
            - '-keepassconfig'
            - '-lsa_secrets'
            - '-mavenrepositories'
            - '-memory_dump'
            - '-Mozilla'
            - '-mRemoteNG'
            - '-mscache'
            - '-opensshforwindows'
            - '-openvpn'
            - '-outlook'
            - '-pidgin'
            - '-postgresql'
            - '-psi-im'
            - '-puttycm'
            - '-pypykatz'
            - '-Rclone'
            - '-rdpmanager'
            - '-robomongo'
            - '-roguestale'
            - '-skype'
            - '-SQLDeveloper'
            - '-squirrel'
            - '-tortoise'
            - '-turba'
            - '-UCBrowser'
            - '-unattended'
            - '-vault'
            - '-vaultfiles'
            - '-vnc'
            - '-winscp'
    condition: 1 of selection_img_* or all of selection_cli_*
falsepositives:
    - Some false positive is expected from tools with similar command line flags.
# Note: Increase the level to "high" after an initial baseline
level: medium
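To make the rule's boolean logic concrete, the following Python example (added here; it is not code from the Sigma project, from a Sigma backend, or from the rule's authors) evaluates the four selections and the condition `1 of selection_img_* or all of selection_cli_*` against constructed process-creation events. Sigma's `contains` and `endswith` modifiers compare case-insensitively, so the example lower-cases both patterns and field values. The string lists are copied from the rule above; the sample events, their `id` labels and the helper names `evaluate` and `matching_events` are assumptions made for the example.

```python
# Added example: evaluates the selections and condition of the
# "HackTool - LaZagne Execution" Sigma rule against constructed
# process-creation events. Not part of the Sigma project or of any
# Sigma backend; the events, ids and helper names are assumptions.

# Sigma's contains/endswith modifiers are case-insensitive, so every
# pattern is stored lower-cased and compared against lower-cased fields.
SUSPICIOUS_IMAGE_DIRS = [s.lower() for s in (
    ':\\PerfLogs\\', ':\\ProgramData\\', ':\\Temp\\', ':\\Tmp\\',
    ':\\Users\\Public\\', ':\\Windows\\Temp\\', '\\$Recycle.bin',
    '\\AppData\\', '\\Desktop\\', '\\Downloads\\', '\\Favorites\\',
    '\\Links\\', '\\Music\\', '\\Photos\\', '\\Pictures\\',
    '\\Saved Games\\', '\\Searches\\', '\\Users\\Contacts\\',
    '\\Users\\Default\\', '\\Users\\Searches\\', '\\Videos\\',
    '\\Windows\\addins\\', '\\Windows\\Fonts\\', '\\Windows\\IME\\',
)]
MODULE_SUFFIXES = [s.lower() for s in (
    '.exe all', '.exe browsers', '.exe chats', '.exe databases',
    '.exe games', '.exe git', '.exe mails', '.exe maven', '.exe memory',
    '.exe multimedia', '.exe sysadmin', '.exe unused', '.exe wifi',
    '.exe windows',
)]
MODULE_WORDS = [s.lower() for s in (
    ' all ', ' browsers ', ' chats ', ' databases ', ' games ', ' mails ',
    ' maven ', ' memory ', ' multimedia ', ' php ', ' svn ', ' sysadmin ',
    ' unused ', ' wifi ',
)]
OPTION_FLAGS = [s.lower() for s in (
    '-1Password', '-apachedirectorystudio', '-autologon', '-ChromiumBased',
    '-coreftp', '-credfiles', '-credman', '-cyberduck', '-dbvis', '-EyeCon',
    '-filezilla', '-filezillaserver', '-ftpnavigator', '-galconfusion',
    '-gitforwindows', '-hashdump', '-iisapppool', '-IISCentralCertP',
    '-kalypsomedia', '-keepass', '-keepassconfig', '-lsa_secrets',
    '-mavenrepositories', '-memory_dump', '-Mozilla', '-mRemoteNG',
    '-mscache', '-opensshforwindows', '-openvpn', '-outlook', '-pidgin',
    '-postgresql', '-psi-im', '-puttycm', '-pypykatz', '-Rclone',
    '-rdpmanager', '-robomongo', '-roguestale', '-skype', '-SQLDeveloper',
    '-squirrel', '-tortoise', '-turba', '-UCBrowser', '-unattended',
    '-vault', '-vaultfiles', '-vnc', '-winscp',
)]

def _any_contains(value, needles):
    v = value.lower()
    return any(n in v for n in needles)

def _any_endswith(value, needles):
    v = value.lower()
    return any(v.endswith(n) for n in needles)

def evaluate(event):
    """Return which selections fire for one event plus the verdict of
    `1 of selection_img_* or all of selection_cli_*`. Inside a selection
    the fields are ANDed; the list values of one field are ORed."""
    image = event.get('Image', '')
    cmd = event.get('CommandLine', '')
    sel = {
        'selection_img_metadata': _any_endswith(image, ['\\lazagne.exe']),
        'selection_img_cli': (_any_contains(image, SUSPICIOUS_IMAGE_DIRS)
                              and _any_endswith(cmd, MODULE_SUFFIXES)),
        'selection_cli_modules': _any_contains(cmd, MODULE_WORDS),
        'selection_cli_options': _any_contains(cmd, OPTION_FLAGS),
    }
    one_of_img = sel['selection_img_metadata'] or sel['selection_img_cli']
    all_of_cli = sel['selection_cli_modules'] and sel['selection_cli_options']
    sel['match'] = one_of_img or all_of_cli
    return sel

# Constructed sample events (assumed values, not taken from any real host).
SAMPLE_EVENTS = [
    {'id': 'unrenamed', 'Image': 'C:\\Users\\bob\\Downloads\\LaZagne.exe',
     'CommandLine': 'LaZagne.exe all'},
    {'id': 'renamed_in_temp', 'Image': 'C:\\Windows\\Temp\\svc.exe',
     'CommandLine': 'svc.exe browsers'},
    {'id': 'renamed_elsewhere', 'Image': 'C:\\Program Files\\Tools\\update.exe',
     'CommandLine': 'update.exe browsers -Mozilla -ChromiumBased'},
    {'id': 'benign_git', 'Image': 'C:\\Program Files\\Git\\cmd\\git.exe',
     'CommandLine': 'git.exe pull --all'},
    # One flag alone: cli_options fires but cli_modules does not -> no match.
    {'id': 'flag_only', 'Image': 'C:\\Users\\alice\\AppData\\Local\\Foo\\foo.exe',
     'CommandLine': 'foo.exe -vault sync'},
    # Module word plus flag from an unrelated tool: the false-positive
    # class the rule's falsepositives entry describes.
    {'id': 'fp_class', 'Image': 'C:\\Tools\\backup.exe',
     'CommandLine': 'backup.exe all -vault'},
]

def matching_events(events=SAMPLE_EVENTS):
    """Ids of the events the rule condition matches."""
    return [e['id'] for e in events if evaluate(e)['match']]

if __name__ == '__main__':
    for e in SAMPLE_EVENTS:
        r = evaluate(e)
        fired = [k for k, v in r.items() if v and k != 'match']
        print(f"{e['id']:18} match={r['match']!s:5} fired={fired}")
```

Running the script prints, per event, whether the rule matched and which selections fired. The `flag_only` event shows that a single LaZagne-style flag does not trigger the rule because both `selection_cli_*` blocks must match, while `fp_class` shows the flag-collision false positive the rule's falsepositives entry anticipates. Keeping the per-selection breakdown in the alert is what makes the baseline the rule's comments ask for practical: `selection_img_cli` hits from user-writable directories can be reviewed separately from `selection_img_metadata` hits on the unrenamed binary.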