Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
# Sigma rule with three independent ways to spot LaZagne (see `condition` at the bottom):
#   1. selection_img_metadata  - the binary still carries its original file name;
#   2. selection_img_cli       - (renamed) binary in a user-writable/staging path, run with
#                                a bare module name as the last argument;
#   3. selection_cli_*         - a module keyword AND a per-software option flag on the
#                                command line, independent of image name or path.
# Sigma's endswith/contains modifiers match case-insensitively by default, so the mixed
# case on some values below (e.g. '-ChromiumBased') is cosmetic, not a constraint.
title: HackTool - LaZagne Execution
id: c2b86e67-b880-4eec-b045-50bc98ef4844
status: experimental
description: |
    Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.
    LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
references:
    - https://github.com/AlessandroZ/LaZagne/tree/master
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
    - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
    - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-06-24
modified: 2025-10-07
tags:
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    # Path 1: original file name. Trivially evaded by renaming the binary; paths 2 and 3
    # exist for exactly that case.
    selection_img_metadata:
        Image|endswith: '\lazagne.exe'
    # Path 2: both fields of this selection must match (image location AND command line).
    selection_img_cli:
        # Note: This selection can be prone to FP. An initial baseline is required
        # Locations an attacker can write to without elevation (user profile, temp,
        # ProgramData, recycle bin, ...) or that are rarely legitimate launch points.
        Image|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\$Recycle.bin'
            - '\AppData\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Links\'
            - '\Music\'
            - '\Photos\'
            - '\Pictures\'
            - '\Saved Games\'
            - '\Searches\'
            # NOTE(review): '\Users\Contacts\' only matches a directory named Contacts
            # directly under \Users\, not a profile's C:\Users\<name>\Contacts\ folder;
            # confirm whether '\Contacts\' was intended. '\Users\Searches\' is already
            # covered by '\Searches\' above, so it is redundant but harmless.
            - '\Users\Contacts\'
            - '\Users\Default\'
            - '\Users\Searches\'
            - '\Videos\'
            - '\Windows\addins\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
        # The command line must END with ".exe <module>", i.e. a LaZagne module name is
        # the sole/last argument. A run from source (python laZagne.py all) has no ".exe"
        # here and no lazagne.exe image, so it is only caught by path 3, and only when an
        # option flag is also present.
        CommandLine|endswith:
            - '.exe all'
            - '.exe browsers'
            - '.exe chats'
            - '.exe databases'
            - '.exe games'
            - '.exe git'
            - '.exe mails'
            - '.exe maven'
            - '.exe memory'
            - '.exe multimedia'
            # - '.exe php' # Might be prone to FP
            # - '.exe svn' # Might be prone to FP
            - '.exe sysadmin'
            - '.exe unused'
            - '.exe wifi'
            - '.exe windows'
    # Path 3 (selection_cli_modules AND selection_cli_options, see `condition`): a module
    # keyword that appears as its own argument (spaces on both sides) ...
    # NOTE(review): ' git ' and ' windows ' are absent here although '.exe git' /
    # '.exe windows' are accepted above; presumably dropped as too common in benign
    # command lines - confirm the intent before "fixing" the asymmetry.
    selection_cli_modules:
        CommandLine|contains:
            - ' all '
            - ' browsers '
            - ' chats '
            - ' databases '
            - ' games '
            - ' mails '
            - ' maven '
            - ' memory '
            - ' multimedia '
            - ' php '
            - ' svn '
            - ' sysadmin '
            - ' unused '
            - ' wifi '
    # ... together with at least one per-software option flag. Several of these are short
    # and generic ('-skype', '-vnc', '-outlook'), which is why this selection is never
    # used on its own (see `falsepositives`).
    selection_cli_options:
        CommandLine|contains:
            - '-1Password'
            - '-apachedirectorystudio'
            - '-autologon'
            - '-ChromiumBased'
            - '-coreftp'
            - '-credfiles'
            - '-credman'
            - '-cyberduck'
            - '-dbvis'
            - '-EyeCon'
            - '-filezilla'
            - '-filezillaserver'
            - '-ftpnavigator'
            - '-galconfusion'
            - '-gitforwindows'
            - '-hashdump'
            - '-iisapppool'
            - '-IISCentralCertP'
            - '-kalypsomedia'
            - '-keepass'
            - '-keepassconfig'
            - '-lsa_secrets'
            - '-mavenrepositories'
            - '-memory_dump'
            - '-Mozilla'
            - '-mRemoteNG'
            - '-mscache'
            - '-opensshforwindows'
            - '-openvpn'
            - '-outlook'
            - '-pidgin'
            - '-postgresql'
            - '-psi-im'
            - '-puttycm'
            - '-pypykatz'
            - '-Rclone'
            - '-rdpmanager'
            - '-robomongo'
            - '-roguestale'
            - '-skype'
            - '-SQLDeveloper'
            - '-squirrel'
            - '-tortoise'
            - '-turba'
            - '-UCBrowser'
            - '-unattended'
            # '-vault' is a prefix of '-vaultfiles', so the next entry is redundant but harmless
            # (same for '-keepass'/'-keepassconfig' and '-filezilla'/'-filezillaserver' above).
            - '-vault'
            - '-vaultfiles'
            - '-vnc'
            - '-winscp'
    # Either image-based path on its own, or BOTH cli selections together.
    condition: 1 of selection_img_* or all of selection_cli_*
falsepositives:
    - Some false positive is expected from tools with similar command line flags.
# Note: Increase the level to "high" after an initial baseline
level: medium
// Sentinel (ASIM) rendering of the Sigma rule above ("HackTool - LaZagne Execution",
// c2b86e67-b880-4eec-b045-50bc98ef4844). It appears to be a mechanical conversion:
// change the Sigma source and re-convert rather than hand-editing this expression,
// so the two stay in sync.
// The three OR'd branches mirror `1 of selection_img_* or all of selection_cli_*`:
//   1. TargetProcessName ends in \lazagne.exe;
//   2. TargetProcessName is under a user-writable/staging path AND the command line
//      ends in ".exe <module>";
//   3. the command line contains a module keyword AND a per-software option flag
//      (image name/path independent - this is the branch that survives a renamed binary).
// KQL `endswith`/`contains` are case-insensitive, consistent with Sigma's default matching.
// Tuning: the Sigma source marks branch 2 as FP-prone and asks for a baseline before
// raising severity; prefer excluding by ActingProcess/account over shortening the lists.
imProcessCreate
| where (TargetProcessName endswith "\\lazagne.exe" or ((TargetProcessName contains ":\\PerfLogs\\" or TargetProcessName contains ":\\ProgramData\\" or TargetProcessName contains ":\\Temp\\" or TargetProcessName contains ":\\Tmp\\" or TargetProcessName contains ":\\Users\\Public\\" or TargetProcessName contains ":\\Windows\\Temp\\" or TargetProcessName contains "\\$Recycle.bin" or TargetProcessName contains "\\AppData\\" or TargetProcessName contains "\\Desktop\\" or TargetProcessName contains "\\Downloads\\" or TargetProcessName contains "\\Favorites\\" or TargetProcessName contains "\\Links\\" or TargetProcessName contains "\\Music\\" or TargetProcessName contains "\\Photos\\" or TargetProcessName contains "\\Pictures\\" or TargetProcessName contains "\\Saved Games\\" or TargetProcessName contains "\\Searches\\" or TargetProcessName contains "\\Users\\Contacts\\" or TargetProcessName contains "\\Users\\Default\\" or TargetProcessName contains "\\Users\\Searches\\" or TargetProcessName contains "\\Videos\\" or TargetProcessName contains "\\Windows\\addins\\" or TargetProcessName contains "\\Windows\\Fonts\\" or TargetProcessName contains "\\Windows\\IME\\") and (TargetProcessCommandLine endswith ".exe all" or TargetProcessCommandLine endswith ".exe browsers" or TargetProcessCommandLine endswith ".exe chats" or TargetProcessCommandLine endswith ".exe databases" or TargetProcessCommandLine endswith ".exe games" or TargetProcessCommandLine endswith ".exe git" or TargetProcessCommandLine endswith ".exe mails" or TargetProcessCommandLine endswith ".exe maven" or TargetProcessCommandLine endswith ".exe memory" or TargetProcessCommandLine endswith ".exe multimedia" or TargetProcessCommandLine endswith ".exe sysadmin" or TargetProcessCommandLine endswith ".exe unused" or TargetProcessCommandLine endswith ".exe wifi" or TargetProcessCommandLine endswith ".exe windows"))) or ((TargetProcessCommandLine contains " all " or TargetProcessCommandLine contains " browsers " or 
TargetProcessCommandLine contains " chats " or TargetProcessCommandLine contains " databases " or TargetProcessCommandLine contains " games " or TargetProcessCommandLine contains " mails " or TargetProcessCommandLine contains " maven " or TargetProcessCommandLine contains " memory " or TargetProcessCommandLine contains " multimedia " or TargetProcessCommandLine contains " php " or TargetProcessCommandLine contains " svn " or TargetProcessCommandLine contains " sysadmin " or TargetProcessCommandLine contains " unused " or TargetProcessCommandLine contains " wifi ") and (TargetProcessCommandLine contains "-1Password" or TargetProcessCommandLine contains "-apachedirectorystudio" or TargetProcessCommandLine contains "-autologon" or TargetProcessCommandLine contains "-ChromiumBased" or TargetProcessCommandLine contains "-coreftp" or TargetProcessCommandLine contains "-credfiles" or TargetProcessCommandLine contains "-credman" or TargetProcessCommandLine contains "-cyberduck" or TargetProcessCommandLine contains "-dbvis" or TargetProcessCommandLine contains "-EyeCon" or TargetProcessCommandLine contains "-filezilla" or TargetProcessCommandLine contains "-filezillaserver" or TargetProcessCommandLine contains "-ftpnavigator" or TargetProcessCommandLine contains "-galconfusion" or TargetProcessCommandLine contains "-gitforwindows" or TargetProcessCommandLine contains "-hashdump" or TargetProcessCommandLine contains "-iisapppool" or TargetProcessCommandLine contains "-IISCentralCertP" or TargetProcessCommandLine contains "-kalypsomedia" or TargetProcessCommandLine contains "-keepass" or TargetProcessCommandLine contains "-keepassconfig" or TargetProcessCommandLine contains "-lsa_secrets" or TargetProcessCommandLine contains "-mavenrepositories" or TargetProcessCommandLine contains "-memory_dump" or TargetProcessCommandLine contains "-Mozilla" or TargetProcessCommandLine contains "-mRemoteNG" or TargetProcessCommandLine contains "-mscache" or TargetProcessCommandLine contains 
"-opensshforwindows" or TargetProcessCommandLine contains "-openvpn" or TargetProcessCommandLine contains "-outlook" or TargetProcessCommandLine contains "-pidgin" or TargetProcessCommandLine contains "-postgresql" or TargetProcessCommandLine contains "-psi-im" or TargetProcessCommandLine contains "-puttycm" or TargetProcessCommandLine contains "-pypykatz" or TargetProcessCommandLine contains "-Rclone" or TargetProcessCommandLine contains "-rdpmanager" or TargetProcessCommandLine contains "-robomongo" or TargetProcessCommandLine contains "-roguestale" or TargetProcessCommandLine contains "-skype" or TargetProcessCommandLine contains "-SQLDeveloper" or TargetProcessCommandLine contains "-squirrel" or TargetProcessCommandLine contains "-tortoise" or TargetProcessCommandLine contains "-turba" or TargetProcessCommandLine contains "-UCBrowser" or TargetProcessCommandLine contains "-unattended" or TargetProcessCommandLine contains "-vault" or TargetProcessCommandLine contains "-vaultfiles" or TargetProcessCommandLine contains "-vnc" or TargetProcessCommandLine contains "-winscp"))
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | ASIM process-creation parser, not a connector itself; ensure the data connector(s) that feed it are enabled, otherwise the query returns no rows |