LaZagne Credential Dumping Tool Detection Rule #4740

Open
cY83rR0H1t opened this issue Feb 27, 2024 · 1 comment
@cY83rR0H1t
Description of the Idea of the Rule

LaZagne's primary purpose is to retrieve passwords stored on a local computer. It can access passwords from various applications, browsers, and system configurations. This detection rule is for the lazagne.exe binary and its command-line arguments.

Public References / Example Event Log

https://github.com/AlessandroZ/LaZagne/tree/master
https://github.com/The-DFIR-Report/Sigma-Rules/blob/abaa1097fa72b184349b7467ffc6f9e7646cd900/rules/windows/process_creation/proc_creation_win_lazagne_dumping_credentials.yml#L4

```yaml
title: LaZagne Credential Dumping Tool
id: 48225e49-5fba-42a3-a888-74b0333af782
status: experimental
description: Suspicious usage of the LaZagne credential dumping tool via command line.
references:
    - https://github.com/AlessandroZ/LaZagne/tree/master
author: Rohit Jain
date: 2024/02/27
tags:
    - attack.credential_access
logsource:
    # process_creation rules are identified by product + category only;
    # there is no 'service: windows'.
    product: windows
    category: process_creation
detection:
    selection1:
        # 'endswith' is a plain, case-insensitive suffix match, not a regex,
        # so no (?i) or alternation is needed. The second entry keeps the
        # original's "extension optional" intent.
        Image|endswith:
            - '\lazagne.exe'
            - '\lazagne'
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        # Within one field the list values are OR'd; the fields of a selection
        # are AND'd, which is what keeps broad terms like 'all' or 'windows'
        # from firing on their own.
        CommandLine|contains:
            - 'all'
            - 'browsers'
            - 'chats'
            - 'databases'
            - 'games'
            - 'git'
            - 'mails'
            - 'maven'
            - 'memory'
            - 'multimedia'
            - 'php'
            - 'sysadmin'
            - 'windows'
    selection2:
        Image|endswith:
            - '\lazagne.exe'
            - '\lazagne'
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        # LaZagne output and verbosity switches
        CommandLine|contains:
            - '-oN'
            - '-oJ'
            - '-oA'
            - '-quiet'
            - '-vv'
    condition: selection1 or selection2
falsepositives:
    - Unknown
level: medium
```
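To see what the two selections in the proposed rule actually match, here is an added example that is not part of the issue, of LaZagne, or of the Sigma project. It re-implements only the Sigma semantics the rule depends on (case-insensitive `endswith` and `contains`, list values OR'd within a field, fields AND'd within a selection) and runs the rule over constructed process-creation records with Sysmon-style field names (`Image`, `ParentImage`, `CommandLine`). The events, paths and command lines are made up for the example.

```python
"""Exercise the proposed LaZagne Sigma rule against constructed process-creation events.

Added example, not code from the issue, from LaZagne, or from the Sigma project.
Only the matching semantics the rule relies on are re-implemented, so the logic
can be checked offline without pySigma or a SIEM. Field names follow Sysmon
Event ID 1 (assumption for the example).
"""

# Values taken from the rule in the issue. The bare '\lazagne' entry keeps the
# original regex's optional extension; Sigma 'endswith' is a suffix test, not a regex.
IMAGE_SUFFIXES = ("\\lazagne.exe", "\\lazagne")
PARENT_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")
MODULE_TERMS = ("all", "browsers", "chats", "databases", "games", "git", "mails",
                "maven", "memory", "multimedia", "php", "sysadmin", "windows")
FLAG_TERMS = ("-oN", "-oJ", "-oA", "-quiet", "-vv")


def endswith_any(value: str, suffixes) -> bool:
    """Sigma 'endswith' over a list: case-insensitive, any suffix matches."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_any(value: str, needles) -> bool:
    """Sigma 'contains' over a list: case-insensitive substring, any needle matches."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection1(ev: dict) -> bool:
    """Image AND ParentImage AND a LaZagne module keyword on the command line."""
    return (endswith_any(ev.get("Image", ""), IMAGE_SUFFIXES)
            and endswith_any(ev.get("ParentImage", ""), PARENT_SUFFIXES)
            and contains_any(ev.get("CommandLine", ""), MODULE_TERMS))


def selection2(ev: dict) -> bool:
    """Image AND ParentImage AND a LaZagne output/verbosity flag on the command line."""
    return (endswith_any(ev.get("Image", ""), IMAGE_SUFFIXES)
            and endswith_any(ev.get("ParentImage", ""), PARENT_SUFFIXES)
            and contains_any(ev.get("CommandLine", ""), FLAG_TERMS))


def rule_matches(ev: dict) -> bool:
    """condition: selection1 or selection2"""
    return selection1(ev) or selection2(ev)


CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events for the example (not real telemetry).
EVENTS = [
    # 0: textbook run, both selections fire
    {"Image": r"C:\Users\bob\Downloads\LaZagne.exe", "ParentImage": CMD,
     "CommandLine": r'"C:\Users\bob\Downloads\LaZagne.exe" all -oJ'},
    # 1: single module from PowerShell, no output flag: selection1 only
    {"Image": r"C:\Temp\lazagne.exe", "ParentImage": PS,
     "CommandLine": r"lazagne.exe browsers"},
    # 2: same tool renamed; the rule keys on Image only, so this is missed
    {"Image": r"C:\Temp\update.exe", "ParentImage": CMD,
     "CommandLine": r"update.exe all -oA"},
    # 3: benign git call; 'git' is a module term but Image does not match
    {"Image": r"C:\Program Files\Git\cmd\git.exe", "ParentImage": CMD,
     "CommandLine": r"git status"},
    # 4: launched from Explorer (double-click); the ParentImage constraint drops it
    {"Image": r"C:\Temp\lazagne.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"lazagne.exe all"},
]


def evaluate(events) -> list:
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for i in evaluate(EVENTS):
        print(f"alert: event {i}: {EVENTS[i]['CommandLine']}")
```

Events 2 and 4 are the ones worth staring at: a renamed binary passes straight through because nothing but `Image` ties the rule to LaZagne, and a double-clicked copy is dropped by the `ParentImage` restriction, so both constraints trade coverage for precision. The example also shows why the AND between fields is load-bearing: `contains_any` on `MODULE_TERMS` returns true for almost any command line that mentions a path under `C:\Windows`, and only the `Image` condition stops that from being noise.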
Contributor

Welcome @cY83rR0H1t 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃
