S0349 LaZagne
LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[1]
| Item | Value |
|---|---|
| ID | S0349 |
| Associated Names | |
| Type | TOOL |
| Version | 1.4 |
| Created | 30 January 2019 |
| Last Modified | 02 March 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1555 | Credentials from Password Stores | LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.[1] |
| enterprise | T1555.001 | Keychain | LaZagne can obtain credentials from macOS Keychains.[1] |
| enterprise | T1555.003 | Credentials from Web Browsers | LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.[1] |
| enterprise | T1555.004 | Windows Credential Manager | LaZagne can obtain credentials from Vault files.[1] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | LaZagne can perform credential dumping from memory to obtain account and password information.[1] |
| enterprise | T1003.004 | LSA Secrets | LaZagne can perform credential dumping from LSA secrets to obtain account and password information.[1] |
| enterprise | T1003.005 | Cached Domain Credentials | LaZagne can perform credential dumping from MSCache to obtain account and password information.[1] |
| enterprise | T1003.007 | Proc Filesystem | LaZagne can use the `<PID>/maps` and `<PID>/mem` files to identify regex patterns to dump cleartext passwords from the browser's process memory.[1][2] |
| enterprise | T1003.008 | /etc/passwd and /etc/shadow | LaZagne can obtain credential information from `/etc/shadow` using the `shadow.py` module.[1] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | LaZagne can obtain credentials from chats, databases, mail, and WiFi.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0100 | Inception | [3] |
| G0069 | MuddyWater | [4][5] |
| G0049 | OilRig | [6] |
| G0131 | Tonto Team | [7] |
| G0064 | APT33 | [8] |
| G0139 | TeamTNT | [9] |
| G0077 | Leafminer | [10] |
| G0120 | Evilnum | [11] |
| G0022 | APT3 | [12] |
References
1. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
2. Huseyin Can YUCEEL & Picus Labs. (2022, March 22). Retrieved March 31, 2023.
3. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
4. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
5. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
6. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
7. Daniel Lunghi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
8. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
9. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
10. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
11. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
12. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.