S0349 LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[1]

ID: S0349
Associated Names: -
Type: TOOL
Version: 1.6
Created: 30 January 2019
Last Modified: 04 April 2024

Techniques Used

Domain | ID | Name | Use
---|---|---|---
enterprise | T1555 | Credentials from Password Stores | LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.[1]
enterprise | T1555.001 | Keychain | LaZagne can obtain credentials from macOS Keychains.[1]
enterprise | T1555.003 | Credentials from Web Browsers | LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.[1]
enterprise | T1555.004 | Windows Credential Manager | LaZagne can obtain credentials from Vault files.[1]
enterprise | T1003 | OS Credential Dumping | -
enterprise | T1003.001 | LSASS Memory | LaZagne can perform credential dumping from memory to obtain account and password information.[1]
enterprise | T1003.004 | LSA Secrets | LaZagne can perform credential dumping from LSA secrets to obtain account and password information.[1]
enterprise | T1003.005 | Cached Domain Credentials | LaZagne can perform credential dumping from MSCache to obtain account and password information.[1]
enterprise | T1003.007 | Proc Filesystem | LaZagne can use the <PID>/maps and <PID>/mem files to identify regex patterns to dump cleartext passwords from the browser's process memory.[1][3]
enterprise | T1003.008 | /etc/passwd and /etc/shadow | LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[1]
enterprise | T1552 | Unsecured Credentials | -
enterprise | T1552.001 | Credentials In Files | LaZagne can obtain credentials from chats, databases, mail, and WiFi.[1]

Groups That Use This Software

ID | Name | References
---|---|---
G0077 | Leafminer | [4]
G0102 | Wizard Spider | [5]
G0022 | APT3 | [6]
G1015 | Scattered Spider | Scattered Spider can obtain credential information using LaZagne.[7]
G0049 | OilRig | [8]
G0069 | MuddyWater | [9][10]
G0100 | Inception | [11]
G0064 | APT33 | [12]
G0139 | TeamTNT | [13]
G0131 | Tonto Team | [14]
G0120 | Evilnum | [15]
G1024 | Akira | [16]

References

  1. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.

  2. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.

  3. Huseyin Can YUCEEL & Picus Labs. (2022, March 22). Retrieved March 31, 2023.

  4. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.

  5. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.

  6. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.

  7. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.

  8. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.

  9. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.

  10. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.

  11. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.

  12. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.

  13. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.

  14. Lughi, D. and Horejsi, J. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.

  15. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.

  16. Campbell, S., Suthar, A., & Belfiorre, C. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.