LaZagne
LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[1]
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1555 | Credentials from Password Stores | LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.[1]
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.[1]
Enterprise | T1555.001 | Credentials from Password Stores: Keychain |
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | LaZagne can perform credential dumping from memory to obtain account and password information.[1]
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | LaZagne can perform credential dumping from LSA secrets to obtain account and password information.[1]
Enterprise | T1003.005 | OS Credential Dumping: Cached Domain Credentials | LaZagne can perform credential dumping from MSCache to obtain account and password information.[1]
Enterprise | T1003.007 | OS Credential Dumping: Proc Filesystem | LaZagne can obtain credential information from running Linux processes.[1]
Enterprise | T1003.008 | OS Credential Dumping: /etc/passwd and /etc/shadow | LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[1]
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | LaZagne can obtain credentials from chats, databases, mail, and WiFi.[1]
Groups That Use This Software
ID | Name | References
---|---|---
G0077 | Leafminer |
G0049 | OilRig |
G0022 | APT3 |
G0069 | MuddyWater |
G0064 | APT33 |
G0100 | Inception |
References
- Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
- Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
- GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.