The new v11.1 release of MITRE ATT&CK contains a beta version of Sub-Techniques for Mobile. The current, stable Mobile content can be accessed via the v10 release URL.
SOFTWARE
SOFTWARE
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
LaZagne
ID: S0349
ⓘ
Type: TOOL
ⓘ
Platforms: Linux, macOS, Windows
Version: 1.3
Created: 30 January 2019
Last Modified: 15 October 2021
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1555 | Credentials from Password Stores |
LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.[1] |
|
| .001 | Keychain | |||
| .003 | Credentials from Web Browsers |
LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.[1] |
||
| .004 | Windows Credential Manager | |||
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
LaZagne can perform credential dumping from memory to obtain account and password information.[1] |
| .004 | OS Credential Dumping: LSA Secrets |
LaZagne can perform credential dumping from LSA secrets to obtain account and password information.[1] |
||
| .005 | OS Credential Dumping: Cached Domain Credentials |
LaZagne can perform credential dumping from MSCache to obtain account and password information.[1] |
||
| .007 | OS Credential Dumping: Proc Filesystem |
LaZagne can obtain credential information running Linux processes.[1] |
||
| .008 | OS Credential Dumping: /etc/passwd and /etc/shadow |
LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[1] |
||
| Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
LaZagne can obtain credentials from chats, databases, mail, and WiFi.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0131 | Tonto Team | |
| G0064 | APT33 | |
| G0077 | Leafminer | |
| G0139 | TeamTNT | |
| G0120 | Evilnum | |
| G0100 | Inception | |
| G0022 | APT3 | |
| G0049 | OilRig | |
| G0069 | MuddyWater |
References
- Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
- Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
- Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
- AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
- Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
- GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
×