
HackTool - LaZagne Execution

Summary
This detection rule identifies the execution of LaZagne, a utility that extracts a wide range of passwords stored on a local computer. LaZagne has frequently been used by threat actors to harvest credentials from compromised systems. The rule analyzes Windows process creation logs, looking for the LaZagne executable itself or for its characteristic command-line signatures. It combines several criteria to improve detection accuracy: checks on the file paths from which LaZagne is likely to be run, and checks on command-line arguments that indicate an attempt to access particular categories of stored passwords. False positives are possible, particularly from benign tools whose command-line patterns or functionality resemble LaZagne's.
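To show how the combination of criteria described above behaves on process-creation telemetry, here is an added example (not the rule's own source and not code from the Sigma project): a small Python model of two selections, one on the image or PE original file name and one on the command line, evaluated over constructed Sysmon Event ID 1 style events. The password-module keyword list and the sample events are assumptions for illustration.

```python
# Added example: a minimal model of a LaZagne process-creation detection.
# Field names follow Sysmon Event ID 1; the module list is an assumed subset.

PASSWORD_MODULES = {"all", "browsers", "windows", "mails", "databases", "wifi"}


def _basename(path: str) -> str:
    # Windows paths use backslashes; tolerate forward slashes from odd loggers.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_lazagne(event: dict) -> dict:
    """Return which selections fired for one process-creation event."""
    image = _basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    tokens = event.get("CommandLine", "").lower().split()

    # selection_img: on-disk name or PE version-info name is lazagne.exe.
    # OriginalFileName survives a plain rename of the binary.
    selection_img = image == "lazagne.exe" or original == "lazagne.exe"

    # selection_cli: a lazagne invocation (binary, or the .py script run via
    # python) followed by a password-module argument. Requiring both tokens
    # keeps a benign "backup.exe all" from firing on the module word alone.
    selection_cli = (
        len(tokens) >= 2
        and any("lazagne" in _basename(t.strip('"')) for t in tokens[:2])
        and any(t in PASSWORD_MODULES for t in tokens[1:])
    )
    return {"selection_img": selection_img, "selection_cli": selection_cli,
            "alert": selection_img or selection_cli}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\LaZagne.exe", "OriginalFileName": "lazagne.exe",
     "CommandLine": r"C:\Users\Public\LaZagne.exe all"},
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "lazagne.exe",
     "CommandLine": r"svc.exe browsers"},            # renamed binary
    {"Image": r"C:\Python39\python.exe", "OriginalFileName": "python.exe",
     "CommandLine": r"python.exe C:\tools\lazagne.py browsers"},
    {"Image": r"C:\Tools\backup.exe", "OriginalFileName": "backup.exe",
     "CommandLine": r"backup.exe all"},              # benign, must not fire
]


def scan(events):
    return [matches_lazagne(e)["alert"] for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", e["CommandLine"])
```

The renamed-binary event fires only through OriginalFileName, and the script-based event only through the command-line selection, which is why the rule keeps both checks.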
Categories
  • Endpoint
Data Sources
  • Process
Created: 2024-06-24