LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[1]

ID: S0349
Type: TOOL
Platforms: Linux, macOS, Windows
Version: 1.3
Created: 30 January 2019
Last Modified: 15 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1555 Credentials from Password Stores

LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.[1]

.001 Keychain

LaZagne can obtain credentials from macOS Keychains.[1]

.003 Credentials from Web Browsers

LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.[1]

.004 Windows Credential Manager

LaZagne can obtain credentials from Vault files.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

LaZagne can perform credential dumping from memory to obtain account and password information.[1]

.004 OS Credential Dumping: LSA Secrets

LaZagne can perform credential dumping from LSA secrets to obtain account and password information.[1]

.005 OS Credential Dumping: Cached Domain Credentials

LaZagne can perform credential dumping from MSCache to obtain account and password information.[1]

.007 OS Credential Dumping: Proc Filesystem

LaZagne can obtain credential information running Linux processes.[1]

.008 OS Credential Dumping: /etc/passwd and /etc/shadow

LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[1]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

LaZagne can obtain credentials from chats, databases, mail, and WiFi.[1]

Groups That Use This Software

ID Name References
G0069 MuddyWater

[2][3]

G0049 OilRig

[4]

G0022 APT3

[5]

G0100 Inception

[6]

G0120 Evilnum

[7]

G0077 Leafminer

[8]

G0139 TeamTNT

[9]

G0064 APT33

[10]

G0131 Tonto Team

[11]

References