1. Home
  2. Software
  3. LaZagne

LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[1]

ID: S0349
Type: TOOL
Platforms: Linux, macOS, Windows
Version: 1.3
Created: 30 January 2019
Last Modified: 15 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1555 Credentials from Password Stores

LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.[1]
.001 Keychain

LaZagne can obtain credentials from macOS Keychains.[1]

.003 Credentials from Web Browsers

LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.[1]
.004 Windows Credential Manager

LaZagne can obtain credentials from Vault files.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

LaZagne can perform credential dumping from memory to obtain account and password information.[1]
.004 OS Credential Dumping: LSA Secrets

LaZagne can perform credential dumping from LSA secrets to obtain account and password information.[1]
.005 OS Credential Dumping: Cached Domain Credentials

LaZagne can perform credential dumping from MSCache to obtain account and password information.[1]
.007 OS Credential Dumping: Proc Filesystem

LaZagne can obtain credential information running Linux processes.[1]
.008 OS Credential Dumping: /etc/passwd and /etc/shadow

LaZagne can obtain credential information from /etc/shadow using the shadow.py module.[1]
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

LaZagne can obtain credentials from chats, databases, mail, and WiFi.[1]

Groups That Use This Software

ID Name References
G0069 MuddyWater

[2][3]
G0049 OilRig

[4]
G0022 APT3

[5]
G0100 Inception

[6]
G0120 Evilnum

[7]
G0077 Leafminer

[8]
G0139 TeamTNT

[9]
G0064 APT33

[10]
G0131 Tonto Team

[11]

References

  1. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  2. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  3. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  4. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  5. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  6. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  1. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  2. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  3. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
  4. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  5. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.