LaZagne
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1555 | .001 | Credentials from Password Stores: Keychain |
LaZagne can obtain credentials from macOS Keychains.(Citation: GitHub LaZagne Dec 2018) |
.003 | Credentials from Password Stores: Credentials from Web Browsers |
LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.(Citation: GitHub LaZagne Dec 2018) |
||
.004 | Credentials from Password Stores: Windows Credential Manager |
LaZagne can obtain credentials from Vault files.(Citation: GitHub LaZagne Dec 2018) |
||
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
LaZagne can perform credential dumping from memory to obtain account and password information.(Citation: GitHub LaZagne Dec 2018) |
.004 | OS Credential Dumping: LSA Secrets |
LaZagne can perform credential dumping from LSA secrets to obtain account and password information.(Citation: GitHub LaZagne Dec 2018) |
||
.005 | OS Credential Dumping: Cached Domain Credentials |
LaZagne can perform credential dumping from MSCache to obtain account and password information.(Citation: GitHub LaZagne Dec 2018) |
||
.007 | OS Credential Dumping: Proc Filesystem |
LaZagne can use the ` |
||
.008 | OS Credential Dumping: /etc/passwd and /etc/shadow |
LaZagne can obtain credential information from /etc/shadow using the shadow.py module.(Citation: GitHub LaZagne Dec 2018) |
||
Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
LaZagne can obtain credentials from chats, databases, mail, and WiFi.(Citation: GitHub LaZagne Dec 2018) |
Groups That Use This Software |
||
ID | Name | References |
---|---|---|
G0077 | Leafminer |
(Citation: Symantec Leafminer July 2018) |
G0102 | Wizard Spider |
(Citation: Mandiant FIN12 Oct 2021) |
G0022 | APT3 |
(Citation: Symantec Buckeye) |
G1015 | Scattered Spider |
(Citation: MSTIC Octo Tempest Operations October 2023) |
G0049 | OilRig |
(Citation: FireEye APT35 2018) |
G0069 | MuddyWater |
(Citation: Symantec MuddyWater Dec 2018) (Citation: TrendMicro POWERSTATS V3 June 2019) |
G0100 | Inception |
(Citation: Kaspersky Cloud Atlas August 2019) |
G0064 | APT33 |
(Citation: Symantec Elfin Mar 2019) |
G0139 | TeamTNT |
(Citation: ATT TeamTNT Chimaera September 2020) |
G0131 | Tonto Team |
(Citation: TrendMicro Tonto Team October 2020) |
G0120 | Evilnum |
(Citation: ESET EvilNum July 2020) |
G1024 | Akira |
(Citation: Arctic Wolf Akira 2023) |
References
- Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
- Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
- Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
- Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
- AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
- Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
- Huseyin Can YUCEEL & Picus Labs. (2022, March 22). Retrieved March 31, 2023.
- Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
- Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.