auto-generated queries from markdown notes

queries/windows/lazagne_password_theft.yml

@@ -0,0 +1,17 @@
+title: LaZagne Password Theft
+description: LaZagne happens to spawn 3 cmd shells to save security, system and sam
+  RegKeys, and the standard compiled release from github will have the original name
+  artifact of lazagne.exe.manifest within the %temp%_MEI?????\lazagne.exe.manifest
+  location.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1552
+   subtechnique: 001
+operating_system: windows
+query: TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"
+false_positives: null
+tags: null
+