title: LaZagne Password Theft
description: LaZagne happens to spawn 3 cmd shells to save security, system and sam
  RegKeys, and the standard compiled release from github will have the original name
  artifact of lazagne.exe.manifest within the %temp%_MEI?????\lazagne.exe.manifest
  location.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
   tactic: Credential Access
   technique: T1552
   subtechnique: 001
operating_system: windows
query: TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"
false_positives: null
tags: null