mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-09 09:27:16 +00:00
keyboardcrunch
19 lines
611 B
YAML
19 lines
611 B
YAML
title: LaZagne Password Theft
|
|
description: LaZagne happens to spawn 3 cmd shells to save security, system and sam
|
|
RegKeys, and the standard compiled release from github will have the original name
|
|
artifact of lazagne.exe.manifest within the %temp%_MEI?????\lazagne.exe.manifest
|
|
location.
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Credential Access
|
|
technique: T1552
|
|
subtechnique: 001
|
|
operating_system: windows
|
|
query: TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"
|
|
false_positives:
|
|
- Full registry exports
|
|
tags:
|
|
|