DeviceProcessEvents
| where FileName =~ 'reg.exe'
| where ProcessCommandLine has_all('save','hklm','sam')
| project DeviceId, DeviceName, TimeGenerated, InitiatingProcessId, InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
description: |
LaZagne is a popular open-source tool used to recover passwords stored on a local computer. It has been used in ransomware attacks to steal credentials and escalate privileges. This query looks for the execution of LaZagne.
entityMappings:
- fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
entityType: Host
- fieldMappings:
- columnName: ProcessId
identifier: ProcessId
- columnName: ProcessCommandLine
identifier: CommandLine
entityType: Process
query: |
DeviceProcessEvents
| where FileName =~ 'reg.exe'
| where ProcessCommandLine has_all('save','hklm','sam')
| project DeviceId, DeviceName, TimeGenerated, InitiatingProcessId, InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
tactics:
- CredentialAccess
severity: Medium
triggerThreshold: 0
queryFrequency: 1h
status: Available
queryPeriod: 1h
relevantTechniques:
- T1003
id: 7d0d3050-8dac-4b83-bfae-902f7dc0c21c
name: LaZagne Credential Theft
kind: Scheduled
triggerOperator: gt
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Ransomware/LaZagneCredTheft.yaml
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
