YARA rules for LaZagne

3 rules, scoped to this tool.
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

direct Lazagne
Lazagne_PW_Dumper
Detects Lazagne PW Dumper
Author: Markus Neis / Florian Roth. License: see source repo.
rule Lazagne_PW_Dumper {
   meta:
      description = "Detects Lazagne PW Dumper"
      author = "Markus Neis / Florian Roth"
      reference = "https://github.com/AlessandroZ/LaZagne/releases/"
      date = "2018-03-22"
      score = 70
      id = "1904029e-9336-5278-ae2e-4bc853316600"
   strings:
      $s1 = "Crypto.Hash" fullword ascii
      $s2 = "laZagne" fullword ascii
      $s3 = "impacket.winregistry" fullword ascii
   condition:
      3 of them
}
direct Lazagne
HKTL_Lazagne_PasswordDumper_Dec18_1
Detects password dumper Lazagne often used by middle eastern threat groups
Author: Florian Roth (Nextron Systems). License: see source repo.
rule HKTL_Lazagne_PasswordDumper_Dec18_1 {
   meta:
      description = "Detects password dumper Lazagne often used by middle eastern threat groups"
      author = "Florian Roth (Nextron Systems)"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      reference = "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
      date = "2018-12-11"
      score = 85
      hash1 = "1205f5845035e3ee30f5a1ced5500d8345246ef4900bcb4ba67ef72c0f79966c"
      hash2 = "884e991d2066163e02472ea82d89b64e252537b28c58ad57d9d648b969de6a63"
      hash3 = "bf8f30031769aa880cdbe22bc0be32691d9f7913af75a5b68f8426d4f0c7be50"
      id = "bae48a4d-33b6-55b9-abf5-daf87e5da9e9"
   strings:
      $s1 = "softwares.opera(" ascii
      $s2 = "softwares.mozilla(" ascii
      $s3 = "config.dico(" ascii
      $s4 = "softwares.chrome(" ascii
      $s5 = "softwares.outlook(" ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 17000KB and 1 of them
}
direct Lazagne
HKTL_Lazagne_Gen_18
Detects Lazagne password extractor hacktool
Author: Florian Roth (Nextron Systems). License: see source repo.
rule HKTL_Lazagne_Gen_18 {
   meta:
      description = "Detects Lazagne password extractor hacktool"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/AlessandroZ/LaZagne"
      license = "https://creativecommons.org/licenses/by-nc/4.0/"
      date = "2018-12-11"
      score = 80
      hash1 = "51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf"
      id = "034ea6d8-f5cf-5664-9ff9-24d19403093d"
   strings:
      $x1 = "lazagne.config.powershell_execute(" ascii
      $x2 = "creddump7.win32." ascii
      $x3 = "lazagne.softwares.windows.hashdump" ascii
      $x4 = ".softwares.memory.libkeepass.common(" ascii
   condition:
      2 of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin