The lazagne rule detects potential credential theft by adversaries leveraging the Lazagne tool to extract stored credentials from Windows systems, which is commonly associated with ransomware campaigns like Ryuk. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of lateral movement and privilege escalation attempts by advanced threats.
KQL Query
```kql
// Find credential theft via SAM database export by LaZagne
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ 'reg.exe'
    and ProcessCommandLine has 'save'
    and ProcessCommandLine has 'hklm'
    and ProcessCommandLine has 'sam'
| project DeviceId, Timestamp, InitiatingProcessId,
    InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
```
```yaml
id: 97839232-ff2c-4924-983d-f21d25276e88
name: lazagne
description: |
  This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog.
  Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot.
  During a typical Ryuk campaign, an operator will use LaZagne, a credential theft tool, to access stored passwords for service accounts. The accounts are then used to jump from desktop clients to servers or domain controllers, allowing for better reconnaissance, faster movement, and a more severe impact on the target.
  The following query detects credential theft by LaZagne.
  The See also section below lists links to other queries associated with Ryuk ransomware.
  References:
  https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
  https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Ryuk&threatId=-2147232689
  https://github.com/AlessandroZ/LaZagne
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Credential Access
query: |
  // Find credential theft via SAM database export by LaZagne
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName =~ 'reg.exe'
      and ProcessCommandLine has 'save'
      and ProcessCommandLine has 'hklm'
      and ProcessCommandLine has 'sam'
  | project DeviceId, Timestamp, InitiatingProcessId,
      InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
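As an added illustration, not part of the query file above or of Sentinel/Defender: the same filter logic re-implemented in Python over constructed DeviceProcessEvents rows, which makes the operator semantics visible, `=~` being case-insensitive equality and `has` a whole-term, case-insensitive match rather than a substring match (so a command line containing `samba` does not satisfy `has 'sam'`). The function names, the sample rows and the term-boundary regex are assumptions of this example.

```python
# Added example: mirrors the lazagne query's predicates in Python over constructed rows.
# kql_has, run_lazagne_query, row and SAMPLE_EVENTS are illustrative names, not Sentinel APIs.
from datetime import datetime, timedelta, timezone
import re

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # fixed "now" so results are reproducible
TERM = re.compile(r"[A-Za-z0-9_]+")                 # assumed approximation of a Kusto term boundary
PROJECTED = ("DeviceId", "Timestamp", "InitiatingProcessId", "InitiatingProcessFileName",
             "ProcessId", "FileName", "ProcessCommandLine")

def kql_has(text: str, term: str) -> bool:
    """KQL `has`: case-insensitive match on a whole term, not a substring,
    so the path hklm\\sam matches 'sam' but the word 'samba' does not."""
    return term.lower() in (t.lower() for t in TERM.findall(text))

def run_lazagne_query(events, now=NOW, window=timedelta(days=7)):
    """Mirror the page's query: reg.exe launched with the terms save, hklm and sam
    inside the look-back window; return only the projected columns."""
    hits = []
    for e in events:
        if e["Timestamp"] <= now - window:           # Timestamp > ago(7d)
            continue
        if e["FileName"].lower() != "reg.exe":       # FileName =~ 'reg.exe'
            continue
        if all(kql_has(e["ProcessCommandLine"], t) for t in ("save", "hklm", "sam")):
            hits.append({k: e[k] for k in PROJECTED})
    return hits

def row(device, age, parent, pid, name, cmd):
    """Build one constructed DeviceProcessEvents row (sample data, not real telemetry)."""
    return {"DeviceId": device, "Timestamp": NOW - age, "InitiatingProcessId": pid - 10,
            "InitiatingProcessFileName": parent, "ProcessId": pid, "FileName": name,
            "ProcessCommandLine": cmd}

SAMPLE_EVENTS = [
    row("dev-1", timedelta(hours=2), "cmd.exe", 4120, "reg.exe",
        r"reg save hklm\sam C:\Windows\Temp\sam.hive"),          # hit
    row("dev-2", timedelta(days=1), "powershell.exe", 5230, "REG.EXE",
        r"REG SAVE HKLM\SAM out.hiv"),                            # hit: =~ and has ignore case
    row("dev-3", timedelta(hours=5), "cmd.exe", 6010, "reg.exe",
        r"reg save hklm\software\samba C:\samba.hiv"),            # miss: 'samba' is not the term 'sam'
    row("dev-4", timedelta(days=10), "cmd.exe", 7010, "reg.exe",
        r"reg save hklm\sam old.hive"),                           # miss: outside the 7-day window
    row("dev-5", timedelta(hours=1), "explorer.exe", 8010, "cmd.exe",
        r"cmd /c reg save hklm\sam x.hive"),                      # miss: this row is the parent cmd.exe; the child reg.exe row would hit
]
```

Running `run_lazagne_query(SAMPLE_EVENTS)` returns the dev-1 and dev-2 rows only, each reduced to the seven projected columns.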
Scenario: Legitimate Scheduled Task Execution
Description: A scheduled task using lazagne as part of a legitimate system maintenance or configuration management process.
Filter/Exclusion: Check for the presence of task scheduler or schtasks.exe in the command line, and ensure the task is associated with a known legitimate service or admin tool (e.g., Microsoft Deployment Toolkit, SCCM, or PowerShell scripts).
Scenario: Use of Lazagne for Internal Credential Harvesting (Authorized Use)
Description: An authorized security team member using lazagne as part of a red team exercise or internal security audit to test credential storage mechanisms.
Filter/Exclusion: Filter by user context (e.g., user == "security_team_user" or user == "internal_audit"), and check for presence of a known internal tool or script used for authorized testing.
Scenario: System Restore or Backup Process
Description: lazagne is executed as part of a system restore or backup operation that includes credential storage files.
Filter/Exclusion: Look for execution context related to system restore, backup, or vss (Volume Shadow Copy Service), and check for presence of known backup tools like Veeam, Acronis, or Microsoft Backup.
Scenario: Administrative Tool with Similar Name
Description: A legitimate administrative tool with a similar name to lazagne (e.g., Lazagne.exe could be confused with a custom tool used internally).
Filter/Exclusion: Check the file path and hash against known internal tools, and verify the digital signature or publisher of the executable.
Scenario: PowerShell Script Using Lazagne as a Variable
Description: A PowerShell script uses the string “lazagne” as