Processes performing credential theft, such as LaZagne, indicate potential post-compromise lateral movement or ransomware activity, since adversaries commonly harvest credentials to gain further access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate credential theft early in the attack lifecycle.
KQL Query

```kusto
DeviceProcessEvents
| where FileName =~ 'reg.exe'
| where ProcessCommandLine has_all('save','hklm','sam')
| project DeviceId, Timestamp, InitiatingProcessId, InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
```
```yaml
id: f699a3e0-598e-4177-a110-c53c1bfeb897
name: LaZagne Credential Theft
description: |
  Use this query to locate processes executing credential theft activity, often LaZagne in ransomware compromises.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
query: |
  DeviceProcessEvents
  | where FileName =~ 'reg.exe'
  | where ProcessCommandLine has_all('save','hklm','sam')
  | project DeviceId, Timestamp, InitiatingProcessId, InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: LaZagne used by legitimate security tools for audit purposes
Filter/Exclusion: Check for processes initiated by known security tools (e.g., Microsoft Defender, CrowdStrike, or Bitdefender) and exclude those running under a security-related service account.
Scenario: Scheduled job extracting credentials for backup or migration
Filter/Exclusion: Exclude processes running under a scheduled task with a known backup or migration service account (e.g., BackupService or MigrationAdmin) and verify the task is part of a documented IT process.
Scenario: Admin task to retrieve credentials for service configuration
Filter/Exclusion: Exclude processes initiated by administrators using tools like PowerShell or cmd.exe with a known admin account (e.g., DomainAdmin) and verify the task is logged in a ticketing system (e.g., ServiceNow or Jira).
Scenario: LaZagne used in a penetration test or red team exercise
Filter/Exclusion: Exclude processes running under a red team or penetration testing account (e.g., RedTeamUser) and check for associated test environments or lab systems.
Scenario: Credential extraction for multi-factor authentication (MFA) bypass
Filter/Exclusion: Exclude processes initiated during a documented MFA bypass test and verify the activity is part of a controlled security assessment.
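As an added example (not part of the original hunting query or its metadata), the Python below applies the same predicate as the KQL above to constructed DeviceProcessEvents rows, approximating the whole-term, case-insensitive semantics of `has_all`, and sets aside hits that ran under the service accounts named in the exclusion scenarios so they can be checked against a documented process. The sample rows, the `AccountName` column and the allowlist are assumptions.

```python
import re

# Constructed sample DeviceProcessEvents rows (not real telemetry). AccountName is
# a column the page's query does not project; it is assumed here for tuning.
EVENTS = [
    {"DeviceId": "dev-01", "Timestamp": "2024-05-01T10:00:00Z", "AccountName": "jdoe",
     "InitiatingProcessFileName": "cmd.exe", "FileName": "reg.exe",
     "ProcessCommandLine": r"reg  save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"DeviceId": "dev-02", "Timestamp": "2024-05-01T10:05:00Z", "AccountName": "svc-app",
     "InitiatingProcessFileName": "cmd.exe", "FileName": "REG.EXE",
     "ProcessCommandLine": r"REG SAVE HKLM\SYSTEM C:\temp\samples.hiv"},  # 'samples' is not the term 'sam'
    {"DeviceId": "dev-03", "Timestamp": "2024-05-01T10:07:00Z", "AccountName": "jdoe",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "reg.exe",
     "ProcessCommandLine": r"reg query HKLM\SAM\SAM"},  # a read, not an export
    {"DeviceId": "dev-04", "Timestamp": "2024-05-01T10:09:00Z", "AccountName": "BackupService",
     "InitiatingProcessFileName": "svchost.exe", "FileName": "reg.exe",
     "ProcessCommandLine": r"reg save HKLM\sam D:\backup\sam.bak"},
]

_TERM_SPLIT = re.compile(r"[^A-Za-z0-9]+")

def kql_has_all(text: str, terms) -> bool:
    """Approximate KQL has_all: case-insensitive match on whole terms (maximal
    alphanumeric runs), so 'samples' does not satisfy 'sam' nor 'saved' 'save'."""
    tokens = {t.lower() for t in _TERM_SPLIT.split(text) if t}
    return all(term.lower() in tokens for term in terms)

def matches_sam_export(event: dict) -> bool:
    """Same predicate as the page's KQL: FileName =~ 'reg.exe' and has_all('save','hklm','sam')."""
    return (event["FileName"].lower() == "reg.exe"
            and kql_has_all(event["ProcessCommandLine"], ("save", "hklm", "sam")))

# Columns kept from the page's `project` (the sample rows carry no process ids).
PROJECTED = ("DeviceId", "Timestamp", "InitiatingProcessFileName", "FileName", "ProcessCommandLine")

# Accounts taken from the page's exclusion scenarios. Assumed allowlist: each entry
# must map to a documented, ticketed process before it is allowed to suppress a hit.
DOCUMENTED_ACCOUNTS = {"backupservice", "migrationadmin"}

def hunt(events):
    """Return (hits, held): projected rows that fire, and matches held for tuning review."""
    hits, held = [], []
    for ev in events:
        if not matches_sam_export(ev):
            continue
        row = {k: ev[k] for k in PROJECTED}
        (held if ev["AccountName"].lower() in DOCUMENTED_ACCOUNTS else hits).append(row)
    return hits, held
```

Rows in `held` are not discarded: they are the candidates for the scenario checks above (documented task, ticket reference) before any exclusion is added to the query itself.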