S0349: LaZagne
Analyst context for executives and security teams
LaZagne matters because it is a publicly available post-exploitation tool for recovering stored passwords from systems, with modules for Windows, Linux, and macOS and a primary focus on Windows. For leaders, the practical risk is not the tool name itself but what it represents: if an intruder reaches an endpoint, locally stored credentials can become fuel for broader access, lateral movement, and incident escalation.
Executive priority
Prioritize LaZagne as a credential-exposure readiness issue. Ask whether the organization knows where passwords, browser credentials, operating system credential stores, cached domain credentials, and local secrets exist; whether endpoint telemetry would show suspicious access to those stores; and whether incident response plans include rapid credential invalidation. The ATT&CK relationships map this tool to multiple credential-access techniques and to use by several named groups, so it is useful for control validation, audit evidence around credential protection, and tabletop scenarios involving credential theft after initial compromise.
Technical view
ATT&CK does not provide a detection analytic for LaZagne, so SOC and detection teams should validate coverage around the related credential-access behaviors rather than relying only on a tool signature. Relevant relationships include LSASS Memory, LSA Secrets, Cached Domain Credentials, Linux proc filesystem access, /etc/passwd and /etc/shadow access, credentials in files, credentials from password stores, macOS Keychain, web browser credential stores, and Windows Credential Manager. On Windows, validate visibility into process execution, credential-store access, LSASS/LSA-related activity, registry/security hive access, browser credential file access, and Windows Credential Manager interactions. On Linux and macOS, validate visibility into access to credential files, password stores, Keychain-related activity, browser credential storage, and sensitive filesystem locations. Relationship context includes use by multiple ATT&CK groups, but local prioritization should be based on the organization’s operating systems, stored credential practices, and exposed identity paths.
Likely telemetry
- Endpoint process creation and command-line metadata on Windows, Linux, and macOS
- Parent-child process lineage for suspicious credential-recovery activity
- File access telemetry for browser credential stores, local password stores, /etc/passwd, /etc/shadow, and credential-containing files
- Windows registry and security-related access telemetry relevant to LSA secrets and cached credentials
- Memory access or security event telemetry relevant to LSASS credential material
Detection direction
- Do not depend solely on the LaZagne filename or repository-derived indicators; validate behavior-based detections mapped to the related ATT&CK techniques.
- Tune for unusual access to credential stores by processes that do not normally read them, while accounting for legitimate administrative, backup, browser, password manager, and endpoint security activity.
- Correlate endpoint credential-store access with later authentication activity, especially use of accounts from unexpected hosts or workflows.
- For Windows, validate coverage for LSASS memory access, LSA secrets, cached domain credential access, browser credential files, and Windows Credential Manager access.
- For Linux, validate monitoring of /proc credential-related access and reads of /etc/passwd, /etc/shadow, and files likely to contain credentials.
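The tuning and correlation points above, as an added worked example that is not part of the ATT&CK object or Glexia's tooling: behaviour-based flagging of credential-store reads by non-baseline processes, keyed to the technique IDs in this entry, followed by correlation with later logons from the same host. The path fragments, the process baseline, and all telemetry are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed credential-store path fragments keyed by the ATT&CK IDs mapped
# to this software; fragments and the process baseline are assumptions.
CRED_STORE_PATTERNS = {
    "T1003.008": ["/etc/shadow", "/etc/passwd"],
    "T1555.003": ["login data", "logins.json"],   # Chrome / Firefox stores
    "T1555.004": ["\\microsoft\\vault\\"],       # Windows Credential Manager
    "T1003.004": ["\\config\\security"],         # registry hive backing LSA secrets
    "T1555.001": ["login.keychain"],              # macOS Keychain
}
# Processes that legitimately read these stores on this hypothetical fleet.
BASELINE = {"chrome.exe", "firefox", "lsass.exe", "backup-agent", "sshd", "securityd"}

def flag_access(events):
    """Return (technique_id, event) for store reads by processes outside the baseline."""
    hits = []
    for ev in events:
        if ev["process"] in BASELINE:
            continue
        path = ev["path"].lower()
        for tid, frags in CRED_STORE_PATTERNS.items():
            if any(f in path for f in frags):
                hits.append((tid, ev))
    return hits

def correlate_logons(hits, logons, window=timedelta(hours=6)):
    """Pair each flagged access with later logons sourced from that host to another host."""
    out = []
    for tid, ev in hits:
        t0 = datetime.fromisoformat(ev["ts"])
        for lg in logons:
            t1 = datetime.fromisoformat(lg["ts"])
            if lg["src_host"] == ev["host"] and lg["dst_host"] != ev["host"] and t0 < t1 <= t0 + window:
                out.append({"technique": tid, "host": ev["host"], "process": ev["process"],
                            "account": lg["account"], "dst_host": lg["dst_host"]})
    return out

# Constructed sample telemetry (not real logs).
FILE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "ws-17", "process": "chrome.exe", "path": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": "2024-05-01T10:05:00", "host": "ws-17", "process": "python.exe", "path": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": "2024-05-01T10:05:02", "host": "ws-17", "process": "python.exe", "path": "C:\\Windows\\System32\\config\\SECURITY"},
    {"ts": "2024-05-01T11:00:00", "host": "srv-db", "process": "cat", "path": "/etc/shadow"},
    {"ts": "2024-05-01T11:01:00", "host": "srv-db", "process": "sshd", "path": "/etc/shadow"},
]
LOGONS = [
    {"ts": "2024-05-01T09:00:00", "account": "a.user", "src_host": "ws-17", "dst_host": "fileserver"},  # before access
    {"ts": "2024-05-01T10:40:00", "account": "a.user", "src_host": "ws-17", "dst_host": "fileserver"},  # after access
    {"ts": "2024-05-01T11:30:00", "account": "root", "src_host": "srv-db", "dst_host": "srv-db"},       # same host
]

if __name__ == "__main__":
    for c in correlate_logons(flag_access(FILE_EVENTS), LOGONS):
        print(c)
```

The baseline set is where the legitimate browser, backup and endpoint-security activity named above gets excluded; the srv-db read is still flagged but produces no correlation because no cross-host logon follows it.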
Mitigation priorities
- Reduce the amount of reusable credential material stored on endpoints and in files.
- Apply least privilege so ordinary users and non-administrative processes cannot access sensitive credential stores unnecessarily.
- Harden operating system credential protections for Windows, Linux, and macOS according to platform policy and business requirements.
- Review browser password saving, local credential caching, password manager, and secrets-handling practices.
- Ensure incident response procedures include containment of affected hosts and rotation or invalidation of credentials that may have been exposed.
Analyst notes and limits
The supplied ATT&CK object identifies LaZagne as an open-source post-exploitation password recovery tool, publicly available on GitHub, with Windows, Linux, and macOS modules and a main Windows focus. The strongest decision value comes from its relationships to credential-access techniques rather than from a provided MITRE detection, because no official detection text is included. Named group relationships indicate ATT&CK-documented use by APT3, OilRig, APT33, MuddyWater, Leafminer, Inception, Wizard Spider, Evilnum, Tonto Team, TeamTNT, Scattered Spider, and Akira; these should inform threat modeling without implying attribution in a local incident.
No official MITRE detection guidance, aliases, labels, or tactics are provided for the tool object. The analysis is therefore limited to the official description, platforms, external references, and supplied relationships. Local telemetry, asset inventory, credential storage patterns, and identity architecture are required to determine actual exposure or detection coverage.
LaZagne
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1552.001 | Credentials In Files Sub-technique | LaZagne can obtain credentials from chats, databases, mail, and WiFi. (Citation: GitHub LaZagne Dec 2018) |
| Enterprise | T1555.004 | Windows Credential Manager Sub-technique | LaZagne can obtain credentials from Vault files. (Citation: GitHub LaZagne Dec 2018) |
| Enterprise | T1003.004 | LSA Secrets Sub-technique | LaZagne can perform credential dumping from LSA secrets to obtain account and password information. (Citation: GitHub LaZagne Dec 2018) |
| Enterprise | T1003.008 | /etc/passwd and /etc/shadow Sub-technique | LaZagne can obtain credential information from /etc/shadow using the shadow.py module. (Citation: GitHub LaZagne Dec 2018) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox. (Citation: GitHub LaZagne Dec 2018) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | LaZagne can perform credential dumping from memory to obtain account and password information. (Citation: GitHub LaZagne Dec 2018) |
| Enterprise | T1003.005 | Cached Domain Credentials Sub-technique | LaZagne can perform credential dumping from MSCache to obtain account and password information. (Citation: GitHub LaZagne Dec 2018) |
| Enterprise | T1555 | Credentials from Password Stores | LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms. (Citation: GitHub LaZagne Dec 2018) |
| Enterprise | T1555.001 | Keychain Sub-technique | LaZagne can obtain credentials from macOS Keychains. (Citation: GitHub LaZagne Dec 2018) |
| Enterprise | T1003.007 | Proc Filesystem Sub-technique | LaZagne can use the ` |
Groups, software, and campaigns
G0077: Leafminer
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
G0022: APT3
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]
G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication.[2][3][4][5][6][7][8][9][10][11][12][13]
G0100: Inception
G0064: APT33
G0139: TeamTNT
TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[1][2][3][4][5][6][7][8][9]
G0131: Tonto Team
Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[1][2][3][4][5][6]
G0120: Evilnum
G1024: Akira
Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.[1] Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.[1][2] Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with Conti ransomware.[3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.6 | | Current bundle | 9f322a997734… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] GitHub LaZagne Dec 2018: Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018. (Open source URL)
- [2] GitHub LaZange Dec 2018: Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018. (Open source URL)
- [3] LaZagne (Citation: GitHub LaZange Dec 2018)
- [4] mitre-attack S0349 (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.