• Scenario Creation

• Operating System: Windows 10 Virtual Machines (Microsoft Azure)
• EDR Platform: Microsoft Defender for Endpoint
• Query Language: Kusto Query Language (KQL)
• Threat Actor Tool: LaZagne

Security analysts detected a series of failed login attempts, followed by a successful login using an admin account on a system where the user did not typically have such access. This raised concerns about potential credential theft, leading the SOC team to investigate credential dumping techniques.

The goal of this threat hunt is to detect unauthorized credential dumping activity using LaZagne, a known tool that extracts stored credentials from web browsers, Windows Credential Manager, email clients, Wi-Fi networks, and local databases.

1. Check DeviceFileEvents for LaZagne download and execution.
2. Check DeviceProcessEvents for LaZagne execution and command-line parameters.
3. Check DeviceNetworkEvents for data exfiltration attempts.

• Goal: Identify any instance where LaZagne was downloaded or copied within the system.
• Findings: The user attacker downloaded a LaZagne executable at 2025-02-20T19:05:38.2751686Z

DeviceFileEvents  
| where DeviceName == "aph-threat-hunt"  
| where InitiatingProcessAccountName == "labuser"  
| where FileName has "lazagne.exe"  
| where Timestamp >= datetime(2025-02-20T19:05:38.2751686Z)  
| order by Timestamp desc  
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, Account = InitiatingProcessAccountName

• Goal: Detect any attempts to bypass antivirus detection by adding exclusion paths.
• Findings: The attacker excluded the Downloads folder from Defender scans at 2025-02-20T19:08:17.5948715Z.

DeviceEvents
| where DeviceName == "aph-threat-hunt"
| where AdditionalFields contains "ExclusionPath"
| project  Timestamp, InitiatingProcessAccountName,DeviceName, AdditionalFields
| order by Timestamp desc

• Goal: Identify the execution of LaZagne.
• Findings: At 2025-02-20T19:08:22.5384068Z, the user executed LaZagne with the all argument to extract credentials.

DeviceProcessEvents   
| where DeviceName == "aph-threat-hunt"  
| where ProcessCommandLine contains "lazagne.exe"   
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath, SHA256, ProcessCommandLine

• Goal: Detect the exfiltration of dumped credentials using commonly abused tools.
• Findings: The attacker used certutil.exe and curl.exe to encode and send credentials to an external webhook at 2025-02-20T19:10:04.5440702Z.

DeviceProcessEvents
| where DeviceName == "aph-threat-hunt"
| where ProcessCommandLine has_any ("certutil","certutil.exe", "curl.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

• Goal: Verify if the compromised system established an outbound connection to an attacker-controlled server.
• Findings: The system connected to webhook.site via port 443 at `2025-02-20T19:10:05.8937553Z'.

DeviceNetworkEvents
| where DeviceName == "aph-threat-hunt"
| where InitiatingProcessFileName in ("curl.exe", "certutil.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc

• Goal: Detect attempts to cover tracks by deleting files.
• Findings: The attacker deleted the LaZagne executable and credential dump file at 2025-02-20T19:11:37.9798697Z.

DeviceEvents
| where DeviceName == "aph-threat-hunt"
| where ActionType == "PowerShellCommand"
| where Timestamp >= datetime(2025-02-20T19:11:37.9798697Z)  
| project  Timestamp, InitiatingProcessAccountName,DeviceName, AdditionalFields
| order by Timestamp desc

The user labuser on the aph-threat-hunt device downloaded and executed LaZagne to extract stored credentials. After execution, the extracted credentials were saved in creds_dump.txt and later encoded using certutil.exe. The attacker then exfiltrated the credentials to an external webhook server (webhook.site) via curl.exe.

To evade detection, the attacker:

• Added an antivirus exclusion to the Defender policy.
• Deleted evidence, including the LaZagne binary, the credential dump file, and the encoded credentials.

This confirms unauthorized credential dumping, antivirus evasion, and external data exfiltration, requiring immediate remediation and further investigation.

• LaZagne activity was confirmed on the compromised system aph-threat-hunt.
• The compromised endpoint was isolated to prevent further data leakage.
• Incident response teams reviewed all exposed credentials, and affected accounts were reset.
• Security teams updated security policies to block the unauthorized use of certutil.exe and curl.exe.
• SOC team alerted management, and the attacker's account was suspended pending further investigation.
• Endpoint Detection and Response (EDR) rules were deployed to monitor and detect similar credential dumping attempts.

• Author Name: Alejandro Perez Hernandez
• Author Contact: LinkedIn
• Date: February 25, 2025

• Implement endpoint monitoring policies to detect credential dumping tools.
• Block suspicious PowerShell and certutil.exe executions using Group Policy or Defender ATP.