HandleKatz

https://github.com/codewhitesec/HandleKatz

#mimikatz #lsass #dump

LSASS Encrypted Dump

https://sp00ks-git.github.io/posts/LSASS-Encrypted-Dump/

#lsass #dump

NanoDump

Dumping LSASS has never been so stealthy

Features

• It uses syscalls (with SysWhispers2) for most operations
• You can choose to download the dump without touching disk or write it to a file
• The minidump by default has an invalid signature to avoid detection
• It reduces the size of the dump by ignoring irrelevant DLLs. The (nano)dump tends to be arround 10 MB in size
• You don't need to provide the PID of LSASS
• No calls to dbghelp or any other library are made, all the dump logic is implemented in nanodump
• You can use the .exe version to run nanodump outside of Cobalt Strike

https://github.com/helpsystems/nanodump

#dump #lsass #syswhispers

Bypass Defender and dump LSASS via procdump.exe

If you rename procdump.exe to dump64.exe and place it in the "C:\Program Files (x86)\Microsoft Visual Studio\*" folder, you can bypass Defender and dump LSASS.

#lsass #dump #defender #bypass #dump64

DumpNParse

DumpNParse is a tool that will automatically dump LSASS and parse the results.

https://github.com/icyguider/DumpNParse

#lsass #dump #parse

Abusing Leaked Handles to Dump LSASS Memory

# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html

# https://github.com/antonioCoco/MalSeclogon

#seclogon #lsass #dump #redteam

EDRSandBlast

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

https://github.com/wavestone-cdt/EDRSandblast

#lsass #dump #etw #redteam

LOLBIN to dump LSASS

Path:
C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions

Binary:
DumpMinitool.exe

#lolbin #lsass #dump

🔐 Dumping LSASS with AV

Sometimes Antivirus is attackers' best friend. Here is how you can use Avast AV to dump lsass memory

Commands:
.\AvDump.exe --pid 704 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file lsass.dmp

To bypass Microsoft Defender, remember to rename the AvDump.exe file. Also, don't use the name lsass.dmp (see screenshot).

There's also Metasploit post exploitation module for this under post/windows/gather/avast_memory_dump

AvDump.exe is located at C:\Program Files\Avast Software\Avast.

You can also download AvDump.exe from this link.

VirusTotal Details:
https://www.virustotal.com/gui/file/52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b/details

#ad #evasion #lsass #dump #avast #redteam

🔐 Credential Guard Bypass

The well-known WDigest module, which is loaded by LSASS, has two interesting global variables: g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their name is rather self explanatory, the first one holds the state of Credential Guard within the module, the second one determines whether clear-text passwords should be stored in memory. By flipping these two values, you can trick the WDigest module into acting as if Credential Guard was not enabled.

Research:
https://itm4n.github.io/credential-guard-bypass/

PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp

#lsass #wdigest #credential #guard #research