NanoDump
Dumping LSASS has never been so stealthy
Features
#dump #lsass #syswhispers
Dumping LSASS has never been so stealthy
Features
• It uses syscalls (with SysWhispers2) for most operationshttps://github.com/helpsystems/nanodump
• You can choose to download the dump without touching disk or write it to a file
• The minidump by default has an invalid signature to avoid detection
• It reduces the size of the dump by ignoring irrelevant DLLs. The (nano)dump tends to be arround 10 MB in size
• You don't need to provide the PID of LSASS
• No calls to dbghelp or any other library are made, all the dump logic is implemented in nanodump
• You can use the .exe version to run nanodump outside of Cobalt Strike
#dump #lsass #syswhispers
This media is not supported in your browser
VIEW IN TELEGRAM
DumpNParse
DumpNParse is a tool that will automatically dump LSASS and parse the results.
https://github.com/icyguider/DumpNParse
#lsass #dump #parse
DumpNParse is a tool that will automatically dump LSASS and parse the results.
https://github.com/icyguider/DumpNParse
#lsass #dump #parse
Abusing Leaked Handles to Dump LSASS Memory
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam
EDRSandBlast
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
GitHub
GitHub - wavestone-cdt/EDRSandblast
Contribute to wavestone-cdt/EDRSandblast development by creating an account on GitHub.
🔐 Dumping LSASS with AV
Sometimes Antivirus is attackers' best friend. Here is how you can use Avast AV to dump lsass memory
Commands:
There's also Metasploit post exploitation module for this under
You can also download AvDump.exe from this link.
VirusTotal Details:
https://www.virustotal.com/gui/file/52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b/details
#ad #evasion #lsass #dump #avast #redteam
Sometimes Antivirus is attackers' best friend. Here is how you can use Avast AV to dump lsass memory
Commands:
.\AvDump.exe --pid 704 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file lsass.dmp
To bypass Microsoft Defender, remember to rename the AvDump.exe file. Also, don't use the name lsass.dmp (see screenshot).There's also Metasploit post exploitation module for this under
post/windows/gather/avast_memory_dump
AvDump.exe is located at C:\Program Files\Avast Software\Avast. You can also download AvDump.exe from this link.
VirusTotal Details:
https://www.virustotal.com/gui/file/52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b/details
#ad #evasion #lsass #dump #avast #redteam
🔥4👍1👎1
🔐 Credential Guard Bypass
The well-known WDigest module, which is loaded by LSASS, has two interesting global variables:
Research:
https://itm4n.github.io/credential-guard-bypass/
PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
#lsass #wdigest #credential #guard #research
The well-known WDigest module, which is loaded by LSASS, has two interesting global variables:
g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their name is rather self explanatory, the first one holds the state of Credential Guard within the module, the second one determines whether clear-text passwords should be stored in memory. By flipping these two values, you can trick the WDigest module into acting as if Credential Guard was not enabled.Research:
https://itm4n.github.io/credential-guard-bypass/
PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
#lsass #wdigest #credential #guard #research
🔥2
APT
🔐 Credential Guard Bypass The well-known WDigest module, which is loaded by LSASS, has two interesting global variables: g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their name is rather self explanatory, the first one holds the state of Credential…
🔐 Combination of 2 PoCs for bypassing Credential Guard with in-memory invocation
PoC 1 (patch wdigest.dll):
https://gist.github.com/N4kedTurtle/8238f64d18932c7184faa2d0af2f1240
PoC 2 (find variable offsets in runtime):
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
Merged:
https://gist.github.com/snovvcrash/43e976779efdd20df1596c6492198c99
#lsass #wdigest #credguard
PoC 1 (patch wdigest.dll):
https://gist.github.com/N4kedTurtle/8238f64d18932c7184faa2d0af2f1240
PoC 2 (find variable offsets in runtime):
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
Merged:
https://gist.github.com/snovvcrash/43e976779efdd20df1596c6492198c99
#lsass #wdigest #credguard
🔥4👍3
🔐 PPLDump
RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows.
https://github.com/last-byte/RIPPL
#ad #ppl #lsass #tools
RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows.
https://github.com/last-byte/RIPPL
#ad #ppl #lsass #tools
GitHub
GitHub - last-byte/RIPPL: RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows
RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows - last-byte/RIPPL
APT
EDRSandBlast EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland…
😈 EDRSandBlast: Update
— User-mode (API hooking) evasion;
— Kernel-mode (callbacks and ETW ThreatIntel events) evasion;
— Successively tested on market-leading EDR products.
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
#maldev #edr #lsass #evasion #redteam
— User-mode (API hooking) evasion;
— Kernel-mode (callbacks and ETW ThreatIntel events) evasion;
— Successively tested on market-leading EDR products.
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
#maldev #edr #lsass #evasion #redteam
GitHub
GitHub - wavestone-cdt/EDRSandblast at DefCon30Release
Contribute to wavestone-cdt/EDRSandblast development by creating an account on GitHub.
👍3
🎭 Masky
Masky is a python library providing an alternative way to remotely dump domain users' credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily gather PFX, NT hashes and TGT on a larger scope.
This tool does not exploit any new vulnerability and does not work by dumping the LSASS process memory. Indeed, it only takes advantage of legitimate Windows and Active Directory features (token impersonation, certificate authentication via kerberos & NT hashes retrieval via PKINIT).
Blog:
https://z4ksec.github.io/posts/masky-release-v0.0.3/
Source:
https://github.com/Z4kSec/Masky
#ad #adcs #lsass #redteam
Masky is a python library providing an alternative way to remotely dump domain users' credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily gather PFX, NT hashes and TGT on a larger scope.
This tool does not exploit any new vulnerability and does not work by dumping the LSASS process memory. Indeed, it only takes advantage of legitimate Windows and Active Directory features (token impersonation, certificate authentication via kerberos & NT hashes retrieval via PKINIT).
Blog:
https://z4ksec.github.io/posts/masky-release-v0.0.3/
Source:
https://github.com/Z4kSec/Masky
#ad #adcs #lsass #redteam
👍7
😈 POSTDump
This is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding call to the Windows API MiniDumpWriteDump function.
🚀 Key Features:
— Usage of indirect syscall along with halo's gate technic to retrieve syscalls IDs
— No memory Allocation/Protection call is performed for indirect syscall, instead, free RWX codecave found in the current process are used
— ETW patching
— No call to MiniDumpWriteDump
🌐 Source:
https://github.com/YOLOP0wn/POSTDump
#windows #lsass #dump #syscall #reactos
This is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding call to the Windows API MiniDumpWriteDump function.
🚀 Key Features:
— Usage of indirect syscall along with halo's gate technic to retrieve syscalls IDs
— No memory Allocation/Protection call is performed for indirect syscall, instead, free RWX codecave found in the current process are used
— ETW patching
— No call to MiniDumpWriteDump
🌐 Source:
https://github.com/YOLOP0wn/POSTDump
#windows #lsass #dump #syscall #reactos
🔥7👍2
⚙️ MultiDump
This is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly. MultiDump supports LSASS dump via ProcDump.exe or Comsvc.dll, it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the dump to a handler for decryption and analysis
🔗 https://github.com/Xre0uS/MultiDump
#lsass #remote #cpp #python
This is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly. MultiDump supports LSASS dump via ProcDump.exe or Comsvc.dll, it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the dump to a handler for decryption and analysis
🔗 https://github.com/Xre0uS/MultiDump
#lsass #remote #cpp #python
🔥15❤🔥5👎3
👻 Ghost in the PPL: BYOVDLL
This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-1/
#lsa #lsass #ppl #dll #maldev
This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-1/
#lsa #lsass #ppl #dll #maldev
itm4n’s blog
Ghost in the PPL Part 1: BYOVDLL
In this series of blog posts, I will explore yet another avenue for bypassing LSA Protection in Userland. I will also detail the biggest challenges I faced while developing a proof-of-concept, and discuss some novel techniques and tricks to load an arbitrary…
🔥12😱3❤1