NanoDump
Dumping LSASS has never been so stealthy
Features
• It uses syscalls (with SysWhispers2) for most operations
• You can choose to download the dump without touching disk or write it to a file
• The minidump by default has an invalid signature to avoid detection
• It reduces the size of the dump by ignoring irrelevant DLLs. The (nano)dump tends to be around 10 MB in size
• You don't need to provide the PID of LSASS
• No calls to dbghelp or any other library are made; all the dump logic is implemented in nanodump
• You can use the .exe version to run nanodump outside of Cobalt Strike
https://github.com/helpsystems/nanodump
#dump #lsass #syswhispers
DumpNParse
DumpNParse is a tool that will automatically dump LSASS and parse the results.
https://github.com/icyguider/DumpNParse
#lsass #dump #parse
Abusing Leaked Handles to Dump LSASS Memory
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam
EDRSandBlast
EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (kernel callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
🔐 Dumping LSASS with AV
Sometimes Antivirus is attackers' best friend. Here is how you can use Avast AV to dump lsass memory
Commands:
.\AvDump.exe --pid 704 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file lsass.dmp
To bypass Microsoft Defender, remember to rename the AvDump.exe file. Also, don't use the name lsass.dmp (see screenshot).
There's also a Metasploit post-exploitation module for this under
post/windows/gather/avast_memory_dump
AvDump.exe is located at C:\Program Files\Avast Software\Avast. You can also download AvDump.exe from this link.
VirusTotal Details:
https://www.virustotal.com/gui/file/52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b/details
#ad #evasion #lsass #dump #avast #redteam
🔐 Credential Guard Bypass
The well-known WDigest module, which is loaded by LSASS, has two interesting global variables: g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their names are rather self-explanatory: the first one holds the state of Credential Guard within the module, the second one determines whether clear-text passwords should be stored in memory. By flipping these two values, you can trick the WDigest module into acting as if Credential Guard was not enabled.
Research:
https://itm4n.github.io/credential-guard-bypass/
PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
#lsass #wdigest #credential #guard #research
🔐 Combination of 2 PoCs for bypassing Credential Guard with in-memory invocation
PoC 1 (patch wdigest.dll):
https://gist.github.com/N4kedTurtle/8238f64d18932c7184faa2d0af2f1240
PoC 2 (find variable offsets in runtime):
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
Merged:
https://gist.github.com/snovvcrash/43e976779efdd20df1596c6492198c99
#lsass #wdigest #credguard
🔐 PPLDump
RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows.
https://github.com/last-byte/RIPPL
#ad #ppl #lsass #tools
😈 EDRSandBlast: Update
— User-mode (API hooking) evasion;
— Kernel-mode (callbacks and ETW ThreatIntel events) evasion;
— Successfully tested on market-leading EDR products.
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
#maldev #edr #lsass #evasion #redteam
🎭 Masky
Masky is a Python library providing an alternative way to remotely dump domain users' credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily gather PFX files, NT hashes and TGTs on a larger scope.
This tool does not exploit any new vulnerability and does not work by dumping the LSASS process memory. Indeed, it only takes advantage of legitimate Windows and Active Directory features (token impersonation, certificate authentication via Kerberos, and NT hash retrieval via PKINIT).
Blog:
https://z4ksec.github.io/posts/masky-release-v0.0.3/
Source:
https://github.com/Z4kSec/Masky
#ad #adcs #lsass #redteam
😈 POSTDump
This is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding calls to the Windows API MiniDumpWriteDump function.
🚀 Key Features:
— Usage of indirect syscalls along with the Halo's Gate technique to retrieve syscall IDs
— No memory allocation/protection call is performed for indirect syscalls; instead, free RWX code caves found in the current process are used
— ETW patching
— No call to MiniDumpWriteDump
🌐 Source:
https://github.com/YOLOP0wn/POSTDump
#windows #lsass #dump #syscall #reactos
⚙️ MultiDump
This is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly. MultiDump supports LSASS dumps via ProcDump.exe or comsvcs.dll, and it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the dump to a handler for decryption and analysis.
🔗 https://github.com/Xre0uS/MultiDump
#lsass #remote #cpp #python
👻 Ghost in the PPL: BYOVDLL
This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-1/
#lsa #lsass #ppl #dll #maldev
👻 Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
In this second installment, the author deepens the exploration of techniques for bypassing LSASS protection, focusing on arbitrary code execution by refining the PoC, exploiting vulnerabilities like CVE-2023-28229, and bypassing Control Flow Guard (CFG) through RPC-based process handle duplication.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-2/
#lsa #lsass #ppl #dll #maldev
👻 Ghost in the PPL Part 3: LSASS Memory Dump
In the third part of the series, the author explores methods for dumping the memory of LSASS, including indirectly calling MiniDumpWriteDump, loading arbitrary DLLs into LSASS via the WinSock2 Autodial feature, and dynamically resolving addresses.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-3/
#lsa #lsass #ppl #dll #maldev
RustiveDump
LSASS memory dumper using only NTAPIs, creating a minimal minidump, built in Rust with no_std and independent of the C runtime (CRT). It can be compiled as shellcode (PIC), and supports XOR encryption and remote file transmission.
🚀 Features:
— NT System Calls for Everything
— No-Std and CRT-Independent
— Position Independent Code (PIC)
— Indirect NT Syscalls
— Lean Memory Dump
— XOR Encryption
🔗 Source:
https://github.com/safedv/RustiveDump
#lsass #indirect #syscall #pic #rust
🎭 Spoofing Call Stacks To Confuse EDRs
The article focuses on techniques for call stack spoofing to bypass detection by EDR. It explains how to fake call stacks during Windows API interactions to mask malicious activity, such as accessing the lsass process, as legitimate operations. The text details the mechanics of call stacks in the x64 architecture, the use of unwind codes, tools for analysis, and provides a PoC implementation demonstrating call stack spoofing in practice.
🔗 Research:
https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs
🔗 Source:
https://github.com/WithSecureLabs/CallStackSpoofer
#edr #evasion #stack #spoofing #lsass
🔑 lsassStealer
lsassStealer is a tool designed to dump the memory of the Windows process "lsass.exe". The dump is performed entirely in RAM, then compressed using the zlib library and fragmented for transmission via UDP packets disguised as NTP packets. This method helps reduce detection by security solutions such as Windows Defender and advanced Endpoint Detection and Response (EDR) tools.
🔗 Source:
https://github.com/Aur3ns/lsassStealer
#windows #lsass #edr #bypass