NanoDump
Dumping LSASS has never been so stealthy
Features
• It uses syscalls (with SysWhispers2) for most operations
• You can choose to download the dump without touching disk or write it to a file
• The minidump by default has an invalid signature to avoid detection
• It reduces the size of the dump by ignoring irrelevant DLLs. The (nano)dump tends to be around 10 MB in size
• You don't need to provide the PID of LSASS
• No calls to dbghelp or any other library are made; all the dump logic is implemented in nanodump
• You can use the .exe version to run nanodump outside of Cobalt Strike
https://github.com/helpsystems/nanodump
#dump #lsass #syswhispers
DumpNParse
DumpNParse is a tool that will automatically dump LSASS and parse the results.
https://github.com/icyguider/DumpNParse
#lsass #dump #parse
Abusing Leaked Handles to Dump LSASS Memory
# https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
# https://github.com/antonioCoco/MalSeclogon
#seclogon #lsass #dump #redteam
Extracting passwords from hiberfil.sys
When in password-hunting mode with access to the target's filesystem, most people reach for SAM and/or extract cached credentials. Often overlooked are hiberfil.sys and/or virtual machine snapshots or memory dumps, which usually contain passwords in plain text.
https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps
#hiberfil #dump #password
EDRSandBlast
EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (kernel callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
Cobalt-Clip
Cobalt-Clip is a clipboard add-on for Cobalt Strike that interacts with the clipboard. With it you can dump, edit and monitor the clipboard's content.
https://github.com/DallasFR/Cobalt-Clip
#cobaltstrike #clipboard #dump
LFIDump
A simple Python script to dump remote files through a local file read or local file inclusion web vulnerability.
https://github.com/p0dalirius/LFIDump
#lfi #dump #tools #bugbounty
Remotely Dumping Chrome Cookies
The method in this blog post does not require the remote debugger or Keychain (macOS)/DPAPI (Windows) access and applies to Chromium-based browsers in general.
https://cedowens.medium.com/remotely-dumping-chrome-cookies-revisited-b25343257209
#chrome #cookie #dump #blog
🔐 Dumping LSASS with AV
Sometimes antivirus is the attacker's best friend. Here is how you can use Avast AV to dump LSASS memory.
Commands:
.\AvDump.exe --pid 704 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file lsass.dmp
To bypass Microsoft Defender, remember to rename the AvDump.exe file. Also, don't use the name lsass.dmp (see screenshot).
There's also a Metasploit post-exploitation module for this under
post/windows/gather/avast_memory_dump
AvDump.exe is located at C:\Program Files\Avast Software\Avast. You can also download AvDump.exe from this link.
VirusTotal Details:
https://www.virustotal.com/gui/file/52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b/details
#ad #evasion #lsass #dump #avast #redteam