nanodump
The Swiss Army knife of LSASS dumping (by fortra)
Dumpert
LSASS memory dumper using direct system calls and API unhooking. (by outflanknl)
| | nanodump | Dumpert |
|---|---|---|
| Mentions | 6 | 3 |
| Stars | 1,632 | 1,380 |
| Growth (month over month) | 1.0% | 2.5% |
| Activity | 4.9 | 1.8 |
| Latest commit | 4 days ago | over 3 years ago |
| Language | C | C |
| License | Apache License 2.0 | - |
The number of mentions is the total number of mentions that we've tracked plus the number of user-suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month-over-month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is among the top 10% of the most actively developed projects that we are tracking.
nanodump
Posts with mentions or reviews of nanodump. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2021-12-19.
- nanodump: The Swiss Army knife of LSASS dumping now supports the PPLMedic exploit, meaning you can dump LSASS on an up-to-date system with PPL enabled
- add --duplicate-local technique · this allows nanodump to open a handle to LSASS with PROCESS_QUERY_LIMITED_INFORMATION and elevate the handle later. This way, we might bypass several detections
- Ways to Dump LSASS
Excellent write-up. Check out this tool as well: https://github.com/helpsystems/nanodump. It supports cloning existing handles to lsass, which is a fun technique for dumping lsass more stealthily. I've seen it work against some modern EDRs.
- Alan c2 post-exploitation framework v5.0 - All you can in-memory edition
The video shows the execution of the `run` command. In the first part, the nanodump (https://github.com/helpsystems/nanodump) utility is executed in an external process (you can see in the video that at a given point the raserver.exe process is spawned).
- GitHub - helpsystems/nanodump: Dumping LSASS has never been so stealthy
- nanodump - Dumping LSASS using syscalls
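The two nanodump posts above describe a low-rights handle to LSASS (PROCESS_QUERY_LIMITED_INFORMATION) that is elevated later, and note that this "might bypass several detections". The snippet below is an added example, not code from nanodump, Dumpert or any post on this page: it runs two common styles of Sysmon Event ID 10 (ProcessAccess) rule over constructed log records to show which LSASS opens each catches. The pipe-delimited record format, the sample process names and the set of "known bad" masks are assumptions made for this example; the access-right constants are the real winnt.h values.

```python
"""Toy triage of Sysmon Event ID 10 (ProcessAccess) records targeting lsass.exe.

Added example. The record format, the source image names and KNOWN_BAD_MASKS
are constructed for illustration; only the PROCESS_* constants are real.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Process access rights from winnt.h (exact values).
PROCESS_CREATE_THREAD             = 0x0002
PROCESS_VM_OPERATION              = 0x0008
PROCESS_VM_READ                   = 0x0010
PROCESS_VM_WRITE                  = 0x0020
PROCESS_DUP_HANDLE                = 0x0040
PROCESS_QUERY_INFORMATION         = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Rights that let the holder read LSASS memory, or escalate towards it.
MEMORY_RIGHTS = (PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION
                 | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE)

# Exact masks an equality-style rule might look for (assumed list for this example).
KNOWN_BAD_MASKS = {0x1010, 0x1410, 0x1FFFFF}


@dataclass(frozen=True)
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int


_FIELD = re.compile(r"(\w+)=([^|]*)")


def parse_event(line: str) -> Optional[ProcessAccess]:
    """Parse one pipe-delimited key=value record; return None unless it is Event ID 10."""
    fields = dict(_FIELD.findall(line))
    if fields.get("EventID") != "10":
        return None
    return ProcessAccess(
        source_image=fields["SourceImage"].strip(),
        target_image=fields["TargetImage"].strip(),
        granted_access=int(fields["GrantedAccess"].strip(), 16),
    )


def is_lsass(ev: ProcessAccess) -> bool:
    return ev.target_image.lower().endswith("\\lsass.exe")


def exact_mask_rule(ev: ProcessAccess) -> bool:
    """Rule A: alert only when GrantedAccess equals a known dumper signature."""
    return is_lsass(ev) and ev.granted_access in KNOWN_BAD_MASKS


def bitwise_rule(ev: ProcessAccess) -> bool:
    """Rule B: alert when any memory-read or escalation bit is set, whatever else is."""
    return is_lsass(ev) and bool(ev.granted_access & MEMORY_RIGHTS)


def triage(lines: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each source image that touched lsass.exe to (rule A fired, rule B fired)."""
    verdicts: Dict[str, Tuple[bool, bool]] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_lsass(ev):
            continue
        verdicts[ev.source_image] = (exact_mask_rule(ev), bitwise_rule(ev))
    return verdicts


# Constructed records, not real telemetry.
SAMPLE_LOG = [
    # mimikatz-style open: VM_READ | QUERY_INFORMATION | QUERY_LIMITED_INFORMATION
    "EventID=10|SourceImage=C:\\Users\\Public\\mk.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1410",
    # low-rights open as in --duplicate-local: QUERY_LIMITED_INFORMATION only
    "EventID=10|SourceImage=C:\\Users\\Public\\nd.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1000",
    # full access mask
    "EventID=10|SourceImage=C:\\Users\\Public\\dump.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1FFFFF",
    # VM_READ plus DUP_HANDLE: not in the exact list, but the bits are there
    "EventID=10|SourceImage=C:\\Users\\Public\\odd.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1050",
    # not LSASS: ignored
    "EventID=10|SourceImage=C:\\Windows\\explorer.exe|TargetImage=C:\\Windows\\notepad.exe|GrantedAccess=0x1410",
    # different event type: skipped by the parser
    "EventID=1|Image=C:\\Windows\\system32\\svchost.exe",
]

if __name__ == "__main__":
    for image, (rule_a, rule_b) in triage(SAMPLE_LOG).items():
        print(f"{image}: exact-mask={rule_a} bitwise={rule_b}")
```

The 0x1410 and 0x1FFFFF opens trip both rules and the 0x1050 open trips only the bitwise one, but the 0x1000 open is invisible to both: no memory-read bit is requested at open time. Whatever access the handle later acquires through duplication is not in this event, so a detection built only on the original open event has nothing to match, which is the gap the --duplicate-local post is pointing at.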
Dumpert
Posts with mentions or reviews of Dumpert. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2021-12-19.
- outflanknl/Dumpert: LSASS memory dumper using direct system calls and API unhooking.
- Alan c2 post-exploitation framework v5.0 - All you can in-memory edition
In the second part, the dumpert (https://github.com/outflanknl/Dumpert) utility is executed inside notepad.exe process (again, you can see that the process is spawned at a given point).
What are some alternatives?
When comparing nanodump and Dumpert, you can also consider the following projects:
- CS-Situational-Awareness-BOF - Situational Awareness commands implemented using Beacon Object Files
- Awesome-Red-Teaming - List of Awesome Red Teaming Resources
- CrossC2 - generate CobaltStrike's cross-platform payload
- Awesome-CobaltStrike - List of Awesome CobaltStrike Resources
- amd-ryzen-master-driver-v17-exploit - Cobalt Strike (CS) Beacon Object File (BOF) for kernel exploitation using AMD's Ryzen Master Driver (version 17).
- WindowSpy - WindowSpy is a Cobalt Strike Beacon Object File meant for automated and targeted user surveillance.