nanodump
The Swiss Army knife of LSASS dumping (by fortra)
WindowSpy
WindowSpy is a Cobalt Strike Beacon Object File meant for automated and targeted user surveillance. (by CodeXTF2)
The number of mentions indicates the total number of mentions that we've tracked plus the number of user-suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
nanodump
Posts with mentions or reviews of nanodump.
We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2021-12-19.
- nanodump: The Swiss Army knife of LSASS dumping now supports the PPLMedic exploit, meaning you can dump LSASS on an up-to-date system with PPL enabled
- add --duplicate-local technique · this allows nanodump to open a handle to LSASS with PROCESS_QUERY_LIMITED_INFORMATION and elevate the handle later. This way, we might bypass several detections
- Ways to Dump LSASS
  Excellent writeup. Check out this tool as well, https://github.com/helpsystems/nanodump, it supports cloning existing handles to lsass, which is a fun technique for dumping lsass more stealthily. I've seen it work against some modern EDRs.
- Alan c2 post-exploitation framework v5.0 - All you can in-memory edition
  The video shows the execution of the `run` command. In the first part, the nanodump (https://github.com/helpsystems/nanodump) utility is executed in an external process (you can see in the video that at a given point the raserver.exe process is spawned).
- GitHub - helpsystems/nanodump: Dumping LSASS has never been so stealthy
- nanodump - Dumping LSASS using syscalls
WindowSpy
Posts with mentions or reviews of WindowSpy.
We have used some of these posts to build our list of alternatives and similar projects.
- WindowSpy: WindowSpy is a Cobalt Strike Beacon Object File meant for targeted user surveillance. The goal of this project was to trigger surveillance capabilities only on certain targets, e.g. browser login pages, confidential documents, VPN logins, etc.
- WindowSpy - A Cobalt Strike Beacon Object File meant for targeted user surveillance
What are some alternatives?
When comparing nanodump and WindowSpy you can also consider the following projects:
CS-Situational-Awareness-BOF - Situational Awareness commands implemented using Beacon Object Files
amd-ryzen-master-driver-v17-exploit - Cobalt Strike (CS) Beacon Object File (BOF) for kernel exploitation using AMD's Ryzen Master Driver (version 17).
Awesome-Red-Teaming - List of Awesome Red Teaming Resources
CrossC2 - generate CobaltStrike's cross-platform payload
ScreenshotBOF - An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.
Awesome-CobaltStrike - List of Awesome CobaltStrike Resources
Dumpert - LSASS memory dumper using direct system calls and API unhooking.