LetMeowIn
A sophisticated, covert LSASS dumper using C++ and MASM x64.
As seen on Binary Defense and Cyber Security News
Disclaimer
Don't be evil with this. I created this tool to learn. I'm not responsible if the Feds knock on your door.
Historically was able to (and may presently still) bypass
- Windows Defender
- Malwarebytes Anti-Malware
- CrowdStrike Falcon EDR (Falcon Complete + OverWatch)
- Palo Alto Cortex xDR (When combined with strong initial access methods)
Features
Avoids detection by using various means, such as:
- Manually implementing NTAPI operations through indirect system calls
Disabling Breaking telemetry features (i.e ETW)
- Polymorphism through compile-time hash generation
- Obfuscating API function names and pointers
- Duplicating existing LSASS handles instead of opening new ones
- Creating offline copies of the LSASS process to perform memory dumps on
- Corrupting the
MDMP
signature of dropped files
- Probably other stuff I forgot to mention here
Negatives
- Only works on x64 architecture
- Relies on there being existing opened LSASS handles on target systems
- Don't expect this to be undetectable forever 🙂