LetMeowIn/README.md

# LetMeowIn
A sophisticated, covert LSASS dumper using C++ and MASM x64.

As seen on [Binary Defense](https://www.binarydefense.com/resources/blog/letmeowin-analysis-of-a-credential-dumper/) and [Cyber Security News](https://cybersecuritynews.com/researchers-detailed-letmeowin-credentials/)

## Disclaimer
Don't be evil with this. I created this tool to learn. I'm not responsible if the Feds knock on your door.

----------------------------------------------------------------------------------------------------------

Historically was able to (and may presently still) bypass
  - Windows Defender
  - Malwarebytes Anti-Malware
  - CrowdStrike Falcon EDR (Falcon Complete + OverWatch)
  - Palo Alto Cortex xDR *(When combined with strong initial access methods)*

![image](https://github.com/Meowmycks/LetMeowIn/assets/45502375/fb99f6e3-abb4-4beb-9130-dfbc550e1abe)

## Features
Avoids detection by using various means, such as:
  - Manually implementing NTAPI operations through indirect system calls
  - ~~Disabling~~ Breaking telemetry features (i.e ETW)
  - Polymorphism through compile-time hash generation
  - Obfuscating API function names and pointers
  - Duplicating existing LSASS handles instead of opening new ones
  - Creating offline copies of the LSASS process to perform memory dumps on
  - Corrupting the `MDMP` signature of dropped files
  - Probably other stuff I forgot to mention here

## Negatives
  - Only works on x64 architecture
  - Relies on there being [existing opened LSASS handles](https://itm4n.github.io/lsass-runasppl/#technique-3--python--katz) on target systems 
  - Don't expect this to be undetectable forever 🙂
Add README.md 2025-02-08 10:39:01 -05:00			`# LetMeowIn`
			`A sophisticated, covert LSASS dumper using C++ and MASM x64.`

			`As seen on [Binary Defense](https://www.binarydefense.com/resources/blog/letmeowin-analysis-of-a-credential-dumper/) and [Cyber Security News](https://cybersecuritynews.com/researchers-detailed-letmeowin-credentials/)`

			`## Disclaimer`
			`Don't be evil with this. I created this tool to learn. I'm not responsible if the Feds knock on your door.`

			`----------------------------------------------------------------------------------------------------------`

			`Historically was able to (and may presently still) bypass`
			`- Windows Defender`
			`- Malwarebytes Anti-Malware`
			`- CrowdStrike Falcon EDR (Falcon Complete + OverWatch)`
			`- Palo Alto Cortex xDR (When combined with strong initial access methods)`

			`![image](https://github.com/Meowmycks/LetMeowIn/assets/45502375/fb99f6e3-abb4-4beb-9130-dfbc550e1abe)`

			`## Features`
			`Avoids detection by using various means, such as:`
			`- Manually implementing NTAPI operations through indirect system calls`
			`- ~~Disabling~~ Breaking telemetry features (i.e ETW)`
			`- Polymorphism through compile-time hash generation`
			`- Obfuscating API function names and pointers`
			`- Duplicating existing LSASS handles instead of opening new ones`
			`- Creating offline copies of the LSASS process to perform memory dumps on`
			- Corrupting the `MDMP` signature of dropped files
			`- Probably other stuff I forgot to mention here`

			`## Negatives`
			`- Only works on x64 architecture`
			`- Relies on there being [existing opened LSASS handles](https://itm4n.github.io/lsass-runasppl/#technique-3--python--katz) on target systems`
			`- Don't expect this to be undetectable forever 🙂`