Add README.md
This commit is contained in:
commit
5924d4c0e3
33
README.md
Normal file
33
README.md
Normal file
@ -0,0 +1,33 @@
|
||||
# LetMeowIn
|
||||
A sophisticated, covert LSASS dumper using C++ and MASM x64.
|
||||
|
||||
As seen on [Binary Defense](https://www.binarydefense.com/resources/blog/letmeowin-analysis-of-a-credential-dumper/) and [Cyber Security News](https://cybersecuritynews.com/researchers-detailed-letmeowin-credentials/)
|
||||
|
||||
## Disclaimer
|
||||
Don't be evil with this. I created this tool to learn. I'm not responsible if the Feds knock on your door.
|
||||
|
||||
----------------------------------------------------------------------------------------------------------
|
||||
|
||||
Historically was able to (and may presently still) bypass
|
||||
- Windows Defender
|
||||
- Malwarebytes Anti-Malware
|
||||
- CrowdStrike Falcon EDR (Falcon Complete + OverWatch)
|
||||
- Palo Alto Cortex xDR *(When combined with strong initial access methods)*
|
||||
|
||||
|
||||
|
||||
## Features
|
||||
Avoids detection by using various means, such as:
|
||||
- Manually implementing NTAPI operations through indirect system calls
|
||||
- ~~Disabling~~ Breaking telemetry features (i.e ETW)
|
||||
- Polymorphism through compile-time hash generation
|
||||
- Obfuscating API function names and pointers
|
||||
- Duplicating existing LSASS handles instead of opening new ones
|
||||
- Creating offline copies of the LSASS process to perform memory dumps on
|
||||
- Corrupting the `MDMP` signature of dropped files
|
||||
- Probably other stuff I forgot to mention here
|
||||
|
||||
## Negatives
|
||||
- Only works on x64 architecture
|
||||
- Relies on there being [existing opened LSASS handles](https://itm4n.github.io/lsass-runasppl/#technique-3--python--katz) on target systems
|
||||
- Don't expect this to be undetectable forever 🙂
|
||||
Loading…
x
Reference in New Issue
Block a user