LetMeowIn

A sophisticated, covert Windows-based credential dumper using C++ and MASM x64.

Quality Score

0/100

Supported Platforms

Universal

README

LetMeowIn

A sophisticated, covert LSASS dumper using C++ and MASM x64.

As seen on Binary Defense and Cyber Security News

Disclaimer

Don't be evil with this. I created this tool to learn. I'm not responsible if the Feds knock on your door.


Historically was able to (and may presently still) bypass:

  • Windows Defender
  • Malwarebytes Anti-Malware
  • CrowdStrike Falcon EDR (Falcon Complete + OverWatch)
  • Palo Alto Cortex XDR (when combined with strong initial access methods)

Features

Avoids detection by using various means, such as:

  • Manually implementing NTAPI operations through indirect system calls
  • ~~Disabling~~ Breaking telemetry features (i.e. ETW)
  • Polymorphism through compile-time hash generation
  • Obfuscating API function names and pointers
  • Duplicating existing LSASS handles instead of opening new ones
  • Creating offline copies of the LSASS process to perform memory dumps on
  • Corrupting the MDMP signature of dropped files
  • Probably other stuff I forgot to mention here

Negatives

  • Only works on x64 architecture
  • Relies on there being existing opened LSASS handles on target systems
  • Don't expect this to be undetectable forever 🙂

GitHub Stars: 445
Category: Development
Updated: 4d ago
Forks: 75

Languages

C++

Security Score

80/100

Audited on Mar 27, 2026

No findings