POSTDump - A Stealthy LSASS Minidump Tool for Red Team Operations

POSTDump is a C#/.NET-based tool designed to perform minidumps of the LSASS (Local Security Authority Subsystem Service) process while leveraging advanced techniques to avoid detection.

It is inspired by the ReactOS minidump function and tools like NanoDump, but it avoids direct calls to the Windows API MiniDumpWriteDump function, making it more stealthy.

This guide provides an overview of POSTDump's features, usage, evasion techniques, and potential improvements.

What is POSTDump?

POSTDump is a tool that allows users to dump the memory of the LSASS process for credential extraction. It includes several stealthy techniques to avoid detection by security solutions. The core dumping logic is implemented in the POSTMinidump project, which can be reused in other projects.

Key capabilities include:

  • Direct implementation of the ReactOS minidump function.

  • Encryption or invalid signature generation for minidumps.

  • Support for using the Process Explorer (ProcExp) driver to bypass Protected Process Light (PPL) restrictions.

  • Live credential parsing without writing a dump file to disk.

Features and Usage

Command-Line Options

POSTDump offers various options for dumping LSASS and evading detection:

Option                   Description
-o, --output             Specify output filename (default: Machine_datetime.dmp). Full paths are supported.
-e, --encrypt            Encrypt the dump in memory.
-s, --signature          Generate an invalid minidump signature.
--snap                   Use the snapshot technique for dumping.
--fork                   Use the fork technique (default).
--elevate-handle         Open a low-privilege LSASS handle and duplicate it for higher privileges.
--duplicate-elevate      Search for an existing LSASS handle, duplicate it, and elevate privileges.
--live                   Parse credentials directly from memory without writing a dump file to disk.
--fromfile [file]        Parse credentials from an existing dump file.
--asr                    Attempt LSASS dump using ASR bypass (Windows 10/11/2019). No signature or encryption is applied.
--driver                 Use the Process Explorer driver to bypass PPL restrictions and dump LSASS.
--kill [processID]       Kill a process using the Process Explorer driver.
--help                   Display help information.
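The -s option exists because many file scanners recognise a minidump only by the 4-byte 'MDMP' magic at offset 0. The following Python heuristic is an added example for defenders, not POSTDump's own code and not part of the original article: it identifies a minidump-shaped file from the rest of the MINIDUMP_HEADER (the 0xA793 version word, a stream directory that fits inside the file, recognised stream types), so a tampered signature alone does not hide it. The header layout and stream type values come from minidumpapiset.h; the sample file is constructed inside the block. It offers nothing against a dump encrypted in memory with -e, which is the caveat a forensic pipeline must plan for.

```python
"""Heuristic minidump detector that does not depend on the 'MDMP' magic.

Added example (not POSTDump code). A scanner keyed on the first four bytes
misses a dump written with an invalid signature; the structure behind the
signature is still a minidump and can be recognised as such.
"""
import struct

MDMP_MAGIC = 0x504D444D          # 'MDMP' as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793        # low word of MINIDUMP_HEADER.Version
HEADER_SIZE = 32                 # sizeof(MINIDUMP_HEADER)
DIRECTORY_ENTRY_SIZE = 12        # sizeof(MINIDUMP_DIRECTORY)

# Stream types (minidumpapiset.h) that a full-memory process dump carries.
KNOWN_STREAMS = {
    3: "ThreadListStream",
    4: "ModuleListStream",
    5: "MemoryListStream",
    7: "SystemInfoStream",
    9: "Memory64ListStream",
}


def classify_minidump(data: bytes) -> dict:
    """Return a verdict describing whether `data` is structurally a minidump."""
    result = {"is_minidump": False, "signature_valid": False, "streams": []}
    if len(data) < HEADER_SIZE:
        return result
    signature, version, n_streams, dir_rva = struct.unpack_from("<IIII", data, 0)
    result["signature_valid"] = signature == MDMP_MAGIC
    # Structural checks below survive signature tampering.
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        return result
    if not (1 <= n_streams <= 256):
        return result
    if dir_rva < HEADER_SIZE or dir_rva + n_streams * DIRECTORY_ENTRY_SIZE > len(data):
        return result
    known = 0
    for i in range(n_streams):
        stream_type, size, rva = struct.unpack_from(
            "<III", data, dir_rva + i * DIRECTORY_ENTRY_SIZE)
        # Every stream's data location must lie inside the file.
        if rva + size > len(data):
            return result
        if stream_type in KNOWN_STREAMS:
            known += 1
            result["streams"].append(KNOWN_STREAMS[stream_type])
    # Two or more recognised streams with a consistent directory is enough to flag it.
    result["is_minidump"] = known >= 2
    return result


def build_sample_dump(signature: int) -> bytes:
    """Construct a small minidump-shaped byte string (test data, not a real dump)."""
    streams = [(7, 56), (3, 4), (4, 4), (9, 16)]  # (StreamType, DataSize)
    dir_rva = HEADER_SIZE
    rva = dir_rva + len(streams) * DIRECTORY_ENTRY_SIZE
    # Signature, Version (low word 0xA793), NumberOfStreams, StreamDirectoryRva,
    # CheckSum, TimeDateStamp, Flags
    header = struct.pack("<IIIIIIQ", signature, 0x0001A793, len(streams), dir_rva, 0, 0, 0)
    directory, payload = b"", b""
    for stream_type, size in streams:
        directory += struct.pack("<III", stream_type, size, rva)
        payload += b"\x00" * size
        rva += size
    return header + directory + payload


if __name__ == "__main__":
    for label, sig in (("valid signature", MDMP_MAGIC), ("invalid signature", 0x41414141)):
        print(label, classify_minidump(build_sample_dump(sig)))
```

Run over a directory of suspicious files, `classify_minidump` flags the dump with a corrupted signature while `signature_valid` tells the analyst that tampering took place; the combination is itself a useful indicator, since legitimate crash dumps keep their magic intact.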

Example Commands

1. Basic LSASS Dump:

PostDump.exe -o lsass_dump.dmp

2. Encrypted Dump:

PostDump.exe -o encrypted_dump.dmp --encrypt

3. Live Credential Parsing:

PostDump.exe --live

4. Bypassing PPL with ProcExp Driver:

PostDump.exe --driver

5. ASR Bypass on Windows 10/11:

PostDump.exe --asr

Evasion Techniques

POSTDump incorporates several advanced evasion techniques to avoid detection by Endpoint Detection and Response (EDR) solutions:

  1. Indirect Syscalls:

    • Uses indirect syscall execution along with Halo's Gate technique to retrieve syscall IDs.

  2. RWX Codecave Usage:

    • Avoids memory allocation or protection changes by utilizing existing RWX codecaves in the current process.

  3. ETW Patching:

    • Disables Event Tracing for Windows (ETW) telemetry to prevent detection.

  4. No MiniDumpWriteDump Calls:

    • Avoids calling the standard Windows API function for minidumps.

  5. Live Credential Parsing:

    • Extracts credentials directly from memory without creating a dump file on disk.
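Apart from the driver path, every technique above still has to obtain a handle to lsass.exe, whether directly, by duplicating an existing one, or by forking or snapshotting the process, and Sysmon records each such open as Event ID 10 (ProcessAccess) with the GrantedAccess mask. The detection logic below is an added example, not POSTDump code and not part of the original article, run over constructed Sysmon-style events. The key=value line format, the allowlist of benign source images and the choice of access bits are assumptions to tune per environment; the access right constants themselves are from winnt.h.

```python
"""Flag suspicious handle opens on lsass.exe in Sysmon-style ProcessAccess events.

Added example (not POSTDump code). The sample events and their key=value
format are constructed for this demonstration.
"""
import re

# Access rights (winnt.h) relevant to reading LSASS memory, duplicating its
# handles, or forking/snapshotting the process.
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_CREATE_PROCESS = 0x0080    # required to fork the target process
PROCESS_ALL_ACCESS = 0x1FFFFF

SUSPICIOUS_BITS = PROCESS_VM_READ | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS

# Processes that routinely touch lsass.exe on a healthy host (assumption; tune per fleet).
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

FIELD_RE = re.compile(r"(\w+)=([^;]*)")


def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value;Key=Value' event line into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def is_suspicious_lsass_access(event: dict):
    """Return a reason string for a suspicious lsass.exe handle open, else None."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in BENIGN_SOURCES:
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if granted == PROCESS_ALL_ACCESS:
        return "PROCESS_ALL_ACCESS on lsass.exe from %s" % source
    if granted & SUSPICIOUS_BITS:
        return ("GrantedAccess 0x%X includes VM_READ/DUP_HANDLE/CREATE_PROCESS from %s"
                % (granted, source))
    # A query-only open (e.g. 0x1000) is too common to alert on by itself.
    return None


def detect(lines):
    """Return the reasons for every suspicious event in `lines`."""
    reasons = []
    for line in lines:
        reason = is_suspicious_lsass_access(parse_event(line))
        if reason:
            reasons.append(reason)
    return reasons


# Constructed sample events in the order a handle-based dump would produce them.
SAMPLE_EVENTS = [
    r"EventID=10;SourceImage=C:\Users\dev\Downloads\PostDump.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1FFFFF",
    r"EventID=10;SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1410",
    r"EventID=10;SourceImage=C:\Temp\tool.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1000",
    r"EventID=10;SourceImage=C:\Temp\tool.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x0080",
    r"EventID=1;Image=C:\Temp\tool.exe;CommandLine=tool.exe --fork",
]

if __name__ == "__main__":
    for reason in detect(SAMPLE_EVENTS):
        print("ALERT:", reason)
```

The rule deliberately ignores the low-privilege open in the third sample event: a 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) handle is opened on lsass.exe by many legitimate tools, so the useful signal is the image that opens it and the rights it ends up with, not the open alone. The driver-based path does not appear as a ProcessAccess event at all, which is why driver loads (Sysmon Event ID 6) need their own rule.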

Potential Improvements

The tool could be enhanced further with additional techniques and features:

  • Adding more dumping methods such as:

    • Seclogon exploitation.

    • PPLMedic.

    • Shtinkering.

  • Implementing advanced evasion strategies like call stack spoofing.

  • Incorporating Godfault techniques to avoid reliance on drivers.

Compilation Instructions

To compile POSTDump:

  1. Build using .NET Framework 4.5.1.

  2. If running on systems with older CLR versions, downgrade to .NET 3.5 as needed.

Credits and Disclaimer

POSTDump was developed with contributions from various researchers and tools:

  • Inspired by NanoDump by s4ntiago_p.

  • ProcExp driver integration by Yaxser.

  • RWX codecave discovery by SECFORCE.

  • ASR bypass technique by 0xAbdullah.

  • Minidump parsing library by cube0x0.

Disclaimer: This tool is intended solely for academic research and developing defensive strategies. Unauthorized use of this tool is prohibited, and the maintainers are not responsible for misuse. You can learn more and download POSTDump on GitHub.
