A Positive Quote for Now

"We delight in the beauty of the butterfly, but rarely admit the changes it has gone through to achieve that beauty."— Maya Angelou


Nanodump.x64.exe

One of the primary indicators of compromise (IoC) is a handle to LSASS. If process A opens a handle to process B (LSASS) with the intent to read memory, EDRs flag it. Nanodump attempts to steal or reuse existing handles. Instead of opening a new, suspicious handle, it scans the system for processes that already have valid handles to LSASS (such as svchost.exe or security products themselves) and duplicates those handles for its own use. This "Handle Duplication" technique is harder to distinguish from legitimate OS activity.

git clone https://github.com/fortra/nanodump
cd nanodump
make nanodump.x64.exe

Traditional tools load dbghelp.dll to call MiniDumpWriteDump. nanodump implements its own mini-dump writer using lower-level native API functions (NtReadVirtualMemory, NtOpenProcess). It replicates the Microsoft minidump format without ever touching monitored DLLs.

--getpid: Simply prints the Process ID (PID) of LSASS and exits.

As a defender, you will rarely see nanodump.x64.exe simply double-clicked on a desktop. The typical attack chain looks like this:

nanodump.x64.exe remains popular because it is . In 2024–2025, ransomware affiliates have shifted from using procdump.exe (loud) to nanodump variants.

No tool is truly unblockable. Here is a layered defense strategy.
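To make the two LSASS-access patterns described above concrete (a direct handle to LSASS with memory-read rights, and the handle-duplication pivot through a process that already holds an LSASS handle), here is an added detection example that is not part of the original post or the nanodump project. It assumes simplified, constructed ProcessAccess-style log lines with SourceImage, TargetImage and GrantedAccess fields, and a constructed allowlist of images that legitimately read LSASS; both are placeholders to tune for your own telemetry.

```python
"""Flag LSASS-read and handle-duplication access patterns in process-access logs."""
import re

# Documented Windows process access rights relevant to these two patterns
PROCESS_VM_READ = 0x0010      # required to read another process's memory
PROCESS_DUP_HANDLE = 0x0040   # required to duplicate another process's handles

# Assumed allowlist (constructed): images that legitimately hold LSASS handles.
ALLOWED_LSASS_READERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
}

# Constructed sample events, not real telemetry (key=value form for simplicity).
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "SourceImage=C:\\Users\\bob\\nanodump.x64.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "SourceImage=C:\\Users\\bob\\nanodump.x64.exe TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x1040",
    "SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1000",
]

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse key=value pairs into a dict; GrantedAccess becomes an int."""
    ev = dict(_FIELD.findall(line))
    ev["GrantedAccess"] = int(ev["GrantedAccess"], 16)
    return ev


def classify(ev):
    """Return an alert label for a suspicious access, or None for benign ones."""
    src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    access = ev["GrantedAccess"]
    if src in ALLOWED_LSASS_READERS:
        return None  # known-good reader; skip both checks
    if tgt.endswith("\\lsass.exe") and access & PROCESS_VM_READ:
        return "direct-lsass-read"      # the classic, loud IoC
    if access & PROCESS_DUP_HANDLE:
        return "dup-handle-pivot"       # asking another process for its handles
    return None


def scan(lines):
    """Return (label, source, target) for every event that trips a check."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            alerts.append((label, ev["SourceImage"], ev["TargetImage"]))
    return alerts
```

In a real estate the dup-handle check is best restricted to targets known to hold LSASS handles, otherwise ordinary debuggers and task managers will add noise.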