Published: 2024-05-10 13:08:57 | 2,696 views
In today's video, I show a way to extract LSASS credentials without dumping the LSASS process itself. We use DFIR tools to capture all of the machine's memory, exfiltrate the resulting file, and then extract the credentials from that image offline. This is a foolproof method and will get by almost every EDR solution. You will have to deal with a large file size, but in today's day and age, this isn't as big of a problem as it has been in the past.
WinPmem: https://github.com/Velocidex/WinPmem/releases
Volatility: https://github.com/volatilityfoundation/volatility3
Chapters
00:00 Introduction
00:28 Credential Guard
02:05 WinPmem
04:18 Dumping Memory
05:31 SIEM Rules for Detection of Memory Dumping
07:52 Dumping Creds with Volatility
10:36 Please Turn on Credential Guard! Do IT Now!
10:57 Outro
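The description and the "SIEM Rules for Detection of Memory Dumping" chapter point at the defensive side of this technique: a full-memory acquisition leaves two observable artifacts, the acquisition tool process and a large memory image written to disk. The following is an added example, not code from the video or its author, showing how a small detection pass over Sysmon-style events could flag both. It assumes Sysmon-like fields (event ID 1 for process creation, 11 for file creation, with an image path and a command line or target filename); the tool-name list contains only "winpmem" from the page, and the event records and the file-extension list are constructed for illustration.

```python
"""Toy detection pass over constructed Sysmon-style events.

Added example (not the video's own SIEM rules). Assumes Sysmon-like
event fields; all sample events below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int   # Sysmon event ID: 1 = process create, 11 = file create
    image: str      # image path of the process that generated the event
    detail: str     # command line (event 1) or target filename (event 11)


# "winpmem" is named on the page; treat this tuple as the place to extend
# with other acquisition tools your environment cares about (assumption).
ACQUISITION_TOOLS = ("winpmem",)

# Constructed list of extensions commonly used for full memory images (assumption).
MEMORY_IMAGE_EXTENSIONS = (".raw", ".aff4", ".mem", ".dmp")


def classify(ev: Event) -> list[str]:
    """Return the detection labels that apply to a single event."""
    findings = []
    image = ev.image.lower()
    if ev.event_id == 1 and any(tool in image for tool in ACQUISITION_TOOLS):
        findings.append("memory-acquisition-tool-executed")
    if ev.event_id == 11 and ev.detail.lower().endswith(MEMORY_IMAGE_EXTENSIONS):
        findings.append("memory-image-written")
    return findings


def detect(events: list[Event]) -> list[tuple[str, str]]:
    """Run every event through classify() and return (image, label) hits."""
    return [(ev.image, label) for ev in events for label in classify(ev)]


# Constructed sample telemetry: one benign process, one acquisition tool run,
# and the memory image that run writes to disk.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    Event(1, r"C:\Tools\winpmem_mini_x64.exe", "winpmem_mini_x64.exe C:\\Temp\\physmem.raw"),
    Event(11, r"C:\Tools\winpmem_mini_x64.exe", r"C:\Temp\physmem.raw"),
    Event(11, r"C:\Windows\System32\notepad.exe", r"C:\Users\user\notes.txt"),
]


if __name__ == "__main__":
    for image, label in detect(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```

In a real SIEM these two signals are best correlated: a tool execution followed shortly by a multi-gigabyte file write from the same process is far higher confidence than either alone, and the "large file size" the description mentions is exactly what makes the second signal hard to hide. Credential Guard, as the video's closing chapter urges, removes the payoff even when the dump succeeds.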
Please take the opportunity to connect and share this video with your friends and family if you find it useful.