S3cur3Th1sSh1t / WinPwn

Automation for internal Windows penetration tests / AD security
BSD 3-Clause "New" or "Revised" License

safetykatz #4

Closed xillwillx closed 4 years ago

xillwillx commented 4 years ago

SafetyKatz in memory dumps the memory perfectly, but as it's parsing the dump it crashes while the data scrolls on the screen. Using Win2k16, PS5. Not sure where it's crashing. Can't test much else in this environment as the engagement is complete, but if I get another chance to test I'll let you know.

BTW, other than that, it worked perfectly bypassing AV using the rest of the tools :)

S3cur3Th1sSh1t commented 4 years ago

In my experience this is not a crash but the AV software killing your process. SafetyKatz is well known and blocked by many vendors. The block takes place in the form of killing your PowerShell process.

You should be able to use the "default" Invoke-Mimikatz option, which should bypass most AV software up to today, or as an alternative use the new option 16 from the WinPwn menu, which loads an obfuscated Mimikatz version into memory. You can use "sekurlsa::logonpasswords" from there.

If you are still stuck because the AV software prevents all LSASS dumps, you should use the "Obfus_SecurePS_WinPwn.ps1" version, which creates a protected process. All other vendors but Microsoft should not be able to kill or hook this process. Maybe you can even use SafetyKatz there; I did not test it till now.

S3cur3Th1sSh1t commented 4 years ago

I changed my comment in the menu which preferred SafetyKatz; instead you should use Invoke-Mimikatz option 2 or the reflective Mimikatz load from the main menu.

94495417bf7d149d604e57b015475e40c94036d4

S3cur3Th1sSh1t commented 4 years ago

So I just recompiled SafetyKatz with a newer Mimikatz version, which should not get flagged atm. This problem should be solved by that.

If you experience the same error again just reopen the issue.