According to gentilkiwi's blog post (in French, sorry), it is possible to dump lsass.exe directly from the Task Manager, without using procdump or any similar tool. Mimikatz can then be used on this dump as usual.
What's interesting is you cannot specify the name of the dump file, it is always of the form [processname].DMP.
I believe monitoring the creation of files with extension .dmp could help catch attackers trying to use this technique to steal credentials.
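As an added example (not part of the original post), the detection idea above applied to constructed Sysmon FileCreate (Event ID 11) records: the fixed `[processname].DMP` naming means the file's base name tells you which process was dumped, so the logic alerts on a dump of lsass regardless of writer and flags other Task Manager dumps for review. The `Image` and `TargetFilename` field names are Sysmon's own; the `%TEMP%` paths and every event line are constructed sample data.

```python
"""Flag file-creation records that look like a Task Manager dump of lsass.
Input lines are constructed samples shaped as "Image|TargetFilename"."""
import re
from typing import Iterable

# Processes whose memory holds credentials; lsass is the one the post is about.
SENSITIVE_PROCESSES = {"lsass"}

# Task Manager names the file <processname>.DMP; match the final path component
# case-insensitively, since the extension shows up as both .DMP and .dmp.
DUMP_NAME_RE = re.compile(r"(?:^|[\\/])(?P<proc>[^\\/]+)\.dmp$", re.IGNORECASE)

# Constructed sample Sysmon Event ID 11 records (Image|TargetFilename).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\Taskmgr.exe|C:\Users\alice\AppData\Local\Temp\lsass.DMP",
    r"C:\Windows\System32\Taskmgr.exe|C:\Users\alice\AppData\Local\Temp\notepad.DMP",
    r"C:\Program Files\App\app.exe|C:\ProgramData\App\crash_20240101.dmp",
    r"C:\Windows\System32\WerFault.exe|C:\Users\alice\AppData\Local\Temp\lsass.dmp",
]


def parse_event(line: str) -> tuple[str, str]:
    """Split one constructed record into (Image, TargetFilename)."""
    image, target = line.split("|", 1)
    return image.strip(), target.strip()


def classify(image: str, target: str) -> str:
    """Return 'alert', 'review' or 'ignore' for one file-creation record."""
    m = DUMP_NAME_RE.search(target)
    if not m:
        return "ignore"  # not a .dmp file at all
    proc = m.group("proc").lower()
    if proc in SENSITIVE_PROCESSES:
        return "alert"  # a dump named after lsass, whoever wrote it
    if image.lower().endswith("\\taskmgr.exe"):
        return "review"  # user-initiated dump of a non-sensitive process
    return "ignore"  # ordinary application crash dumps


def scan(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (verdict, image, target) for every record that is not ignored."""
    findings = []
    for image, target in map(parse_event, lines):
        verdict = classify(image, target)
        if verdict != "ignore":
            findings.append((verdict, image, target))
    return findings
```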