SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

FileCreate: match ".dmp" files #76

Closed simsor closed 5 years ago

simsor commented 5 years ago

According to gentilkiwi's blog post (in French, sorry), it is possible to dump lsass.exe directly from the Task Manager, without using procdump or any similar tool. Mimikatz can then be used on this dump as usual.

What's interesting is you cannot specify the name of the dump file, it is always of the form [processname].DMP.

I believe monitoring the creation of files with extension .dmp could help catch attackers trying to use this technique to steal credentials.
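One way to express the suggested rule in Sysmon's own configuration syntax, as an added example that is not part of this issue or of the sysmon-config repository. It records every file created with a `.dmp` extension (Event ID 11), so a Task Manager dump of lsass.exe, written as `lsass.DMP`, is logged along with the creating process. The schema version, the rule name and the Windows Error Reporting exclusion path are assumptions chosen for illustration; the exclusion is there because WER writes its own crash dumps and would otherwise drown the signal, and in Sysmon an `exclude` match takes precedence over an `include` match.

```xml
<!-- Added example, not from SwiftOnSecurity/sysmon-config.
     Schema version, rule name and exclusion path are assumptions. -->
<Sysmon schemaversion="4.22">
  <EventFiltering>

    <!-- Include: any file whose name ends in .dmp. Sysmon string matching is
         case-insensitive, so lsass.DMP and notepad.dmp both match. -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename name="technique_id=T1003.001,technique_name=LSASS Memory"
                        condition="end with">.dmp</TargetFilename>
      </FileCreate>
    </RuleGroup>

    <!-- Exclude (assumed noise source): Windows Error Reporting drops its own
         crash dumps under this directory. Exclude rules win over include rules. -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="exclude">
        <TargetFilename condition="begin with">C:\ProgramData\Microsoft\Windows\WER\</TargetFilename>
      </FileCreate>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

Load it with `sysmon64 -c config.xml` and then take a dump of any process from Task Manager to confirm an Event ID 11 appears with `TargetFilename` ending in `.DMP`. Since the file name is fixed to `[processname].DMP`, a downstream detection can narrow the alert to `lsass.DMP` while the Sysmon rule itself stays broad enough to catch dumps of other sensitive processes; tune the exclusions per environment rather than dropping the rule.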