AV\EDR dump lsass with active AV

[LifeLife]

Install Avast, Get AVDump.exe in the installation directory.
use:
AvDump.exe --pid 980(lsass pid) --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file lsass.dmp(custom lsass dmp name)

This method may be effective for you, at least I have used this method to bypass many problems. However, they will delete the exported DMP files, so please download and save the DMP files quickly.

 

[Brejnev]

Вот разные методы

Some ways to dump LSASS.exe

As always this is for educational purposes. I like to find multiple ways to do the same thing. It helps me learn and writing about it help…

medium.com

LSASS Memory Dumps: Dumping Methods Explained [Part 1] | Deep Instinct

LSASS memory dump files aid attackers to swiftly extract credentials. Read an in-depth analysis of LSASS dumps as an attack vector & dumping methods.

www.deepinstinct.com

В случае если lsass запущен как PsProtectedSignerLsa-Light , то подойдет только дамп через драйвер с предварительным отключением в ядре защиты процесса или штатные средства системы
(регистрация дампера как отладчика или пост обработчика при аварийном завершении): https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2