While integrating LSASS dumping techniques into SpecterInsight's dumper module, I used Offensive-Panda's ShadowDumper as a reference point. That tool is a great collection of LSASS dump techniques, but I also wanted to build on their research by addressing some issues that might lead to detection by an EDR:

- Every technique writes a recognizable file to a hardcoded path.
- The encryption is effectively a single-byte, hardcoded XOR.
- The callback technique collects the dump in memory but then immediately writes it to disk.
- The native dump variant still loads dbghelp.dll, which may stand out.

The rest of this post walks through the changes I made and why.