Upon initial logon, LSASS will:

• Cache credentials locally in memory
• Create access tokens
• Enforce security policies
• Write to Windows' security log

Dumping LSASS process memory

Rundll32.exe & Comsvcs.dll method

Can be done in CLI.

Flagged by AVs.

Run tasklist /svc to find lsass.exe and its process ID

Or

Get-Process lsass