Threat actors have been using several methods for credential stealing, which varies based on the environment and infrastructure of the system.
Most of the time, the threat actors dump the LSASS process to extract the account credentials.
For this, tools such as Mimikatz, which offers several suspicious features, can be used. However, most security products are focused on these kinds of malicious tools that the threat actors know.
Many new methods to dump LSASS memory that maliciously use legitimate tools have been discovered as a means of bypass detection.