Dumping lsass.exe process memory using procmon.exe or taskmgr.exe (both are signed and trusted microsoft utilities) and then extracting secrets offline is a bit stealthier than running a rogue program.
Using Sysmon event 10 "Process A accessed Process B" and filtering by CallTrace, and TargetImage attribute data, we can detect both process memory dumping actions:
As can be seen above, both utilities call APIs exported by dbghelp.dll or dbgcore.dll to invoke memory dump write functions (i.e. MiniDumpWriteDump function).
Sysmon: EventID=10 and CallTrace contains "Dbghelp.dll" or "Dbgcore.dll" and TargetImage=="lsass.exe or any other sensitive process (i.e. Point of Sale related processes or alike)"
IBM Qradar AQL example:
select "SourceImage", "TargetImage" from events where eventid=10 and utf8(payload) imatches '(?i)((.*dbghelp.*)|(.*dbgcore.*))' and TargetImage imatches '.*lsass.*'