LSASS Credential Dumping Certification Test
AV-Comparatives performs targeted offensive security tests, offering vendors the opportunity to pursue certification in specific areas. In this year’s assessment, one focus was “Credential Dumping” (LSASS Protection). Certification reports are exclusively issued for vendors who successfully meet our stringent criteria. Tested vendors received detailed technical data and feedback to enhance their products’ resilience against potential attacks.
https://www.av-comparatives.org/news/lsass-credential-dumping-certification-test/
In the realm of advanced persistent threats (APTs), attackers employ a myriad of techniques, yet accessing the LSASS process on a compromised Windows host remains a common objective. The LSASS process harbors sensitive data, including Windows login credentials, making it a prime target for attackers. Detection and prevention of malicious activities targeting LSASS are crucial for AV/EDR products, given the significant threat posed by unauthorized access to this process.
Methodology
The LSASS Credential Dumping Test is designed to assess a specific protection aspect, unlike AV-Comparatives’ comprehensive EPR Tests. Products undergo tailored configurations optimized for thwarting LSASS-related threats. For this evaluation, we utilize the latest version of fully patched Windows 10. Testers log in as minimal users, operating within a medium integrity context, and execute LSASS dump POCs as privileged users with high or system integrity.
Key Variables
Our evaluation encompasses a range of factors to gauge the effectiveness of AV/EDR products in preventing unauthorized LSASS access:
- Credential Dumping Tools: Assessment of various tools used for dumping credentials from LSASS.
- Integrity Level: Variation in the integrity level of the executing process.
- Living-off-the-Land Binaries: Analysis of the use of legitimate system binaries for credential dumping.
- WIN32 APIs vs. Direct System Calls: Examination of different API usage for LSASS access.
- PPID Spoofing: Evaluation of techniques used to spoof parent process identification.
By scrutinizing these variables, we aim to provide insights into the capabilities of AV/EDR solutions in safeguarding against unauthorized access to the LSASS process. This evaluation serves as a benchmark for vendors to enhance their products and bolster overall cybersecurity resilience.
Certified Products
AV-Comparatives’ LSASS Credential Dumping Evaluation plays a vital role in assessing the effectiveness of AV/EDR products in protecting against unauthorized access to the LSASS process, a critical component of Windows security. Only vendors that have successfully met our certification criteria have their reports published. Out of six products tested, only four passed the evaluation successfully:
- Bitdefender GravityZone Business Security Enterprise
- CrowdStrike Falcon Pro
- ESET PROTECT Enterprise Cloud
- Kaspersky Endpoint Security for Business
Non-certified vendors receive comprehensive feedback aimed at improving their products’ defenses against LSASS-related threats, demonstrating AV-Comparatives’ commitment to advancing cybersecurity measures collaboratively.