This website uses cookies to ensure you get the best experience on our website.
Please note that by continuing to use this site you consent to the terms of our Privacy and Data Protection Policy .
Some of our partner services are located in the United States. According to the case law of the European Court of Justice, there is currently no adequate data protection in the USA. There is a risk that your data will be controlled and monitored by US authorities. You cannot bring any effective legal remedies against this.

LSASS Credential Dumping Certification Test

AV-Comparatives performs targeted offensive security tests, offering vendors the opportunity to pursue certification in specific areas. In this year’s assessment, one focus was “Credential Dumping” (LSASS Protection). Certification reports are exclusively issued for vendors who successfully meet our stringent criteria. Tested vendors received detailed technical data and feedback to enhance their products’ resilience against potential attacks.

In the realm of advanced persistent threats (APTs), attackers employ a myriad of techniques, yet accessing the LSASS process on a compromised Windows host remains a common objective. The LSASS process harbors sensitive data, including Windows login credentials, making it a prime target for attackers. Detection and prevention of malicious activities targeting LSASS are crucial for AV/EDR products, given the significant threat posed by unauthorized access to this process.


The LSASS Credential Dumping Test is designed to assess a specific protection aspect, unlike AV-Comparatives’ comprehensive EPR Tests. Products undergo tailored configurations optimized for thwarting LSASS-related threats. For this evaluation, we utilize the latest version of fully patched Windows 10. Testers log in as minimal users, operating within a medium integrity context, and execute LSASS dump POCs as privileged users with high or system integrity.

Key Variables

Our evaluation encompasses a range of factors to gauge the effectiveness of AV/EDR products in preventing unauthorized LSASS access:

  • Credential Dumping Tools: Assessment of various tools used for dumping credentials from LSASS.
  • Integrity Level: Variation in the integrity level of the executing process.
  • Living-off-the-Land Binaries: Analysis of the use of legitimate system binaries for credential dumping.
  • WIN32 APIs vs. Direct System Calls: Examination of different API usage for LSASS access.
  • PPID Spoofing: Evaluation of techniques used to spoof parent process identification.

By scrutinizing these variables, we aim to provide insights into the capabilities of AV/EDR solutions in safeguarding against unauthorized access to the LSASS process. This evaluation serves as a benchmark for vendors to enhance their products and bolster overall cybersecurity resilience.

Certified Products

AV-Comparatives’ LSASS Credential Dumping Evaluation plays a vital role in assessing the effectiveness of AV/EDR products in protecting against unauthorized access to the LSASS process, a critical component of Windows security. Only vendors that have successfully met our certification criteria have their reports published. Out of six products tested, only four passed the evaluation successfully:

Non-certified vendors receive comprehensive feedback aimed at improving their products’ defenses against LSASS-related threats, demonstrating AV-Comparatives’ commitment to advancing cybersecurity measures collaboratively.