LSASS Credential Dumping Certification Test 2026

AV-Comparatives conducts targeted offensive security evaluations, offering vendors the opportunity to achieve certification in specific protection areas. In 2026, one key focus was “Credential Dumping” (LSASS Protection). Certification reports are published exclusively for vendors that successfully meet the defined criteria. Participating vendors receive detailed technical feedback to further strengthen their products.

https://www.av-comparatives.org/news/lsass-credential-dumping-certification-test-2026/

Credential dumping from the LSASS process remains one of the most critical techniques in real-world attacks. Once an attacker has gained a foothold on a system, accessing LSASS memory is a common objective, as it contains highly sensitive information such as user credentials in cleartext or hashed form. Successful access to LSASS often enables lateral movement and escalation across the environment.

Positioning

The LSASS Credential Dumping Test is designed as a focused evaluation of a single, high-impact attack objective, rather than a full attack-chain simulation.

While broader evaluations assess end-to-end protection and operational impact, this test isolates one of the most decisive post-compromise steps: the ability to protect credential material in memory. This makes it particularly relevant for analysts and enterprise decision-makers evaluating how effectively a solution can contain an attacker after initial access.

Methodology

The evaluation focuses on the prevention and detection capabilities of AV, EPP, and EDR solutions against attempts to access and dump LSASS memory.

Testing is conducted on fully updated Windows systems under realistic conditions. Scenarios assume that the attacker already has privileged access (e.g. local administrator or system level), reflecting common real-world situations where credential dumping occurs after initial compromise.

The test examines whether products:

  • prevent unauthorized access to LSASS
  • detect credential dumping techniques in real time
  • generate actionable alerts when such activity occurs

Key Variables

To ensure realistic and comprehensive coverage, multiple factors are varied:

  • Credential Dumping Techniques and Tools: including standard and custom approaches
  • Integrity Levels: execution under different privilege contexts
  • Living-off-the-Land Techniques: use of legitimate system binaries
  • API Usage: Win32 APIs vs. direct system calls
  • Evasion Techniques: including PPID spoofing and multi-stage dumping

As reflected in the 2026 test cases, the scenarios range from well-known dumping techniques to more advanced variants such as indirect syscalls, snapshot-based dumping, and staged or obfuscated approaches.

Certified Products

The 2026 results highlight that robust LSASS protection remains a challenging area, particularly against modern and evasive techniques.

A number of enterprise products participated in the evaluation, but only two successfully achieved certification. To qualify, a product must successfully prevent or detect at least two-thirds of all tested credential dumping scenarios. 

The following products met these requirements in 2026:

Only certified vendors are publicly listed. Non-certified participants receive detailed internal feedback to support further improvements.

Outlook

As attack techniques continue to evolve, particularly with increasing use of kernel-level and driver-based approaches to bypass protections, safeguarding LSASS remains a critical and moving target.

Future iterations of this test will continue to expand coverage to reflect these developments and maintain relevance for real-world enterprise environments.

Conclusion

The 2026 results underline the importance of effective credential protection at the memory level, especially in post-compromise scenarios.

By isolating LSASS access as a dedicated evaluation focus, this test provides clear and actionable insight into a product’s ability to prevent credential theft, complementing broader security assessments and supporting more informed decision-making.