How does the decryption algorithm selection work when extracting credentials in sekurlsa::wdigest?
The algorithm is chosen based on the length of the encrypted credential data: if the length is a multiple of 8, AES in CFB mode is used; otherwise, 3DES in CBC mode is applied. The decryption keys (AES and 3DES) are obtained from the lsasrv.dll module, along with the initialization vector. This process is part of the broader set of LSASS credential extraction techniques, which also includes methods such as the use of SSP in Mimikatz.
Tags: AES, 3DES, decryption algorithm, CFB, CBC, credential decryption