Skip to content
Threat Feed
high advisory

WSASS Tool Execution for LSASS Memory Dumping

The WSASS tool is executed to dump LSASS memory, leveraging WER's WerFaultSecure.EXE to bypass Protected Process Light (PPL) protections, potentially leading to credential access.

WSASS is a tool used to dump LSASS (Local Security Authority Subsystem Service) memory on Windows systems. This tool leverages the Windows Error Reporting (WER) mechanism, specifically the WerFaultSecure.exe process, to bypass Protected Process Light (PPL) protections. By injecting into WerFaultSecure.exe, WSASS can access and dump the contents of LSASS, which often contains sensitive information such as passwords and credentials. The tool's goal is to circumvent standard security measures designed to prevent unauthorized access to LSASS memory. Defenders should monitor for the execution of WSASS and its interaction with WerFaultSecure.exe to detect potential credential theft attempts. The tool and technique were publicized around 2025, and the referenced Sigma rule was published in 2026.

Attack Chain

  1. An attacker gains initial access to the target system (details not specified in source).
  2. The attacker deploys the WSASS tool to the compromised system.
  3. The attacker executes WSASS with the path to WerFaultSecure.exe and the LSASS process ID as command-line arguments (e.g., wsass.exe "path to werfaultsecure" lsass_pid).
  4. WSASS leverages WER's WerFaultSecure.exe to bypass PPL protections.
  5. WerFaultSecure.exe is used to gain access to the LSASS process memory.
  6. WSASS dumps the LSASS memory contents to a file or other storage location.
  7. The attacker retrieves the dumped LSASS memory file.
  8. The attacker parses the dumped LSASS memory for credentials and other sensitive information.

Impact

Successful execution of WSASS and subsequent LSASS memory dumping can lead to the theft of sensitive credentials, including user passwords, Kerberos tickets, and NTLM hashes. This can allow attackers to move laterally within the network, escalate privileges, and gain access to critical systems and data. The impact can range from data breaches and financial loss to reputational damage and disruption of services. Organizations across all sectors that rely on Windows systems are potentially vulnerable.

Recommendation

  • Deploy the Sigma rule HackTool - WSASS Execution to your SIEM and tune it for your environment to detect the execution of WSASS based on image name, hash, and command-line arguments.
  • Monitor process creation events for executions of wsass.exe using the process_creation log source.
  • Investigate any process execution where a process calls WerFaultSecure.exe with a PID as a command-line argument, especially if wsass.exe is involved, to identify potential credential access attempts.

Detection coverage 3

WSASS Execution via Image Name

high

Detects execution of WSASS based on the image name.

sigma tactics: credential-access techniques: T1003.001 sources: process_creation, windows

WSASS Execution via CommandLine and WerFaultSecure

high

Detects execution of WSASS based on command line arguments including WERFaultSecure.exe.

sigma tactics: credential-access techniques: T1003.001 sources: process_creation, windows

WSASS Execution via Imphash

high

Detects execution of WSASS based on the Imphash.

sigma tactics: credential-access techniques: T1003.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →