WSASS Tool Execution for LSASS Memory Dumping
The WSASS tool is executed to dump LSASS memory, leveraging WER's WerFaultSecure.EXE to bypass Protected Process Light (PPL) protections, potentially leading to credential access.
WSASS is a tool used to dump LSASS (Local Security Authority Subsystem Service) memory on Windows systems. This tool leverages the Windows Error Reporting (WER) mechanism, specifically the WerFaultSecure.exe process, to bypass Protected Process Light (PPL) protections. By injecting into WerFaultSecure.exe, WSASS can access and dump the contents of LSASS, which often contains sensitive information such as passwords and credentials. The tool's goal is to circumvent standard security measures designed to prevent unauthorized access to LSASS memory. Defenders should monitor for the execution of WSASS and its interaction with WerFaultSecure.exe to detect potential credential theft attempts. The tool and technique were publicized around 2025, and the referenced Sigma rule was published in 2026.
Attack Chain
- An attacker gains initial access to the target system (details not specified in source).
- The attacker deploys the WSASS tool to the compromised system.
- The attacker executes WSASS with the path to
WerFaultSecure.exeand the LSASS process ID as command-line arguments (e.g.,wsass.exe "path to werfaultsecure" lsass_pid). - WSASS leverages WER's
WerFaultSecure.exeto bypass PPL protections. WerFaultSecure.exeis used to gain access to the LSASS process memory.- WSASS dumps the LSASS memory contents to a file or other storage location.
- The attacker retrieves the dumped LSASS memory file.
- The attacker parses the dumped LSASS memory for credentials and other sensitive information.
Impact
Successful execution of WSASS and subsequent LSASS memory dumping can lead to the theft of sensitive credentials, including user passwords, Kerberos tickets, and NTLM hashes. This can allow attackers to move laterally within the network, escalate privileges, and gain access to critical systems and data. The impact can range from data breaches and financial loss to reputational damage and disruption of services. Organizations across all sectors that rely on Windows systems are potentially vulnerable.
Recommendation
- Deploy the Sigma rule
HackTool - WSASS Executionto your SIEM and tune it for your environment to detect the execution of WSASS based on image name, hash, and command-line arguments. - Monitor process creation events for executions of
wsass.exeusing theprocess_creationlog source. - Investigate any process execution where a process calls
WerFaultSecure.exewith a PID as a command-line argument, especially ifwsass.exeis involved, to identify potential credential access attempts.
Detection coverage 3
WSASS Execution via Image Name
highDetects execution of WSASS based on the image name.
WSASS Execution via CommandLine and WerFaultSecure
highDetects execution of WSASS based on command line arguments including WERFaultSecure.exe.
WSASS Execution via Imphash
highDetects execution of WSASS based on the Imphash.
Detection queries are available on the platform. Get full rules →