{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/memory-dumping/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","lsass","memory-dumping"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eWSASS is a tool used to dump LSASS (Local Security Authority Subsystem Service) memory on Windows systems. This tool leverages the Windows Error Reporting (WER) mechanism, specifically the \u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e process, to bypass Protected Process Light (PPL) protections. By injecting into \u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e, WSASS can access and dump the contents of LSASS, which often contains sensitive information such as passwords and credentials. The tool's goal is to circumvent standard security measures designed to prevent unauthorized access to LSASS memory. Defenders should monitor for the execution of WSASS and its interaction with \u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e to detect potential credential theft attempts. The tool and technique were publicized around 2025, and the referenced Sigma rule was published in 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system (details not specified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the WSASS tool to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes WSASS with the path to \u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e and the LSASS process ID as command-line arguments (e.g., \u003ccode\u003ewsass.exe \u0026quot;path to werfaultsecure\u0026quot; lsass_pid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWSASS leverages WER's \u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e to bypass PPL protections.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e is used to gain access to the LSASS process memory.\u003c/li\u003e\n\u003cli\u003eWSASS dumps the LSASS memory contents to a file or other storage location.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the dumped LSASS memory file.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the dumped LSASS memory for credentials and other sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of WSASS and subsequent LSASS memory dumping can lead to the theft of sensitive credentials, including user passwords, Kerberos tickets, and NTLM hashes. This can allow attackers to move laterally within the network, escalate privileges, and gain access to critical systems and data. The impact can range from data breaches and financial loss to reputational damage and disruption of services. Organizations across all sectors that rely on Windows systems are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eHackTool - WSASS Execution\u003c/code\u003e to your SIEM and tune it for your environment to detect the execution of WSASS based on image name, hash, and command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for executions of \u003ccode\u003ewsass.exe\u003c/code\u003e using the \u003ccode\u003eprocess_creation\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eInvestigate any process execution where a process calls \u003ccode\u003eWerFaultSecure.exe\u003c/code\u003e with a PID as a command-line argument, especially if \u003ccode\u003ewsass.exe\u003c/code\u003e is involved, to identify potential credential access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-wsass-execution/","summary":"The WSASS tool is executed to dump LSASS memory, leveraging WER's WerFaultSecure.EXE to bypass Protected Process Light (PPL) protections, potentially leading to credential access.","title":"WSASS Tool Execution for LSASS Memory Dumping","url":"https://feed.craftedsignal.io/briefs/2024-01-wsass-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Memory-Dumping","version":"https://jsonfeed.org/version/1.1"}