<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Memory-Dumping - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/memory-dumping/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/memory-dumping/feed.xml" rel="self" type="application/rss+xml"/><item><title>WSASS Tool Execution for LSASS Memory Dumping</title><link>https://feed.craftedsignal.io/briefs/2024-01-wsass-execution/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wsass-execution/</guid><description>The WSASS tool is executed to dump LSASS memory, leveraging WER's WerFaultSecure.EXE to bypass Protected Process Light (PPL) protections, potentially leading to credential access.</description><content:encoded><![CDATA[<p>WSASS is a tool used to dump LSASS (Local Security Authority Subsystem Service) memory on Windows systems. This tool leverages the Windows Error Reporting (WER) mechanism, specifically the <code>WerFaultSecure.exe</code> process, to bypass Protected Process Light (PPL) protections. By injecting into <code>WerFaultSecure.exe</code>, WSASS can access and dump the contents of LSASS, which often contains sensitive information such as passwords and credentials. The tool's goal is to circumvent standard security measures designed to prevent unauthorized access to LSASS memory. Defenders should monitor for the execution of WSASS and its interaction with <code>WerFaultSecure.exe</code> to detect potential credential theft attempts. The tool and technique were publicized around 2025, and the referenced Sigma rule was published in 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the target system (details not specified in source).</li>
<li>The attacker deploys the WSASS tool to the compromised system.</li>
<li>The attacker executes WSASS with the path to <code>WerFaultSecure.exe</code> and the LSASS process ID as command-line arguments (e.g., <code>wsass.exe &quot;path to werfaultsecure&quot; lsass_pid</code>).</li>
<li>WSASS leverages WER's <code>WerFaultSecure.exe</code> to bypass PPL protections.</li>
<li><code>WerFaultSecure.exe</code> is used to gain access to the LSASS process memory.</li>
<li>WSASS dumps the LSASS memory contents to a file or other storage location.</li>
<li>The attacker retrieves the dumped LSASS memory file.</li>
<li>The attacker parses the dumped LSASS memory for credentials and other sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of WSASS and subsequent LSASS memory dumping can lead to the theft of sensitive credentials, including user passwords, Kerberos tickets, and NTLM hashes. This can allow attackers to move laterally within the network, escalate privileges, and gain access to critical systems and data. The impact can range from data breaches and financial loss to reputational damage and disruption of services. Organizations across all sectors that rely on Windows systems are potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>HackTool - WSASS Execution</code> to your SIEM and tune it for your environment to detect the execution of WSASS based on image name, hash, and command-line arguments.</li>
<li>Monitor process creation events for executions of <code>wsass.exe</code> using the <code>process_creation</code> log source.</li>
<li>Investigate any process execution where a process calls <code>WerFaultSecure.exe</code> with a PID as a command-line argument, especially if <code>wsass.exe</code> is involved, to identify potential credential access attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>memory-dumping</category></item></channel></rss>