HackTool - WSASS Execution
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
Sigma rule (View on GitHub)
1title: HackTool - WSASS Execution
2id: 589ac73f-8e12-409c-964e-31a2f5775ae2
3status: experimental
4description: |
5 Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's
6 (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
7references:
8 - https://github.com/TwoSevenOneT/WSASS
9 - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
10author: Swachchhanda Shrawan Poudel (Nextron Systems)
11date: 2025-11-23
12modified: 2026-01-09
13tags:
14 - attack.credential-access
15 - attack.t1003.001
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 Image|endswith: '\wsass.exe'
22 selection_hash:
23 Hashes|contains: 'IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42'
24 selection_cli:
25 # change to |re|i after Sigma v2.0 release
26 # plain string without quotation marks as it has to match for both ' and "
27 CommandLine|re: (?i)\.exe[\"\']?\s+[^\"]{0,64}werfaultsecure\.exe[\"\']?\s+\d{2,10} # wsass.exe "path to werfaultsecure" lsass_pid
28 condition: 1 of selection_*
29falsepositives:
30 - Unlikely
31level: high
32regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml
References
-
-
Use the offensive tool WSASS to dump the LSASS memory area by exploiting the vulnerability in WerFaultSecure.exe
Read More
Related rules
- LSASS Process Crashed - Application
- PPL Tampering Via WerFaultSecure
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
- Cred Dump Tools Dropped Files
- LSASS Process Memory Dump Creation Via Taskmgr.EXE