HackTool - WSASS Execution
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
Sigma rule (View on GitHub)
1title: HackTool - WSASS Execution
2id: 589ac73f-8e12-409c-964e-31a2f5775ae2
3status: experimental
4description: |
5 Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's
6 (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
7references:
8 - https://github.com/TwoSevenOneT/WSASS
9 - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
10author: Swachchhanda Shrawan Poudel (Nextron Systems)
11date: 2025-11-23
12tags:
13 - attack.credential-access
14 - attack.t1003.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 Image|endswith: '\wsass.exe'
21 selection_hash:
22 Hashes|contains: 'IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42'
23 selection_cli:
24 # change to |re|i after Sigma v2.0 release
25 # plain string without quotation marks as it has to match for both ' and "
26 CommandLine|re: (?i)\.exe[\"\']?\s+.{12,64}[\"\']?\s+\d{2,10} # wsass.exe "path to werfaultsecure" lsass_pid
27 CommandLine|contains: 'werfaultsecure'
28 condition: 1 of selection_*
29falsepositives:
30 - Unlikely
31level: high
References
-
-
Use the offensive tool WSASS to dump the LSASS memory area by exploiting the vulnerability in WerFaultSecure.exe
Read More
Related rules
- PPL Tampering Via WerFaultSecure
- APT31 Judgement Panda Activity
- HackTool - Windows Credential Editor (WCE) Execution
- Potential LSASS Process Dump Via Procdump
- Process Memory Dump via RdrLeakDiag.EXE