HackTool - WSASS Execution

Original Source: [Sigma source]
Title: HackTool - WSASS Execution
Status: experimental
Description: Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.exe to bypass PPL (Protected Process Light) protections.
References:
  - https://github.com/TwoSevenOneT/WSASS
  - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-11-23
Modified: None
Tags:
  • attack.credential-access
  • attack.t1003.001
Logsource:
  • category: process_creation
  • product: windows
Detection:
  selection_img:
    Image|endswith: '\wsass.exe'
  selection_hash:
    Hashes|contains: 'IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42'
  selection_cli:
    CommandLine|re: '(?i)\.exe["'']?\s+.{12,64}["'']?\s+\d{2,10}'
    CommandLine|contains: 'werfaultsecure'
  condition: 1 of selection_*
Falsepositives:
  - Unlikely
Level: high
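As an added example (not code from the Sigma project or from the WSASS repository), the Python below reimplements the three selections of the rule and its `1 of selection_*` condition, then runs them over constructed process_creation events. It shows the two things a reviewer of this rule usually wants to confirm: that the two modifiers inside `selection_cli` are ANDed (the `werfaultsecure` substring alone does not fire), and that any single selection is enough for the rule to match. The `\wsass.exe` suffix, the IMPHASH value and the regular expression are taken from the rule; every event, image path and the all-zero IMPHASH placeholder are constructed samples, not real telemetry.

```python
import re

# Values taken from the rule above.
IMAGE_SUFFIX = '\\wsass.exe'
IMPHASH = 'IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42'
# Sigma's 're' modifier is an unanchored search; the rule supplies (?i) itself.
CLI_RE = re.compile(r'(?i)\.exe["\']?\s+.{12,64}["\']?\s+\d{2,10}')


def selection_img(event):
    """Image|endswith: '\\wsass.exe' (Sigma string matching is case-insensitive)."""
    return event.get('Image', '').lower().endswith(IMAGE_SUFFIX.lower())


def selection_hash(event):
    """Hashes|contains: the rule's IMPHASH, which survives renaming the binary."""
    return IMPHASH.lower() in event.get('Hashes', '').lower()


def selection_cli(event):
    """Two modifiers on CommandLine inside one selection are ANDed."""
    cli = event.get('CommandLine', '')
    return CLI_RE.search(cli) is not None and 'werfaultsecure' in cli.lower()


SELECTIONS = {
    'selection_img': selection_img,
    'selection_hash': selection_hash,
    'selection_cli': selection_cli,
}


def matched_selections(event):
    """Names of the selections an event satisfies, in rule order."""
    return [name for name, fn in SELECTIONS.items() if fn(event)]


def rule_matches(event):
    """condition: 1 of selection_*  -> any single selection fires the rule."""
    return bool(matched_selections(event))


# Constructed process_creation events (not real telemetry). The all-zero
# IMPHASH is a placeholder standing in for "some unrelated import hash".
OTHER_HASH = 'IMPHASH=00000000000000000000000000000000'
SAMPLE_EVENTS = {
    # 1. Binary kept its original file name: selection_img only.
    'named_wsass': {
        'Image': 'C:\\Users\\Public\\wsass.exe',
        'CommandLine': 'wsass.exe',
        'Hashes': OTHER_HASH,
    },
    # 2. Renamed binary: only the import hash still identifies it.
    'renamed_same_imphash': {
        'Image': 'C:\\Users\\Public\\svc.exe',
        'CommandLine': 'svc.exe',
        'Hashes': IMPHASH,
    },
    # 3. Unknown name and hash, but the command line has the
    #    "<exe> <12-64 chars> <number>" shape the regex describes and
    #    names WerFaultSecure (constructed to fit the regex, not tool syntax).
    'cli_shape': {
        'Image': 'C:\\Temp\\dump.exe',
        'CommandLine': 'C:\\Temp\\dump.exe "C:\\Windows\\System32\\WerFaultSecure.exe" 1234',
        'Hashes': OTHER_HASH,
    },
    # 4. 'werfaultsecure' appears, but the regex does not match, so the
    #    AND inside selection_cli keeps this from firing.
    'substring_only': {
        'Image': 'C:\\Windows\\System32\\WerFaultSecure.exe',
        'CommandLine': '"C:\\Windows\\System32\\WerFaultSecure.exe"',
        'Hashes': OTHER_HASH,
    },
    # 5. Ordinary process: nothing matches.
    'benign_notepad': {
        'Image': 'C:\\Windows\\System32\\notepad.exe',
        'CommandLine': '"C:\\Windows\\System32\\notepad.exe" C:\\Users\\alice\\notes.txt',
        'Hashes': OTHER_HASH,
    },
}


def evaluate_all(events=SAMPLE_EVENTS):
    """Map each sample event name to the list of selections it matched."""
    return {name: matched_selections(ev) for name, ev in events.items()}


if __name__ == '__main__':
    for name, hits in evaluate_all().items():
        print(f'{name:22s} -> {"MATCH" if hits else "no match"} {hits}')
```

Running the block prints one line per sample; events 1 to 3 each match exactly one selection and events 4 and 5 match none. The case-folding in `selection_img` and `selection_hash` mirrors Sigma's default case-insensitive string matching, and `re.search` mirrors the unanchored semantics of the `re` modifier, so the same events can be used as a regression set when the rule is converted to a SIEM backend.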