HackTool - WSASS Execution

Rule Info

Name: HackTool - WSASS Execution
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
Date: 2025-11-23 00:00:00
Modified: None
Id: 589ac73f-8e12-409c-964e-31a2f5775ae2
Tags: attack.credential-access, attack.t1003.001
Type: Community Rule

Rule History

Author | Title | Date | Commit
Swachchhanda Shrawan Poudel | Merge PR #5777 from @swachchhanda000 - feat: more edrfreeze rules | 2025-12-10 |
Swachchhanda Shrawan Poudel | Merge PR #5652 from @swachchhanda000 - Abuse of WerFaultSecure for PPL Tampering | 2025-11-23 |