Hackers Exploit WerFaultSecure.exe Tool to Steal Cached Passwords From LSASS on Windows 11 24H2

Threat actors are leveraging the legacy Windows error-reporting utility WerFaultSecure.exe to dump the memory of the Local Security Authority Subsystem Service (LSASS.EXE) and harvest cached credentials from fully patched Windows 11 24H2 systems.

After gaining initial access to a host, adversaries frequently seek to dump LSASS memory to escalate privileges and move laterally across the network. 

Modern Windows severely restricts direct memory access to LSASS by running it as a Protected Process Light (PPL): opening it for memory reads requires kernel-level code or a process running at an equal or higher PPL signer level.

Zero Salarium researchers have now demonstrated how to bypass these defenses by running a vulnerable WerFaultSecure.exe binary compiled for Windows 8.1 under Windows 11, thereby obtaining an unencrypted memory dump of LSASS.

Leveraging WerFaultSecure.exe’s PPL Privilege

WerFaultSecure.exe is part of the Windows Error Reporting (WER) framework and normally executes with the highest PPL label, WinTCB, to collect crash dumps from protected processes. 

Its protected status allows it to access LSASS memory under the guise of a crash handler. 

In Windows 8.1, a flaw existed whereby WerFaultSecure.exe could be coerced into writing crash dumps without applying its built-in encryption routines, resulting in unencrypted dump files on disk.

Exploiting WerFaultSecure.exe

By copying the vulnerable WerFaultSecure.exe from Windows 8.1 onto a Windows 11 24H2 machine and launching it with PPL elevation, attackers can trick the tool into capturing LSASS memory and writing a raw dump.

Zero Salarium reports that the exploit sequence involves running WerFaultSecure.exe with undocumented switches discovered through reverse engineering: /h to invoke secure hidden crash mode, /pid [pid] to target the LSASS process, /tid [tid] to specify its main thread, and /file [handle] to designate an unencrypted output handle. 

The attacker uses a custom loader named WSASS to spawn WerFaultSecure.exe through a CreateProcessAsPPL routine (part of Zero Salarium's tooling, not a documented Win32 API), passing it inherited handles for the dump file and the completion event objects.

WSASS waits for dump completion, then overwrites the first four bytes of the generated file, the MDMP signature (0x4D, 0x44, 0x4D, 0x50), with a PNG magic header so that the dump masquerades as a benign image file on disk and evades signature-based antivirus checks.

(Figure: the MDMP signature at the start of the dump file replaced with a PNG header)

Finally, the loader resumes LSASS, which WerFaultSecure.exe suspends while the dump is taken, using a handle opened with only PROCESS_SUSPEND_RESUME access so that the system remains stable.

Once the attacker restores the MDMP header, the resulting minidump can be loaded into standard tools, such as pypykatz or Mimikatz, to extract NTLM hashes and plaintext credentials, facilitating further lateral movement. 

This technique underscores the importance of monitoring WerFaultSecure.exe binaries outside the System32 directory and validating PPL‐protected process invocations to detect anomalous behavior early.

This exploit demonstrates how backward compatibility in Windows can be leveraged against modern defenses, highlighting the need for defenders to monitor both file locations and invocation contexts of error-reporting tools.
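A detection rule that follows from the two indicators above (an off-path WerFaultSecure.exe binary, and an invocation whose /pid switch names the LSASS process) can be written against process-creation telemetry such as Sysmon Event ID 1. The block below is an added example, not code from the article or from Zero Salarium; the events and process table are constructed inline with the field names Sysmon uses, and the switch syntax is taken from the article's description.

```python
"""Added example: triage process-creation events for WerFaultSecure.exe abuse.
Not part of the original article. Sample events are constructed, not captured."""
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"                      # only legitimate home of WerFaultSecure.exe
PID_SWITCH = re.compile(r"/pid\s+(\d+)", re.IGNORECASE)  # switch name from the article

# Constructed snapshot of running processes (subset of fields, Sysmon-style names).
PROCESSES = [
    {"ProcessId": 4, "Image": "System"},
    {"ProcessId": 812, "Image": r"C:\Windows\System32\lsass.exe"},
    {"ProcessId": 4312, "Image": r"C:\Program Files\Example\app.exe"},
]

# Constructed Sysmon Event ID 1 records: one benign, one matching the technique,
# one unrelated process.
EVENTS = [
    {"ProcessId": 5001,
     "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "CommandLine": r"WerFaultSecure.exe /h /pid 4312 /tid 4320 /file 0x1c4"},
    {"ProcessId": 5002,
     "Image": r"C:\Users\Public\WerFaultSecure.exe",
     "CommandLine": r"C:\Users\Public\WerFaultSecure.exe /h /pid 812 /tid 816 /file 0x1a0"},
    {"ProcessId": 5003,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]


def lsass_pids(processes):
    """PIDs whose image is lsass.exe (there is normally exactly one)."""
    return {p["ProcessId"] for p in processes
            if ntpath.basename(p["Image"]).lower() == "lsass.exe"}


def triage_event(event, lsass):
    """Return the list of reasons an event is suspicious; empty means nothing to flag."""
    image = event["Image"]
    if ntpath.basename(image).lower() != "werfaultsecure.exe":
        return []
    reasons = []
    # Indicator 1: the binary is running from somewhere other than System32
    # (for example a Windows 8.1 copy dropped into a user-writable directory).
    if ntpath.dirname(image).lower().rstrip("\\") != SYSTEM32:
        reasons.append("werfaultsecure_outside_system32")
    # Indicator 2: the /pid switch names LSASS, i.e. a crash dump of the
    # credential store is being requested regardless of where the binary lives.
    match = PID_SWITCH.search(event["CommandLine"])
    if match and int(match.group(1)) in lsass:
        reasons.append("werfaultsecure_pid_targets_lsass")
    return reasons


def run(events, processes):
    """Map each flagged ProcessId to its reasons."""
    lsass = lsass_pids(processes)
    return {e["ProcessId"]: r for e in events if (r := triage_event(e, lsass))}


if __name__ == "__main__":
    for pid, reasons in run(EVENTS, PROCESSES).items():
        print(pid, ", ".join(reasons))
```

Either indicator on its own deserves a look; both together on one event are a strong signal that the Windows 8.1 binary described above is being used against LSASS. Extending the rule to the resumed-thread step is possible where the endpoint sensor logs handle requests with PROCESS_SUSPEND_RESUME on lsass.exe.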

The post Hackers Exploit WerFaultSecure.exe Tool to Steal Cached Passwords From LSASS on Windows 11 24H2 appeared first on Cyber Security News.

Source: cybersecuritynews.com
