Infographic illustrating WerFaultSecure.exe exploit on Windows 11: diagram of LSASS memory dump process, PPL bypass via WSASS loader, undocumented switches (/h /pid /tid /file), header swap from PNG to MDMP for evasion, and icons for credential extraction

Threat actors are abusing a legacy WerFaultSecure.exe binary taken from Windows 8.1 on fully patched Windows 11 24H2 systems to get past Protected Process Light (PPL) and write an unencrypted minidump of LSASS memory. The dump yields cached credential material such as NTLM hashes and, where present, plaintext passwords, which supports privilege escalation and lateral movement after initial access. Normally only kernel code or another PPL process may open LSASS; the technique sidesteps that restriction because Windows' backward compatibility still lets the older binary run.


WerFaultSecure.exe belongs to the Windows Error Reporting (WER) framework and runs at the WinTCB signer level, the highest PPL tier, so that it can collect crash dumps from protected processes such as LSASS. Zero Salarium researchers demonstrated the bypass by copying the legacy binary onto a Windows 11 host and launching it as a PPL through a custom loader, WSASS, which uses CreateProcessAsPPL. Four undocumented switches drive the dump: /h for hidden crash mode, /pid with the LSASS process ID, /tid with its main thread ID, and /file with a handle to the output file. The loader passes that file handle as inheritable, and WerFaultSecure.exe writes an unencrypted minidump while WSASS waits for it to finish.
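The invocation described above leaves a distinctive process-creation footprint: a WerFaultSecure.exe image outside System32, a /pid argument equal to the LSASS PID, and a parent that is not the WER service. The following detection logic is an added example written for this page, not code from the original research or from the WSASS tool. The events are constructed in Sysmon Event ID 1 style, the field names and the LSASS PID are assumptions, and the list of expected parent processes (svchost.exe hosting the WER service, or WerFault.exe) is an assumption about a normal WER launch chain.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in Sysmon Event ID 1 style. Field names and
# values are assumptions for this example, not telemetry from the original research.
EVENTS = [
    {   # legitimate WER crash collection from the inbox binary, targeting a non-LSASS process
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "CommandLine": r'"C:\Windows\System32\WerFaultSecure.exe" /h /pid 4812 /tid 4820 /file 524',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # copied legacy binary, launched by a custom loader, dumping LSASS
        "Image": r"C:\Users\Public\WerFaultSecure.exe",
        "CommandLine": r'"C:\Users\Public\WerFaultSecure.exe" /h /pid 712 /tid 716 /file 348',
        "ParentImage": r"C:\Users\Public\wsass.exe",
    },
    {   # unrelated process, must be ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]
LSASS_PID = 712  # constructed: PID of lsass.exe on the same host at the time of the events

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: WerFaultSecure.exe is normally started by the WER service host or WerFault.exe.
EXPECTED_PARENTS = {"svchost.exe", "werfault.exe"}
# The four undocumented switches; /h takes no value, the others take a decimal number.
SWITCH_RE = re.compile(r"/(h|pid|tid|file)\b(?:\s+(\d+))?", re.IGNORECASE)


def parse_switches(cmdline):
    """Return {switch: int_value_or_True} for the /h /pid /tid /file switches."""
    return {name.lower(): (int(val) if val else True)
            for name, val in SWITCH_RE.findall(cmdline)}


def analyze(event, lsass_pid):
    """Return a list of findings for one event; an empty list means nothing suspicious."""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() != "werfaultsecure.exe":
        return []
    findings = []
    if str(image.parent).lower() not in SYSTEM_DIRS:
        findings.append(f"WerFaultSecure.exe running from outside System32: {image.parent}")
    switches = parse_switches(event["CommandLine"])
    if switches.get("pid") == lsass_pid:
        findings.append(f"/pid {lsass_pid} targets lsass.exe")
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent not in EXPECTED_PARENTS:
        findings.append(f"unexpected parent process: {parent}")
    return findings


def triage(events, lsass_pid):
    """Return [(image, findings)] for every event that produced at least one finding."""
    hits = []
    for event in events:
        findings = analyze(event, lsass_pid)
        if findings:
            hits.append((event["Image"], findings))
    return hits


if __name__ == "__main__":
    for image, findings in triage(EVENTS, LSASS_PID):
        print(image)
        for finding in findings:
            print("  -", finding)
```

The benign event produces no findings because the dump comes from the inbox binary, is started by the WER service host and targets a process other than LSASS; each of those three conditions is independent, so a single one (for example the inbox binary dumping LSASS under a non-WER parent) still raises an alert.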


For evasion, WSASS has the dump land on disk with a PNG header in place of the MDMP signature (bytes 0x4D 0x44 0x4D 0x50) so the file passes as a harmless image; the signature is swapped back before the file is handed to pypykatz or Mimikatz, which parse the minidump and recover the credentials. WSASS also holds PROCESS_SUSPEND_RESUME access on LSASS and resumes its threads, which the dump leaves suspended, so the system stays stable. Defenders should alert on any WerFaultSecure.exe that runs from a path outside System32 or whose file version differs from the inbox copy, scrutinize which processes are started with PPL protection and by whom, and treat WER activity that targets LSASS, especially under a non-WER parent, as suspect: this is a compatibility weakness rather than a bug in the current binary, so patching alone does not close it.
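A dump disguised with a PNG header still carries its minidump stream directory intact, which is what a file scanner or forensic triage script can key on. The block below is an added example for this page, not WSASS code or the researchers' tooling: it builds a constructed minimal minidump using the public MINIDUMP_HEADER and MINIDUMP_DIRECTORY layouts from dbghelp.h, applies the header swap, and classifies files as a real PNG, a plain minidump, or a disguised minidump. The size of the overwritten prefix (the full 8-byte PNG signature) and the Version value written back on restore are assumptions, since the page does not state how many bytes WSASS replaces.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG file signature
MDMP_MAGIC = b"MDMP"               # 0x4D 0x44 0x4D 0x50, MINIDUMP_HEADER.Signature
MINIDUMP_VERSION = 0xA793          # low word of MINIDUMP_HEADER.Version (dbghelp.h)
HEADER_SIZE, DIR_ENTRY_SIZE = 32, 12

# A few MINIDUMP_STREAM_TYPE values every process dump should carry (dbghelp.h).
CORE_STREAMS = {3: "ThreadListStream", 4: "ModuleListStream", 7: "SystemInfoStream"}


def build_minidump(streams):
    """Constructed minimal minidump: MINIDUMP_HEADER, stream directory, then stream data.

    `streams` is a list of (stream_type, payload_bytes). This is not a real LSASS dump."""
    dir_rva = HEADER_SIZE
    data_rva = dir_rva + DIR_ENTRY_SIZE * len(streams)
    directory, payload = b"", b""
    for stype, blob in streams:
        # MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva
        directory += struct.pack("<III", stype, len(blob), data_rva + len(payload))
        payload += blob
    # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
    header = MDMP_MAGIC + struct.pack("<IIIIIQ", MINIDUMP_VERSION, len(streams), dir_rva, 0, 0, 0)
    return header + directory + payload


def disguise(dump):
    """Overwrite the first 8 bytes with the PNG signature (assumed size of the swap)."""
    return PNG_MAGIC + dump[len(PNG_MAGIC):]


def restore(disguised):
    """Put MDMP and a standard Version word back so minidump parsers accept the file."""
    return MDMP_MAGIC + struct.pack("<I", MINIDUMP_VERSION) + disguised[8:]


def _directory_is_plausible(data):
    """True if bytes 8..16 describe a stream directory that fits inside the file.

    NumberOfStreams and StreamDirectoryRva sit past the 8-byte prefix, so they survive
    the swap; every entry must point inside the file and one core stream must be present."""
    if len(data) < HEADER_SIZE:
        return False
    nstreams, dir_rva = struct.unpack_from("<II", data, 8)
    if not 0 < nstreams <= 64 or dir_rva + nstreams * DIR_ENTRY_SIZE > len(data):
        return False
    seen_core = False
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from("<III", data, dir_rva + i * DIR_ENTRY_SIZE)
        if rva + size > len(data):
            return False
        seen_core |= stype in CORE_STREAMS
    return seen_core


def classify(data):
    """Return 'minidump', 'png', 'disguised minidump' or 'unknown'."""
    if data.startswith(MDMP_MAGIC):
        return "minidump"
    if data.startswith(PNG_MAGIC):
        # A real PNG puts its IHDR chunk right after the signature: 4-byte length, then "IHDR".
        if data[12:16] == b"IHDR":
            return "png"
        if _directory_is_plausible(data):
            return "disguised minidump"
    return "unknown"


# Constructed samples: three streams of filler bytes, and a PNG signature plus IHDR header.
SAMPLE_STREAMS = [(7, b"\x00" * 56), (3, b"\x01" * 32), (4, b"\x02" * 40)]
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + bytes(17)

if __name__ == "__main__":
    dump = build_minidump(SAMPLE_STREAMS)
    fake = disguise(dump)
    for label, blob in [("dump", dump), ("disguised", fake), ("png", SAMPLE_PNG), ("restored", restore(fake))]:
        print(f"{label:10} {blob[:4]!r:16} {classify(blob)}")
```

The check deliberately ignores the first 8 bytes and reads the stream directory instead, so it holds whether the attacker replaced 4 or 8 bytes; a scanner that only trusts the magic number is exactly what the swap is designed to fool.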