
Summary
This detection rule targets the execution of WSASS, a known hack tool used to dump LSASS memory on Windows systems. The tool abuses Windows Error Reporting (WER), using the WerFaultSecure.EXE binary to bypass Protected Process Light (PPL) protection. The rule's primary focus is to identify unauthorized use of WSASS by monitoring specific characteristics of Windows process creation events. It looks for processes whose image name ends with 'wsass.exe' and checks for the presence of a specific import hash associated with WSASS. Additionally, it inspects command line arguments for references to 'werfaultsecure' or for a match against a defined regex pattern that indicates potentially malicious execution. Any matching event is assigned a high alert level, helping defenders respond to credential access attacks that rely on LSASS dumping.
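The following is an added example, not the rule's own logic or any vendor code, of how the indicators described above can be evaluated over Windows process creation events. The field names (Image, CommandLine, Imphash), the sample events, the import hash value and the command line regex are all constructed placeholders: the page does not give the real import hash or regex, and it does not state whether the indicators are combined with AND or OR, so the example treats any single hit as a match (an assumption) and reports which indicators fired so an analyst can see why.

```python
import re
from typing import Dict, List

# Assumption: the rule's real import hash and regex are not on the page.
# These are labelled placeholders so the example runs offline; replace
# them with the values from the actual rule before use.
WSASS_IMPHASH_PLACEHOLDER = "PLACEHOLDER_IMPHASH_FROM_RULE"
CMDLINE_REGEX_PLACEHOLDER = re.compile(r"(?i)\bwsass\b")  # constructed stand-in


def wsass_indicators(event: Dict[str, str]) -> List[str]:
    """Return the names of every WSASS indicator that matches this event."""
    hits: List[str] = []

    # Indicator 1: image name ends with wsass.exe (case-insensitive on Windows).
    image = event.get("Image", "")
    if image.lower().endswith("wsass.exe"):
        hits.append("image_name")

    # Indicator 2: import hash matches the value associated with WSASS.
    imphash = event.get("Imphash", "")
    if imphash and imphash.lower() == WSASS_IMPHASH_PLACEHOLDER.lower():
        hits.append("imphash")

    # Indicator 3: command line references werfaultsecure.
    cmdline = event.get("CommandLine", "")
    if "werfaultsecure" in cmdline.lower():
        hits.append("cmdline_werfaultsecure")

    # Indicator 4: command line matches the (placeholder) regex pattern.
    if CMDLINE_REGEX_PLACEHOLDER.search(cmdline):
        hits.append("cmdline_regex")

    return hits


def evaluate(event: Dict[str, str]) -> Dict[str, object]:
    """Apply the detection to one event; any hit raises a high-level alert (assumed any-of logic)."""
    hits = wsass_indicators(event)
    return {"alert": bool(hits), "level": "high" if hits else None, "indicators": hits}


# Constructed sample process creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Tool run under its own name: image name and regex both fire.
        "Image": r"C:\Users\Public\wsass.exe",
        "CommandLine": "wsass.exe 712",
        "Imphash": "1111111111111111111111111111AAAA",
    },
    {   # Renamed binary: only the import hash and the werfaultsecure reference fire.
        "Image": r"C:\Temp\tool.exe",
        "CommandLine": r"tool.exe C:\Windows\System32\WerFaultSecure.exe",
        "Imphash": WSASS_IMPHASH_PLACEHOLDER,
    },
    {   # Legitimate WER crash handler: must not alert ("werfault" != "werfaultsecure").
        "Image": r"C:\Windows\System32\WerFault.exe",
        "CommandLine": "WerFault.exe -u -p 4321 -s 120",
        "Imphash": "2222222222222222222222222222BBBB",
    },
    {   # Unrelated benign process.
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "Imphash": "3333333333333333333333333333CCCC",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", evaluate(ev))
```

Reporting the individual indicators rather than a bare boolean is what makes the alert triageable: an analyst can immediately see whether the match came from a strong signal like the import hash or from a weaker name-based one.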
Categories
- Windows
Data Sources
- Process
Created: 2025-11-23