Title:PUA - Memory Dump Mount Via MemProcFS Status:experimental Description:Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
References: -https://github.com/ufrisk/MemProcFS -https://0xdf.gitlab.io/2024/10/05/htb-freelancer.html# -https://www.huntress.com/blog/curling-for-data-a-dive-into-a-threat-actors-malicious-ttps Author: Swachchhanda Shrawan Poudel (Nextron Systems) Date: 2026-04-27 modified:None Tags:
-'attack.credential-access'
-'attack.t1003'
-'attack.t1003.001'
-'attack.t1003.004'
-'attack.t1003.002'
Logsource:
category: process_creation
product: windows
Detection: selection_img: Image|endswith:'\MemProcFS.exe'OriginalFileName:'MemProcFS.exe'Description:'MemProcFS'selection_cli: CommandLine|contains:
'-device' condition:all of selection_* Falsepositives:
-Legitimate use during memory forensics; if not part of authorized analysis, warrants urgent investigation Level:high
