PUA - Memory Dump Mount Via MemProcFS
Detects execution of MemProcFS, a memory forensics tool, with the '-device' parameter. MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures. Threat actors have been seen abusing this utility to mount memory dumps and then extract sensitive information from processes such as LSASS, or to extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials. MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
Sigma rule

title: PUA - Memory Dump Mount Via MemProcFS
id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
status: experimental
description: |
    Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
    MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
    Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
    MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
references:
    - https://github.com/ufrisk/MemProcFS
    - https://0xdf.gitlab.io/2024/10/05/htb-freelancer.html#
    - https://www.huntress.com/blog/curling-for-data-a-dive-into-a-threat-actors-malicious-ttps
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.001
    - attack.t1003.004
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\MemProcFS.exe'
        - OriginalFileName: 'MemProcFS.exe'
        - Description: 'MemProcFS'
    selection_cli:
        CommandLine|contains: '-device'
    condition: all of selection_*
falsepositives:
    - Legitimate use during memory forensics; if not part of authorized analysis, warrants urgent investigation
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml
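To show how the rule's selections combine, here is an added example (not part of the rule or the Sigma project) that evaluates the detection logic above against constructed process-creation events. It assumes Sigma's default case-insensitive string matching, models selection_img as a list of alternatives (OR) and selection_cli as a map (AND), and uses made-up file paths and command lines.

```python
from typing import Dict, List, Tuple

# selection_img is a YAML list of one-key maps: any entry matching suffices (OR).
SELECTION_IMG: List[Tuple[str, str]] = [
    ("Image|endswith", "\\MemProcFS.exe"),
    ("OriginalFileName", "MemProcFS.exe"),
    ("Description", "MemProcFS"),
]
# selection_cli is a single map: every key in it must match (AND).
SELECTION_CLI: List[Tuple[str, str]] = [("CommandLine|contains", "-device")]


def field_matches(spec: str, expected: str, event: Dict[str, str]) -> bool:
    """Apply one Sigma field test ('Field' or 'Field|modifier') to an event.
    Sigma string comparisons are case-insensitive by default."""
    field, _, modifier = spec.partition("|")
    value = event.get(field)
    if value is None:  # field absent from the event: the test cannot match
        return False
    value, expected = value.lower(), expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "contains":
        return expected in value
    return value == expected  # no modifier: whole-value equality


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    img = any(field_matches(k, v, event) for k, v in SELECTION_IMG)
    cli = all(field_matches(k, v, event) for k, v in SELECTION_CLI)
    return img and cli


# Constructed process-creation events (assumed sample data, not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Tools\memprocfs.exe",
     "CommandLine": r"memprocfs.exe -device C:\dumps\host.dmp"},
    {"Image": r"C:\Windows\Temp\svc.exe", "OriginalFileName": "MemProcFS.exe",
     "CommandLine": r"svc.exe -device \\share\dumps\host.raw"},  # renamed binary
    {"Image": r"C:\Tools\MemProcFS.exe", "CommandLine": "MemProcFS.exe"},  # no -device
    {"Image": r"C:\Tools\other.exe", "CommandLine": "other.exe -device x"},  # other image
]


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Return one verdict per event, in input order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate(EVENTS)):
        print("ALERT" if hit else "ok   ", e["CommandLine"])
```

The second event matches only through OriginalFileName, which is why the rule keeps the PE metadata fields alongside the image path.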
Related rules
- Cred Dump Tools Dropped Files
- Antivirus Password Dumper Detection
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- HackTool - Credential Dumping Tools Named Pipe Created