Techniques
Sample rules
PUA - Memory Dump Mount Via MemProcFS
- source: sigma
- techniques:
  - t1003
  - t1003.001
  - t1003.002
  - t1003.004
Description
Detects execution of MemProcFS, a memory forensics tool, with the '-device' parameter. MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures. Threat actors have been seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS, or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials. MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains: -device
selection_img:
  - Image|endswith: \MemProcFS.exe
  - OriginalFileName: MemProcFS.exe
  - Description: MemProcFS
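
How the detection logic above evaluates, as an added example that is not part of the Sigma rule or this page: a minimal Python evaluator for this one rule, run over constructed process-creation events. The event paths and the "example.exe" tool are assumptions made up for illustration.

```python
# Added example: evaluates only this rule; not a general Sigma engine.

def _ci(value):
    """Lower-case a field value; Sigma string matching is case-insensitive."""
    return (value or "").lower()

def selection_cli(event):
    # CommandLine|contains: -device
    return "-device" in _ci(event.get("CommandLine"))

def selection_img(event):
    # A list of maps under one selection is OR-ed: any one field match suffices.
    return (
        _ci(event.get("Image")).endswith("\\memprocfs.exe")
        or _ci(event.get("OriginalFileName")) == "memprocfs.exe"
        or _ci(event.get("Description")) == "memprocfs"
    )

def rule_matches(event):
    # condition: all of selection_*  -> every selection must hold
    return selection_cli(event) and selection_img(event)

def matched_names(events):
    return [e["name"] for e in events if rule_matches(e)]

# Constructed process-creation events (paths and the "example.exe" tool are made up).
EVENTS = [
    {"name": "plain", "Image": r"C:\Tools\MemProcFS.exe",
     "OriginalFileName": "MemProcFS.exe", "Description": "MemProcFS",
     "CommandLine": r"MemProcFS.exe -device C:\dumps\mem.raw"},
    {"name": "renamed", "Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "MemProcFS.exe", "Description": "MemProcFS",
     "CommandLine": r"svc.exe -DEVICE C:\dumps\mem.raw"},
    {"name": "no_device", "Image": r"C:\Tools\MemProcFS.exe",
     "OriginalFileName": "MemProcFS.exe", "Description": "MemProcFS",
     "CommandLine": r"C:\Tools\MemProcFS.exe"},
    {"name": "unrelated", "Image": r"C:\Tools\example.exe",
     "OriginalFileName": "example.exe", "Description": "Example",
     "CommandLine": "example.exe -device COM3"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{e['name']:10} cli={selection_cli(e)} img={selection_img(e)} "
              f"match={rule_matches(e)}")
```

The "renamed" event still matches because the PE metadata fields (OriginalFileName, Description) satisfy selection_img even though the Image path does not.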