EXPLORE
Sign In
← Back to Explore
sigmahighHunting

PUA - Memory Dump Mount Via MemProcFS

Detects execution of MemProcFS a memory forensics tool with the '-device' parameter. MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures. Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials. MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.

MITRE ATT&CK

T1003T1003.001T1003.004T1003.002
credential-access

Detection Query

selection_img:
  - Image|endswith: \MemProcFS.exe
  - OriginalFileName: MemProcFS.exe
  - Description: MemProcFS
selection_cli:
  CommandLine|contains: -device
condition: all of selection_*

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2026-04-27

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.credential-accessattack.t1003attack.t1003.001attack.t1003.004attack.t1003.002
Raw Content
title: PUA - Memory Dump Mount Via MemProcFS
id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
status: experimental
description: |
    Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
    MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
    Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
    MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
references:
    - https://github.com/ufrisk/MemProcFS
    - https://0xdf.gitlab.io/2024/10/05/htb-freelancer.html#
    - https://www.huntress.com/blog/curling-for-data-a-dive-into-a-threat-actors-malicious-ttps
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.001
    - attack.t1003.004
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\MemProcFS.exe'
        - OriginalFileName: 'MemProcFS.exe'
        - Description: 'MemProcFS'
    selection_cli:
        CommandLine|contains: '-device'
    condition: all of selection_*
falsepositives:
    - Legitimate use during memory forensics; if not part of authorized analysis, warrants urgent investigation
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml