PUA - Memory Dump Mount Via MemProcFS

Rule Info

Name: PUA - Memory Dump Mount Via MemProcFS
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects execution of MemProcFS, a memory forensics tool, with the '-device' parameter. MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures. Threat actors have been observed abusing this utility to mount memory dumps and then extract sensitive information from processes such as LSASS, or to extract registry hives in order to obtain credentials, LSA secrets, SAM data, and cached domain credentials. MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
Date: 2026-04-27 00:00:00
Modified: None
Id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
Tags: attack.credential-access attack.t1003 attack.t1003.001 attack.t1003.004 attack.t1003.002
Type: Community Rule
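As an added example (not part of the rule or of the Sigma project), the rule's condition approximated in Python and run over constructed Sysmon process-creation events. The field names (Computer, Image, OriginalFileName, CommandLine) and the match on the image or PE original name `MemProcFS.exe` are assumptions about how the rule is written; the authorized-host grading is an added triage step suggested by the description's wording, not rule logic.

```python
import ntpath

# Constructed Sysmon Event ID 1 style events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "forensics-ws01", "Image": r"C:\Tools\MemProcFS\MemProcFS.exe",
     "OriginalFileName": "MemProcFS.exe",
     "CommandLine": r"MemProcFS.exe -device C:\Cases\case42\memory.raw -mount M"},
    {"Computer": "fileserver03", "Image": r"C:\Users\Public\mpfs.exe",   # renamed binary
     "OriginalFileName": "MemProcFS.exe",
     "CommandLine": r"mpfs.exe -device C:\Windows\Temp\mem.dmp -mount X"},
    {"Computer": "hr-laptop12", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe -device.txt"},                            # substring decoy
    {"Computer": "forensics-ws01", "Image": r"C:\Tools\MemProcFS\MemProcFS.exe",
     "OriginalFileName": "MemProcFS.exe",
     "CommandLine": "MemProcFS.exe -h"},                                   # no -device
]

def device_argument(command_line):
    """Value after a '-device' switch, '' if the switch is last, None if absent.
    Tokenising (rather than a substring search) avoids hits such as '-device.txt'."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens):
        if tok.lower() == "-device":
            return tokens[i + 1] if i + 1 < len(tokens) else ""
    return None

def is_memprocfs_device_mount(event):
    """Assumed rule logic: MemProcFS binary (by image basename or PE original
    name, so a renamed copy still matches) started with a '-device' argument."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if "memprocfs.exe" not in (image, original):
        return False
    return device_argument(event.get("CommandLine", "")) is not None

def triage(events, authorized_hosts):
    """Apply the rule and grade hits: hosts approved for forensic work are
    informational, every other host is high (the description's caveat)."""
    hits = []
    for ev in events:
        if not is_memprocfs_device_mount(ev):
            continue
        hits.append({
            "host": ev["Computer"],
            "image": ev["Image"],
            "device": device_argument(ev["CommandLine"]),
            "severity": "informational" if ev["Computer"] in authorized_hosts else "high",
        })
    return hits
```

Running `triage(SAMPLE_EVENTS, {"forensics-ws01"})` yields one informational hit for the analyst workstation and one high-severity hit for the renamed binary on the file server; the decoy and the help invocation produce nothing.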

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5829 from @swachchhanda000 - Add `PUA - Memory Dump Mount Via MemProcFS`
Date: 2026-04-28
Commit: