PUA - Magnet RAM Capture Service Installation - Security

Rule Info

Name: PUA - Magnet RAM Capture Service Installation - Security
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects the service installation of the Magnet RAM Capture driver, a legitimate forensics tool that can be abused for malicious purposes. This tool is designed for memory acquisition but has been observed being misused by threat actors for credential harvesting. The tool's signed kernel driver can be exploited to bypass security controls, making it attractive for adversaries seeking to evade detection.
Date: 2025-04-24 00:00:00
Modified: None
Id: ea132e5d-65c4-4e1e-b101-dfc644b419dc
Tags: attack.credential-access, attack.t1003.001, attack.defense-evasion, attack.t1553.002
Type: Nextron Sigma feed only (private)

Rule History