
PUA - Memory Dump Mount Via MemProcFS (8a1b2c3d-4e5f-6789-abcd-ef1234567890)

Detects execution of MemProcFS, a memory forensics tool, with the '-device' parameter. MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures. Threat actors have been observed abusing this utility to mount memory dumps and then extract sensitive information from processes such as LSASS, or to extract registry hives in order to obtain credentials, LSA secrets, SAM data, and cached domain credentials. MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) | Attack Pattern | PUA - Memory Dump Mount Via MemProcFS (8a1b2c3d-4e5f-6789-abcd-ef1234567890) | Sigma-Rules | 1 |
| Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) | Attack Pattern | PUA - Memory Dump Mount Via MemProcFS (8a1b2c3d-4e5f-6789-abcd-ef1234567890) | Sigma-Rules | 1 |
| PUA - Memory Dump Mount Via MemProcFS (8a1b2c3d-4e5f-6789-abcd-ef1234567890) | Sigma-Rules | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 1 |
| PUA - Memory Dump Mount Via MemProcFS (8a1b2c3d-4e5f-6789-abcd-ef1234567890) | Sigma-Rules | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 1 |
| LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) | Attack Pattern | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 2 |
| Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) | Attack Pattern | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 2 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 2 |