Merge PR #5829 from @swachchhanda000 - Add PUA - Memory Dump Mount Via MemProcFS

new: PUA - Memory Dump Mount Via MemProcFS --------- Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 02:15:50 +05:45
parent ff107c3fe1
commit 1a51d53e9f
4 changed files with 114 additions and 0 deletions
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-01-08T11:35:29.019488Z"
+        }
+      },
+      "EventRecordID": 89875,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4048,
+          "ThreadID": 4748
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-01-08 11:35:29.014",
+      "ProcessGuid": "0197231E-9681-695F-9B08-000000000D00",
+      "ProcessId": 6812,
+      "Image": "C:\\Users\\xodih\\Downloads\\MemProcFS_files_and_binaries-win_x64-latest\\MemProcFS.exe",
+      "FileVersion": "5.16.9.223",
+      "Description": "MemProcFS",
+      "Product": "MemProcFS",
+      "Company": "-",
+      "OriginalFileName": "MemProcFS.exe",
+      "CommandLine": "MemProcFS.exe  -device c:\\temp\\win10x64-dump.raw",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\MemProcFS_files_and_binaries-win_x64-latest\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-C5A4-695E-14DE-010000000000",
+      "LogonId": "0x1de14",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=44E0EDBFD49FE6D5953784CD414637CE,SHA256=B0AEB673F2C28FB57E930E64E7C1BD750D2C59EE5FBED23DCCB0C9113FD2BAB2,IMPHASH=576964736A4F54038535DC0CF647F7AD",
+      "ParentProcessGuid": "0197231E-9680-695F-9A08-000000000D00",
+      "ParentProcessId": 17832,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c MemProcFS.exe -device c:\\temp\\win10x64-dump.raw",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,13 @@
+id: f3f626bf-193e-4d06-96cf-7ed84b0550eb
+description: N/A
+date: 2026-01-08
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
+      title: PUA - MemProcFS Execution for Credential Access
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.evtx
@@ -0,0 +1,35 @@
+title: PUA - Memory Dump Mount Via MemProcFS
+id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
+status: experimental
+description: |
+    Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
+    MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
+    Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
+    MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
+references:
+    - https://github.com/ufrisk/MemProcFS
+    - https://0xdf.gitlab.io/2024/10/05/htb-freelancer.html#
+    - https://www.huntress.com/blog/curling-for-data-a-dive-into-a-threat-actors-malicious-ttps
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-27
+tags:
+    - attack.credential-access
+    - attack.t1003
+    - attack.t1003.001
+    - attack.t1003.004
+    - attack.t1003.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\MemProcFS.exe'
+        - OriginalFileName: 'MemProcFS.exe'
+        - Description: 'MemProcFS'
+    selection_cli:
+        CommandLine|contains: '-device'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use during memory forensics; if not part of authorized analysis, warrants urgent investigation
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml