diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.evtx new file mode 100644 index 000000000..3a407d1d6 Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.evtx differ diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.json b/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.json new file mode 100644 index 000000000..4b22e215a --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.json @@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-01-08T11:35:29.019488Z" + } + }, + "EventRecordID": 89875, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4048, + "ThreadID": 4748 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-01-08 11:35:29.014", + "ProcessGuid": "0197231E-9681-695F-9B08-000000000D00", + "ProcessId": 6812, + "Image": "C:\\Users\\xodih\\Downloads\\MemProcFS_files_and_binaries-win_x64-latest\\MemProcFS.exe", + "FileVersion": "5.16.9.223", + "Description": "MemProcFS", + "Product": "MemProcFS", + "Company": "-", + "OriginalFileName": "MemProcFS.exe", + "CommandLine": "MemProcFS.exe -device c:\\temp\\win10x64-dump.raw", + "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\MemProcFS_files_and_binaries-win_x64-latest\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-C5A4-695E-14DE-010000000000", + "LogonId": "0x1de14", + "TerminalSessionId": 1, + "IntegrityLevel": "High", + "Hashes": "MD5=44E0EDBFD49FE6D5953784CD414637CE,SHA256=B0AEB673F2C28FB57E930E64E7C1BD750D2C59EE5FBED23DCCB0C9113FD2BAB2,IMPHASH=576964736A4F54038535DC0CF647F7AD", + "ParentProcessGuid": "0197231E-9680-695F-9A08-000000000D00", + "ParentProcessId": 17832, + "ParentImage": "C:\\Windows\\System32\\cmd.exe", + "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c MemProcFS.exe -device c:\\temp\\win10x64-dump.raw", + "ParentUser": "swachchhanda\\xodih" + } + } +} diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml new file mode 100644 index 000000000..9cb4da2ad --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml @@ -0,0 +1,13 @@ +id: f3f626bf-193e-4d06-96cf-7ed84b0550eb +description: N/A +date: 2026-01-08 +author: Swachchhanda Shrawan Poudel (Nextron Systems) +rule_metadata: + - id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890 + title: PUA - MemProcFS Execution for Credential Access +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.evtx diff --git a/rules/windows/process_creation/proc_creation_win_pua_memprocfs.yml b/rules/windows/process_creation/proc_creation_win_pua_memprocfs.yml new file mode 100644 index 000000000..e86d608c4 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_pua_memprocfs.yml @@ -0,0 +1,35 @@ +title: PUA - Memory Dump Mount Via MemProcFS +id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890 +status: experimental +description: | + Detects execution of MemProcFS a memory forensics tool with the '-device' parameter. + MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures. + Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials. + MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation. +references: + - https://github.com/ufrisk/MemProcFS + - https://0xdf.gitlab.io/2024/10/05/htb-freelancer.html# + - https://www.huntress.com/blog/curling-for-data-a-dive-into-a-threat-actors-malicious-ttps +author: Swachchhanda Shrawan Poudel (Nextron Systems) +date: 2026-04-27 +tags: + - attack.credential-access + - attack.t1003 + - attack.t1003.001 + - attack.t1003.004 + - attack.t1003.002 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\MemProcFS.exe' + - OriginalFileName: 'MemProcFS.exe' + - Description: 'MemProcFS' + selection_cli: + CommandLine|contains: '-device' + condition: all of selection_* +falsepositives: + - Legitimate use during memory forensics; if not part of authorized analysis, warrants urgent investigation +level: high +regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml