From 1a51d53e9f8e5cb6cd2b9297e80366e2abcbce0b Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel
 <87493836+swachchhanda000@users.noreply.github.com>
Date: Tue, 28 Apr 2026 02:15:50 +0545
Subject: [PATCH] Merge PR #5829 from @swachchhanda000 - Add `PUA - Memory Dump
 Mount Via MemProcFS`

new: PUA - Memory Dump Mount Via MemProcFS

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
---
 .../8a1b2c3d-4e5f-6789-abcd-ef1234567890.evtx | Bin 0 -> 69632 bytes
 .../8a1b2c3d-4e5f-6789-abcd-ef1234567890.json |  66 ++++++++++++++++++
 .../proc_creation_win_pua_memprocfs/info.yml  |  13 ++++
 .../proc_creation_win_pua_memprocfs.yml       |  35 ++++++++++
 4 files changed, 114 insertions(+)
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.evtx
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.json
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_pua_memprocfs.yml

diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..3a407d1d61dc8d8f3d967bdbfcca5cabb966e088
GIT binary patch
literal 69632
zcmeI0TWnlc6^7S2o*9qFo*BD|xr8PpX}KiSj^n$V24s&tB-Cy~F9akD<NA_JV~?Yb
z(<DSfE>NKs#7zPu!b62B(IUhf5~`4pkP2@Fp-5bWB2Zt-3sON9pbDA)-)C=+?buFA
zUU>M==*-!dwbx$zTWha<X2urg%aw&W+kC~oVFl0F8q8Xw%_4VPAO81SAHHKHQXm2%
zAOa#F0wN#+A|L`HAOa#F0wQor0%HsFrE}Hu7Jl7t_gtYS{3-Byo7wrtpRU|e@ht>6
z&zahn)9c0dX3TO~vwxuV_0;+vvu?B>$KMcd_j>gfW1hvFy!Lua{^{j^<lEVI4Q=zA
z?D+`l|MGv5?AbKO;<{D6<jWI~EkozaoAgls?Ov}n)+OH`{-CKh{ZFOChrzmNYySV`
zsq3$ObLCG_F^a4ux^e7pFNT>|{@`D)J$&#lzrVinQri!{j+IbqxXr$ZA{WT(<(9OK
z*;6)WRa-{=OSm&n_|Bgd({|YwZ2_G%bflv`I|s34yI}X*5qxSkgO)kSOrzY1X9X=!
z+7fC@HV?^8)R)kH#4e$)if6ZV;nRy!mkr{3Zf*M7hFTo0u3m?)g5Q=N&DbM$1)7)L
zj0o`I)zweIuHex(u4e7DoBb)wH4CXH(c6!^9D?z|Z>8)Z7`up0vqHh5%qM+39BNP5
zNA02;iLRm*8-^Qf0%D)_5^qj7u7h>bM$z{H+!=-()g1a`&OQzm(?C|i@+-~+qAR2<
z6BimRlZu+{AR0oXzpJUyKH<eGAXP<QTxhmb3VUuJDj~#YUrpOM1nH{<Cu9_g?QT@=
z_HjCPHD!-FUz~R$F(-^{KPub;ynehdW2fLix`l{1T|`Z3yBC$PbDsEh)*eLn75Hrl
z9B09uqG@YS0sCoGzTq_<`)V^LtvIG7h|a+Px@Z<M4i9$`W9oscxeXo+gMcSvZ4FTl
z(NfPP<%aw^+7Ck^O{OIY`M8j?9Bp|9gF-_1{@<Ie<iu#lg0m!GorGMu?00zXjhqcb
z<1!3qv@Bz#iQYn^6*Ei<bbH?`ZN{k+O<dD9gYpcQ)zwAJ5t7JHf6{~nTy}<EbQ2}+
zJwZF*O`|Qj-!=J|oq=EtA8$q0vKgjUy7rl&EC`?TYy*HolVuyCRu@i8#=O3O5G_G+
z8i7=GcGGFC7Nw%q)dwKJtVYKjt7aXjMT7#4OZG~fj#^;CC5-3B=AG!8MGIMvKt)Kx
z&v$0wPP*kHEK3lYy%!RhkdNobGxiu1QoCPQi|uMi7251T%I<<FLeJfZR2*2zDzesY
zS;NtVD}@s8tmT{>hP(DI)LN}*C-7{}9dKI0X=p1UFa8F(@++8T*HqG%#%AD^=F}6g
zd1JEburp|@!plowP_qsnu8XKwZEEnsnZv*MbLr>fnKvt6d+QHxcl;5z?}&o?BZ*38
ziX?e|?&R`dI5Jpno;fxZeeBs^{pYbC?!EzsQ3^i%Es8vKd5wOa0Tz<?s8c(QcIL$)
zJb4N;&YoLJAy;uy_P!f;hWRiZWf9vKVZq#5PK@(#2_5}DKmMI{=|;G68N|Z2jq|XG
zvK?O5xjxa{yeX(dVvX~$6*=aRAM>8N{+l<#ti|~T%ToS;m#6o=^=X6@51zBIKh7hJ
zwzZ`U+Fa$vL>uSRJB%5HJdZa<_JuWn#rez*e3HXw7EGB~;(X%{vdmK4eB7y5Ae&8O
z2mCt8$FH*$aYHN4;;uq|!NPjNNfzguc34R=6G<_$$DI}u!-gWUEoUsbJ<S}-_kvN3
zVVSF93Z}iy$!PkVamL;1?M<z1`8eN_NNwruap*ehc2+$)kVa|KmeE(2KZ$k3`9g9O
zg-HKU-GVm6DEAp(M-pPpQ%tVOu1m%jlgR4vE8v`d1qDPF*F6XOLT0O<y>XuT6jt8j
zN4D2TW{{BhD#Vwf8f<J!B)7EjG$aGzByz$LQ0H-1!lTd6<c`y1hZV8Iwi}<UZ&$Lu
zZFXmU?D}1_`!?;}E~eU(@$?0wVsD*HZiBtyP>A#Iz=)JF&BRFMoj$EI<-dS3?7=aS
z-0a_j`!l$o!+kGq9sxWqk|QFr!^o0sW4#~!&wIHJ_uAQwwhp{@9(CV?wjZUVc$Mw3
zK74oE5awrZukE|%JJHkMo~m4PsWxxl+haH`@3+ad*sh^`8PPk7m^z2@D9V=*H4Au7
zqm}&=h=RqnOjyQgGUeV1nTu*DCp&V=9`|v|SYuBIG%<3gFhf7A>44Vcor*8NTj}k@
zIKFB0VFgDqrqivZ8*A#>!it;i>exam=)74v^y~-04y=`Lr94aLP@i#>xObS{CjCl|
zf@@d{^CSB@5&hHX|Nr5--J8#PPct%Jc;(ZT-8Uk{tXX)nb^;X6A{r(T4SjYTp6kT{
z-GzJ9Mv%2fQ6Iu{3?8Dy5bhouz|WvwP+%`(uiv$mAax%i<^<k2yCK&PeIw8{jP?=K
z1|U^NPYL%RN+XaNK;IDBIV0m{3@s(-9D(iu^mpOO5uAAppFTH^)-g^-(Nl7Bl+e$e
z!5P>$f>}rKybpPC0`W|nXxVW$XFsGl8!hTbPcKIG;kyg<L6o?=sJjby*-MroJ&ab;
zT){s3uHR=bj)i@;@l9;fzlkMr)dO255owEvy%38Bp`H8l3~YP|nopth2<kPQR^cb(
z*5mf$XXgwecc(bN^C-Wa*m42I-}kyiKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU
z1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1Vlgt
zL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>Y
zKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU
z1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1Vlgt
zL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>Y
zKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU1VlgtL_h>YKm<fU
T1VlgtL_h>YKm<hKP6_-M@C=6n

literal 0
HcmV?d00001

diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.json b/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.json
new file mode 100644
index 000000000..4b22e215a
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.json
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-01-08T11:35:29.019488Z"
+        }
+      },
+      "EventRecordID": 89875,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4048,
+          "ThreadID": 4748
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-01-08 11:35:29.014",
+      "ProcessGuid": "0197231E-9681-695F-9B08-000000000D00",
+      "ProcessId": 6812,
+      "Image": "C:\\Users\\xodih\\Downloads\\MemProcFS_files_and_binaries-win_x64-latest\\MemProcFS.exe",
+      "FileVersion": "5.16.9.223",
+      "Description": "MemProcFS",
+      "Product": "MemProcFS",
+      "Company": "-",
+      "OriginalFileName": "MemProcFS.exe",
+      "CommandLine": "MemProcFS.exe  -device c:\\temp\\win10x64-dump.raw",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\MemProcFS_files_and_binaries-win_x64-latest\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-C5A4-695E-14DE-010000000000",
+      "LogonId": "0x1de14",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=44E0EDBFD49FE6D5953784CD414637CE,SHA256=B0AEB673F2C28FB57E930E64E7C1BD750D2C59EE5FBED23DCCB0C9113FD2BAB2,IMPHASH=576964736A4F54038535DC0CF647F7AD",
+      "ParentProcessGuid": "0197231E-9680-695F-9A08-000000000D00",
+      "ParentProcessId": 17832,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c MemProcFS.exe -device c:\\temp\\win10x64-dump.raw",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml
new file mode 100644
index 000000000..9cb4da2ad
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml
@@ -0,0 +1,13 @@
+id: f3f626bf-193e-4d06-96cf-7ed84b0550eb
+description: N/A
+date: 2026-01-08
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
+      title: PUA - MemProcFS Execution for Credential Access
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.evtx
diff --git a/rules/windows/process_creation/proc_creation_win_pua_memprocfs.yml b/rules/windows/process_creation/proc_creation_win_pua_memprocfs.yml
new file mode 100644
index 000000000..e86d608c4
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_pua_memprocfs.yml
@@ -0,0 +1,35 @@
+title: PUA - Memory Dump Mount Via MemProcFS
+id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
+status: experimental
+description: |
+    Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
+    MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
+    Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
+    MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
+references:
+    - https://github.com/ufrisk/MemProcFS
+    - https://0xdf.gitlab.io/2024/10/05/htb-freelancer.html#
+    - https://www.huntress.com/blog/curling-for-data-a-dive-into-a-threat-actors-malicious-ttps
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-27
+tags:
+    - attack.credential-access
+    - attack.t1003
+    - attack.t1003.001
+    - attack.t1003.004
+    - attack.t1003.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\MemProcFS.exe'
+        - OriginalFileName: 'MemProcFS.exe'
+        - Description: 'MemProcFS'
+    selection_cli:
+        CommandLine|contains: '-device'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use during memory forensics; if not part of authorized analysis, warrants urgent investigation
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml