Merge PR #5829 from @swachchhanda000 - Add PUA - Memory Dump Mount Via MemProcFS

new: PUA - Memory Dump Mount Via MemProcFS

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>

regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-01-08T11:35:29.019488Z"
+        }
+      },
+      "EventRecordID": 89875,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4048,
+          "ThreadID": 4748
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-01-08 11:35:29.014",
+      "ProcessGuid": "0197231E-9681-695F-9B08-000000000D00",
+      "ProcessId": 6812,
+      "Image": "C:\\Users\\xodih\\Downloads\\MemProcFS_files_and_binaries-win_x64-latest\\MemProcFS.exe",
+      "FileVersion": "5.16.9.223",
+      "Description": "MemProcFS",
+      "Product": "MemProcFS",
+      "Company": "-",
+      "OriginalFileName": "MemProcFS.exe",
+      "CommandLine": "MemProcFS.exe  -device c:\\temp\\win10x64-dump.raw",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\MemProcFS_files_and_binaries-win_x64-latest\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-C5A4-695E-14DE-010000000000",
+      "LogonId": "0x1de14",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=44E0EDBFD49FE6D5953784CD414637CE,SHA256=B0AEB673F2C28FB57E930E64E7C1BD750D2C59EE5FBED23DCCB0C9113FD2BAB2,IMPHASH=576964736A4F54038535DC0CF647F7AD",
+      "ParentProcessGuid": "0197231E-9680-695F-9A08-000000000D00",
+      "ParentProcessId": 17832,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c MemProcFS.exe -device c:\\temp\\win10x64-dump.raw",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml

@@ -0,0 +1,13 @@
+id: f3f626bf-193e-4d06-96cf-7ed84b0550eb
+description: N/A
+date: 2026-01-08
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
+      title: PUA - MemProcFS Execution for Credential Access
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/8a1b2c3d-4e5f-6789-abcd-ef1234567890.evtx