Memory-Dump

Adversaries use MemProcFS, a memory forensics tool, to mount memory dumps as virtual file systems and extract sensitive information like credentials from LSASS or registry hives.

This rule detects handle requests for LSASS object access with specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) indicative of memory dumping, commonly employed by tools like SharpDump, Procdump, Mimikatz, and Comsvcs to extract credentials from the LSASS process on Windows systems.