August 6, 2025
From Memory Dumps to Filesystem Browsing
Historically, threat groups like Lorenz have relied on tools such as Magnet RAM Capture to dump volatile memory for offline analysis. While this approach can be effective, it comes with significant operational overhead—dumping large memory files, transferring them, and parsing them with additional forensic tools is time-consuming.
But adversaries are evolving. They are shifting toward real-time, low-footprint techniques like MemProcFS, a forensic tool that exposes system memory as a browsable virtual filesystem. When paired with Dokan, a user-mode library that enables filesystem mounting on Windows, MemProcFS can mount live memory—not just parse dumps—giving attackers direct access to volatile data in real time.
This setup eliminates the need for traditional bulky memory dumps and allows attackers to interact with memory as if it were a local folder structure. The result is faster, more selective data extraction with minimal forensic trace.
With this capability, attackers can:
- Navigate memory like folders, skipping raw dump parsing
- Directly access processes like lsass.exe to extract credentials swiftly
- Evade traditional detection, as no dump files are written to disk
This marks a shift in post-exploitation tactics—precision, stealth, and speed now define how memory is harvested.
Sample directory structure of live system memory mounted using MemProcFS (attacker’s perspective)
Case Study
Microsoft Defender Experts, in late April 2025, observed this technique in an intrusion where a compromised user account was leveraged for lateral movement across the environment. The attacker demonstrated a high level of operational maturity, using stealthy techniques to harvest credentials and exfiltrate sensitive data.
Attack Path summary as observed by Defender Experts
After gaining access, the adversary deployed Dokan and MemProcFS to mount live memory as a virtual filesystem. This allowed them to interact with processes like lsass.exe in real-time, extracting credentials without generating traditional memory dumps—minimizing forensic artifacts.
To further their access, the attacker executed vssuirun.exe to create a Volume Shadow Copy, enabling access to locked system files such as SAM and SYSTEM. These files were critical for offline password cracking and privilege escalation.
Once the data was collected, it was compressed into an archive and exfiltrated via an SSH tunnel.
Attackers compress the LSASS minidump from mounted memory into an archive for exfiltration
This case exemplifies how modern adversaries combine modular tooling, real-time memory interaction, and encrypted exfiltration to operate below the radar and achieve their objectives with precision.
Unmasking Stealth: Defender Experts in Action
The attack outlined above exemplifies the stealth and sophistication of today’s threat actors—leveraging legitimate tools, operating in-memory, and leaving behind minimal forensic evidence. Microsoft Defender Experts successfully detected, investigated, and responded to this memory-resident threat by leveraging rich telemetry, expert-led threat hunting, and contextual analysis that goes far beyond automated detection.
From uncovering evasive techniques like memory mounting and credential harvesting to correlating subtle signals across endpoints, Defender Experts bring human-led insight to the forefront of your cybersecurity strategy. Our ability to pivot quickly, interpret nuanced behaviors, and deliver tailored guidance ensures that even the most covert threats are surfaced and neutralized—before they escalate.
Detection Guidance
The Microsoft Defender for Endpoint alert "Memory forensics tool activity" might indicate threat activity associated with this technique.
Microsoft Defender XDR customers can run the following query to identify suspicious use of MemProcFS:
// Process starts whose original file name is MemProcFS and whose command line targets the PMEM (live memory) device
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName has "MemProcFS"
| where ProcessCommandLine has_all ("-device PMEM")
Recommendations
To reduce exposure to this emerging technique, Microsoft Defender Experts recommend the following actions:
- Educate security teams on memory-based threats and the offensive repurposing of forensic tools.
- Monitor for memory mounting activity, especially virtual drive creation linked to unusual processes or users.
- Restrict execution of dual-use tools like MemProcFS via application control policies.
- Track filesystem driver installations, flagging Dokan usage as a potential precursor to memory access.
- Correlate SSH activity with data staging, especially when sensitive files are accessed or archived.
- Submit suspicious samples to the Microsoft Defender Security Intelligence (WDSI) portal for analysis.
Final Thoughts
We all agree: memory is no longer just a post-incident artifact—it’s the new frontline in credential theft.
What we’re witnessing isn’t just a clever use of forensic tooling, it’s a strategic shift in how adversaries interact with volatile data. By mounting live memory as a virtual filesystem, attackers gain real-time access to a wide range of sensitive information—not just credentials.
From authentication tokens and encryption keys to in-memory malware, clipboard contents, and application data, memory has become a rich, dynamic source of intelligence. Tools like MemProcFS and Dokan enable adversaries to extract this data with speed, precision, and minimal forensic footprint—often without leaving behind the traditional signs defenders rely on.
This evolution challenges defenders to go beyond surface-level detection. We must monitor for subtle signs of memory access abuse, understand how legitimate forensic tools are being repurposed offensively, and treat memory as an active threat surface—not just a post-incident artifact.
To learn more about how our human-led managed security services can help you stay ahead of similar emerging threats, please visit Microsoft Defender Experts for XDR, our managed extended detection and response (MXDR) service, and Microsoft Defender Experts for Hunting (included in Defender Experts for XDR and as a standalone service), our managed threat hunting service.