
Summary
Detects execution of MemProcFS, a memory-forensics utility, when it is invoked with the -device parameter to mount physical memory as a virtual file system. MemProcFS can directly access process memory and system structures, enabling the dumping of memory contents and the extraction of sensitive data such as LSASS/SAM credentials, LSA secrets, registry hives, and cached domain credentials. The rule triggers on MemProcFS.exe process creation with a command line containing -device, which indicates a memory-mount operation. This behavior aligns with known attacker techniques for obtaining credential material from memory. Classified as high severity because of the sensitive nature of the data accessed and the potential for credential compromise. False positives include legitimate forensic investigations; confirm authorization before escalating or responding. The rule is designed to complement incident response by flagging unusual or unauthorized use of memory-forensics tooling on endpoints.
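The detection logic described above, as an added example that is not part of the rule page itself: it runs the image-name and -device checks over a few constructed process-creation events and annotates each hit with whether the launching account is on an incident-response roster, so the "confirm authorization" triage step is visible in the alert. The event field names, the sample events and the AUTHORIZED_FORENSIC_ACCOUNTS set are assumptions; matching is case-insensitive and requires -device as a whole token so that unrelated arguments such as "-device-notes.txt" do not fire.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample process-creation events (not from any real host). The field
# names are an assumption modelled on a generic endpoint telemetry schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "image": r"C:\Tools\MemProcFS\MemProcFS.exe",
     "command_line": "MemProcFS.exe -device PMEM -mount M", "user": r"CORP\ir-analyst"},
    {"host": "ws02", "image": r"C:\Users\jdoe\Downloads\memprocfs.exe",
     "command_line": "memprocfs.exe -DEVICE fpga -forensic 1", "user": r"CORP\jdoe"},
    {"host": "ws03", "image": r"C:\Tools\MemProcFS\MemProcFS.exe",
     "command_line": "MemProcFS.exe -h", "user": r"CORP\ir-analyst"},
    {"host": "ws04", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe -device-notes.txt", "user": r"CORP\jdoe"},
]

# Assumption: accounts the IR team has pre-authorised to run forensic tooling.
AUTHORIZED_FORENSIC_ACCOUNTS: Set[str] = {r"corp\ir-analyst"}

# -device must stand alone as a token (start or whitespace before, whitespace or
# end after); case-insensitive because Windows argument parsing usually is.
_DEVICE_FLAG = re.compile(r"(?:^|\s)-device(?:\s|$)", re.IGNORECASE)


def is_memprocfs_image(image: str) -> bool:
    """True when the executable's base name is memprocfs.exe (any path, any case)."""
    base = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.lower() == "memprocfs.exe"


def has_device_flag(command_line: str) -> bool:
    """True when the command line carries -device as a separate argument."""
    return _DEVICE_FLAG.search(command_line) is not None


def match_event(event: Dict[str, str]) -> bool:
    """The rule condition: MemProcFS.exe process creation with a -device argument."""
    return is_memprocfs_image(event.get("image", "")) and has_device_flag(
        event.get("command_line", "")
    )


def detect(events: Iterable[Dict[str, str]],
           authorized: Set[str] = AUTHORIZED_FORENSIC_ACCOUNTS) -> List[Dict[str, object]]:
    """Run the rule over events and return high-severity alerts.

    Every match is alerted; the authorized_account field only tells the analyst
    whether the launching user is on the roster, it never suppresses the alert.
    """
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if not match_event(ev):
            continue
        user = ev.get("user", "")
        alerts.append({
            "host": ev.get("host", ""),
            "user": user,
            "command_line": ev.get("command_line", ""),
            "severity": "high",
            "summary": "MemProcFS memory mount (-device): possible credential access from memory",
            "authorized_account": user.lower() in authorized,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the ws01 and ws02 events match: ws03 runs MemProcFS without -device, and ws04 is a different binary whose argument merely starts with the string. The ws02 hit is the one to escalate first, since its user is not on the roster and the binary was launched from a user profile directory.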
Categories
- Windows
Data Sources
- Process
- Command
Created: 2026-04-27