34 changes: 33 additions & 1 deletion solutions/security/endpoint-response-actions.md
Expand Up @@ -15,7 +15,7 @@ products:

The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint’s [response actions history](/solutions/security/endpoint-response-actions.md#actions-log) for reference.

Response actions are supported on all endpoint platforms (Linux, macOS, and Windows).
Unless otherwise specified, response actions are supported on all endpoint platforms (Linux, macOS, and Windows).

::::{admonition} Requirements
* Response actions and the response console UI require the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature tier](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}.
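Review bot: the new "Unless otherwise specified" qualifier in the platform-support sentence gives the reader no way to find the exceptions it alludes to. Since this PR introduces the one Windows-only action, `memory-dump`, link to it from here (for example: "Unless otherwise specified, response actions are supported on all endpoint platforms (Linux, macOS, and Windows); see [`memory-dump`](#memory-dump) for a Windows-only action."), or keep a short list of platform-restricted actions next to this sentence so it stays discoverable as more are added.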
Expand Down Expand Up @@ -340,6 +340,38 @@ Required role or privilege: `cancel` doesn't have its own required role or privi

Example: `cancel --action="copy.sh" --comment="Canceled because it is stuck"`

### `memory-dump` [memory-dump]
```yaml {applies_to}
stack: ga 9.3+
serverless: ga
```

Trigger a virtual process or kernel system memory dump on a Windows endpoint. Use this action to capture volatile artifacts—such as in-memory malware, credentials, and injected payloads—for advanced forensic analysis.

::::{note}
This response action is supported only for Windows endpoints.
::::

The memory dump is stored on the endpoint's local disk. After running `memory-dump`, you must use the [`get-file`](#get-file) response action to download the dump from the endpoint.

Use one of the following parameters to specify the type of memory dump:

* `--kernel`: Generate a kernel-level memory dump. No other arguments are required when using this parameter.
* `--process`: Generate a process-level memory dump. When using this parameter, you must also include one of the following to identify the process:
* `--pid`: The process ID (PID) of the process to dump.
* `--entityId`: The entity ID of the process to dump.

Predefined role (in {{serverless-short}}): **SOC manager** or **Endpoint operations analyst**

Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}}): **Execute Operations**

Examples:

`memory-dump --process --entityId="jshks0fhksh"`

`memory-dump --kernel --comment "Dumping kernel memory for investigation"`


## Supporting commands and parameters [supporting-commands-parameters]


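Review bot: the `memory-dump` section tells the reader to retrieve the dump with `get-file`, but never says where on the endpoint the dump is written or what the file is called, and `get-file` has to be pointed at a specific file; state the output location and naming (or say explicitly that the action's console output reports the path), and say whether the dump is removed from the endpoint after retrieval, since an operator otherwise has to guess both. Smaller points in the same hunk: the `--pid` and `--entityId` bullets are not indented under `--process`, so they render as siblings of `--kernel` rather than as the sub-options the sentence promises; the two examples use different argument syntax (`--entityId="..."` versus `--comment "..."`) while the `cancel` example just above uses `--comment="..."`, so pick one form; "a virtual process or kernel system memory dump" reads oddly and "a process or kernel memory dump" would match the parameter list; and there is a double blank line before the `## Supporting commands and parameters` heading.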