title: Process Dump via RdrLeakDiag.exe
author: Cedric MAURUGEON
date: 2021/09/24
description: Detects a process memory dump performed by RdrLeakDiag.exe
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    OriginalFileName: RdrLeakDiag.exe
  SELECTION_3:
    CommandLine: '*fullmemdmp*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
level: high
logsource:
  category: process_creation
  product: windows
references:
- https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
status: experimental
tags:
- attack.credential_access
- attack.t1003.001
ruletype: SIGMA