title: Live Memory Dump Using Powershell
author: Max Altgelt
date: 2021/09/21
description: Detects usage of a PowerShell command to dump the live memory of a Windows
    machine
detection:
    SELECTION_1:
        ScriptBlockText: '*Get-StorageDiagnosticInfo*'
    SELECTION_2:
        ScriptBlockText: '*-IncludeLiveDump*'
    condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Diagnostics
id: cd185561-4760-45d6-a63e-a51325112cae
level: high
logsource:
    category: ps_script
    definition: Script block logging must be enabled
    product: windows
modified: 2021/10/16
references:
- https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
status: experimental
tags:
- attack.t1003
yml_filename: powershell_memorydump_getstoragediagnosticinfo.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script