Process Memory Dump via RdrLeakDiag.EXE

 1title: Process Memory Dump via RdrLeakDiag.EXE
 2id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
 3related:
 4    - id: 6355a919-2e97-4285-a673-74645566340d
 5      type: obsolete
 6status: test
 7description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
 8references:
 9    - https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
10    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
11    - https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
12    - https://twitter.com/0gtweet/status/1299071304805560321?s=21
13    - https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive
14author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
15date: 2021-09-24
16modified: 2024-08-15
17tags:
18    - attack.credential-access
19    - attack.t1003.001
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_img:
25        - Image|endswith: '\rdrleakdiag.exe'
26        - OriginalFileName: RdrLeakDiag.exe
27    selection_cli_dump:
28        CommandLine|contains|windash:
29            - '/memdmp'
30            - 'fullmemdmp'
31    selection_cli_output_process:
32        CommandLine|contains|windash:
33            - ' /o ' # Output
34            - ' /p ' # Process
35    condition: all of selection_*
36falsepositives:
37    - Unlikely
38level: high

References

• Dumping & Abusing Windows Credentials [Part-1] - PureID

  

  In this blog, we will go through the windows authentication and authorization internals, as well as how to steal and abuse credentials on the Windows attack surface.

  
  Read More

• AQUATIC PANDA in Possession of Log4Shell Exploit Tools | CrowdStrike

  CrowdStrike Falcon® OverWatch exposes AQUATIC PANDA in possession of Log4Shell exploit tools during hands-on intrusion attempt. Learn about the process here.

  
  Read More

• Rdrleakdiag on LOLBAS

  

  rdrleakdiag.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• x.com

  
  Read More

• Operation Crimson Palace: A Technical Deep Dive

  

  Sophos Managed Detection and Response initiated a threat hunt across all customers after the detection of abuse of a vulnerable legitimate VMware executable (vmnat.exe) to perform dynamic link libr…

  
  Read More

Related rules

• APT31 Judgement Panda Activity
• Cred Dump Tools Dropped Files
• Credential Dumping Activity By Python Based Tool
• Credential Dumping Attempt Via WerFault
• Credential Dumping Tools Service Execution - Security