Process Memory Dump via RdrLeakDiag.EXE
Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
Sigma rule
title: Process Memory Dump via RdrLeakDiag.EXE
id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
related:
    - id: 6355a919-2e97-4285-a673-74645566340d
      type: obsoletes
status: test
description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
references:
    - https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
    - https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
    - https://twitter.com/0gtweet/status/1299071304805560321?s=21
author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2021/09/24
modified: 2023/04/24
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rdrleakdiag.exe'
        - OriginalFileName: RdrLeakDiag.exe
    selection_cli_dump:
        CommandLine|contains:
            - 'fullmemdmp'
            - '/memdmp'
            - '-memdmp'
    selection_cli_output:
        CommandLine|contains:
            - ' -o '
            - ' /o '
    selection_cli_process:
        CommandLine|contains:
            - ' -p '
            - ' /p '
    condition: all of selection_cli_* or (selection_img and selection_cli_dump)
falsepositives:
    - Unknown
level: high
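To show how the condition of this rule evaluates, here is an added Python example that is not part of the Sigma project or of this rule (Sigma's own evaluation engine is pySigma). It implements the three `selection_cli_*` blocks, `selection_img` and the condition `all of selection_cli_* or (selection_img and selection_cli_dump)` over constructed process_creation events. The field names follow the rule; the event records, the PID 4242 and the file paths are constructed for the example, and string matching is case-insensitive because Sigma treats string values that way. The second event shows why the `all of selection_cli_*` branch exists: a copy of the binary under another name still fires on the command-line switches alone.

```python
from typing import Dict, List, Tuple

Event = Dict[str, str]


def _contains_any(value: str, needles: List[str]) -> bool:
    """Sigma 'contains' modifier over a list: any needle, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection_img(ev: Event) -> bool:
    # A list of maps in Sigma means OR between the alternatives.
    image = ev.get("Image", "").lower()
    original = ev.get("OriginalFileName", "").lower()
    return image.endswith("\\rdrleakdiag.exe") or original == "rdrleakdiag.exe"


def selection_cli_dump(ev: Event) -> bool:
    return _contains_any(ev.get("CommandLine", ""), ["fullmemdmp", "/memdmp", "-memdmp"])


def selection_cli_output(ev: Event) -> bool:
    return _contains_any(ev.get("CommandLine", ""), [" -o ", " /o "])


def selection_cli_process(ev: Event) -> bool:
    return _contains_any(ev.get("CommandLine", ""), [" -p ", " /p "])


def matches(ev: Event) -> bool:
    """condition: all of selection_cli_* or (selection_img and selection_cli_dump)"""
    all_cli = selection_cli_dump(ev) and selection_cli_output(ev) and selection_cli_process(ev)
    return all_cli or (selection_img(ev) and selection_cli_dump(ev))


# Constructed sample events (not real telemetry); PID and paths are placeholders.
EVENTS: List[Event] = [
    {   # documented dump invocation by the genuine binary: both branches match
        "id": "ev1",
        "Image": r"C:\Windows\System32\rdrleakdiag.exe",
        "OriginalFileName": "RdrLeakDiag.exe",
        "CommandLine": r"rdrleakdiag.exe /p 4242 /o C:\Users\Public /fullmemdmp",
    },
    {   # renamed copy with no OriginalFileName field: only the all-of-cli branch matches
        "id": "ev2",
        "Image": r"C:\Users\Public\diag.exe",
        "CommandLine": r"diag.exe -p 4242 -o C:\Users\Public -memdmp",
    },
    {   # genuine binary, process and output switches but no memory-dump switch: no match
        "id": "ev3",
        "Image": r"C:\Windows\System32\rdrleakdiag.exe",
        "OriginalFileName": "RdrLeakDiag.exe",
        "CommandLine": r"rdrleakdiag.exe /p 4242 /o C:\Users\Public",
    },
    {   # unrelated process that happens to carry ' -p ': a single cli selection is not enough
        "id": "ev4",
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe -p C:\Users\Public\notes.txt",
    },
]


def evaluate(events: List[Event]) -> List[Tuple[str, bool]]:
    """Return (event id, rule fired) for each event."""
    return [(ev["id"], matches(ev)) for ev in events]


if __name__ == "__main__":
    for event_id, fired in evaluate(EVENTS):
        print(f"{event_id}: {'ALERT' if fired else 'no match'}")
```

Running the block prints an alert for the first two events and no match for the last two. When porting this rule to a backend, keep the leading and trailing spaces in the `' -o '`, `' /o '`, `' -p '` and `' /p '` values; dropping them makes the output and process selections match far more command lines than intended.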