Detectionhightest
Process Memory Dump via RdrLeakDiag.EXE
Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)Created Fri Sep 24Updated Thu Aug 15edadb1e5-5919-4e4c-8462-a9e643b02c4bwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic3 selectors
detection:
selection_img:
- Image|endswith: '\rdrleakdiag.exe'
- OriginalFileName: RdrLeakDiag.exe
selection_cli_dump:
CommandLine|contains|windash:
- '/memdmp'
- 'fullmemdmp'
selection_cli_output_process:
CommandLine|contains|windash:
- ' /o ' # Output
- ' /p ' # Process
condition: all of selection_*False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
MITRE ATT&CK
Tactics
Sub-techniques
Related Rules
Similar
Rule not found6355a919-2e97-4285-a673-74645566340d
Rule Metadata
Rule ID
edadb1e5-5919-4e4c-8462-a9e643b02c4b
Status
test
Level
high
Type
Detection
Created
Fri Sep 24
Modified
Thu Aug 15
Author
Path
rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml
Raw Tags
attack.credential-accessattack.t1003.001