Added detection to detect every possible way of execution through rdrleakdiag

rules/windows/process_creation/proc_creation_win_lolbin_rdrleakdiag.yml

@@ -4,9 +4,9 @@ status: experimental
 description: Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory
 references:
     - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel
 date: 2022/01/04
-modified: 2023/02/13
+modified: 2023/04/24
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -15,15 +15,22 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
+    selection_img:
         Image|endswith: '\rdrleakdiag.exe'
-        CommandLine|contains: '/fullmemdmp'
-    selection2:
-        CommandLine|contains|all:
-            - '/fullmemdmp'
+        CommandLine|contains: 'fullmemdmp'
+    selection_cli_output:
+        CommandLine|contains:
+            - ' -o '
             - ' /o '
+    selection_cli_process:
+        CommandLine|contains:
+            - ' -p '
             - ' /p '
-    condition: selection1 or selection2
+    selection_cli_memdmp:
+         CommandLine|contains:
+            - '-fullmemdmp'
+            - '/fullmemdmp'
+    condition: selection_img or (all of selection_cli_*)
 falsepositives:
     - Unknown
-level: high
+level: high