diff --git a/rules/windows/process_creation/win_process_dump_rdrleakdiag.yml b/rules/windows/process_creation/win_process_dump_rdrleakdiag.yml
new file mode 100644
index 00000000..22f2284c
--- /dev/null
+++ b/rules/windows/process_creation/win_process_dump_rdrleakdiag.yml
@@ -0,0 +1,22 @@
+title: Process Dump via RdrLeakDiag.exe
+id: EDADB1E5-5919-4E4C-8462-A9E643B02C4B
+description: Detects a process memory dump performed by RdrLeakDiag.exe
+status: experimental
+level: high
+references:
+ - https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
+author: Cedric MAURUGEON
+date: 2021/09/24
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName: RdrLeakDiag.exe
+ CommandLine|contains:
+ - 'fullmemdmp'
+ condition: selection
+falsepositives: Unknown
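Review bot: The selection keys on OriginalFileName alone, so the rule stays silent on any process_creation source whose events do not carry that PE version-resource field (Sysmon Event ID 1 does, Windows Security 4688 does not). Listing Image|endswith and OriginalFileName as alternatives in one selection, with the command-line check kept in a second selection joined by `all of selection_*`, lets either attribute satisfy the process match without loosening the `fullmemdmp` requirement. Separately, the Sigma specification defines falsepositives as a list of strings, so the final line should be `falsepositives:` followed by `    - Unknown` rather than a bare scalar. The id is also written as an upper-case UUID; SigmaHQ rules conventionally use lower case, which is worth checking against the repository's rule tests. The collapsed rendering has lost the YAML indentation, so the nesting below is reconstructed and should be checked against the file as committed.
```yaml
detection:
    selection_img:
        - Image|endswith: '\rdrleakdiag.exe'
        - OriginalFileName: RdrLeakDiag.exe
    selection_cli:
        CommandLine|contains: 'fullmemdmp'
    condition: all of selection_*
falsepositives:
    - Unknown
```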