Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders, which might trigger a false positive.

Techniques

Sample rules

Potentially Suspicious DMP/HDMP File Creation

Description

Detects the creation of a file with the ".dmp" or ".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Such files are often created by software during a crash. Memory dumps can contain sensitive information such as credentials. It's best to determine the source of the crash.

Detection logic

detection:
  selection:
    Image|endswith:
      - '\cmd.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
    TargetFilename|endswith:
      - '.dmp'
      - '.dump'
      - '.hdmp'
  condition: selection
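To show how the selection above behaves on real-looking telemetry, and how the false positive described at the top of the page can be tuned out, here is an added Python example (not code from the LoFP page or from the upstream Sigma rule). It evaluates the rule's `selection` against constructed Sysmon Event ID 11 (FileCreate) records and then applies a hypothetical tuning filter: the `ALLOWLISTED_DUMP_DIRS` value and the sample events are assumptions made for this example, not values from the page.

```python
"""Evaluate the 'Potentially Suspicious DMP/HDMP File Creation' selection against
constructed Sysmon Event ID 11 records, then apply a tuning filter for the
false-positive case the page describes (administrative scripts that collect
dumps and move them). The archive directory in the filter is hypothetical."""

from __future__ import annotations

# Values copied from the rule's `selection` block.
SHELL_IMAGES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
)
DUMP_EXTENSIONS = (".dmp", ".dump", ".hdmp")

# Hypothetical tuning (assumed for this example, not from the page): a directory
# that a known administrative dump-collection script writes into.
ALLOWLISTED_DUMP_DIRS = ("c:\\crashdumparchive\\",)


def matches_selection(event: dict) -> bool:
    """True when the event satisfies `selection` (the rule's `condition`).

    Sigma string matching is case-insensitive, so both fields are lower-cased
    before the `endswith` comparisons.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(SHELL_IMAGES) and target.endswith(DUMP_EXTENSIONS)


def is_known_admin_collection(event: dict) -> bool:
    """Tuning filter for the page's false positive: dumps that an admin script
    moves into an allowlisted archive directory are not alerted on."""
    target = event.get("TargetFilename", "").lower()
    return target.startswith(ALLOWLISTED_DUMP_DIRS)


def evaluate(events: list[dict]) -> list[str]:
    """Return the TargetFilename of every event that still fires after tuning
    (selection and not the filter)."""
    return [
        e["TargetFilename"]
        for e in events
        if matches_selection(e) and not is_known_admin_collection(e)
    ]


# Constructed Sysmon EID 11 records (not real telemetry); only the two fields
# the rule inspects are included.
SAMPLE_EVENTS = [
    # fires: shell image, .dmp extension
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\app.exe.4312.dmp"},
    # no match: wrong extension
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Temp\\build.log"},
    # no match: crash handler, not a shell or scripting host
    {"Image": "C:\\Windows\\System32\\WerFault.exe",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\app.hdmp"},
    # fires: upper-case extension still matches (case-insensitive)
    {"Image": "C:\\Windows\\System32\\cscript.exe",
     "TargetFilename": "C:\\Users\\bob\\Desktop\\service.DMP"},
    # matches the selection but is removed by the hypothetical tuning filter
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "TargetFilename": "C:\\CrashDumpArchive\\srv01\\app.dump"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Note that the description mentions only ".dmp" and ".hdmp" while the selection also lists ".dump"; the example follows the selection, since that is what the rule actually evaluates. The allowlist is deliberately a path prefix rather than a process name, because the false positive the page describes is identified by where the administrative script moves the dumps, not by which shell runs it.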