CreateDump Process Dump

    Date: 04/30/2025

    Severity: Medium

    Summary

    Detects the use of the LOLBIN utility "createdump.exe" to capture process memory dumps.

    Indicators of Compromise (IOC) List

    Image:
    - '\createdump.exe'

    OriginalFileName:
    - 'FX_VER_INTERNALNAME_STR'

    CommandLine:
    - ' -u '
    - ' --full '
    - ' -f '
    - ' --name '
    - '.dmp '

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query:

    (resourcename = "Windows Security" AND eventtype = "4688") AND processname like "createdump.exe" AND commandline IN ("-u", "--full", "-f", "--name", ".dmp")

    Detection Query:

    technologygroup = "EDR" AND processname like "createdump.exe" AND commandline IN ("-u", "--full", "-f", "--name", ".dmp")
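    The two queries above express the rule in Gurucul's query language. As an added example that is not part of this article, of Gurucul's product, or of the referenced Sigma rule, the Python below applies the same indicators to process-creation records and reports which ones fire, so the AND between the image indicators and the command-line indicators can be checked against concrete input. Field names follow Sigma's process_creation convention (Image, OriginalFileName, CommandLine); it assumes the two image indicators are alternatives (either the file name on disk or the PE OriginalFileName identifies createdump, which is what lets the rule still fire on a renamed copy) and that at least one listed command-line fragment must be present. The sample records, their paths, PIDs and the runtime version directory are constructed for this example.

```python
# Added example (not Gurucul's or SigmaHQ's code): apply the createdump.exe
# indicators from the IOC list to process-creation records and return the
# ones the rule fires on. Field names follow Sigma's process_creation
# convention; all sample records below are constructed.

IMAGE_SUFFIX = "\\createdump.exe"
ORIGINAL_FILE_NAME = "FX_VER_INTERNALNAME_STR"
# Command-line fragments from the IOC list. The surrounding spaces are part of
# the indicators, so a switch only matches as a whole token.
CMDLINE_FRAGMENTS = (" -u ", " --full ", " -f ", " --name ", ".dmp ")


def image_matches(event: dict) -> bool:
    """Either indicator identifies createdump: the binary name on disk, or the
    PE OriginalFileName, which survives renaming the file on disk.
    (Assumption: the two image indicators are alternatives.)"""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    return image.lower().endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME


def commandline_matches(event: dict) -> bool:
    """True when the command line contains any of the dump-related fragments.
    The line is padded with one space on each side so a switch or .dmp path at
    the very end still matches the space-delimited indicator (a deliberate
    widening: the raw indicators require the trailing space to be present)."""
    padded = " " + event.get("CommandLine", "") + " "
    lowered = padded.lower()
    return any(fragment in lowered for fragment in CMDLINE_FRAGMENTS)


def matches_createdump_dump(event: dict) -> bool:
    """Both indicator groups must hold, mirroring the AND in the detection queries."""
    return image_matches(event) and commandline_matches(event)


def find_hits(events) -> list:
    """Return the Id of every record the rule fires on, in input order."""
    return [e["Id"] for e in events if matches_createdump_dump(e)]


# Constructed sample records (paths, PIDs and the runtime version directory are made up).
SAMPLE_EVENTS = [
    {   # Full dump of a .NET process written to a .dmp file: fires.
        "Id": 1, "EventID": 4688,
        "Image": "C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\8.0.4\\createdump.exe",
        "OriginalFileName": "FX_VER_INTERNALNAME_STR",
        "CommandLine": "createdump.exe --full --name C:\\Temp\\app.dmp 4120",
    },
    {   # Same binary, no dump switches: image matches, command line does not.
        "Id": 2, "EventID": 4688,
        "Image": "C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\8.0.4\\createdump.exe",
        "OriginalFileName": "FX_VER_INTERNALNAME_STR",
        "CommandLine": "createdump.exe 4120",
    },
    {   # Binary copied under another name: the path misses, OriginalFileName still identifies it.
        "Id": 3, "EventID": 4688,
        "Image": "C:\\Temp\\cd.exe",
        "OriginalFileName": "FX_VER_INTERNALNAME_STR",
        "CommandLine": "cd.exe -u -f C:\\Temp\\out.dmp 5100",
    },
    {   # Unrelated process whose argument ends in .dmp: command line matches, image does not.
        "Id": 4, "EventID": 4688,
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe C:\\Temp\\notes.dmp",
    },
]


if __name__ == "__main__":
    print("Rule fired on record Ids:", find_hits(SAMPLE_EVENTS))  # [1, 3]
```

    Records 2 and 4 show why both groups are required: a process-creation event for createdump.exe with no dump switches is ordinary tooling noise, and an unrelated program given a .dmp path should not fire on the command-line fragments alone. Record 3 shows what the OriginalFileName indicator buys a defender: the match does not depend on the file name on disk.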

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml


    Tags

    Sigma, Vulnerability, LOLBIN, CreateDump
