
Summary
This detection rule identifies suspicious modules loaded by the Local Security Authority Subsystem Service (LSASS) on Windows hosts. LSASS enforces the local security policy and handles user logons, so it holds credential material in memory. One common technique is to get an untrusted or unsigned Dynamic Link Library (DLL) loaded into the lsass.exe process (for example as a Security Support Provider), which gives the attacker code execution inside LSASS and access to the credentials it holds, including plaintext passwords and PINs. The rule monitors image-load events (such as Sysmon Event ID 7) for DLLs loaded into lsass.exe and explicitly filters out modules carrying a valid signature from established vendors, so that only anomalous loads that may indicate credential dumping remain. A DLL that is unsigned, has an invalid signature, or is signed by a publisher outside the trusted set raises a high-severity alert, because a foreign module in LSASS is a strong indicator of attempted credential theft; it is not proof on its own, since legitimately unsigned third-party security or authentication products exist. Investigative steps include verifying the DLL's signature and integrity, cross-referencing its hashes with threat intelligence, checking where on disk it was loaded from, and reviewing process activity around the time of the load.
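The following is an added worked example, not the rule's own query or code, showing the filtering logic described above applied to constructed Sysmon Event ID 7 (image load) records. The trusted-signer allowlist, the event records and the DLL paths are assumptions made for the example; the Sysmon field names (Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are real.

```python
"""Flag non-allowlisted DLLs loaded into lsass.exe from Sysmon Event ID 7 records.

Added example: the allowlist, records and paths below are constructed for
illustration and are not the detection rule's actual content.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed allowlist of publishers whose *validly signed* modules are filtered
# out. A real rule would carry the vendor list it actually trusts.
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Corporation",
    "Microsoft Windows Publisher",
}


@dataclass
class Finding:
    image_loaded: str
    signature: str
    signature_status: str
    sha256: str
    reason: str


def _sha256_from_hashes(hashes: str) -> str:
    """Extract the SHA256 value from Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", hashes)
    return m.group(1).lower() if m else ""


def evaluate(record: dict) -> Finding | None:
    """Return a Finding if this record is a suspicious load into lsass.exe, else None."""
    if record.get("EventID") != 7:
        return None
    # Only the LSASS process itself is in scope; compare case-insensitively.
    if not record.get("Image", "").lower().endswith("\\lsass.exe"):
        return None
    signed = record.get("Signed", "false").lower() == "true"
    status = record.get("SignatureStatus", "")
    signer = record.get("Signature", "")
    # Filter out only modules whose signature actually validated AND whose
    # publisher is allowlisted. A signer name alone is not enough: a broken or
    # unverifiable signature must not be treated as trusted.
    if signed and status == "Valid" and signer in TRUSTED_SIGNERS:
        return None
    if not signed:
        reason = "unsigned DLL loaded into lsass.exe"
    elif status != "Valid":
        reason = f"signature status {status!r} for signer {signer!r}"
    else:
        reason = f"signer {signer!r} not in trusted allowlist"
    return Finding(
        image_loaded=record.get("ImageLoaded", ""),
        signature=signer,
        signature_status=status,
        sha256=_sha256_from_hashes(record.get("Hashes", "")),
        reason=reason,
    )


def run(records: list[dict]) -> list[Finding]:
    """Evaluate every record and return the findings in log order."""
    return [f for f in (evaluate(r) for r in records) if f is not None]


# Constructed sample events (not real telemetry). Hashes are placeholders.
SAMPLE_EVENTS = [
    {   # Normal: Windows-signed system DLL loaded by LSASS -> filtered out
        "EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "Hashes": "SHA256=" + "11" * 32, "Signed": "true",
        "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # Unsigned DLL from a user-writable directory loaded by LSASS -> alert
        "EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
        "ImageLoaded": r"C:\Users\Public\ssp.dll",
        "Hashes": "SHA256=" + "ab" * 32, "Signed": "false",
        "Signature": "-", "SignatureStatus": "Unavailable",
    },
    {   # Unsigned DLL loaded by a different process -> out of scope
        "EventID": 7, "Image": r"C:\Windows\explorer.exe",
        "ImageLoaded": r"C:\Users\Public\ssp.dll",
        "Hashes": "SHA256=" + "ab" * 32, "Signed": "false",
        "Signature": "-", "SignatureStatus": "Unavailable",
    },
    {   # Validly signed, but by a publisher outside the allowlist -> alert
        "EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
        "ImageLoaded": r"C:\Program Files\Contoso\auth.dll",
        "Hashes": "SHA256=" + "cd" * 32, "Signed": "true",
        "Signature": "Contoso Ltd", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(f"[HIGH] {finding.image_loaded}: {finding.reason} (sha256={finding.sha256})")
```

The third record shows why the process filter matters: the same unsigned DLL is benign noise when loaded by explorer.exe and an alert when loaded by lsass.exe. The fourth shows that "signed" is not the same as "trusted": an allowlist keyed only on the Signed flag would miss it, and an allowlist keyed only on the signer string without checking SignatureStatus would be trivially bypassable. The sha256 carried in each finding is what you cross-reference against threat intelligence during triage.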
Categories
- Endpoint
- Windows
- Identity Management
Data Sources
- Process
- Logon Session
- Network Traffic
ATT&CK Techniques
- T1003
- T1003.001
Created: 2022-12-28