LSASS Process Memory Dump Creation Via Taskmgr.EXE

Sigma Rules

Summary
This detection rule identifies and alerts on the creation of a memory dump file from the LSASS (Local Security Authority Subsystem Service) process via the Windows Task Manager (`taskmgr.exe`). The detection focuses specifically on files named `lsass.dmp` within the `\temp\files` directory. Dumping LSASS memory can indicate credential theft, since LSASS holds sensitive security material such as user logon credentials and password hashes. Restricting the match to Task Manager running from standard Windows directories aims to minimize false positives from legitimate use, although administrative actions may still trigger alerts in rare circumstances. Affected environments should prioritize investigating such alerts because of their association with malicious behavior.
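To make the detection logic concrete, here is an added example (not the Sigma rule itself, nor code from the rule's author) that evaluates Sysmon-style file-creation records against the criteria the summary describes: a file-create event whose creating image is `taskmgr.exe` under a standard Windows directory and whose target file is `lsass.dmp` inside a Temp path. The field names `Image` and `TargetFilename` follow Sysmon Event ID 11; the Windows directory prefixes and the sample events are assumptions constructed for the example, and the path check generalizes slightly to any `\temp\` component rather than only the one subdirectory named above.

```python
from typing import Dict, List

# Constructed Sysmon-style file-creation events (Event ID 11 fields).
# These are illustrative records, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Task Manager writing an LSASS dump into the user's Temp folder (should alert)
    {"EventID": 11,
     "Image": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\lsass.DMP"},
    # Task Manager dumping a different process (benign, should not alert)
    {"EventID": 11,
     "Image": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\notepad.DMP"},
    # lsass.dmp written by something other than Task Manager (out of scope here)
    {"EventID": 11,
     "Image": "C:\\Program Files\\Vendor\\backup.exe",
     "TargetFilename": "C:\\Temp\\files\\lsass.dmp"},
    # A process-creation event, not a file-creation event
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetFilename": ""},
]

# Assumed "standard Windows directories" for the Task Manager binary.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def matches_rule(event: Dict[str, object]) -> bool:
    """Return True when a file-creation event matches the described detection.

    Comparisons are lower-cased because Windows paths are case-insensitive
    and Task Manager writes the dump with an upper-case .DMP extension.
    """
    if event.get("EventID") != 11:          # only Sysmon file-create events
        return False
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()

    if not image.endswith("\\taskmgr.exe"):  # creating process is Task Manager
        return False
    if not image.startswith(WINDOWS_DIRS):   # running from a Windows directory
        return False
    if "\\temp\\" not in target:             # dump landed in a Temp path
        return False
    return target.endswith("\\lsass.dmp")    # and the file is lsass.dmp


def find_alerts(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Filter a batch of events down to those that should raise this alert."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT: LSASS dump via Task Manager ->", hit["TargetFilename"])
```

Only the first sample record fires; the third record (an `lsass.dmp` written by a non-Task-Manager binary) is deliberately outside this rule's scope and would need separate coverage.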
Categories
  • Windows
  • Endpoint
Data Sources
  • File
ATT&CK Techniques
  • T1003.001
Created: 2023-10-19