
Summary
This detection rule is designed to identify the execution of Mimikatz, a well-known tool used for dumping credentials from memory, targeting plaintext passwords, password hashes, PIN codes, and Kerberos tickets. The rule searches for specific keywords typically associated with Mimikatz usage, contributing to the detection of actions performed by various threat actor groups, including advanced persistent threats (APTs) and ransomware actors such as Alloy Taurus, APT10, and LockBit, among others. Specific Mimikatz commands, such as `sekurlsa::logonpasswords`, `sekurlsa::pth`, and `lsadump::lsa`, are parsed from the endpoint data gathered in the Splunk EDR logs. The logic aggregates endpoint data where these keywords appear within the process command-line parameters, allowing security teams to monitor and respond to malicious credential access attempts efficiently. This rule falls under the credential access techniques T1003 (Credential Dumping) and T1552 (Unsecured Credentials), which describe the unauthorized credential access it is meant to surface.
Categories
- Endpoint
- Windows
Data Sources
- Process
- User Account
- File
ATT&CK Techniques
- T1003.001
- T1550.002
- T1552
- T1003
Created: 2024-02-09