
Summary
This detection rule identifies potential credential dumping by monitoring PowerShell activity for command lines and script blocks that reference '.dmp' files, a common artifact of attempts to obtain login material such as password hashes or plaintext credentials from process memory. The rule triggers on Windows PowerShell operational log EventCodes 4103 (module logging, which records pipeline execution details) and 4104 (script block logging, which records the text of executed script blocks). The detection logic uses Splunk to extract the relevant command-line and script-block fields, applies a regular expression to keep only entries that reference a .dmp file, and uses field extractions to format the output. Threat actors associated with this behaviour include Cadet Blizzard, Redfly, Akira, Black Basta, LockBit, Quantum, Rhysida, and Vice Society, which underlines the risk posed by capable adversaries in the credential-access domain. The rule relies primarily on PowerShell logs and process command-line parameters. Because legitimate crash dumps and debugging workflows also produce .dmp files, analysts should confirm the process being dumped (for example lsass.exe) and the originating user and host before escalating a hit.
Categories
- Windows
- Endpoint
- Cloud
Data Sources
- Process
- Script
- Application Log
ATT&CK Techniques
- T1003
Created: 2024-02-09