
Summary
This detection rule identifies potential password dumping activity targeting the Local Security Authority Subsystem Service (LSASS) process on Windows systems. LSASS enforces the security policy on the system, so unauthorized access to it often signals an attempt to extract sensitive information such as user passwords. The rule looks for Event ID 4656, which records a process requesting a handle to an object, in this case LSASS. The criteria are a ProcessName ending in 'lsass.exe', an AccessMask of '0x705', and an ObjectType of 'SAM_DOMAIN'. This combination indicates that a process is trying to access LSA secrets, which is typically a sign of credential theft. Given the critical role of LSASS in system security, the rule is rated high severity because of the potential impact of successful password dumping.
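To make the four criteria concrete, the following Python is an added example (not the rule's own source) that applies them to constructed Event 4656 records and decodes the 0x705 mask with the SAM domain access rights defined in MS-SAMR; field names (EventID, ProcessName, AccessMask, ObjectType) follow the Windows Security log layout, and the sample events are constructed, not real telemetry.

```python
from typing import Dict, Iterable, List

# SAM domain-object access rights (MS-SAMR Domain ACCESS_MASK). Used here only
# to explain what a 0x705 request asks for; the rule itself compares the raw mask.
SAM_DOMAIN_RIGHTS = {
    0x001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x010: "DOMAIN_CREATE_USER",
    0x020: "DOMAIN_CREATE_GROUP",
    0x040: "DOMAIN_CREATE_ALIAS",
    0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x100: "DOMAIN_LIST_ACCOUNTS",
    0x200: "DOMAIN_LOOKUP",
    0x400: "DOMAIN_ADMINISTER_SERVER",
}


def decode_access_mask(mask: str) -> List[str]:
    """Name the domain rights set in a hex mask string such as '0x705'."""
    value = int(mask, 16)
    return [name for bit, name in SAM_DOMAIN_RIGHTS.items() if value & bit]


def matches_rule(event: Dict[str, object]) -> bool:
    """All four criteria must hold. Missing fields never match, and the string
    fields compare case-insensitively because Windows paths are."""
    return (
        event.get("EventID") == 4656
        and str(event.get("ProcessName", "")).lower().endswith("lsass.exe")
        and str(event.get("AccessMask", "")).lower() == "0x705"
        and str(event.get("ObjectType", "")).upper() == "SAM_DOMAIN"
    )


def find_hits(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that trip the rule, in log order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample log (not real telemetry): one true hit plus near-misses
# that a looser rule keyed on event ID or process name alone would flag.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 4656, "ProcessName": LSASS, "AccessMask": "0x705", "ObjectType": "SAM_DOMAIN"},
    {"EventID": 4656, "ProcessName": LSASS, "AccessMask": "0x705", "ObjectType": "SAM_USER"},
    {"EventID": 4656, "ProcessName": LSASS, "AccessMask": "0x200", "ObjectType": "SAM_DOMAIN"},
    {"EventID": 4663, "ProcessName": LSASS, "AccessMask": "0x705", "ObjectType": "SAM_DOMAIN"},
]
```

Only the first sample record trips the rule; the other three each fail exactly one criterion. Decoding 0x705 shows the request combines DOMAIN_LOOKUP, DOMAIN_LIST_ACCOUNTS and DOMAIN_ADMINISTER_SERVER with the two read rights, which is why the mask is a useful discriminator alongside the SAM_DOMAIN object type.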
Categories
- Windows
- Endpoint
Data Sources
- Process
- Logon Session
- Active Directory
Created: 2017-02-12