
Summary
This detection rule identifies the use of credential dumping tools, in particular mimikatz, which is widely used to extract user credentials on Windows systems. The rule analyzes events logged by the CrowdStrike endpoint detection sensor and looks for indicators that credential dumping is in progress. It triggers on process executions that match a predefined list of known credential dumping commands or tools. For example, if the mimikatz executable is run, the rule captures that event and records the relevant details, including timestamps, process IDs, command lines, and source IP addresses associated with the executing process. Additional conditions may be included to filter out false positives, so that only activity that genuinely indicates a credential theft attempt is flagged. The findings inform security analysts of potential credential breaches, allowing them to respond swiftly to mitigate damage.
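As an added illustration, not the rule's own code: a minimal Python matcher that applies the logic described above to constructed, CrowdStrike-style process events. The event field names (event_simpleName, ImageFileName, CommandLine, RawProcessId, timestamp, aip), the indicator list and the allow-listed path are assumptions made for this example.

```python
from datetime import datetime, timezone

# Assumed indicators. Only mimikatz is named on this page; a real rule would
# populate these from its own catalogue of credential dumping tools/commands.
DUMPING_IMAGES = {"mimikatz.exe"}
DUMPING_CMDLINE_FRAGMENTS = ("mimikatz",)

# Assumed false-positive filter: a constructed directory used by an authorised
# security-testing deployment. Hits from this path are suppressed.
ALLOWED_PATH_FRAGMENTS = ("\\program files\\approved-security-testing\\",)


def is_credential_dumping(event: dict) -> bool:
    """True when a process-execution event matches a known credential dumping tool."""
    if event.get("event_simpleName") != "ProcessRollup2":
        return False  # only process executions are in scope for this rule
    image = event.get("ImageFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    basename = image.rsplit("\\", 1)[-1]
    hit = basename in DUMPING_IMAGES or any(f in cmdline for f in DUMPING_CMDLINE_FRAGMENTS)
    # Additional condition to filter false positives (allow-listed location).
    if hit and any(p in image for p in ALLOWED_PATH_FRAGMENTS):
        return False
    return hit


def build_alert(event: dict) -> dict:
    """Capture the fields the rule records: timestamp, PID, command line, source IP."""
    # Assumed: timestamp is epoch milliseconds stored as a string, as in FDR exports.
    ts = datetime.fromtimestamp(int(event["timestamp"]) / 1000, tz=timezone.utc)
    return {
        "timestamp": ts.isoformat(),
        "pid": int(event["RawProcessId"]),
        "command_line": event["CommandLine"],
        "source_ip": event["aip"],
    }


def run_rule(events):
    """Apply the rule to a batch of events and return one alert per match."""
    return [build_alert(e) for e in events if is_credential_dumping(e)]


# Constructed sample events (not real telemetry): one true positive, one
# allow-listed execution, one benign process.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "timestamp": "1682899200000", "RawProcessId": "4812",
     "ImageFileName": "C:\\Users\\jdoe\\Downloads\\mimikatz.exe", "CommandLine": "mimikatz.exe",
     "aip": "10.0.0.25"},
    {"event_simpleName": "ProcessRollup2", "timestamp": "1682899260000", "RawProcessId": "5120",
     "ImageFileName": "C:\\Program Files\\Approved-Security-Testing\\mimikatz.exe",
     "CommandLine": "mimikatz.exe", "aip": "10.0.0.30"},
    {"event_simpleName": "ProcessRollup2", "timestamp": "1682899320000", "RawProcessId": "6001",
     "ImageFileName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
     "aip": "10.0.0.25"},
]
```

Running `run_rule(SAMPLE_EVENTS)` yields a single alert for the download-folder execution; the allow-listed and benign events produce none.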
Categories
- Endpoint
- Windows
- Network
Data Sources
- Process
- Sensor Health
- Application Log
- Logon Session
Created: 2023-05-01