
Summary
This detection rule targets adversary attempts to read credential material from the memory of the Local Security Authority Subsystem Service (LSASS) on Windows. Threat actors use tools such as Mimikatz and Dumpert for this, so the rule watches for processes that may dump LSASS memory. It relies on Windows event logs to spot suspicious LSASS access, specifically the process creation and handle duplication activity recorded under event IDs 4688 (New Process Creation), 4656 (Handle Created), and 4703 (Setting Parameter on a Handle). The rule aggregates these events and filters out benign activity by requiring that the process user is not a system account and that the process name matches certain patterns. It is designed to flag credential dumping attempts that may indicate attacks by threat actor groups named in industry reports, such as APT29 and FIN7. The rule applies to Windows environments and maps to MITRE ATT&CK, primarily T1003.001, which covers credential dumping from LSASS memory.
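The following is an added example, not the rule's own query: a small Python prototype of the filter-and-aggregate logic the summary describes, run over constructed Windows Security events. The event field names, the system-account list and the sample events are assumptions made for the illustration.

```python
"""Prototype of the LSASS-access filtering and aggregation described above.

Added example, not the rule's own query. Event dictionaries, field names and
the system-account list are assumptions chosen to resemble Windows Security
log fields; the sample events are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Event IDs the rule correlates (taken from the rule summary).
WATCHED_EVENT_IDS = {4688, 4656, 4703}

# Accounts treated as system accounts and excluded (assumed list; tune per environment).
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Name patterns: the tools the summary names, plus the LSASS image as an accessed object.
SUSPICIOUS_PATTERNS = re.compile(r"(mimikatz|dumpert|\\lsass\.exe$)", re.IGNORECASE)


def is_system_account(user: str) -> bool:
    """Machine accounts end in '$'; well-known service accounts are listed above."""
    return user.upper() in SYSTEM_ACCOUNTS or user.endswith("$")


def is_candidate(event: dict) -> bool:
    """Keep watched-ID events by a non-system user whose process/object name matches."""
    if event.get("EventID") not in WATCHED_EVENT_IDS:
        return False
    if is_system_account(event.get("SubjectUserName", "")):
        return False
    names = (event.get("NewProcessName", ""), event.get("ProcessName", ""), event.get("ObjectName", ""))
    return any(SUSPICIOUS_PATTERNS.search(n) for n in names)


def aggregate(events) -> dict:
    """Group candidate events by (host, user, process) and collect the event IDs seen."""
    groups = defaultdict(set)
    for ev in events:
        if is_candidate(ev):
            process = ev.get("NewProcessName") or ev.get("ProcessName", "")
            groups[(ev.get("Computer", ""), ev.get("SubjectUserName", ""), process)].add(ev["EventID"])
    return dict(groups)


# Constructed sample events: two hits on one process, one system-account exclusion, one non-match.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe", "NewProcessName": r"C:\Users\jdoe\mimikatz.exe"},
    {"EventID": 4656, "Computer": "WS01", "SubjectUserName": "jdoe", "ProcessName": r"C:\Users\jdoe\mimikatz.exe",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"},
    {"EventID": 4703, "Computer": "WS01", "SubjectUserName": "jdoe", "ProcessName": r"C:\Users\jdoe\mimikatz.exe"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "WS01$", "NewProcessName": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for key, ids in aggregate(SAMPLE_EVENTS).items():
        print(key, sorted(ids))
```

A single (host, user, process) group that accumulates several of the watched event IDs is the signal the rule is after; the system-account and non-matching events never enter a group.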
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1003.001
- T1003.004
Created: 2024-02-09