
Summary
This detection rule identifies potential credential dumping attempts on a Windows system by monitoring process access to 'svchost.exe'. It triggers when a process opens 'svchost.exe' with the access rights associated with credential dumping, indicated by a 'GrantedAccess' value of '0x143a'. The selection criteria match events whose TargetImage path ends in '\svchost.exe' and whose GrantedAccess value equals that mask. Known benign processes such as 'services.exe' and 'msiexec.exe' are excluded through a filter to minimize false positives. This rule is critical for incident response: svchost.exe hosts many legitimate Windows services, and reading its memory can yield sensitive credentials that attackers leverage in broader attacks following initial compromise.
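The following is an added example, not part of the rule or its project, showing how the logic described above evaluates against Sysmon Event ID 10 (ProcessAccess) records. The field names SourceImage, TargetImage and GrantedAccess are Sysmon's; the assumption that the benign-process filter applies to the accessing process (SourceImage) and all sample events are constructed here for illustration. GrantedAccess is parsed as a hex integer rather than compared as a string, so '0x143A' and '0x143a' both match.

```python
"""Toy evaluation of the svchost.exe access rule over Sysmon Event ID 10 records.

Field names (SourceImage, TargetImage, GrantedAccess) are Sysmon's.
The events below are constructed sample data, not real telemetry.
"""
from typing import Optional

# Selection values taken from the rule summary.
TARGET_SUFFIX = "\\svchost.exe"
RULE_ACCESS = 0x143A
# Assumed: the benign-process filter is applied to the accessing process (SourceImage).
BENIGN_SOURCES = ("\\services.exe", "\\msiexec.exe")


def parse_access(value: str) -> Optional[int]:
    """Parse Sysmon's GrantedAccess string (e.g. '0x143A' or '0x143a') to an int."""
    try:
        return int(value, 16)
    except (TypeError, ValueError):
        return None


def matches(event: dict) -> bool:
    """Return True when the record satisfies 'selection and not filter'."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(TARGET_SUFFIX):
        return False
    if parse_access(event.get("GrantedAccess", "")) != RULE_ACCESS:
        return False
    source = event.get("SourceImage", "").lower()
    # Filter: known benign accessors are excluded to reduce false positives.
    return not source.endswith(BENIGN_SOURCES)


def detect(events):
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches(e)]


SAMPLE_EVENTS = [
    # constructed: services.exe opening svchost.exe with the flagged mask -> filtered out
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\services.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x143A"},
    # constructed: unknown binary from a temp directory -> alert
    {"EventID": 10, "SourceImage": "C:\\Temp\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x143a"},
    # constructed: same source, different access mask -> not this rule
    {"EventID": 10, "SourceImage": "C:\\Temp\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1000"},
    # constructed: same mask, different target -> not this rule
    {"EventID": 10, "SourceImage": "C:\\Temp\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x143A"},
    # constructed: msiexec.exe -> filtered out
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\msiexec.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x143a"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['SourceImage']} -> {hit['TargetImage']} ({hit['GrantedAccess']})")
```

Of the five constructed events only the second fires: the two excluded service hosts are filtered, the other masks and targets fall outside the selection. In a real deployment the filter list would be tuned to the environment's own legitimate accessors of svchost.exe.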
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
- Windows Registry
Created: 2021-04-30