HackTool - HandleKatz Duplicating LSASS Handle

Sigma Rules

Summary
This detection rule identifies use of the HandleKatz tool, which attackers employ to duplicate a handle to the Local Security Authority Subsystem Service (LSASS) process on Windows systems in order to dump its memory. The rule targets process access events against lsass.exe and checks for the granted access mask 0x1440, which corresponds to the access rights an attacker would need to perform this action. It additionally looks for traces within the call stack that are characteristic of HandleKatz, including calls originating from ntdll.dll. False positives may occur, but the specific cases are currently unknown. The rule acts as an important alert mechanism for monitoring potentially malicious activity targeting LSASS, a critical security component of Windows.
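As an added illustration (not the Sigma rule file itself or its authors' code), the conditions listed in the summary applied to constructed Sysmon Event ID 10 records. The field names follow Sysmon's process-access event; the flattened `Key=Value` line format, the sample paths and the trace offsets are assumptions of this example.

```python
from typing import Dict, List

# Windows process access rights whose union is the 0x1440 mask named in the rule.
ACCESS_RIGHTS = {
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
HANDLEKATZ_MASK = 0x1440  # 0x40 | 0x400 | 0x1000

def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened Sysmon Event ID 10 record ('Key=Value' pairs joined by ' | ')."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def describe_access(mask: int) -> List[str]:
    """Name the known access-right bits set in a GrantedAccess mask (analyst context)."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]

def is_handlekatz_like(event: Dict[str, str]) -> bool:
    """Apply the conditions the summary describes: lsass.exe as target,
    GrantedAccess exactly 0x1440, and a call trace passing through ntdll.dll."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    if granted != HANDLEKATZ_MASK:
        return False
    return "ntdll.dll" in event.get("CallTrace", "").lower()

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the detection logic."""
    return [e for e in (parse_event(l) for l in lines) if is_handlekatz_like(e)]

# Constructed sample events (not real telemetry): a benign limited-rights query by
# svchost.exe, the suspicious 0x1440 access to lsass.exe, and 0x1440 to a non-LSASS target.
SAMPLE_EVENTS = [
    r"EventID=10 | SourceImage=C:\Windows\System32\svchost.exe | TargetImage=C:\Windows\System32\lsass.exe | GrantedAccess=0x1000 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\KERNELBASE.dll+2f2f3",
    r"EventID=10 | SourceImage=C:\Users\admin\Desktop\update.exe | TargetImage=C:\Windows\System32\lsass.exe | GrantedAccess=0x1440 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4e4|UNKNOWN(000001E2B3C50000)",
    r"EventID=10 | SourceImage=C:\Users\admin\Desktop\update.exe | TargetImage=C:\Windows\explorer.exe | GrantedAccess=0x1440 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4e4|UNKNOWN(000001E2B3C50000)",
]
```

Only the second constructed event matches; `describe_access` shows why 0x1440 is significant, since it carries PROCESS_DUP_HANDLE alongside the two query rights.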
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
Created: 2022-06-27