Potential LSASS Process Dump Via Procdump

Sigma Rules

Summary
This detection rule identifies suspicious use of the Sysinternals Procdump utility, specifically instances where it is used to dump the memory of the lsass.exe process. Such activity is commonly linked to credential dumping, where attackers extract sensitive material from the Local Security Authority Subsystem Service (LSASS). The rule also covers cases where the attacker has renamed the Procdump executable: rather than relying on the image name, it monitors command line arguments, in particular the '-ma' flag, which requests a full memory dump. This lets defenders catch the activity even when attackers use evasive tactics. For a detection to fire, the command line must contain both 'ls' (matching 'lsass.exe') and the '-ma' option, confirming that the command is a full dump aimed at LSASS. Given the potential harm of exposing sensitive system data, the rule's level is classified as high, making it a priority for frontline defense against credential access techniques.
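The following is an added example, not the Sigma rule itself or code from the rule's authors. It re-implements the command line logic described above in Python and runs it over a handful of constructed process-creation events, so the behaviour of the two-token check (including the renamed-binary case) can be seen directly. The exact substrings (`" -ma "` and `" ls"`), the Sysmon-style field names `Image` and `CommandLine`, and the sample events are assumptions made for this illustration.

```python
"""Added example: command-line based detection of LSASS dumps via Procdump,
mirroring the logic the page describes (both '-ma' and 'ls' must be present
in the process command line, regardless of the image name)."""
from typing import Iterable

# Assumption: substrings approximating the rule's CommandLine|contains|all
# list. Surrounding spaces keep '-ma' from matching inside longer words.
REQUIRED_TOKENS = (" -ma ", " ls")


def is_lsass_procdump(command_line: str) -> bool:
    """Return True when every required token appears, case-insensitively."""
    # Pad with spaces so tokens at the very start/end of the line still match.
    cl = f" {command_line.strip()} ".lower()
    return all(tok in cl for tok in REQUIRED_TOKENS)


def scan(events: Iterable[dict]) -> list[dict]:
    """Run the detection over process-creation events (Sysmon Event ID 1
    style field names 'Image' and 'CommandLine'). Returns the matching
    events, annotated with rule name, level and whether the image name is
    something other than the stock Procdump binary names."""
    hits = []
    for ev in events:
        if not is_lsass_procdump(ev.get("CommandLine", "")):
            continue
        image_name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        hits.append({
            **ev,
            "rule": "Potential LSASS Process Dump Via Procdump",
            "level": "high",
            # Assumption: stock binary names; anything else is treated as renamed.
            "renamed_binary": image_name not in ("procdump.exe", "procdump64.exe"),
        })
    return hits


# Constructed telemetry for the example, not real logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\Temp\out.dmp"},
    # Same command with the binary renamed: the image name no longer helps.
    {"Image": r"C:\Users\Public\svc.exe",
     "CommandLine": r"svc.exe -ma lsass.exe C:\Users\Public\1.dmp"},
    # Full dump of a different process: '-ma' present, 'ls' absent.
    {"Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -ma notepad.exe notepad.dmp"},
    # Unrelated command: neither token present.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Tools"},
    # Benign-looking target whose name also starts with 'ls': still matches.
    {"Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -ma lsm.exe lsm.dmp"},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        flag = "renamed binary" if hit["renamed_binary"] else "stock name"
        print(f'[{hit["level"]}] {hit["Image"]} ({flag}) | {hit["CommandLine"]}')
```

Running the script flags the first, second and fifth events. The second hit shows why the rule keys on the command line rather than the image path: the renamed copy is caught by the same two tokens. The fifth hit shows the cost of the short `ls` token, which also matches other process names beginning with those letters, so a deployment will normally want to review such hits or allowlist known administrative use rather than loosen the rule.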
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Process
Created: 2018-10-30