pypykatz commands

Anvilogic Forge

Summary
This detection rule identifies use of pypykatz, a Python implementation of the well-known Mimikatz credential-dumping utility. It looks for command-line parameters typically associated with pypykatz, whose presence suggests credential theft activity. The detection logic is based on Windows security events, specifically Event ID 4688, which logs process creation. The rule aggregates event attributes such as event time, host, user, and the command-line arguments of the created process, and matches them against a series of search terms that reflect typical credential storage and access activity. The intent is to capture any invocation of pypykatz, or commands related to credential-dumping techniques, aligned with the MITRE ATT&CK framework, especially T1003 (OS Credential Dumping). The detection also covers related attacker techniques, including dumping LSASS memory, which is indicative of a capable adversary.
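The following is an added illustration of the detection approach described above; it is not the Anvilogic Forge rule itself. It parses constructed Event ID 4688 records, matches the process name and command line against an assumed list of search terms (the original rule's exact term list is not shown on this page), filters out the legitimate LSASS binary so that the term "lsass" alone does not fire on normal process creation, and emits the aggregated attributes the summary names (event time, host, user, command line) together with an assumed ATT&CK mapping.

```python
"""Illustrative pypykatz / credential-dumping detector over Windows 4688 records.

Added example, not the Anvilogic Forge rule. The search terms, the record
format, the allowlist and the sample events below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed search terms; the rule's real term list is not shown on the page.
SEARCH_TERMS = ("pypykatz", "lsass", "minidump", "dpapi")

# Assumed allowlist: the genuine LSASS binary legitimately appears in 4688 at boot
# and would otherwise match the "lsass" term on its own process name.
ALLOWLISTED_PROCESSES = {r"c:\windows\system32\lsass.exe"}

# Terms that indicate LSASS memory access (assumed mapping to T1003.001).
LSASS_TERMS = ("lsass", "minidump")


@dataclass
class Event4688:
    event_time: str
    host: str
    user: str
    new_process_name: str
    command_line: str


def parse_4688(line: str) -> Event4688:
    """Parse one flattened 4688 record in the constructed 'Key=Value|Key=Value' form."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return Event4688(
        event_time=fields["EventTime"],
        host=fields["Computer"],
        user=fields["SubjectUserName"],
        new_process_name=fields["NewProcessName"],
        command_line=fields.get("CommandLine", ""),
    )


def matched_terms(ev: Event4688) -> list:
    """Return the search terms found in the process name or command line (case-insensitive)."""
    haystack = f"{ev.new_process_name} {ev.command_line}".lower()
    return [term for term in SEARCH_TERMS if term in haystack]


def technique_for(terms) -> str:
    """Assumed mapping: LSASS-related terms -> T1003.001, otherwise the parent T1003."""
    return "T1003.001" if any(t in LSASS_TERMS for t in terms) else "T1003"


def detect(lines) -> list:
    """Aggregate matching events into the attributes the rule reports."""
    hits = []
    for line in lines:
        ev = parse_4688(line)
        if ev.new_process_name.lower() in ALLOWLISTED_PROCESSES:
            continue  # legitimate LSASS binary; not a dumping tool
        terms = matched_terms(ev)
        if terms:
            hits.append({
                "event_time": ev.event_time,
                "host": ev.host,
                "user": ev.user,
                "process": ev.new_process_name,
                "command_line": ev.command_line,
                "matched_terms": terms,
                "technique": technique_for(terms),
            })
    return hits


# Constructed sample 4688 records (not real telemetry).
SAMPLE_EVENTS = [
    r"EventTime=2024-02-09T10:00:01Z|Computer=WS01|SubjectUserName=alice"
    r"|NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe Get-Process",
    r"EventTime=2024-02-09T10:02:17Z|Computer=WS01|SubjectUserName=alice"
    r"|NewProcessName=C:\Python311\python.exe"
    r"|CommandLine=python.exe -m pypykatz lsa minidump C:\Users\Public\lsass.dmp",
    r"EventTime=2024-02-09T08:00:00Z|Computer=WS01|SubjectUserName=SYSTEM"
    r"|NewProcessName=C:\Windows\System32\lsass.exe"
    r"|CommandLine=C:\Windows\system32\lsass.exe",
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Only the second sample record produces an alert; the benign PowerShell record matches no term, and the boot-time LSASS record is dropped by the allowlist rather than by the term list, which is the tuning step that keeps a term like "lsass" usable without flooding analysts.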
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1003.001
  • T1003.002
  • T1003
Created: 2024-02-09