Potential Credential Dumping Attempt Via PowerShell Remote Thread

Summary
This detection rule identifies potential credential dumping attempts via PowerShell by monitoring remote thread creation into the Windows Local Security Authority Subsystem Service (lsass.exe). It triggers when a PowerShell process (powershell.exe or pwsh.exe) creates a thread in lsass.exe, a process attackers frequently target to extract sensitive information such as credentials. The rule is rated high severity because of the critical role lsass.exe plays in authentication. The detection logic compares the source and target images recorded in the thread-creation event. False positives are possible, but none have been documented yet. The rule was developed by oscd.community and addresses credential-access activity, specifically that mapped to MITRE ATT&CK technique T1003.001. It helps security teams proactively hunt for malicious use of PowerShell, strengthening the overall security posture of Windows environments.
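The following is an added example, not the rule's own file or code from oscd.community. It replays the source-image/target-image condition described above over constructed Sysmon Event ID 8 (CreateRemoteThread) records; the field names SourceImage/TargetImage, the dataclass and the sample paths are assumptions made for the illustration.

```python
# Added example: detection logic for "PowerShell creates a remote thread in lsass.exe"
# run over constructed Sysmon Event ID 8 records. Not the Sigma rule's own code.
from dataclasses import dataclass

# Suffix matching mirrors the rule's condition on the source and target images.
SOURCE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
TARGET_SUFFIXES = ("\\lsass.exe",)


@dataclass(frozen=True)
class RemoteThreadEvent:
    """Minimal view of a Sysmon Event ID 8 record (constructed, not captured)."""
    record_id: int
    source_image: str   # assumed to carry Sysmon's SourceImage field
    target_image: str   # assumed to carry Sysmon's TargetImage field


def _endswith_any(value: str, suffixes: tuple) -> bool:
    # Sigma string modifiers are case-insensitive by default, so normalise first.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event: RemoteThreadEvent) -> bool:
    """True when a PowerShell host process created a thread inside lsass.exe."""
    return _endswith_any(event.source_image, SOURCE_SUFFIXES) and _endswith_any(
        event.target_image, TARGET_SUFFIXES
    )


def find_alerts(events):
    """Return the record ids of events that satisfy the rule, in input order."""
    return [e.record_id for e in events if matches_rule(e)]


# Constructed sample telemetry: records 1 and 2 should alert, 3 and 4 should not.
SAMPLE_EVENTS = [
    RemoteThreadEvent(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\lsass.exe"),
    RemoteThreadEvent(2, r"C:\Program Files\PowerShell\7\pwsh.exe", r"C:\WINDOWS\system32\LSASS.EXE"),
    RemoteThreadEvent(3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe"),
    RemoteThreadEvent(4, r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    print("alerting record ids:", find_alerts(SAMPLE_EVENTS))  # [1, 2]
```

Record 2 shows why the comparison is case-folded: Sysmon may log the image path with different casing than the rule string, and a case-sensitive match would silently miss it.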
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2020-10-06