
Summary
This rule detects unauthorized access attempts to the Local Security Authority Subsystem Service (LSASS) through specific Windows API calls, focusing primarily on credential dumping activity. LSASS is a critical Windows process responsible for enforcing security policies and managing user authentication. The rule looks for calls to OpenProcess and OpenThread that target the lsass.exe process, which adversaries commonly use to gain access to memory containing sensitive credentials.
The rule is written in EQL (Event Query Language) and monitors Elastic's endpoint API event data. It applies to hosts running Windows operating systems.
Additionally, the rule includes several investigative steps for security analysts, such as assessing the process execution tree of the LSASS access attempts, validating the legitimacy of the process executables, and examining DNS and registry activity for anomalies. It advises checking for previous access patterns and evaluating the security attributes of the processes involved. It also provides guidance on incident response steps to follow once malicious activity is confirmed, including isolating affected hosts and conducting a thorough investigation for further threats.
Overall, this detection rule is essential for identifying potential credential theft attempts, allowing organizations to respond promptly to possible security breaches.
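The following is an added example, not the rule's own EQL or any Elastic code: a small Python matcher that mirrors the detection logic described above (OpenProcess or OpenThread calls targeting lsass.exe on a Windows host) and runs it over constructed endpoint API events. The field names (host_os, api_name, caller_image, target_image) and the sample events are assumptions made for this illustration, not the rule's actual field names or real telemetry. The helper that groups hits by calling executable supports the first investigative step, reviewing which processes attempted the access.

```python
"""Illustrative LSASS access matcher (added example; not the detection rule's code).

Field names and sample events below are constructed for this illustration and
do not reflect the exact schema used by the real rule.
"""
from collections import Counter
from dataclasses import dataclass

# API calls the summary names as the ones adversaries use to reach LSASS memory.
SENSITIVE_APIS = {"OpenProcess", "OpenThread"}
TARGET_IMAGE = "lsass.exe"


@dataclass(frozen=True)
class ApiEvent:
    host_os: str        # assumed field: operating system of the reporting host
    api_name: str       # assumed field: Windows API that was called
    caller_image: str   # assumed field: full path of the calling executable
    target_image: str   # assumed field: image name of the process being opened


def matches_lsass_access(event: ApiEvent) -> bool:
    """True when the event matches the rule's three conditions:
    Windows host, sensitive API, and lsass.exe as the target."""
    return (
        event.host_os.lower() == "windows"
        and event.api_name in SENSITIVE_APIS
        and event.target_image.lower() == TARGET_IMAGE
    )


def detect(events: list[ApiEvent]) -> list[ApiEvent]:
    """Return every event the rule would alert on, in input order."""
    return [ev for ev in events if matches_lsass_access(ev)]


def callers_by_count(hits: list[ApiEvent]) -> dict[str, int]:
    """Group alerts by calling executable so an analyst can validate each
    caller's legitimacy (the summary's first investigative step)."""
    return dict(Counter(ev.caller_image for ev in hits))


# Constructed sample events covering both a match and each non-match condition.
SAMPLE_EVENTS = [
    # Matches: unknown binary in a temp directory opening lsass.exe.
    ApiEvent("windows", "OpenProcess",
             r"C:\Users\bob\AppData\Local\Temp\dump.exe", "lsass.exe"),
    # Matches: a system binary also trips the rule; the analyst must validate it.
    ApiEvent("windows", "OpenThread",
             r"C:\Windows\System32\svchost.exe", "lsass.exe"),
    # No match: sensitive API but a different target process.
    ApiEvent("windows", "OpenProcess",
             r"C:\Windows\explorer.exe", "notepad.exe"),
    # No match: the rule applies only to Windows hosts.
    ApiEvent("linux", "OpenProcess", "/usr/bin/python3", "lsass.exe"),
    # No match: an API the rule does not look for.
    ApiEvent("windows", "ReadProcessMemory",
             r"C:\Windows\System32\taskmgr.exe", "lsass.exe"),
]


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for ev in hits:
        print(f"ALERT {ev.api_name:<12} {ev.caller_image} -> {ev.target_image}")
    print("callers:", callers_by_count(hits))
```

Running the block prints two alerts and a per-caller count. The second alert shows why the rule's investigative steps matter: the API pattern alone does not distinguish a legitimate system component from an attacker tool, so the execution tree and the executable's security attributes still have to be checked before responding.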
Categories
- Windows
- Endpoint
- On-Premise
- Cloud
- Identity Management
Data Sources
- Process
- Network Share
- User Account
- Application Log
- Network Traffic
ATT&CK Techniques
- T1003.001
- T1003
- T1106
Created: 2023-03-02