LSASS Access From Potentially White-Listed Processes

Sigma Rules

Summary
This detection rule identifies potential credential dumping from the LSASS (Local Security Authority Subsystem Service) process by white-listed processes. Attackers may use executables such as TrolleyExpress.exe to dump LSASS memory without triggering typical defenses like Microsoft Defender, which may ignore actions issued from known-good binaries. The rule monitors process access events for white-listed processes that open LSASS with the access rights commonly associated with credential dumps. Concretely, the logic matches events where the target image is lsass.exe, the source image is one of the listed white-listed executables, and the granted access mask is one that indicates a memory dump. Alerting on this combination lets security teams investigate potentially malicious activity that would otherwise be masked by the trusted reputation of the source application.
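The matching logic described above, applied to constructed Sysmon ProcessAccess (Event ID 10) records, as an added example rather than the Sigma rule's own code. The page names only TrolleyExpress.exe, so the white-list tuple holds just that entry, and the set of dump-style access masks is an assumption based on common LSASS-dump access rights.

```python
import ntpath

# Assumption: the page names only TrolleyExpress.exe; extend this tuple with
# the other known-good executables your copy of the rule lists.
WHITELISTED_IMAGES = ("trolleyexpress.exe",)

# Assumption: GrantedAccess masks typically seen when LSASS memory is dumped
# (e.g. 0x1fffff = PROCESS_ALL_ACCESS, 0x1010 = VM_READ | QUERY_INFORMATION).
DUMP_ACCESS_MASKS = {
    "0x1fffff", "0x1010", "0x1438", "0x143a", "0x1418",
    "0x1f0fff", "0x1f1fff", "0x1f2fff", "0x1f3fff",
}


def matches_rule(event: dict) -> bool:
    """True when lsass.exe is opened by a white-listed source image with a
    dump-style access mask; all three conditions must hold."""
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    source = ntpath.basename(event.get("SourceImage", "")).lower()
    access = event.get("GrantedAccess", "").lower()
    return (target == "lsass.exe"
            and source in WHITELISTED_IMAGES
            and access in DUMP_ACCESS_MASKS)


def detect(events):
    """Return the subset of ProcessAccess events that should raise an alert."""
    return [e for e in events if e.get("EventID") == 10 and matches_rule(e)]


# Constructed sample telemetry (not real log data): only the first record
# satisfies target, source and access-mask conditions at once.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Tools\TrolleyExpress.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Tools\TrolleyExpress.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Tools\TrolleyExpress.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit["SourceImage"], "->", hit["TargetImage"], hit["GrantedAccess"])
```

The last sample record shows why the access mask is part of the condition: a white-listed process querying LSASS with a benign mask does not fire.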
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
Created: 2022-02-10