Command Line lsass request

Anvilogic Forge

Summary
This rule detects potential credential theft by monitoring command-line interaction with the Local Security Authority Subsystem Service (lsass.exe). It flags events in which lsass is invoked from powershell.exe or cmd.exe, since threat actors commonly use these shells when dumping credentials. The rule is associated with the threat actors Alloy Taurus/Gallium and Cadet Blizzard and with the Blackcat/ALPHV and Clop malware families. It maps to MITRE ATT&CK T1003 (OS Credential Dumping). The accompanying Splunk logic pulls endpoint process records in which lsass is called and presents them in a structured format for analysis. Because lsass.exe holds credential material in memory, monitoring access to it is a high-value control against credential theft.
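The detection logic described above, run over sample process-creation events, as an added example that is not part of the Anvilogic rule or its Splunk search. It assumes Sysmon Event ID 1 style records (Windows Security 4688 carries the same fields under different names) and reads the rule as: parent image is cmd.exe or powershell.exe and the child's command line mentions lsass. The log lines, host name, user and PIDs are constructed for the example.

```python
import json
import re
from pathlib import PureWindowsPath
from typing import Iterable

# Constructed Sysmon Event ID 1 (process creation) records, one JSON object per
# line. These are made-up sample events, not data from Anvilogic or a real host.
SAMPLE_LOG = r"""
{"UtcTime": "2024-02-09 10:01:02.100", "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM", "ProcessId": 624, "Image": "C:\\Windows\\System32\\lsass.exe", "CommandLine": "C:\\Windows\\system32\\lsass.exe", "ParentImage": "C:\\Windows\\System32\\wininit.exe"}
{"UtcTime": "2024-02-09 10:15:33.412", "Computer": "WS01", "User": "CORP\\jdoe", "ProcessId": 5120, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Windows\\Temp\\lsass.dmp full", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2024-02-09 10:15:40.009", "Computer": "WS01", "User": "CORP\\jdoe", "ProcessId": 5188, "Image": "C:\\Windows\\System32\\tasklist.exe", "CommandLine": "tasklist /fi \"imagename eq lsass.exe\"", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"UtcTime": "2024-02-09 10:16:01.555", "Computer": "WS01", "User": "CORP\\jdoe", "ProcessId": 5202, "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /all", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2024-02-09 10:20:17.300", "Computer": "WS01", "User": "CORP\\jdoe", "ProcessId": 5300, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -c \"Get-Process lsass | Select Id\"", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

# Parent images the rule keys on (compared case-insensitively by basename).
SHELL_PARENTS = {"powershell.exe", "cmd.exe"}
# Matches "lsass" anywhere in the command line: lsass.exe, lsass.dmp, a PID lookup, etc.
LSASS_RE = re.compile(r"lsass", re.IGNORECASE)


def parse_events(log: str) -> list[dict]:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path, e.g. 'cmd.exe'."""
    return PureWindowsPath(image).name.lower()


def is_lsass_request(event: dict) -> bool:
    """True when a cmd.exe/powershell.exe child has 'lsass' in its command line."""
    if basename(event.get("ParentImage", "")) not in SHELL_PARENTS:
        return False
    return LSASS_RE.search(event.get("CommandLine", "")) is not None


def detect(events: Iterable[dict]) -> list[dict]:
    """Return a structured record for every event the rule would flag."""
    hits = []
    for e in events:
        if is_lsass_request(e):
            hits.append({
                "time": e["UtcTime"],
                "host": e["Computer"],
                "user": e["User"],
                "parent": basename(e["ParentImage"]),
                "process": basename(e["Image"]),
                "pid": e["ProcessId"],
                "command_line": e["CommandLine"],
            })
    return hits


if __name__ == "__main__":
    for hit in detect(parse_events(SAMPLE_LOG)):
        print(f'{hit["time"]} {hit["host"]} {hit["user"]} '
              f'{hit["parent"]} -> {hit["process"]} [{hit["pid"]}]: {hit["command_line"]}')
```

Two of the five sample events fire: the comsvcs.dll MiniDump launched from cmd.exe and the tasklist lookup launched from PowerShell. The normal lsass.exe start under wininit.exe does not, which is the behaviour you want. Note the last event: a PowerShell process started from explorer.exe whose own command line references lsass is not caught, because the rule keys on the parent being the shell. If that gap matters in your environment, extend the match to cover the shell process itself (image in the same set and lsass in its command line), and expect some benign noise from administrators checking the lsass PID with tasklist or Get-Process.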
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Command
  • Logon Session
ATT&CK Techniques
  • T1003.002
  • T1003
Created: 2024-02-09