
Summary
This analytic rule targets the creation of an lsass.exe memory dump through Windows Task Manager. It uses Sysmon Event ID 11 (FileCreate) to detect file creation events whose filename matches *lsass*.dmp and filters for those where the creating process is taskmgr.exe. The lsass.exe process holds sensitive user credentials in memory, so a dump of it lets an attacker retrieve stored passwords and compromise accounts; Task Manager writing such a dump is therefore a likely credential dumping attempt. The detection captures the destination host, process name and timestamps, giving analysts quick insight into a potential security incident.
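The following is an added example, not part of the original rule or its vendor's content, that implements the same logic in Python over constructed Sysmon records: keep only Event ID 11, require the creating image to be taskmgr.exe, match the target path against *lsass*.dmp case-insensitively, then aggregate by host and process the way a SIEM stats step would. Hostnames, paths and timestamps in the sample are invented; the field names (UtcTime, Image, TargetFilename, Computer) follow Sysmon's event data. The sample deliberately includes the two cases the rule does not fire on: Task Manager dumping a different process, and another tool writing an lsass dump.

```python
import fnmatch
from typing import Dict, Iterable, List

# Constructed sample Sysmon records flattened to the fields this rule reads.
# Field names mirror Sysmon's EventData; hosts, paths and times are invented.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Task Manager writing a dump of lsass: the behaviour the rule flags.
    {"EventID": 11, "UtcTime": "2024-11-13 09:12:44.120", "Computer": "WS01.corp.example",
     "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    # Task Manager dumping a different process: not flagged by this rule.
    {"EventID": 11, "UtcTime": "2024-11-13 09:13:01.004", "Computer": "WS01.corp.example",
     "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notepad.DMP"},
    # Another process writing an lsass dump: outside this rule's scope, since it
    # keys on taskmgr.exe; a broader rule is needed to cover this case.
    {"EventID": 11, "UtcTime": "2024-11-13 09:15:22.777", "Computer": "WS02.corp.example",
     "Image": r"C:\Windows\System32\WerFault.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\WER\Temp\lsass.exe.dmp"},
    # A ProcessCreate event (ID 1) for taskmgr.exe: wrong event type, ignored.
    {"EventID": 1, "UtcTime": "2024-11-13 09:10:00.000", "Computer": "WS01.corp.example",
     "Image": r"C:\Windows\System32\Taskmgr.exe", "TargetFilename": ""},
]

FILENAME_PATTERN = "*lsass*.dmp"   # the rule's wildcard, applied case-insensitively


def _basename(win_path: str) -> str:
    """Last component of a Windows path, lower-cased (accepts either separator)."""
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matches_rule(event: Dict[str, object]) -> bool:
    """True when the event is a Sysmon FileCreate (ID 11) in which taskmgr.exe
    wrote a file whose path matches *lsass*.dmp."""
    if event.get("EventID") != 11:
        return False
    process_name = _basename(str(event.get("Image", "")))
    target = str(event.get("TargetFilename", "")).lower()
    # fnmatch is not path-aware, so '*' also spans directory separators,
    # which is what we want: match anywhere in the full path.
    return process_name == "taskmgr.exe" and fnmatch.fnmatchcase(target, FILENAME_PATTERN)


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the rule over an event stream and return the triage fields:
    destination host, process name, dump path and timestamp."""
    findings = []
    for ev in events:
        if matches_rule(ev):
            findings.append({
                "dest": ev["Computer"],
                "process_name": _basename(str(ev["Image"])),
                "file_path": ev["TargetFilename"],
                "time": ev["UtcTime"],
            })
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[tuple, Dict[str, object]]:
    """Aggregate findings per (dest, process_name) with first/last seen and a
    count, the shape a SIEM 'stats' step would hand to an alert."""
    summary: Dict[tuple, Dict[str, object]] = {}
    for f in findings:
        key = (f["dest"], f["process_name"])
        entry = summary.setdefault(
            key, {"count": 0, "firstTime": f["time"], "lastTime": f["time"], "files": []})
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], f["time"])
        entry["lastTime"] = max(entry["lastTime"], f["time"])
        entry["files"].append(f["file_path"])
    return summary


if __name__ == "__main__":
    for key, agg in summarize(detect(SAMPLE_EVENTS)).items():
        print(key, agg)
```

Run against the sample, only the first record survives: one finding for WS01.corp.example from taskmgr.exe. The WerFault.exe record is a reminder that this rule is scoped to Task Manager, so it complements rather than replaces a generic lsass dump-file detection.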
Categories
- Windows
- Endpoint
Data Sources
- File
- Process
- Windows Registry
ATT&CK Techniques
- T1003.001
- T1003
Created: 2024-11-13