Task Manager lsass Dump

Anvilogic Forge

Summary
This detection rule identifies potential unauthorized attempts to dump the memory of the Local Security Authority Subsystem Service (lsass.exe) using the Windows Task Manager. Task Manager's built-in "Create dump file" capability can be abused by threat actors, who then feed the dump to credential access tools such as Mimikatz to retrieve sensitive information, including user credentials. The detection logic evaluates Windows event logs for the event codes that record lsass.exe memory access (EventCode 4663, 4656, 4688, and 4673), focusing on actions performed by taskmgr.exe. The rule flags instances where multiple reads of the lsass.exe process occur from taskmgr.exe, or where new task-management processes are spawned. Several advanced persistent threat (APT) groups are associated with this technique, which is why it remains significant in modern intrusions. The rule also applies statistical analysis of the same logs to detect memory access, so that related malicious activity is monitored comprehensively.
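The following is an added illustration of the correlation the summary describes, not Anvilogic's own rule logic: it walks Windows Security events in the order they occur, remembers where each taskmgr.exe process came from (4688), counts privileged-service calls (4673) and lsass.exe handle or read events (4656/4663) per taskmgr.exe process, and raises one alert when a process crosses a read threshold. Field names follow the Security log (ProcessName, ObjectName, NewProcessName, AccessMask, and so on); the READ_THRESHOLD value, the PROCESS_VM_READ access-mask filter, and the sample events are assumptions constructed for the example.

```python
"""Correlate Windows Security events to flag taskmgr.exe reading lsass.exe memory.

Added illustration, not the Anvilogic rule. Sample events below are constructed.
"""
from collections import defaultdict

OBJECT_ACCESS = {4656, 4663}    # handle requested / object accessed
PRIV_SERVICE = 4673             # privileged service called
PROCESS_CREATE = 4688           # new process created
PROCESS_VM_READ = 0x0010        # access right a process memory dump needs (assumed filter)
READ_THRESHOLD = 2              # "multiple reads"; chosen for this example, not the rule's value


def _ends_with(path, exe):
    """True when an image path names the given executable, case-insensitively."""
    return path.lower().replace("/", "\\").endswith("\\" + exe)


def detect(events):
    """Return a list of alert dicts for taskmgr.exe processes that read lsass.exe.

    events: iterable of dicts keyed like Windows Security log fields.
    """
    spawned = {}               # (host, pid) -> parent image of a taskmgr.exe launch (4688)
    reads = defaultdict(int)   # (host, pid) -> lsass.exe reads by that taskmgr.exe (4656/4663)
    priv = defaultdict(int)    # (host, pid) -> privileged service calls by that taskmgr.exe (4673)
    alerts = []
    for e in events:
        code, host = e["EventCode"], e.get("Computer", "")
        if code == PROCESS_CREATE and _ends_with(e.get("NewProcessName", ""), "taskmgr.exe"):
            spawned[(host, e.get("NewProcessId"))] = e.get("ParentProcessName", "")
            continue
        if not _ends_with(e.get("ProcessName", ""), "taskmgr.exe"):
            continue                                   # only Task Manager activity matters here
        key = (host, e.get("ProcessId"))
        if code == PRIV_SERVICE:
            priv[key] += 1                             # supporting evidence, not an alert on its own
        elif code in OBJECT_ACCESS and _ends_with(e.get("ObjectName", ""), "lsass.exe"):
            mask = int(str(e.get("AccessMask", "0")), 16)   # log formats the mask as hex, e.g. 0x10
            if mask & PROCESS_VM_READ:
                reads[key] += 1
                if reads[key] == READ_THRESHOLD:       # alert once per process, at the threshold
                    alerts.append({
                        "host": host,
                        "pid": key[1],
                        "user": e.get("SubjectUserName", ""),
                        "technique": "T1003.001",
                        "reads": reads[key],
                        "priv_calls": priv[key],
                        "spawned_by": spawned.get(key, "unknown"),
                    })
    return alerts


# Constructed sample events: one explorer-launched Task Manager that reads lsass.exe twice,
# plus an unrelated read of another process that must not count.
SAMPLE_EVENTS = [
    {"EventCode": 4688, "Computer": "WS01", "NewProcessId": "0x1a2c",
     "NewProcessName": r"C:\Windows\System32\Taskmgr.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventCode": 4673, "Computer": "WS01", "ProcessId": "0x1a2c",
     "ProcessName": r"C:\Windows\System32\Taskmgr.exe", "SubjectUserName": "jdoe"},
    {"EventCode": 4656, "Computer": "WS01", "ProcessId": "0x1a2c",
     "ProcessName": r"C:\Windows\System32\Taskmgr.exe", "SubjectUserName": "jdoe",
     "ObjectName": r"\Device\HarddiskVolume3\Windows\System32\lsass.exe", "AccessMask": "0x1410"},
    {"EventCode": 4663, "Computer": "WS01", "ProcessId": "0x1a2c",
     "ProcessName": r"C:\Windows\System32\Taskmgr.exe", "SubjectUserName": "jdoe",
     "ObjectName": r"\Device\HarddiskVolume3\Windows\System32\notepad.exe", "AccessMask": "0x10"},
    {"EventCode": 4663, "Computer": "WS01", "ProcessId": "0x1a2c",
     "ProcessName": r"C:\Windows\System32\Taskmgr.exe", "SubjectUserName": "jdoe",
     "ObjectName": r"\Device\HarddiskVolume3\Windows\System32\lsass.exe", "AccessMask": "0x10"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Keying everything on the (host, process id) pair is what lets the 4688 parent image and the 4673 calls travel with the final alert; an analyst then sees who launched Task Manager and how many privileged calls preceded the reads, rather than an isolated 4663 line.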
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
  • Windows Registry
ATT&CK Techniques
  • T1003.001
Created: 2024-02-09