
LSASS Dump Keyword In CommandLine

Sigma Rules

Summary
This detection rule is aimed at identifying potential credential dumping activity targeting the LSASS (Local Security Authority Subsystem Service) process on Windows systems. LSASS is a critical component for handling authentication, and attackers often attempt to dump its memory to extract sensitive credentials. The rule focuses on the presence of specific keywords in the command line of newly created processes. Keywords that signal potentially malicious activity include 'lsass' combined with file extensions such as '.dmp', '.zip' and '.rar', among others. Notably, any command line containing both 'lsass' and '.dmp' is flagged, since that combination suggests an attempt to write out the LSASS process's memory. Command lines containing the names 'SQLDmpr' or 'nanodump' are also flagged as suspicious. By assigning these detections a high alert level, the rule aims to enable a quick response to mitigate potential credential theft.
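As an added illustration of the keyword logic described above (not the Sigma rule file itself, nor the rule author's code), the following Python applies the page's criteria to constructed process-creation events. It assumes case-insensitive substring matching on the command line, as Sigma's `contains` modifier behaves; the `ProcessEvent` and `triage` names and the sample events are mine.

```python
"""Keyword-based LSASS dump detection over process-creation events (illustrative)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Keyword families summarised on the page.
LSASS_TOKEN = "lsass"
DUMP_OR_ARCHIVE_EXT = (".dmp", ".zip", ".rar")
STANDALONE_KEYWORDS = ("sqldmpr", "nanodump")


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # Image path of the created process
    command_line: str   # CommandLine field from the process-creation event


def matches_lsass_dump_keywords(command_line: str) -> bool:
    """Return True if the command line trips the rule's keyword criteria.

    Branch 1: 'lsass' together with a dump/archive extension.
    Branch 2: a standalone keyword ('SQLDmpr', 'nanodump').
    Matching is case-insensitive, like Sigma 'contains' (assumption).
    """
    cl = command_line.lower()
    if LSASS_TOKEN in cl and any(ext in cl for ext in DUMP_OR_ARCHIVE_EXT):
        return True
    return any(kw in cl for kw in STANDALONE_KEYWORDS)


def triage(events: Iterable[ProcessEvent]) -> List[Dict[str, str]]:
    """Run the rule over events; every hit is raised at the rule's 'high' level."""
    return [
        {"level": "high", "image": ev.image, "command_line": ev.command_line}
        for ev in events
        if matches_lsass_dump_keywords(ev.command_line)
    ]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),      # benign
    ProcessEvent(r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\lsass.exe"),  # lsass itself, no extension
    ProcessEvent(r"C:\Tools\dumper.exe", r"dumper.exe -o C:\Temp\lsass.dmp"),       # lsass + .dmp
    ProcessEvent(r"C:\Program Files\7-Zip\7z.exe", r"7z.exe a C:\Temp\lsass.zip C:\Temp\out"),  # lsass + .zip
    ProcessEvent(r"C:\Temp\nanodump.x64.exe", "nanodump.x64.exe"),                  # standalone keyword
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\Temp\SQLDmpr0001.mdmp"),  # standalone keyword
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Note that `lsass.exe` starting on its own does not match, so the rule stays quiet on normal boot activity; because it keys purely on command-line strings, it should be layered with LSASS process-access telemetry rather than relied on alone.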
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2019-10-24