
Detect Mimikatz Via PowerShell And EventCode 4703

Splunk Security Content

Summary
This detection rule aims to identify the use of Mimikatz, a well-known credential dumping tool, via PowerShell by monitoring Windows Event Logs, specifically Event Code 4703 (a user right was adjusted). The rule captures instances where PowerShell, identified by its '.exe' process name, requests the SeDebugPrivilege, which is often indicative of attempts to manipulate or extract credential data. Although this detection mechanism was robust in tracking suspicious privilege use, it is currently deprecated because changes in logging practices may affect its reliability. The search aggregates the matching events, reporting counts and first/last occurrence times per destination, process name, and enabled privilege, which aids investigations into potential credential theft activity.
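The aggregation the summary describes, as an added example that is not Splunk's own SPL: it filters constructed Event ID 4703 records for a PowerShell process enabling SeDebugPrivilege and counts hits per destination, process name and privilege list. The field names (EventCode, dest, Process_Name, Enabled_Privilege_List) and the sample records are assumptions, not taken from the original rule.

```python
# Constructed sample records modelled on Windows Security Event ID 4703.
# Field names are assumptions and may not match the original rule's fields.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"_time": "2024-11-14T10:00:01", "EventCode": 4703, "dest": "ws01",
     "Process_Name": PS_IMAGE, "Enabled_Privilege_List": "SeDebugPrivilege"},
    {"_time": "2024-11-14T10:02:30", "EventCode": 4703, "dest": "ws01",
     "Process_Name": PS_IMAGE, "Enabled_Privilege_List": "SeDebugPrivilege"},
    {"_time": "2024-11-14T10:03:00", "EventCode": 4703, "dest": "ws01",
     "Process_Name": r"C:\Windows\System32\cmd.exe",
     "Enabled_Privilege_List": "SeDebugPrivilege"},            # not PowerShell
    {"_time": "2024-11-14T10:04:00", "EventCode": 4703, "dest": "ws02",
     "Process_Name": PS_IMAGE, "Enabled_Privilege_List": "SeBackupPrivilege"},  # no SeDebug
    {"_time": "2024-11-14T10:05:00", "EventCode": 4703, "dest": "ws02",
     "Process_Name": PS_IMAGE,
     "Enabled_Privilege_List": "SeBackupPrivilege\n\t\tSeDebugPrivilege"},  # multi-valued
]


def privileges(field):
    """4703 reports enabled privileges as a whitespace-separated block; normalise it."""
    return sorted(p.strip() for p in field.split() if p.strip())


def is_suspicious(event):
    """True for a 4703 event where a powershell.exe process enabled SeDebugPrivilege."""
    if event.get("EventCode") != 4703:
        return False
    image = event.get("Process_Name", "").replace("\\", "/").rsplit("/", 1)[-1]
    if image.lower() != "powershell.exe":
        return False
    return "sedebugprivilege" in {p.lower() for p in privileges(event.get("Enabled_Privilege_List", ""))}


def aggregate(events):
    """Count plus first/last time per (dest, process name, enabled privilege list),
    mirroring the rule's stats count/min(_time)/max(_time) by those fields."""
    stats = {}
    for e in sorted(events, key=lambda ev: ev["_time"]):
        if not is_suspicious(e):
            continue
        key = (e["dest"], e["Process_Name"], ", ".join(privileges(e["Enabled_Privilege_List"])))
        row = stats.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        row["count"] += 1
        row["lastTime"] = e["_time"]
    return stats


if __name__ == "__main__":
    for key, row in aggregate(SAMPLE_EVENTS).items():
        print(key, row)
```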
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1003.001
Created: 2024-11-14