LSASS Memory Dump Creation

Elastic Detection Rules

Summary
This detection rule identifies the creation of Local Security Authority Subsystem Service (LSASS) memory dumps, a behavior often associated with credential theft. The rule looks for specific `.dmp` files that may indicate the use of tools historically known for extracting credentials, such as Dumpert, SQLDumper, or tools used in pentesting scenarios. The analysis focuses on files generated under suspicious conditions, specifically those related to LSASS, together with the processes that produced them. The rule comes with investigation and triage guidelines for establishing whether the activity is legitimate, so that response and remediation can proceed quickly where needed. Investigative actions include tracing the process chain that led to the dump, scrutinizing the associated user accounts, and performing deeper analysis of related host data for signs of compromise.
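As an added illustration, not the rule's own query, here is a small Python triage helper that applies the idea above to constructed file-creation events: it flags dump files whose names point at LSASS or the tools named in the summary and reports the producing process chain and user for investigation. The file-name patterns and the event fields are assumptions chosen for the example.

```python
import fnmatch
from dataclasses import dataclass

# Assumed file-name patterns (not the rule's own list): dumps named after
# LSASS, the Dumpert tool, and SQLDumper-style .mdmp output.
SUSPICIOUS_DUMP_PATTERNS = ("lsass*.dmp", "dumpert.dmp", "sqldmpr*.mdmp")


@dataclass
class FileEvent:
    """Constructed file event with the fields the triage needs."""
    host: str
    user: str
    process_name: str
    parent_process: str
    file_path: str
    action: str  # "creation", "modification", "deletion"


def is_lsass_dump(path: str) -> bool:
    """True when the file name matches one of the assumed dump patterns."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(name, p) for p in SUSPICIOUS_DUMP_PATTERNS)


def triage(events):
    """Return one alert per suspicious dump creation, with context for triage."""
    alerts = []
    for e in events:
        if e.action != "creation" or not is_lsass_dump(e.file_path):
            continue
        alerts.append({
            "host": e.host,
            "user": e.user,  # account to scrutinize
            "process_chain": f"{e.parent_process} -> {e.process_name}",
            "file": e.file_path,
        })
    return alerts


# Constructed sample events: two suspicious creations, one benign dump,
# one modification of an existing dump (not a creation, so not alerted).
SAMPLE_EVENTS = [
    FileEvent("ws01", "corp\\alice", "rundll32.exe", "cmd.exe",
              "C:\\Windows\\Temp\\lsass.dmp", "creation"),
    FileEvent("ws01", "corp\\alice", "app.exe", "explorer.exe",
              "C:\\Users\\alice\\report.dmp", "creation"),
    FileEvent("ws02", "corp\\bob", "notepad.exe", "explorer.exe",
              "C:\\Temp\\lsass.dmp", "modification"),
    FileEvent("srv01", "corp\\svc_sql", "sqldumper.exe", "services.exe",
              "C:\\Temp\\SQLDmpr0001.mdmp", "creation"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```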
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Windows Registry
  • Process
  • File
  • Logon Session
ATT&CK Techniques
  • T1003
  • T1003.001
Created: 2020-11-24