
Summary
This analytic detection rule identifies attempts to dump the memory of the LSASS process with the Sysinternals `procdump.exe` tool, keying on the `-ma` (full memory dump) and `-mm` (minidump) command-line switches combined with `lsass` in the command line. A dump written with either switch contains the credential material LSASS holds in memory, so the combination is a strong indicator of credential dumping (T1003.001). The detection uses process-creation telemetry such as Sysmon EventID 1, Windows Security Event Log event 4688, and CrowdStrike. By examining process names, command lines, and parent processes, it alerts security teams to behaviour that can expose cached passwords, NTLM hashes and Kerberos tickets, which attackers use to escalate privileges and move laterally through the network. ProcDump is a legitimate administrative tool, so the parent process and the invoking account should be reviewed before a hit is treated as malicious.
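The following is an added example, not code from the original page or the rule's own search, showing the detection logic of the summary run over constructed process-creation records. The field names follow Sysmon EventID 1 (`Image`, `OriginalFileName`, `CommandLine`, `ParentImage`) and the Security 4688 EventData names (`NewProcessName`, `CommandLine`, `ParentProcessName`); the sample events, paths and dump file names are invented for illustration. The `OriginalFileName` check is an assumption about how a renamed `procdump.exe` would still be caught; the page itself only names the process name and command-line arguments.

```python
import re

# Constructed Sysmon EventID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Renamed binary: only the PE OriginalFileName still says procdump.
    {"Image": r"C:\Users\Public\pd.exe", "OriginalFileName": "procdump",
     "CommandLine": r"pd.exe -mm LSASS.EXE out.dmp",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Target given by PID: no "lsass" token, so a command-line match cannot see it.
    {"Image": r"C:\Tools\procdump.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump.exe -ma 624 C:\Temp\svc.dmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign use of procdump against a web worker process.
    {"Image": r"C:\Tools\procdump.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump.exe -accepteula -ma w3wp.exe C:\Temp\w3wp.dmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Not procdump at all, even though the arguments look similar.
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe -ma lsass.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed Security 4688 style record (EventData field names).
SAMPLE_4688 = {
    "NewProcessName": r"C:\Tools\procdump.exe",
    "CommandLine": r"procdump.exe -ma lsass.exe C:\Windows\Temp\1.dmp",
    "ParentProcessName": r"C:\Windows\System32\cmd.exe",
}

# The two ProcDump switches the rule keys on: -ma (full dump), -mm (minidump).
DUMP_FLAGS = {"-ma", "-mm"}

# Split a Windows command line into tokens, keeping quoted paths together.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Lower-cased tokens of the command line; quoted arguments stay whole."""
    return [t.strip('"').lower() for t in _TOKEN_RE.findall(cmdline or "")]


def is_procdump(event):
    """True if the image is procdump, by file name or (assumed) PE OriginalFileName."""
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return image_name in ("procdump.exe", "procdump64.exe") or original == "procdump"


def is_lsass_dump_attempt(event):
    """procdump AND (-ma OR -mm) AND 'lsass' somewhere on the command line."""
    if not is_procdump(event):
        return False
    tokens = tokenize(event.get("CommandLine", ""))
    has_dump_flag = any(t in DUMP_FLAGS for t in tokens)
    targets_lsass = any("lsass" in t for t in tokens)
    return has_dump_flag and targets_lsass


def from_security_4688(record):
    """Map 4688 EventData names onto the Sysmon-style keys used above.
    4688 carries no OriginalFileName, so a renamed procdump is only caught
    if the command line still reveals it."""
    return {
        "Image": record.get("NewProcessName", ""),
        "OriginalFileName": "",
        "CommandLine": record.get("CommandLine", ""),
        "ParentImage": record.get("ParentProcessName", ""),
    }


def detect(events):
    """Return the events that match the rule, with the parent image for triage."""
    hits = []
    for event in events:
        if is_lsass_dump_attempt(event):
            hits.append({"image": event["Image"],
                         "parent": event.get("ParentImage", ""),
                         "cmdline": event["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS + [from_security_4688(SAMPLE_4688)]):
        print(f"ALERT {hit['image']} (parent {hit['parent']}): {hit['cmdline']}")
```

Of the five Sysmon-style samples only the first two fire; the PID-form invocation (`-ma 624`) is a genuine blind spot of a command-line match on `lsass`, and the benign `w3wp.exe` dump shows why the parent process and account matter for triage rather than the tool name alone.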
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
- Process
ATT&CK Techniques
- T1003
- T1003.001
Created: 2024-12-10