
Access LSASS Memory for Dump Creation

Splunk Security Content

Summary
This detection rule identifies attempts to dump the memory of the Local Security Authority Subsystem Service (LSASS), a critical component of Windows security. Credential dumping techniques target LSASS to extract sensitive information such as authentication credentials. The rule uses Windows Sysmon logs, specifically EventCode 10 (ProcessAccess), to inspect the call traces of processes that open a handle to the LSASS process. Call traces that pass through the dynamic link libraries (DLLs) dbgcore.dll and dbghelp.dll are particularly scrutinized because they often indicate the minidump-writing behavior typical of credential theft. Early detection of such activity is crucial because it can prevent further compromise of systems and unauthorized access to secured data.
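The following is an added illustration of the detection logic described above, written for this page and not Splunk's own search. It assumes Sysmon Event 10 records have already been parsed into fields (SourceImage, TargetImage, GrantedAccess and CallTrace are Sysmon's real field names; the hostnames, paths and offsets in the sample records are constructed). It flags only EventCode 10 records whose target file name is lsass.exe and whose CallTrace contains dbgcore.dll or dbghelp.dll, and ignores the same DLLs against other targets, letter-casing differences, and non-ProcessAccess events.

```python
"""Flag Sysmon EventCode 10 (ProcessAccess) records whose target is lsass.exe
and whose CallTrace passes through dbgcore.dll or dbghelp.dll.
Added example, not Splunk's code; the sample events are constructed."""

from collections import Counter

# Modules whose presence in a CallTrace against lsass.exe the rule treats as suspicious.
SUSPICIOUS_MODULES = ("dbgcore.dll", "dbghelp.dll")

# Constructed sample records shaped like Sysmon Event 10 after field extraction.
SAMPLE_EVENTS = [
    {  # routine OS access to lsass, no debugger-help DLLs in the trace -> ignore
        "EventCode": 10, "Computer": "WS01",
        "SourceImage": r"C:\Windows\System32\svchost.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2e48f",
    },
    {  # binary in a user temp dir reaching lsass via dbgcore.dll -> alert
        "EventCode": 10, "Computer": "WS01",
        "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1fffff",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2e48f|C:\Windows\System32\dbgcore.dll+6a7b|C:\Users\alice\AppData\Local\Temp\update.exe+1a2c",
    },
    {  # dbghelp.dll in the trace, but the target is not lsass -> ignore
        "EventCode": 10, "Computer": "WS02",
        "SourceImage": r"C:\Program Files\Vendor\crashreporter.exe",
        "TargetImage": r"C:\Windows\System32\notepad.exe",
        "GrantedAccess": "0x1fffff",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\dbghelp.dll+12f30",
    },
    {  # same indicators with different letter casing -> must still alert
        "EventCode": "10", "Computer": "WS03",
        "SourceImage": r"C:\Temp\tool.exe",
        "TargetImage": r"C:\WINDOWS\SYSTEM32\LSASS.EXE",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\WINDOWS\SYSTEM32\NTDLL.DLL+9d1e4|C:\WINDOWS\SYSTEM32\DBGHELP.DLL+12f30",
    },
    {  # not a ProcessAccess event at all -> ignore regardless of content
        "EventCode": 1, "Computer": "WS03",
        "Image": r"C:\Windows\System32\dbghelp.dll", "CommandLine": "lsass.exe",
    },
]


def call_trace_modules(call_trace: str) -> list[str]:
    """Split a Sysmon CallTrace ('path+offset|path+offset|...') into
    lowercase module paths. Frames without an offset are kept as-is."""
    return [frame.split("+", 1)[0].strip().lower()
            for frame in call_trace.split("|") if frame.strip()]


def is_lsass_dump_attempt(event: dict) -> bool:
    """True when the event is a ProcessAccess (EventCode 10) against lsass.exe
    whose call trace passes through dbgcore.dll or dbghelp.dll."""
    if str(event.get("EventCode", "")) != "10":
        return False
    target = event.get("TargetImage", "").lower()
    # Compare the file name, not a substring, so 'notlsass.exe' or
    # 'lsass.exe.txt' do not qualify.
    if target.rsplit("\\", 1)[-1] != "lsass.exe":
        return False
    modules = call_trace_modules(event.get("CallTrace", ""))
    return any(mod.rsplit("\\", 1)[-1] in SUSPICIOUS_MODULES for mod in modules)


def find_lsass_dump_attempts(events: list[dict]) -> list[dict]:
    """Return the matching events in input order."""
    return [e for e in events if is_lsass_dump_attempt(e)]


def count_by_source(events: list[dict]) -> Counter:
    """Aggregate alerts by (Computer, SourceImage), the grouping an analyst
    would triage on."""
    return Counter((e["Computer"], e["SourceImage"])
                   for e in find_lsass_dump_attempts(events))


if __name__ == "__main__":
    for (host, source), n in count_by_source(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {source} accessed lsass.exe via a debugger-help DLL ({n} event(s))")
```

Run against the constructed sample, only the update.exe and tool.exe records are reported; the svchost.exe access (no debugger-help DLL) and the crashreporter.exe access (wrong target) are not. In production the same predicate would be applied to the Sysmon EventCode 10 stream from the endpoint data source listed below, with the (Computer, SourceImage) aggregation used as the alert key.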
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1003.001
  • T1003
Created: 2024-11-13