
Summary
This detection rule identifies credential dumping with the Mimikatz tool on Windows hosts by inspecting Sysmon image-load telemetry. It queries Sysmon Event ID 7 (Image loaded), which records every DLL mapped into a process, and flags processes that load libraries Mimikatz needs to reach credential material: 'WinSCard.dll', 'cryptdll.dll', 'hid.dll', 'samlib.dll' and 'vaultcli.dll'. The rule matches on the loaded image name, not on the Mimikatz binary, so it also covers renamed or in-memory copies of the tool.

The rule is marked deprecated for two reasons. Newer Mimikatz builds and derivative tooling no longer necessarily load this exact DLL set, so the match list is incomplete, and legitimate processes (PowerShell is the cited example) load the same libraries for normal credential handling, which produces a high false-positive rate. It requires a Sysmon configuration that actually records image loads, since Event ID 7 is not collected by default, and anyone who still deploys it should whitelist the known tools in the environment that load these DLLs, so that alerts are limited to unexpected loaders.
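The logic described above, as an added example (not the original rule's code): parse constructed Sysmon Event ID 7 records in Windows event XML form, match the loaded image name against the five DLLs, drop allowlisted loading processes, and report one alert per process. The allowlist entry and the `min_distinct` threshold are assumptions added here for illustration; the rule as described alerts on any single load, which corresponds to `min_distinct=1`.

```python
"""Added example: the DLL-load heuristic over constructed Sysmon Event ID 7 records.
Not the original rule's code; sample events are constructed test data."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by Windows event XML (what Get-WinEvent's .ToXml() returns).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The five libraries named by the rule, matched case-insensitively on file name only.
MIMIKATZ_DLLS = {"winscard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll"}

# Assumption: an environment-specific allowlist of loading-process paths (lower-case).
# The rule text only says to whitelist known tools; this single entry is illustrative.
ALLOWLIST = {r"c:\windows\system32\lsass.exe"}

SYS32 = r"C:\Windows\System32"


def sys32(name):
    """Path of a file under System32 (helper for building sample data)."""
    return SYS32 + "\\" + name


def make_event(event_id, guid, image, loaded):
    """Build one constructed Sysmon event in Windows event XML (test data, not real telemetry)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System>"
        "<EventData>"
        f'<Data Name="ProcessGuid">{guid}</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="ImageLoaded">{loaded}</Data>'
        "</EventData></Event>"
    )


SAMPLE_EVENTS = [
    # Process A: an unknown binary loading every DLL on the list.
    *[make_event(7, "{guid-a}", r"C:\Users\bob\Downloads\mk.exe", sys32(d))
      for d in ("WinSCard.dll", "cryptdll.dll", "hid.dll", "samlib.dll", "vaultcli.dll")],
    # Process B: PowerShell loading one listed DLL, the false-positive case the rule warns about.
    make_event(7, "{guid-b}", sys32(r"WindowsPowerShell\v1.0\powershell.exe"), sys32("hid.dll")),
    # Process C: an allowlisted process loading a listed DLL; suppressed.
    make_event(7, "{guid-c}", sys32("lsass.exe"), sys32("samlib.dll")),
    # Process D: unrelated DLL, no match.
    make_event(7, "{guid-d}", sys32("notepad.exe"), sys32("kernel32.dll")),
    # Event ID 1 (process create) must be ignored even when its fields look interesting.
    make_event(1, "{guid-e}", r"C:\Users\bob\Downloads\mk.exe", sys32("vaultcli.dll")),
]


def parse_event(xml_text):
    """Flatten one event's System/EventID and EventData/Data fields into a dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields


def dll_name(path):
    """Lower-cased file name of a Windows path; the rule matches on the name only."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(xml_events, allowlist=ALLOWLIST, min_distinct=1):
    """Return one alert per process that loaded at least min_distinct of the listed DLLs.

    min_distinct=1 reproduces the rule as described (any single load alerts).
    Raising it is an added tuning knob, not part of the original rule.
    """
    loaded = defaultdict(set)
    image_of = {}
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev["EventID"] != 7:
            continue
        name = dll_name(ev["ImageLoaded"])
        if name not in MIMIKATZ_DLLS or ev["Image"].lower() in allowlist:
            continue
        loaded[ev["ProcessGuid"]].add(name)
        image_of[ev["ProcessGuid"]] = ev["Image"]
    return [
        {"ProcessGuid": g, "Image": image_of[g], "dlls": sorted(s)}
        for g, s in sorted(loaded.items())
        if len(s) >= min_distinct
    ]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["ProcessGuid"], alert["Image"], ",".join(alert["dlls"]))
```

Run as written, the example alerts on both the unknown binary and PowerShell, which is exactly the false-positive behaviour that led to the rule's deprecation; the allowlist removes the lsass.exe load, and raising `min_distinct` to 3 leaves only the process that loaded most of the set.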
Categories
- Windows
- Endpoint
Data Sources
- Image
- Process
- Windows Registry
ATT&CK Techniques
- T1003.001
- T1003
- T1059.001
Created: 2024-11-14