
Summary
This analytic detection rule monitors for potential credential dumping activity by tracking abuse of the Local Security Authority Subsystem Service (LSASS) through comsvcs.dll loaded by rundll32. By correlating Windows Security event logs with Sysmon logs, the rule identifies command-line executions indicative of attempts to harvest credentials from the LSASS process. Such activity can represent a critical security breach: successful credential theft can enable further system compromise, lateral movement, and privilege escalation. The detection focuses on specific process behaviors and parent-child relationships that suggest attempts to access sensitive information held by LSASS. Matches should drive immediate investigation and response to mitigate the data-breach and ransomware risks associated with this technique.
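As an added illustration of the detection logic described above (example code, not the rule's own search), the following normalizes Sysmon Event ID 1 and Security Event ID 4688 process-creation records onto one schema and flags rundll32 executions whose command line references comsvcs.dll, raising severity when the parent is an interactive shell or script host. The sample events are constructed, and the export name and arguments in the suspicious command line are deliberately left as placeholders.

```python
import re
from typing import List, Optional

# Constructed sample events (not real telemetry). Sysmon EID 1 and Security EID 4688
# carry the same process-creation facts under different field names.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     # export name and arguments are placeholders in this constructed record
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, <export> <args>",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "SubjectUserName": "svc-backup"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

RUNDLL32 = re.compile(r"(^|\\)rundll32\.exe$", re.IGNORECASE)
COMSVCS = re.compile(r"comsvcs(\.dll)?", re.IGNORECASE)
# Parents that make a rundll32 -> comsvcs.dll launch most suspicious (shells, script hosts)
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def normalize(ev: dict) -> Optional[dict]:
    """Map a Sysmon EID 1 or Security EID 4688 record onto one field schema."""
    if ev.get("EventID") == 1:
        return {"image": ev.get("Image", ""), "cmd": ev.get("CommandLine", ""),
                "parent": ev.get("ParentImage", ""), "user": ev.get("User", "")}
    if ev.get("EventID") == 4688:
        return {"image": ev.get("NewProcessName", ""), "cmd": ev.get("CommandLine", ""),
                "parent": ev.get("ParentProcessName", ""), "user": ev.get("SubjectUserName", "")}
    return None  # not a process-creation event

def detect_comsvcs_lsass_dump(events) -> List[dict]:
    """Return one alert per rundll32 process whose command line references comsvcs.dll."""
    alerts = []
    for raw in events:
        ev = normalize(raw)
        if ev is None or not RUNDLL32.search(ev["image"]) or not COMSVCS.search(ev["cmd"]):
            continue
        parent = basename(ev["parent"])
        alerts.append({"user": ev["user"], "parent": parent, "command_line": ev["cmd"],
                       "technique": "T1003.001",
                       "severity": "high" if parent in SHELL_PARENTS else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_comsvcs_lsass_dump(SAMPLE_EVENTS):
        print(alert)
```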
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
- File
ATT&CK Techniques
- T1003.001
- T1003
Created: 2024-12-10