
Summary
This detection rule identifies the execution of common credential dumping tools on Windows systems, specifically applications that extract sensitive authentication material such as OAuth tokens and passwords from memory (e.g., LSASS) and from the Windows registry. Such tools can give an attacker unauthorized access to sensitive information and lead to lateral movement within a compromised network. The rule relies on process creation events to capture instances of tools like Mimikatz, which are frequently used in credential theft. It directs analysts to examine Event ID 4688 or Sysmon Event ID 1 to determine whether a malicious execution occurred, focusing on instances where the process was run by a privileged account. The rule's implementation includes queries that list all process creations in a defined time window around the incident and encourages checking for other suspicious processes spawned by the same parent process. It carries a high severity rating, reflecting how critical credential theft is to the security of Windows environments.
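As an added example (not part of the rule page itself), the triage logic the summary describes, run in Python over constructed process creation events: match the image name against a tool watchlist, note whether the process ran elevated, and list the other processes the same parent spawned inside a time window around the hit. The field names, the sample events and the ten-minute window are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample of process creation events shaped like Windows Event ID 4688 /
# Sysmon Event ID 1 records (timestamp, pid, parent pid, image, account, elevation).
# Made-up values for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2026-01-31T10:00:00", "pid": 3900, "ppid": 3000,
     "image": r"C:\Windows\explorer.exe", "user": r"CORP\jdoe", "elevated": False},
    {"ts": "2026-01-31T10:04:10", "pid": 5120, "ppid": 3900,
     "image": r"C:\Users\jdoe\Downloads\mimikatz.exe", "user": r"CORP\jdoe", "elevated": True},
    {"ts": "2026-01-31T10:04:30", "pid": 5130, "ppid": 3900,
     "image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\jdoe", "elevated": True},
    {"ts": "2026-01-31T11:30:00", "pid": 6000, "ppid": 800,
     "image": r"C:\Windows\System32\notepad.exe", "user": r"CORP\jdoe", "elevated": False},
]

# Image names the rule treats as credential dumping tools; extend with your own watchlist.
TOOL_NAMES = {"mimikatz.exe"}

def image_name(path):
    """Lowercase file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_tool_executions(events, tool_names=TOOL_NAMES):
    """Events whose image name is on the credential dumping tool watchlist."""
    return [e for e in events if image_name(e["image"]) in tool_names]

def events_in_window(events, center_ts, minutes=10):
    """All process creations within +/- `minutes` of the given timestamp."""
    center = datetime.fromisoformat(center_ts)
    delta = timedelta(minutes=minutes)
    return [e for e in events if abs(datetime.fromisoformat(e["ts"]) - center) <= delta]

def triage(events, window_minutes=10):
    """One alert per tool execution, with the context the rule asks for: whether the
    process ran elevated and which other processes the same parent spawned in the window."""
    alerts = []
    for hit in find_tool_executions(events):
        context = events_in_window(events, hit["ts"], window_minutes)
        siblings = [e["image"] for e in context
                    if e["ppid"] == hit["ppid"] and e["pid"] != hit["pid"]]
        alerts.append({
            "image": hit["image"],
            "user": hit["user"],
            "privileged": hit["elevated"],
            "severity": "high",  # the rule's own rating
            "sibling_processes": siblings,
        })
    return alerts
```

On the sample data this yields one high-severity alert for the elevated mimikatz.exe run, with cmd.exe listed as the sibling process spawned by the same parent inside the window.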
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1003
- T1003.001
Created: 2026-01-31