
Summary
This detection rule identifies potentially malicious behavior associated with the Citrix TrolleyExpress executable, a known utility for managing Citrix environments. Its purpose is to detect attempts to dump the memory of the Local Security Authority Subsystem Service (LSASS) process using the TrolleyExpress executable. It relies on specific indicators, such as command line arguments that include the version identifiers 7, 8, or 9, and checks for the presence of 'TrolleyExpress.exe' as well as certain attributes of the file. The rule includes conditions that account for legitimate use of TrolleyExpress while flagging activity as suspicious when the command line contains specific patterns. By monitoring process creation events in Windows environments, the rule aims to provide a proactive defense against credential theft tactics that abuse known system processes.
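As an added illustration, not the rule's own logic or the project's code, the following Python evaluates the conditions described above against constructed process-creation events. The exact token matching (7, 8 or 9 as a standalone argument), the OriginalFileName attribute check and the legitimate-use exclusion list are assumptions, since the summary does not give the rule's precise expressions.

```python
import shlex
from dataclasses import dataclass

# Tokens the summary says the rule looks for in the command line (from the page).
SUSPICIOUS_TOKENS = {"7", "8", "9"}

# Hypothetical legitimate-use filter; the page does not list the real exclusions.
ALLOWLISTED_ARGS = {"/placeholder-legit-switch"}


@dataclass
class ProcessEvent:
    """Minimal view of a Windows process-creation event (Sysmon EventID 1 style)."""
    image: str
    command_line: str
    original_file_name: str = ""  # PE version-info attribute; field name assumed


def _args(command_line: str) -> list[str]:
    """Split a Windows command line into argument tokens, tolerating quoted paths."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command_line.split()
    return [t.strip('"') for t in tokens[1:]]  # drop argv[0]


def is_trolleyexpress(ev: ProcessEvent) -> bool:
    """Match on the image name or on the file attribute (attribute check assumed)."""
    name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name == "trolleyexpress.exe" or ev.original_file_name.lower() == "trolleyexpress.exe"


def matches_rule(ev: ProcessEvent) -> bool:
    """True when the event looks like the LSASS-dump pattern described on the page."""
    if not is_trolleyexpress(ev):
        return False
    args = _args(ev.command_line)
    if any(a.lower() in ALLOWLISTED_ARGS for a in args):  # legitimate-use exclusion
        return False
    return any(a in SUSPICIOUS_TOKENS for a in args)


def evaluate(events: list[ProcessEvent]) -> list[ProcessEvent]:
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample events, not real telemetry.
TE = r"C:\Program Files (x86)\Citrix\ICA Client\Receiver\TrolleyExpress.exe"
SAMPLE_EVENTS = [
    ProcessEvent(TE, f'"{TE}" 624 9'),                                   # flagged
    ProcessEvent(TE, f'"{TE}" /placeholder-legit-switch'),              # benign use
    ProcessEvent(r"C:\Users\Public\upd.exe", r'upd.exe 8', "TrolleyExpress.exe"),  # renamed copy
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe 7"),  # other binary
    ProcessEvent(TE, f'"{TE}" /placeholder-legit-switch 7'),            # excluded
]
```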
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-02-10