
Summary
This rule detects credential dumping attempts on Windows systems that target the LSASS process (Local Security Authority Subsystem Service) through the WerFault.exe process. It looks for a specific combination of indicators: WerFault.exe opening a handle to lsass.exe with full access rights (0x1FFFFF) and a call trace that includes ntdll.dll, dbghelp.dll, or dbgcore.dll. This pattern is associated with credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, and Procdump, and applies to Windows 10, Server 2016, and later versions. Because credential dumping is a critical step in many attacks, this rule is highly relevant for detecting attempts to gain unauthorized access to sensitive authentication credentials.
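The following is an added example, not part of the rule page, showing how the indicators above can be evaluated against Sysmon Event ID 10 (ProcessAccess) records: the source image must be WerFault.exe, the target lsass.exe, the granted access mask exactly 0x1FFFFF, and the call trace must reference one of the listed debug DLLs. The event records, their timestamps and stack offsets are constructed for illustration; field names follow Sysmon's EventData rendering.

```python
# Added example (not the rule's own code): evaluate the WerFault -> lsass.exe
# indicators from the summary against Sysmon Event ID 10 (ProcessAccess) records.
# The events further down are constructed samples; field names follow Sysmon's
# EventData rendering (SourceImage, TargetImage, GrantedAccess, CallTrace).

FULL_ACCESS_MASK = 0x1FFFFF                       # PROCESS_ALL_ACCESS as Sysmon renders it
DEBUG_DLLS = ("ntdll.dll", "dbghelp.dll", "dbgcore.dll")


def parse_sysmon_message(text):
    """Turn the 'Key: Value' lines of a rendered Sysmon event into a dict.

    Splitting on the first colon keeps Windows paths (C:\\...) intact in the value.
    """
    event = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            event[key.strip()] = value.strip()
    return event


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_werfault_lsass_access(event):
    """True when every indicator named in the rule summary is present in one
    ProcessAccess record (the caller is expected to feed Event ID 10 only)."""
    if image_name(event.get("SourceImage", "")) != "werfault.exe":
        return False
    if image_name(event.get("TargetImage", "")) != "lsass.exe":
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)   # accepts "0x1FFFFF"
    except ValueError:
        return False
    if granted != FULL_ACCESS_MASK:
        return False
    trace = event.get("CallTrace", "").lower()
    return any(dll in trace for dll in DEBUG_DLLS)


def scan(messages):
    """Return one alert string per record that matches the rule."""
    alerts = []
    for msg in messages:
        ev = parse_sysmon_message(msg)
        if is_werfault_lsass_access(ev):
            alerts.append(f"{ev.get('UtcTime', '?')} {ev['SourceImage']} -> "
                          f"{ev['TargetImage']} access={ev['GrantedAccess']}")
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 1: WerFault opens lsass.exe with full access via a dbgcore.dll dump path -> alert
    r"""
    UtcTime: 2024-01-01 10:00:00.000
    SourceImage: C:\Windows\System32\WerFault.exe
    TargetImage: C:\Windows\System32\lsass.exe
    GrantedAccess: 0x1FFFFF
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d0e4|C:\Windows\System32\KERNELBASE.dll+2c1fe|C:\Windows\System32\dbgcore.dll+1a2b|C:\Windows\System32\WerFault.exe+5c3d
    """,
    # 2: WerFault queries lsass.exe with a limited mask (0x1000) -> no alert
    r"""
    UtcTime: 2024-01-01 10:00:01.000
    SourceImage: C:\Windows\System32\WerFault.exe
    TargetImage: C:\Windows\System32\lsass.exe
    GrantedAccess: 0x1000
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d0e4|C:\Windows\System32\KERNELBASE.dll+2c1fe
    """,
    # 3: WerFault dumping an ordinary crashed application -> outside this rule's scope
    r"""
    UtcTime: 2024-01-01 10:00:02.000
    SourceImage: C:\Windows\System32\WerFault.exe
    TargetImage: C:\Windows\System32\notepad.exe
    GrantedAccess: 0x1FFFFF
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d0e4|C:\Windows\System32\KERNELBASE.dll+2c1fe|C:\Windows\System32\dbgcore.dll+1a2b|C:\Windows\System32\WerFault.exe+5c3d
    """,
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Only the first sample record matches. Two points matter when operating this logic: the signal lies in the WerFault.exe / lsass.exe / 0x1FFFFF combination, since ntdll.dll appears in nearly every user-mode call stack and therefore filters little on its own, and a genuine LSASS crash handled by Windows Error Reporting produces the same access pattern, so an alert is best correlated with the Application Log (listed below as a data source) to confirm whether a matching crash was actually recorded.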
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
- Application Log
Created: 2012-06-27