Create Remote Thread into LSASS

Splunk Security Content

Summary
This detection rule identifies the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS), which is often associated with credential dumping activities. The rule is based on Sysmon EventID 8 logs and focuses specifically on processes that are creating remote threads within `lsass.exe`. Credential dumping is a technique commonly employed by attackers to extract user authentication credentials, enabling unauthorized access to sensitive data and potentially compromising the entire network. It is crucial for analysts to differentiate between benign tool activities and actual threats when investigating such events. The detection leverages Splunk for log analysis, requiring a properly configured Sysmon setup to ensure accurate monitoring.
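The following is an added illustration of the detection logic the summary describes; it is not the rule's own SPL and is not Splunk Security Content code. It filters Sysmon EventID 8 (CreateRemoteThread) records whose TargetImage is lsass.exe and then separates analyst-verified benign source images from the ones that still need review. The field names (SourceImage, TargetImage, SourceProcessId, TargetProcessId, StartFunction) are the standard Sysmon EventID 8 fields; the EventCode key mirrors how Splunk's Windows add-on exposes the event number. The allowlist path and all sample records are constructed placeholders, not values from the page.

```python
"""Added illustration of the 'Create Remote Thread into LSASS' detection logic,
not the rule's own SPL: keep Sysmon EventID 8 records whose TargetImage is
lsass.exe, then flag which source images an analyst has already verified."""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Sysmon EventID 8 = CreateRemoteThread. Splunk's Windows add-on exposes the
# event number as EventCode; raw Sysmon XML calls it EventID, so accept both.
CREATE_REMOTE_THREAD = 8
LSASS_IMAGE = "lsass.exe"

# Constructed placeholder allowlist: source images verified as benign in this
# environment (e.g. an EDR sensor). The path below is hypothetical.
BENIGN_SOURCE_IMAGES = {
    r"c:\program files\exampleedr\sensor.exe",
}


@dataclass
class Alert:
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    start_function: str
    allowlisted: bool


def _event_code(record: dict) -> Optional[int]:
    """Read the event number from either the Splunk or the raw Sysmon key."""
    value = record.get("EventCode", record.get("EventID"))
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def targets_lsass(target_image: str) -> bool:
    """Case-insensitive basename match, so an upper-cased LSASS.EXE still counts."""
    return ntpath.basename(target_image or "").lower() == LSASS_IMAGE


def detect_lsass_remote_thread(records: Iterable[dict]) -> List[Alert]:
    """Return one Alert per EventID 8 record whose TargetImage is lsass.exe."""
    alerts: List[Alert] = []
    for rec in records:
        if _event_code(rec) != CREATE_REMOTE_THREAD:
            continue  # e.g. EventID 10 (ProcessAccess) is a different rule
        if not targets_lsass(rec.get("TargetImage", "")):
            continue
        source = rec.get("SourceImage", "")
        alerts.append(Alert(
            source_image=source,
            source_pid=int(rec.get("SourceProcessId", 0)),
            target_image=rec["TargetImage"],
            target_pid=int(rec.get("TargetProcessId", 0)),
            start_function=rec.get("StartFunction", ""),
            allowlisted=source.lower() in BENIGN_SOURCE_IMAGES,
        ))
    return alerts


def unreviewed(alerts: List[Alert]) -> List[Alert]:
    """Alerts not covered by the allowlist, i.e. the ones an analyst triages."""
    return [a for a in alerts if not a.allowlisted]


# Constructed sample records shaped like Splunk-extracted Sysmon fields.
SAMPLE_RECORDS = [
    {"EventCode": "8", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "SourceProcessId": "4412", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "TargetProcessId": "712", "StartFunction": ""},
    {"EventCode": "8", "SourceImage": r"C:\Program Files\ExampleEDR\sensor.exe",
     "SourceProcessId": "1980", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "TargetProcessId": "712", "StartFunction": "LoadLibraryW"},
    {"EventCode": "8", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "SourceProcessId": "900", "TargetImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": "3344", "StartFunction": ""},
    {"EventCode": "10", "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "SourceProcessId": "5000", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "TargetProcessId": "712"},
    {"EventID": 8, "SourceImage": r"C:\Temp\Update.exe",
     "SourceProcessId": "6120", "TargetImage": r"C:\WINDOWS\SYSTEM32\LSASS.EXE",
     "TargetProcessId": "712", "StartFunction": ""},
]

if __name__ == "__main__":
    for a in unreviewed(detect_lsass_remote_thread(SAMPLE_RECORDS)):
        print(f"REVIEW: {a.source_image} (pid {a.source_pid}) -> "
              f"{a.target_image} (pid {a.target_pid})")
```

Of the five constructed records, three match the rule (EventID 8 with lsass.exe as the target); the allowlisted sensor is set aside and the two unknown source images are left for review. The ProcessAccess record (EventID 10) is deliberately ignored, since this rule only consumes EventID 8.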
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1003.001
  • T1003
Created: 2024-11-13