
Summary
This rule detects reconnaissance against the LSASS (Local Security Authority Subsystem Service) process carried out with the built-in Find and Findstr utilities. It fires on process-creation events where the executing image is find.exe or findstr.exe and the command line contains the string 'lsass' (matched case-insensitively, as Sigma string comparisons are by default). The usual pattern is `tasklist | findstr lsass`, run to learn the LSASS process ID before its memory is dumped, so a hit is a strong indicator of credential-access activity on a Windows host. A benign findstr over log or text files that happen to mention lsass will also match; the parent process and the arguments (a file path versus no input file at all) are what distinguish the two. The rule carries a high level and experimental status.
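To show what the two conditions above actually select, the following is an added example, not the rule's own code or the Sigma project's: a small Python matcher that applies the image and command-line checks to a handful of constructed Sysmon-style events, including a benign search, an out-of-scope tasklist filter, and a likely false positive. The field names (Image, CommandLine, ParentImage) and all event contents are assumptions made for the example.

```python
"""Added example, not the rule's own code: the find/findstr + 'lsass'
process-creation logic applied to a few constructed Sysmon-style events."""
import ntpath

# Executable images the rule keys on (compared case-insensitively by basename).
TARGET_IMAGES = {"find.exe", "findstr.exe"}
NEEDLE = "lsass"


def matches(event: dict) -> bool:
    """True when the event satisfies both rule conditions: the image is
    find.exe or findstr.exe, and the command line contains 'lsass' in any
    letter case (Sigma 'contains' is case-insensitive by default)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    return image in TARGET_IMAGES and NEEDLE in cmdline


def triage(events):
    """Run each event through the rule; return (command line, parent image)
    for every hit so an analyst can see the launching process as well."""
    return [(e["CommandLine"], ntpath.basename(e.get("ParentImage", "")))
            for e in events if matches(e)]


# Constructed sample events (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    # Classic recon: tasklist output piped into findstr to get the LSASS PID.
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": 'findstr /i "LSASS"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # find.exe is in scope too; note the mixed case in both path and argument.
    {"Image": r"C:\WINDOWS\system32\FIND.EXE",
     "CommandLine": 'FIND /I "lsass.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign findstr: no 'lsass' on the command line, so no hit.
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /i "error" C:\logs\app.log',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Out-of-scope image: tasklist alone can target lsass without findstr,
    # and this rule does not cover that variant.
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": 'tasklist /fi "imagename eq lsass.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Likely false positive: a text search for 'lsass' across log files.
    # The rule still fires; the file-path argument and the parent process
    # are the context an analyst uses to dismiss it.
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r"findstr /s /i lsass C:\logs\*.txt",
     "ParentImage": r"C:\Program Files\Agent\collector.exe"},
]

if __name__ == "__main__":
    for cmd, parent in triage(SAMPLE_EVENTS):
        print(f"HIT  parent={parent:<14} cmdline={cmd}")
```

Running it yields three hits: the two cmd.exe-spawned searches for the process name, and the collector.exe log search. The third hit is the tuning point: a production rule can keep the same detection block and add a filter on ParentImage or on command lines that name an input file, while the tasklist-only event shows a gap this rule does not attempt to close.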
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-08-12