
Summary
This rule identifies suspicious access to the Local Security Authority Subsystem Service (LSASS) through manipulation of its process handle. It focuses on process-access events whose call trace includes 'seclogon.dll', which may indicate credential theft or lateral-movement attempts. The detection criteria look for a target process whose image ends with 'lsass.exe' and a source process of 'svchost.exe', a common Windows host process that malicious actors can abuse. The granted access level is strictly filtered to '0x14c0', indicating an attempt to read and execute memory, which is unusual for legitimate processes. Given the critical role of LSASS in managing sensitive information, including user credentials, any abnormal access pattern warrants further investigation. The rule underscores the importance of monitoring process access to prevent credential-related attacks. The threat level is set to high because of the potential implications of such access. Investigating the alerts this rule generates helps security teams detect and respond to potential breaches.
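The matching logic the summary describes, as an added example that is not part of the original rule: it applies the four conditions (target image, source image, granted access, call trace) to constructed Sysmon Event ID 10 (ProcessAccess) records. The field names SourceImage, TargetImage, GrantedAccess and CallTrace follow Sysmon; the sample events, the helper ev() and the process IDs are constructed for this demonstration.

```python
from typing import Dict, List

# The four conditions from the rule summary (Sysmon Event ID 10 field names assumed).
TARGET_SUFFIX = "\\lsass.exe"      # TargetImage must end with \lsass.exe
SOURCE_SUFFIX = "\\svchost.exe"    # SourceImage must end with \svchost.exe
GRANTED_ACCESS = 0x14C0            # exact access mask the rule filters on
CALLTRACE_MARKER = "seclogon.dll"  # module that must appear in CallTrace


def matches_rule(event: Dict[str, str]) -> bool:
    """True when one ProcessAccess event satisfies all four conditions."""
    try:
        # Base 0 honours a 0x prefix ('0x14C0', '0x14c0') and plain decimal ('5312').
        access = int(event.get("GrantedAccess", ""), 0)
    except ValueError:
        return False  # a missing or malformed mask never matches
    return (
        event.get("TargetImage", "").lower().endswith(TARGET_SUFFIX)
        and event.get("SourceImage", "").lower().endswith(SOURCE_SUFFIX)
        and access == GRANTED_ACCESS
        and CALLTRACE_MARKER in event.get("CallTrace", "").lower()
    )


def find_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the SourceProcessId of every event that triggers the rule."""
    return [e["SourceProcessId"] for e in events if matches_rule(e)]


def ev(pid: str, src: str, tgt: str, access: str, trace: str) -> Dict[str, str]:
    """Build one constructed ProcessAccess record (sample data, not real telemetry)."""
    return {"SourceProcessId": pid, "SourceImage": src, "TargetImage": tgt,
            "GrantedAccess": access, "CallTrace": trace}


SVCHOST = r"C:\Windows\System32\svchost.exe"
LSASS = r"C:\Windows\System32\lsass.exe"
TRACE_SECLOGON = r"C:\Windows\SYSTEM32\ntdll.dll+9d644|C:\Windows\System32\seclogon.dll+2d5e"
TRACE_PLAIN = r"C:\Windows\SYSTEM32\ntdll.dll+9d644"
SAMPLE_EVENTS = [
    ev("1234", SVCHOST, LSASS, "0x14C0", TRACE_SECLOGON),  # hit: all four conditions met
    ev("2345", SVCHOST, LSASS, "0x1000", TRACE_SECLOGON),  # no hit: different access mask
    ev("3456", r"C:\Windows\System32\csrss.exe", LSASS, "0x14c0", TRACE_PLAIN),  # no hit: source/trace
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # ['1234']
```

The second and third sample events show why all four conditions are required: the same svchost-to-lsass pairing with a different mask, or the right mask without seclogon.dll in the trace, does not fire the rule.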
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
Created: 2022-06-29