
Summary
This rule detects the execution of HandleKatz, a credential-dumping tool that creates an obfuscated memory dump of the Local Security Authority Subsystem Service (LSASS) process. HandleKatz uses cloned handles to bypass security controls and extract sensitive information from LSASS process memory.

The detection logic focuses on process creation events related to HandleKatz and looks for specific command line arguments and image hashes that signify its use. Key indicators are a loader executable invoked with the '--pid:' command line option, and specific IMPHASH values associated with the tool. The rule also checks for command line patterns indicative of an LSASS dump operation, such as references to .dmp files, the target 'lsass', and various obfuscation markers.

The rule applies to Windows process creation logs and raises high severity alerts because of the critical risk that credential theft represents. Analysts can review the detection criteria to identify potential misuse of HandleKatz or similar credential dumping tools.
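Added example, not part of the rule itself: a small Python reimplementation of the three detection branches described above, run over constructed process creation events. The IMPHASH set, the obfuscation marker list, the `loader.exe` image name and the event field names are assumptions, since the summary names the indicator types but not their exact values.

```python
from __future__ import annotations
from dataclasses import dataclass

# Placeholder: the summary refers to tool-specific IMPHASH values but does not
# list them, so substitute the values from the deployed rule here.
KNOWN_HANDLEKATZ_IMPHASHES = {"<IMPHASH-FROM-RULE-PLACEHOLDER>"}

# Assumed obfuscation markers; the summary mentions them without naming them.
OBFUSCATION_MARKERS = ("obfuscat",)


@dataclass
class ProcessEvent:
    """Minimal process creation record (field names are assumptions)."""
    image: str
    command_line: str
    imphash: str = ""


def matches_handlekatz(ev: ProcessEvent,
                       imphashes=KNOWN_HANDLEKATZ_IMPHASHES,
                       markers=OBFUSCATION_MARKERS) -> list[str]:
    """Return the names of the detection branches that fired (empty = no alert)."""
    hits: list[str] = []
    cmd = ev.command_line.lower()
    image = ev.image.lower().replace("/", "\\")
    # Branch 1: a loader binary invoked with the '--pid:' option.
    if image.endswith("\\loader.exe") and "--pid:" in cmd:
        hits.append("loader_pid_option")
    # Branch 2: the image's import hash matches a known HandleKatz build.
    if ev.imphash and ev.imphash.lower() in {h.lower() for h in imphashes}:
        hits.append("known_imphash")
    # Branch 3: command line describing an LSASS dump (.dmp + lsass + marker).
    if ".dmp" in cmd and "lsass" in cmd and any(m in cmd for m in markers):
        hits.append("lsass_dump_cmdline")
    return hits


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Evaluate every event; return (image, fired branches) for alerts only."""
    return [(ev.image, hits) for ev in events if (hits := matches_handlekatz(ev))]


if __name__ == "__main__":
    # Constructed sample events, not real telemetry.
    sample = [
        ProcessEvent(r"C:\Users\Public\loader.exe", "loader.exe --pid:624"),
        ProcessEvent(r"C:\Windows\System32\taskmgr.exe", "taskmgr.exe"),
        ProcessEvent(r"C:\tmp\a.exe", "a.exe --outfile:lsass.dmp --obfuscated"),
    ]
    for image, branches in scan(sample):
        print(f"ALERT {image}: {', '.join(branches)}")
```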
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-08-18