Dump LSASS via procdump Rename

Splunk Security Content

Summary
This detection rule identifies executions of the Sysinternals utility procdump.exe that has been renamed on disk and is being used to dump the memory of lsass.exe. Dumping this process is a common attacker tactic for harvesting credentials and other secrets from memory. The search matches both the '-mm' (mini dump) and '-ma' (full dump) command line arguments; either one aimed at lsass is suspicious and warrants investigation. To isolate the renamed case, the rule monitors for procdump running with those options while requiring that the process name does not match the usual 'procdump*.exe' naming pattern, i.e. the binary is still recognisable as procdump but is not executing under its normal file name. On the first run of the utility the command line may additionally contain '-accepteula'; this flag should be expected during analysis and does not change the verdict. During triage, review additional process-interaction data sources for cross-process activity targeting lsass.exe to corroborate that a dump actually took place.
Categories
  • Endpoint
Data Sources
  • Process
  • Image
ATT&CK Techniques
  • T1003
  • T1003.001
Created: 2024-11-14