
Summary
This detection rule identifies remote access to the Local Security Authority Subsystem Service (LSASS) process through Windows Remote Management (WinRM). LSASS enforces the local security policy, handles user logons and password verification, and as a result holds credential material (password hashes, Kerberos tickets, and in some configurations plaintext credentials) in its memory. Opening a handle to LSASS and reading that memory is a common credential dumping technique, most notably with Mimikatz. The rule monitors process access events (Sysmon Event ID 10 in most deployments) in which the target image is lsass.exe and the source image is wsmprovhost.exe, the legitimate WinRM provider host that executes commands on behalf of remote WinRM sessions, such as PowerShell Remoting or Invoke-Command. Accesses whose granted access mask is exactly 0x80000000 (GENERIC_READ) are filtered out as the expected baseline of WinRM's own activity; any other access mask requested by wsmprovhost.exe against lsass.exe is flagged for investigation. Because the source process is the WinRM host itself, a hit indicates that a remote session attempted to reach into LSASS, which is a strong signal and should be investigated by identifying the remote session's user and origin host.
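The following is an added worked example, not part of the original rule or its documentation: it implements the selection and filter logic described above in Python and runs it over a handful of constructed Sysmon Event ID 10 records, decoding the GrantedAccess mask into named process rights so an analyst can see what a flagged handle actually permitted. The event field names (SourceImage, TargetImage, GrantedAccess) follow Sysmon's ProcessAccess schema; the sample events themselves are invented for illustration.

```python
"""Evaluate the WinRM -> LSASS process-access rule over constructed Sysmon Event ID 10 records.

Added example. The rule logic mirrors the summary above: source image is the WinRM
provider host, target image ends in \\lsass.exe, and the single access mask 0x80000000
(GENERIC_READ) is filtered out as the expected baseline. Everything else is flagged.
"""

# Process-specific and standard/generic access rights from the Win32 SDK (winnt.h).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

WINRM_HOST = r"c:\windows\system32\wsmprovhost.exe"
BASELINE_MASK = 0x80000000  # the one mask the rule treats as benign WinRM behaviour

# Constructed sample events (not real telemetry). Field names follow Sysmon Event ID 10.
SAMPLE_EVENTS = [
    # Expected WinRM baseline: GENERIC_READ only -> filtered out.
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\wsmprovhost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x80000000"},
    # Memory read + limited query from the WinRM host -> flagged.
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\wsmprovhost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    # Same mask but from a different source process -> out of scope for this rule.
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    # WinRM host touching a different target -> not matched.
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\wsmprovhost.exe",
     "TargetImage": r"C:\Windows\system32\svchost.exe", "GrantedAccess": "0x1fffff"},
    # Case differences in paths must not evade the rule (Sigma matching is case-insensitive).
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WSMPROVHOST.EXE",
     "TargetImage": r"C:\WINDOWS\system32\LSASS.EXE", "GrantedAccess": "0x1FFFFF"},
]


def decode_access_mask(mask: int) -> list[str]:
    """Return the names of every access-right bit set in a GrantedAccess mask."""
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]


def matches(event: dict) -> bool:
    """Apply the rule: selection (WinRM host -> lsass.exe) and not filter (mask == 0x80000000)."""
    if event.get("EventID") != 10:
        return False
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    if source != WINRM_HOST or not target.endswith(r"\lsass.exe"):
        return False
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    return mask != BASELINE_MASK


def run_rule(events: list[dict]) -> list[dict]:
    """Return one alert per matching event, annotated with the decoded rights."""
    alerts = []
    for event in events:
        if matches(event):
            mask = int(event["GrantedAccess"], 16)
            alerts.append({"event": event, "rights": decode_access_mask(mask)})
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        ev = alert["event"]
        print(f"ALERT {ev['SourceImage']} -> {ev['TargetImage']} "
              f"GrantedAccess={ev['GrantedAccess']} ({', '.join(alert['rights'])})")
```

When triaging a hit, the decoded rights tell you how far the access could have gone: a handle with PROCESS_VM_READ is enough to read LSASS memory, while PROCESS_QUERY_LIMITED_INFORMATION alone is not. The exact-match filter on 0x80000000 is deliberately narrow; widening it to other masks trades detection coverage for fewer alerts and should be done only after baselining wsmprovhost.exe activity in your own environment.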
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
Created: 2019-05-20