
Summary
This detection rule identifies attempts to access the Local Security Authority Subsystem Service (LSASS) process by processes running from atypical directories whose execution call trace includes dbgcore.dll or dbghelp.dll. LSASS handles authentication on Windows and holds credential material such as NTLM hashes and Kerberos tickets in memory, so unauthorized read access to it enables credential dumping. Both dbghelp.dll and dbgcore.dll export MiniDumpWriteDump, the API used to write a process memory dump to disk; an attacker who dumps LSASS with it can parse the dump offline to recover credentials. Contemporary dumping tools often avoid these libraries and read LSASS memory directly through ntdll.dll, but legacy tools and scripts still depend on them, so a call trace through dbghelp.dll or dbgcore.dll from a process outside the usual system and program directories remains a useful signal. Because legitimate crash-dump and troubleshooting tools call the same API, the rule only flags sources in unexpected locations; analysts should still confirm the source binary and the granted access mask before escalating.
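To make the rule's logic concrete, the following added example (written for this page, not the rule's own query or any vendor code) re-implements its three conditions over constructed Sysmon Event ID 10 (ProcessAccess) records: the target is lsass.exe, the CallTrace contains dbghelp.dll or dbgcore.dll, and the source image lies outside an allow-list of expected directories. The allow-list, the key/value field parser and every sample event are assumptions for illustration only.

```python
"""Offline re-implementation of the LSASS-access-via-dbghelp/dbgcore rule.

Added example, not the rule's own query. The allow-listed directories and
the Sysmon Event ID 10 records below are constructed for illustration.
"""
import ntpath
from typing import Dict, List

# Both libraries export MiniDumpWriteDump, the API legacy dumpers call.
DUMP_LIBRARIES = ("dbghelp.dll", "dbgcore.dll")

# Assumed directories from which MiniDumpWriteDump against LSASS is tolerated
# (Task Manager, crash-dump tooling). Deliberately narrow: C:\Windows\Temp
# and similar writable locations are NOT allow-listed.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

LSASS_SUFFIX = "\\lsass.exe"


def parse_process_access(text: str) -> List[Dict[str, str]]:
    """Parse 'Key: value' lines of Sysmon EID 10 messages; a blank line ends an event."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")   # "Process accessed:" has no ": " and is skipped
        if sep:
            current[key] = value
    if current:
        events.append(current)
    return events


def in_trusted_dir(image_path: str) -> bool:
    """True if the normalized image path sits under an allow-listed directory.

    ntpath.normpath collapses '..' so a lexical prefix such as
    'C:\\Program Files\\..\\Users\\x\\tool.exe' is not mistaken for trusted.
    """
    normalized = ntpath.normpath(image_path).lower()
    return any(normalized.startswith(d) for d in TRUSTED_DIRS)


def matched_dump_library(call_trace: str) -> str:
    """Return the first dump library in the '|'-separated 'module+offset' CallTrace, else ''."""
    for frame in call_trace.split("|"):
        module = ntpath.basename(frame.split("+", 1)[0]).lower()  # Sysmon keeps loader casing (dbgcore.DLL)
        if module in DUMP_LIBRARIES:
            return module
    return ""


def is_suspicious_lsass_access(event: Dict[str, str]) -> str:
    """Apply the rule; return the matched library on a hit, '' otherwise."""
    if not event.get("TargetImage", "").lower().endswith(LSASS_SUFFIX):
        return ""
    library = matched_dump_library(event.get("CallTrace", ""))
    if not library:
        return ""   # ntdll-only traces (modern dumpers) are outside this rule's scope
    if in_trusted_dir(event.get("SourceImage", "")):
        return ""
    return library


def detect(text: str) -> List[Dict[str, str]]:
    """Run the rule over raw Sysmon text and return one record per hit."""
    hits = []
    for ev in parse_process_access(text):
        lib = is_suspicious_lsass_access(ev)
        if lib:
            hits.append({"SourceImage": ev["SourceImage"],
                         "GrantedAccess": ev.get("GrantedAccess", ""),
                         "Library": lib})
    return hits


# Constructed sample events (not real telemetry). Expected: events 1 and 4 hit;
# 2 is trusted Task Manager, 3 has no dump library, 5 does not target LSASS.
SAMPLE_EVENTS = """\
Process accessed:
RuleName: -
UtcTime: 2025-11-27 09:12:03.118
SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\procdump64.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4b4|C:\\Windows\\System32\\KERNELBASE.dll+2bb0e|C:\\Windows\\SYSTEM32\\dbgcore.DLL+1a2f5|C:\\Users\\alice\\AppData\\Local\\Temp\\procdump64.exe+3c71

Process accessed:
RuleName: -
UtcTime: 2025-11-27 09:14:55.001
SourceImage: C:\\Windows\\System32\\Taskmgr.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1410
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4b4|C:\\Windows\\System32\\KERNELBASE.dll+2bb0e|C:\\Windows\\SYSTEM32\\dbghelp.dll+4e0a1|C:\\Windows\\System32\\Taskmgr.exe+8b12

Process accessed:
RuleName: -
UtcTime: 2025-11-27 09:20:41.770
SourceImage: C:\\Users\\bob\\Downloads\\dumper.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4b4|C:\\Users\\bob\\Downloads\\dumper.exe+1f20

Process accessed:
RuleName: -
UtcTime: 2025-11-27 09:31:09.402
SourceImage: C:\\Program Files\\..\\Users\\bob\\Downloads\\evil.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4b4|C:\\Windows\\SYSTEM32\\dbghelp.dll+4e0a1|C:\\Users\\bob\\Downloads\\evil.exe+2210

Process accessed:
RuleName: -
UtcTime: 2025-11-27 09:40:00.000
SourceImage: C:\\Temp\\crashcatcher.exe
TargetImage: C:\\Windows\\System32\\svchost.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4b4|C:\\Windows\\SYSTEM32\\dbghelp.dll+4e0a1|C:\\Temp\\crashcatcher.exe+1000
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['SourceImage']} -> lsass.exe via {hit['Library']} (access {hit['GrantedAccess']})")
```

Two points worth carrying into a production version of this logic: the third sample event shows the gap the summary describes, a dumper whose trace passes only through ntdll.dll and therefore never matches, so this rule should sit alongside a GrantedAccess-based LSASS access rule rather than replace one; and any prefix-based directory allow-list is a false-negative risk wherever a non-administrator can write under the allow-listed tree, which is why the example keeps the list narrow and normalizes paths before comparing.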
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2025-11-27