LSASS Access Detected via Attack Surface Reduction

Sigma Rules

Summary
This detection rule identifies blocked attempts to access the Local Security Authority Subsystem Service (LSASS) process on Windows endpoints. LSASS enforces the local security policy and handles authentication, so its memory holds credential material (password hashes, Kerberos tickets) that credential-dumping tools try to read. The rule is built on Event ID 1121 from the Microsoft Defender Operational log, which is written when an Attack Surface Reduction (ASR) rule fires in block mode; the relevant ASR rule is the one that blocks credential stealing from lsass.exe. Selection keys on ASR block events involving lsass.exe, and a filter excludes initiating processes whose paths or names match an allow-list of system utilities and other approved applications, so only unexpected processes raise an alert (condition: selection and not filter). Two caveats for deployment: ASR itself does the blocking, and the rule only makes that block visible to analysts; and the rule fires only when the ASR rule runs in block mode, because audit-mode hits are logged as Event ID 1122 instead, so an environment still in audit mode produces no alerts from this rule. The Defender Operational channel must also be collected for the rule to see anything at all.
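As an added illustration, not the rule's own code and not part of this page, the selection/filter/condition logic is re-implemented below in Python and run over constructed Defender Operational events. The EventData field names used here (ID, Path, Process Name), the allow-list of trusted directories and every sample event are assumptions for the example; the real rule's filter list lives in the Sigma source. The LSASS ASR rule GUID is Microsoft's published identifier.

```python
from dataclasses import dataclass

# Assumed allow-list of directories for the initiating process. Entries are
# lower-case and end in a backslash so that "System32Evil" cannot match the
# "System32" entry. The real rule's filter list differs; this one is constructed.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\windows defender\\",
)

ASR_BLOCK_EVENT = 1121   # ASR rule fired in block mode (access denied)
ASR_AUDIT_EVENT = 1122   # ASR rule fired in audit mode (logged, not blocked)


@dataclass(frozen=True)
class DefenderEvent:
    """Subset of an ASR event's EventData. Field naming is an assumption for
    this example, chosen to mirror the Defender Operational XML."""
    event_id: int
    asr_rule_id: str    # 'ID': GUID of the ASR rule that fired
    path: str           # 'Path': protected target, e.g. C:\Windows\System32\lsass.exe
    process_name: str   # 'Process Name': process whose access was blocked/audited


def is_lsass_asr_block(ev: DefenderEvent) -> bool:
    """Selection: a block-mode ASR event whose protected target is lsass.exe.
    Comparison is case-insensitive because Windows paths are."""
    return ev.event_id == ASR_BLOCK_EVENT and ev.path.lower().endswith("\\lsass.exe")


def is_allow_listed(ev: DefenderEvent) -> bool:
    """Filter: the accessing process lives under an approved directory."""
    return ev.process_name.lower().startswith(TRUSTED_PREFIXES)


def matches_rule(ev: DefenderEvent) -> bool:
    """Condition: selection and not filter."""
    return is_lsass_asr_block(ev) and not is_allow_listed(ev)


def alerts(events):
    """Return the initiating process of every event the rule would raise."""
    return [ev.process_name for ev in events if matches_rule(ev)]


# Constructed sample events. LSASS_RULE is Microsoft's published GUID for
# "Block credential stealing from the Windows local security authority subsystem".
LSASS_RULE = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
OTHER_RULE = "11111111-2222-3333-4444-555555555555"   # placeholder, not a real rule
LSASS_PATH = "C:\\Windows\\System32\\lsass.exe"
DUMPER = "C:\\Users\\alice\\AppData\\Local\\Temp\\procdump64.exe"

SAMPLE_EVENTS = [
    # Dumper blocked from a user-writable directory: alert.
    DefenderEvent(1121, LSASS_RULE, LSASS_PATH, DUMPER),
    # System binary blocked: suppressed by the allow-list.
    DefenderEvent(1121, LSASS_RULE, LSASS_PATH, "C:\\Windows\\System32\\svchost.exe"),
    # Same dumper, but ASR in audit mode: Event 1122, so the rule stays silent.
    DefenderEvent(1122, LSASS_RULE, LSASS_PATH, DUMPER),
    # A different ASR rule firing against a different target: not an LSASS event.
    DefenderEvent(1121, OTHER_RULE, "C:\\Program Files\\App\\app.exe",
                  "C:\\Windows\\System32\\cmd.exe"),
    # Look-alike directory: the trailing backslash in the prefix keeps this an alert.
    DefenderEvent(1121, LSASS_RULE, LSASS_PATH, "C:\\Windows\\System32Evil\\dump.exe"),
]

if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT: LSASS access blocked by ASR, initiating process:", name)
```

Running the script reports only the dumper in the user's Temp directory and the look-alike System32Evil path. The audit-mode copy of the same access is deliberately not reported, which is the practical check to make before relying on this rule: confirm with Get-MpPreference that the LSASS ASR rule is in block mode on the hosts you monitor, or pair the rule with a second one on Event ID 1122.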
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
Created: 2018-08-26