
Potential Credential Dumping of LSASS

Anvilogic Forge

Summary
This detection rule identifies potential credential dumping attempts that target the LSASS (Local Security Authority Subsystem Service) process on Windows systems. It monitors Windows Security Event IDs 4656 (a handle to an object was requested) and 4663 (an attempt was made to access an object) where the object is the lsass.exe process. Specific hex values in the Access Mask field of these events identify the process rights that were requested, and the values the rule looks for are those consistent with reading or manipulating LSASS memory rather than routine querying. Machine accounts are filtered out by excluding usernames that contain '$', so the rule focuses on user accounts. The detection logic uses regular expressions to match the LSASS object and aggregates matching events over a five-second interval, summarizing the host, user, and process responsible for the access requests. Note that 4656 and 4663 are only generated for process objects when object access auditing is enabled on the endpoint (the Audit Kernel Object subcategory), so the rule has no visibility on hosts where that audit policy is off. This rule is critical for identifying actions consistent with credential dumping techniques (ATT&CK T1003) associated with known threat actors, particularly Alloy Taurus/Gallium.
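The following is an added example that re-implements the logic described above over constructed sample events; it is not the Anvilogic rule itself. The event records are hand-built in the shape of Security Event 4656/4663 fields, and the set of suspicious access masks is an assumption standing in for whatever hex values the real rule uses (0x1010, for instance, is PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, the minimum a memory dumper needs). Events are filtered on event ID, LSASS object name (regex), access mask, and the '$' machine-account exclusion, then aggregated into five-second buckets keyed by host, user, and process.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of process access masks; the real rule's hex values are not
# reproduced on this page. 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION.
SUSPICIOUS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}
WINDOW_SECONDS = 5
EPOCH = datetime(1970, 1, 1)
# Object name as logged in 4656/4663 is a device path; match the trailing image name.
LSASS_RE = re.compile(r"(?:^|\\)lsass\.exe$", re.IGNORECASE)

# Constructed sample data (not real telemetry).
LSASS = r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"
PROCDUMP = r"C:\Users\jdoe\Downloads\procdump64.exe"


def ev(time, event_id, user, obj, mask, process, host="WS01"):
    """Build one constructed event record with the 4656/4663 fields the rule uses."""
    return {"time": time, "event_id": event_id, "host": host, "user": user,
            "object": obj, "access_mask": mask, "process": process}


EVENTS = [
    ev("2024-02-09T10:00:00", 4656, "jdoe", LSASS, "0x1010", PROCDUMP),   # handle request
    ev("2024-02-09T10:00:02", 4663, "jdoe", LSASS, "0x1010", PROCDUMP),   # access attempt, same window
    ev("2024-02-09T10:00:03", 4656, "WS01$", LSASS, "0x1010", r"C:\Windows\System32\svchost.exe"),  # machine account: excluded
    ev("2024-02-09T10:00:04", 4656, "jdoe", LSASS, "0x1000", r"C:\Windows\System32\Taskmgr.exe"),   # query-only mask: benign
    ev("2024-02-09T10:00:04", 4663, "jdoe", r"\Device\HarddiskVolume2\Windows\notepad.exe", "0x1010", r"C:\Tools\x.exe"),  # not LSASS
    ev("2024-02-09T10:00:04", 4688, "jdoe", LSASS, "0x1010", PROCDUMP),   # wrong event ID: ignored
    ev("2024-02-09T10:00:09", 4656, "jdoe", LSASS, "0x1fffff", PROCDUMP), # PROCESS_ALL_ACCESS, next window
]


def is_candidate(event):
    """Apply the per-event filters: event ID, LSASS object, no machine account, suspicious mask."""
    if event["event_id"] not in (4656, 4663):
        return False
    if not LSASS_RE.search(event["object"]):
        return False
    if "$" in event["user"]:
        return False
    try:
        mask = int(event["access_mask"], 16)
    except ValueError:
        return False
    return mask in SUSPICIOUS_MASKS


def detect(events):
    """Aggregate candidate events into 5-second windows per host/user/process."""
    buckets = defaultdict(list)
    for e in events:
        if not is_candidate(e):
            continue
        ts = datetime.fromisoformat(e["time"])
        idx = (ts - EPOCH) // timedelta(seconds=WINDOW_SECONDS)  # integer bucket index
        buckets[(idx, e["host"], e["user"], e["process"])].append(e)

    alerts = []
    for (idx, host, user, process), hits in sorted(buckets.items()):
        alerts.append({
            "window_start": (EPOCH + timedelta(seconds=idx * WINDOW_SECONDS)).isoformat(),
            "host": host,
            "user": user,
            "process": process,
            "count": len(hits),
            "event_ids": sorted({h["event_id"] for h in hits}),
            "access_masks": sorted({h["access_mask"].lower() for h in hits}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the sample set, this produces two alerts for jdoe running procdump64.exe: one for the 10:00:00 window containing both the 4656 and 4663 events, and a second for the 10:00:05 window holding the PROCESS_ALL_ACCESS request. The machine account, the query-only Task Manager access, the non-LSASS object and the 4688 event are all dropped before aggregation.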
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1003
Created: 2024-02-09