
comsvcs.dll Lsass Memory Dump

Anvilogic Forge

Summary
This detection rule identifies attempts to dump the memory of the Windows Local Security Authority Subsystem Service (LSASS) process by abusing the MiniDump export of the built-in 'comsvcs.dll' system DLL, typically invoked as `rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass PID> <output path> full`. Because comsvcs.dll ships with Windows, the attacker needs no third-party tool such as Mimikatz on the host; the resulting minidump file is simply copied off and parsed offline to recover credentials. The call still requires SeDebugPrivilege, so the rundll32.exe process runs as an administrator or SYSTEM, and the LSASS process ID is usually obtained beforehand with a tool such as tasklist or Get-Process.

The monitoring logic captures Windows Sysmon events, focusing on the execution of 'rundll32.exe', a signed binary commonly used to load DLL-based payloads. The rule applies a series of event code filters, searches for processes referencing 'comsvcs.dll' together with dump-related keywords such as 'MiniDump', and compiles the matching incident data into a structured output for analysis, using a one-second binning interval so that closely related events are correlated together. The technique falls under the MITRE ATT&CK tactic Credential Access, sub-technique OS Credential Dumping: LSASS Memory (T1003.001). The detection is significant because the technique has been associated with advanced persistent threat (APT) groups including APT27 and APT35, among others, whose intrusions regularly include credential theft as a key component.
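To make the matching logic concrete, the following added example (not the Anvilogic rule's own query, and not code from the original page) re-implements the core of the detection in Python over constructed Sysmon Event ID 1 (process creation) records. The field names follow Sysmon's schema; the events, host names and PIDs are made up. It matches rundll32 by image path or by the PE's OriginalFileName (so a renamed copy is still caught), accepts the MiniDump export by name or by its ordinal (`#24`), ignores non-process-creation events, and groups hits per host into one-second bins as the rule does.

```python
"""Toy re-implementation of the comsvcs.dll MiniDump detection over Sysmon
Event ID 1 records. Added example: the records below are constructed, not
real telemetry, and the vendor rule's exact query is not reproduced here."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style process-creation (and one image-load) records.
SAMPLE_EVENTS = [
    {  # classic invocation by name
        "EventID": 1, "UtcTime": "2024-02-09 10:15:32.101", "Computer": "WS01",
        "User": "CORP\\admin", "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\lsass.dmp full",
    },
    {  # renamed rundll32 plus ordinal (#24) instead of the string MiniDump, same second
        "EventID": 1, "UtcTime": "2024-02-09 10:15:32.874", "Computer": "WS01",
        "User": "CORP\\admin", "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "RUNDLL32.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"svchost.exe comsvcs.dll,#24 624 \\?\C:\Users\Public\l.dmp full",
    },
    {  # benign rundll32 use: must not fire
        "EventID": 1, "UtcTime": "2024-02-09 10:15:33.002", "Computer": "WS01",
        "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE", "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
    },
    {  # comsvcs.dll legitimately loaded by dllhost (Event ID 7, not process creation)
        "EventID": 7, "UtcTime": "2024-02-09 10:20:00.500", "Computer": "WS02",
        "Image": r"C:\Windows\System32\dllhost.exe",
        "ImageLoaded": r"C:\Windows\System32\comsvcs.dll",
    },
    {  # uppercase path, no comma before the export name
        "EventID": 1, "UtcTime": "2024-02-09 10:20:01.000", "Computer": "WS02",
        "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE",
        "OriginalFileName": "RUNDLL32.EXE", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"RUNDLL32.EXE C:\WINDOWS\system32\COMSVCS.DLL MiniDump 700 c:\a.dmp full",
    },
]

# rundll32 at the end of the image path, any case
RUNDLL32_IMAGE_RE = re.compile(r"(^|[\\/])rundll32(\.exe)?$", re.I)
# comsvcs.dll referenced anywhere in the command line, with or without a path
COMSVCS_RE = re.compile(r"comsvcs(\.dll)?\b", re.I)
# MiniDump export by name, or by ordinal 24 written as "comsvcs.dll,#24"
MINIDUMP_RE = re.compile(r"\bminidump\b|comsvcs(\.dll)?\s*,\s*#24\b", re.I)


def is_rundll32(ev):
    """True for rundll32 by image path or by PE OriginalFileName (renamed copies)."""
    if RUNDLL32_IMAGE_RE.search(ev.get("Image", "")):
        return True
    return ev.get("OriginalFileName", "").upper() == "RUNDLL32.EXE"


def is_comsvcs_dump(ev):
    """Process-creation event where rundll32 invokes comsvcs.dll's MiniDump."""
    if ev.get("EventID") != 1:
        return False
    cmd = ev.get("CommandLine", "")
    return is_rundll32(ev) and bool(COMSVCS_RE.search(cmd)) and bool(MINIDUMP_RE.search(cmd))


def second_bin(utc_time):
    """Truncate a Sysmon UtcTime ("2024-02-09 10:15:32.101") to the second."""
    return datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f").strftime("%Y-%m-%d %H:%M:%S")


def detect(events):
    """Return one row per (host, one-second bin) containing matching events."""
    bins = defaultdict(list)
    for ev in events:
        if is_comsvcs_dump(ev):
            bins[(ev["Computer"], second_bin(ev["UtcTime"]))].append(ev)
    return [
        {"host": host, "bin": b, "count": len(evs),
         "users": sorted({e.get("User", "") for e in evs}),
         "parents": sorted({e.get("ParentImage", "") for e in evs}),
         "command_lines": [e["CommandLine"] for e in evs]}
        for (host, b), evs in sorted(bins.items())
    ]


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Run against the constructed records, the detector yields two rows: WS01 at 10:15:32 with two hits (the plain and the ordinal/renamed variants land in the same one-second bin) and WS02 at 10:20:01 with one hit; the Control Panel rundll32 call and the dllhost image load produce nothing. The OriginalFileName check and the ordinal pattern are the two places where a command-line-only rule is usually bypassed, which is why they are worth carrying into a production query.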
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Sensor Health
  • Application Log
ATT&CK Techniques
  • T1003
  • T1003.001
Created: 2024-02-09