
Summary
The rule detects suspicious process patterns characteristic of CrackMapExec, a widely used post-exploitation tool. It looks for specific command-line arguments and user behaviors associated with credential dumping. Its central condition is the search for processes that access the memory space of LSASS (Local Security Authority Subsystem Service). Two criteria are combined: command lines containing standard Windows commands, and the use of `rundll32.exe` to write a memory dump of LSASS. The rule primarily targets processes launched by command-line interpreters that manipulate LSASS, which can signal an attempt at unauthorized credential extraction.
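The following is an added illustration of the detection logic described above, not the rule's own query or code from the CrackMapExec project. It applies the two criteria from the summary to process-creation events: the parent process must be a command-line interpreter (the interpreter list is an assumption), and the command line must invoke `rundll32.exe` while referencing an LSASS memory dump. The events are constructed samples, and the DLL name in the suspicious sample is a placeholder.

```python
import re
from typing import Iterable, List, Dict

# Assumed set of command-line interpreters treated as suspicious parents.
CLI_INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe")

# Criterion 1: the command line runs rundll32.exe.
RUNDLL32_RE = re.compile(r"\brundll32(\.exe)?\b", re.IGNORECASE)
# Criterion 2: the command line refers to an LSASS memory dump.
LSASS_DUMP_RE = re.compile(r"minidump|lsass", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: Dict[str, str]) -> bool:
    """Apply both criteria to a single process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if parent not in CLI_INTERPRETERS:
        return False
    return bool(RUNDLL32_RE.search(cmd) and LSASS_DUMP_RE.search(cmd))


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that match the rule."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry). PLACEHOLDER.dll stands in
# for whatever DLL a tool would load; only the rundll32 + LSASS-dump pattern
# matters to the detection.
SAMPLE_EVENTS = [
    {  # benign: rundll32 launched by explorer.exe, no LSASS reference
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    },
    {  # benign: rundll32 from cmd.exe but unrelated to LSASS
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe printui.dll,PrintUIEntry /?",
    },
    {  # suspicious: interpreter parent, rundll32, LSASS dump on the command line
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\PLACEHOLDER.dll, MiniDump 624 C:\Windows\Temp\lsass.dmp full",
    },
    {  # benign: no rundll32 at all
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

Matching on the parent interpreter plus both command-line criteria keeps the ordinary `rundll32.exe` uses that every Windows host generates (control panel applets, printer UI) out of the alert stream; a rule built on `rundll32.exe` alone would be too noisy to triage.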
Categories
- Windows
- Endpoint
- Network
Data Sources
- Process
Created: 2022-03-12