
Summary
This detection rule identifies potential execution of nanodump, a tool that creates a minidump of the LSASS (Local Security Authority Subsystem Service) process. Nanodump is frequently used in credential dumping operations, particularly in red team engagements built around Cobalt Strike. The rule uses Windows Security event log entries that record access to the LSASS process object, specifically Event Code 4656 (a handle to an object was requested) and Event Code 4663 (an attempt was made to access an object). Both events record the object name, the requesting process and the access rights requested, so a handle to lsass.exe requested with memory-read rights, followed shortly by an access attempt from the same process, may indicate an attempt to dump credentials from memory. By correlating a 4656 handle request with a 4663 access attempt on LSASS within a 5-second window, the detection gives analysts an alert on potential credential extraction. Note that 4656 and 4663 are only generated for the LSASS process when object access auditing is enabled and a SACL covers that process object; without that audit configuration the rule has no events to match.
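The correlation described above, run over constructed Security-log records, as an added example that is neither the rule's own search logic nor the nanodump project's code. The field names used here (EventCode, ObjectType, ObjectName, ProcessId, ProcessName, AccessMask, TimeCreated) and the choice to require PROCESS_VM_READ in the requested access mask are assumptions for illustration; the sample events are hand-written, not captured logs.

```python
"""Correlate Windows Security events 4656 and 4663 that target lsass.exe.

Added example, not the detection rule's own logic.  Event field names
and the PROCESS_VM_READ heuristic are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Process access rights from the Windows SDK (winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# The window the rule description uses to tie a 4656 to a later 4663.
CORRELATION_WINDOW = timedelta(seconds=5)

LSASS_OBJECT = r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Suspicious: a binary in Temp asks for a handle to lsass.exe with
    # QUERY_LIMITED_INFORMATION|QUERY_INFORMATION|VM_READ (0x1410) and
    # accesses the object two seconds later.
    {"TimeCreated": "2024-11-22T10:00:00", "EventCode": 4656, "ObjectType": "Process",
     "ObjectName": LSASS_OBJECT, "ProcessId": "0x1a2c",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\nd.exe", "AccessMask": "0x1410"},
    {"TimeCreated": "2024-11-22T10:00:02", "EventCode": 4663, "ObjectType": "Process",
     "ObjectName": LSASS_OBJECT, "ProcessId": "0x1a2c",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\nd.exe", "AccessMask": "0x1410"},
    # Benign: svchost opens lsass.exe with QUERY_LIMITED_INFORMATION only (0x1000).
    {"TimeCreated": "2024-11-22T10:00:03", "EventCode": 4656, "ObjectType": "Process",
     "ObjectName": LSASS_OBJECT, "ProcessId": "0x3e8",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "AccessMask": "0x1000"},
    {"TimeCreated": "2024-11-22T10:00:03", "EventCode": 4663, "ObjectType": "Process",
     "ObjectName": LSASS_OBJECT, "ProcessId": "0x3e8",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "AccessMask": "0x1000"},
    # Not correlated: read-capable handle request, but the 4663 arrives 9 s later.
    {"TimeCreated": "2024-11-22T10:05:00", "EventCode": 4656, "ObjectType": "Process",
     "ObjectName": LSASS_OBJECT, "ProcessId": "0x2bd0",
     "ProcessName": r"C:\Windows\System32\Taskmgr.exe", "AccessMask": "0x1410"},
    {"TimeCreated": "2024-11-22T10:05:09", "EventCode": 4663, "ObjectType": "Process",
     "ObjectName": LSASS_OBJECT, "ProcessId": "0x2bd0",
     "ProcessName": r"C:\Windows\System32\Taskmgr.exe", "AccessMask": "0x1410"},
]


def parse_time(value):
    """TimeCreated is assumed to be ISO-8601 without a timezone."""
    return datetime.fromisoformat(value)


def targets_lsass(event):
    """True when the audited object is the LSASS process (NT object path form)."""
    return (event.get("ObjectType") == "Process"
            and event["ObjectName"].lower().endswith("\\lsass.exe"))


def requests_memory_read(event):
    """True when the requested access mask includes PROCESS_VM_READ.

    Reading LSASS memory is what a minidump needs; query-only handles
    (for example Task Manager listing processes) are not interesting.
    """
    return int(event["AccessMask"], 16) & PROCESS_VM_READ != 0


def correlate_lsass_access(events, window=CORRELATION_WINDOW):
    """Return one alert per read-capable 4656 on lsass.exe that is followed,
    within `window`, by a 4663 on lsass.exe from the same process ID."""
    ordered = sorted(events, key=lambda e: parse_time(e["TimeCreated"]))
    handle_requests = [e for e in ordered
                       if e["EventCode"] == 4656 and targets_lsass(e) and requests_memory_read(e)]
    accesses = [e for e in ordered if e["EventCode"] == 4663 and targets_lsass(e)]

    alerts = []
    for req in handle_requests:
        t0 = parse_time(req["TimeCreated"])
        for acc in accesses:
            t1 = parse_time(acc["TimeCreated"])
            if acc["ProcessId"] == req["ProcessId"] and t0 <= t1 <= t0 + window:
                alerts.append({
                    "process": req["ProcessName"],
                    "pid": req["ProcessId"],
                    "handle_requested": req["TimeCreated"],
                    "accessed": acc["TimeCreated"],
                    "access_mask": req["AccessMask"],
                })
                break  # one alert per handle request is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate_lsass_access(SAMPLE_EVENTS):
        print(f"LSASS read access: {alert['process']} (pid {alert['pid']}) "
              f"mask {alert['access_mask']} at {alert['accessed']}")
```

The access-mask filter is what keeps the benign svchost pair quiet, and the 5-second window drops the Task Manager pair; in production the same two filters are where most tuning happens, since legitimate security agents also open LSASS with read rights and will need an allow-list by signed process path.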
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1003
Created: 2024-11-22