
Potential Credential Access via Windows Utilities

Elastic Detection Rules

Summary
This rule identifies the execution of known Windows utilities that are commonly abused to dump the memory of the Local Security Authority Subsystem Service (LSASS) process or to extract data from the Active Directory database (NTDS.dit), both of which are steps toward credential theft. The detection runs as an EQL (Event Query Language) query over process start events drawn from multiple Windows event log indices, including Winlogbeat and Microsoft Defender data, and keys on utilities recognized for their credential-dumping potential such as 'procdump', 'WriteMiniDump.exe', 'ntdsutil.exe' and others, in order to surface unauthorized memory dumps or database extraction attempts that fall under the credential access tactic. The triage and analysis guidance directs the investigator to examine the process chain, any abnormal behavior of the associated processes, and other alerts raised for the same user or host within the past 48 hours. The rule also includes guidance on false positive analysis and outlines a response plan, with stricter incident response steps where the affected host is a domain controller.
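To make the matching concrete, the following is an added example, not the rule's own EQL query and not code from the Elastic detection-rules repository: a small Python approximation of the process-start logic the summary describes, run over constructed sample events. The ECS-style field names (process.pe.original_file_name, process.command_line, process.parent.executable), the specific command-line patterns, the Steam parent-path allowlist for WriteMiniDump.exe, and the rundll32/comsvcs.dll MiniDump case (inferred from the T1218.011 mapping) are all assumptions made for illustration; the sample events are constructed, not real telemetry.

```python
"""
Added, simplified example (not the rule's own EQL query): a Python approximation
of the process-start matching the summary describes, run over constructed sample
events. Field names follow ECS-style naming (process.pe.original_file_name,
process.command_line, process.parent.executable), but the matching patterns,
the parent-path allowlist and the sample events are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    original_file_name: str   # PE original file name; survives renaming of the binary on disk
    command_line: str         # full command line as logged
    parent_executable: str    # path of the parent process


# Assumed allowlist for WriteMiniDump.exe: Steam ships this crash-dump writer,
# so launches from the Steam install directory are treated as benign here.
STEAM_PARENT_PREFIXES = (
    "c:\\program files (x86)\\steam\\",
    "c:\\program files\\steam\\",
)


def _rest_of_command_line(cl: str) -> str:
    """Command line with argv[0] removed, lower-cased for case-insensitive matching."""
    parts = cl.lower().split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def match(ev: ProcessEvent) -> Optional[str]:
    """Return a short reason if the event looks like credential dumping, else None."""
    name = ev.original_file_name.lower()
    rest = _rest_of_command_line(ev.command_line)

    # Sysinternals ProcDump with -ma writes a full memory dump (T1003.001 when aimed at lsass).
    if name == "procdump" and "-ma" in rest.split():
        return "procdump full memory dump (-ma)"

    # WriteMiniDump.exe started from anywhere other than the assumed Steam directory.
    if name == "writeminidump.exe" and not ev.parent_executable.lower().startswith(STEAM_PARENT_PREFIXES):
        return "WriteMiniDump.exe outside Steam"

    # rundll32 proxying comsvcs.dll MiniDump (export ordinal 24) to dump a process (T1218.011 -> T1003.001).
    if name == "rundll32.exe" and "comsvcs" in rest and ("minidump" in rest or "#24" in rest):
        return "rundll32 comsvcs.dll MiniDump"

    # ntdsutil creating an IFM copy, which contains NTDS.dit (T1003.003).
    if name == "ntdsutil.exe" and "ntds" in rest and "create" in rest:
        return "ntdsutil NTDS.dit export"

    return None


def run_detection(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Apply match() to each event; return (command_line, reason) for every hit."""
    hits = []
    for ev in events:
        reason = match(ev)
        if reason:
            hits.append((ev.command_line, reason))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("procdump", r"procdump.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("procdump", r"procdump.exe -accepteula -e -w app.exe",   # crash capture, no -ma
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("RUNDLL32.EXE", r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("ntdsutil.exe", r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ntds" q q',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WriteMiniDump.exe", r"WriteMiniDump.exe 4321",
                 r"C:\Program Files (x86)\Steam\steam.exe"),          # assumed benign: Steam parent
    ProcessEvent("WriteMiniDump.exe", r"WriteMiniDump.exe 624",
                 r"C:\Users\bob\Downloads\wmd.exe"),
]


if __name__ == "__main__":
    for cmd, reason in run_detection(SAMPLE_EVENTS):
        print(f"[ALERT] {reason}: {cmd}")
```

Two design points carry over to the real rule: matching on the PE original file name rather than the on-disk name defeats the trivial evasion of renaming procdump.exe, and the parent-path allowlist is the kind of false-positive handling the summary refers to, so it should be as narrow as the legitimate software's install location allows.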
Categories
  • Endpoint
  • Windows
  • Identity Management
Data Sources
  • Process
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1003 (OS Credential Dumping)
  • T1003.001 (OS Credential Dumping: LSASS Memory)
  • T1003.003 (OS Credential Dumping: NTDS)
  • T1218 (System Binary Proxy Execution)
  • T1218.011 (System Binary Proxy Execution: Rundll32)
Created: 2020-11-24