
Potential SysInternals ProcDump Evasion

Sigma Rules

Summary
This detection rule aims to identify potential evasion techniques involving the SysInternals ProcDump tool, which is commonly used by attackers to capture memory dumps of running processes. The rule highlights scenarios where ProcDump or the dump files it produces are renamed or moved to disguise their presence on the system. Specifically, the detection focuses on process command lines that copy or move ProcDump binaries and their associated dump files. Three selections are evaluated: the first checks for the literal strings 'copy procdump' or 'move procdump', the second looks for copy or move actions involving dump files identified by typical extensions such as '.dmp', and the third looks for renaming activity that involves 'lsass.exe_'. The detection triggers if any one of these selections matches.
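The three selections described above, rendered as plain Python over process command lines. This is an added example, not the Sigma rule itself: the regular expressions, the selection names and the command lines in SAMPLE_COMMAND_LINES are assumptions constructed to mirror the summary (the real rule uses Sigma `contains` matching on the CommandLine field, which is looser than these patterns).

```python
"""Added example (not the Sigma rule): the three ProcDump-evasion selections
from the summary, applied to constructed process command lines."""
import re

# Selection 1: 'copy procdump' or 'move procdump' in the command line.
SEL_COPY_MOVE_PROCDUMP = re.compile(r"\b(copy|move)\s+procdump", re.IGNORECASE)

# Selection 2: a copy/move/rename action that touches a '.dmp' dump file.
SEL_DUMP_FILE = re.compile(r"\b(copy|move|ren|rename)\b.*\.dmp\b", re.IGNORECASE)

# Selection 3: renaming (or moving) activity that involves 'lsass.exe_',
# the prefix ProcDump uses for dumps of the LSASS process.
SEL_LSASS_RENAME = re.compile(r"\b(ren|rename|move)\b.*lsass\.exe_", re.IGNORECASE)

SELECTIONS = [
    ("selection_copy_move_procdump", SEL_COPY_MOVE_PROCDUMP),
    ("selection_dump_file", SEL_DUMP_FILE),
    ("selection_lsass_rename", SEL_LSASS_RENAME),
]


def match_procdump_evasion(command_line):
    """Return the names of every selection that matches; [] means no alert."""
    return [name for name, pattern in SELECTIONS if pattern.search(command_line)]


def is_alert(command_line):
    """The rule fires when any one of the three selections matches."""
    return bool(match_procdump_evasion(command_line))


def scan(command_lines):
    """Return (command_line, matched_selections) for each alerting entry only."""
    results = []
    for cmd in command_lines:
        hits = match_procdump_evasion(cmd)
        if hits:
            results.append((cmd, hits))
    return results


# Constructed sample telemetry (not real data); the last three are benign.
SAMPLE_COMMAND_LINES = [
    r"cmd.exe /c copy procdump.exe C:\Windows\Temp\svc.exe",
    r"cmd.exe /c move C:\Windows\Temp\out.dmp C:\Users\Public\data.bin",
    r"cmd.exe /c ren lsass.exe_220111_101530.dmp report.txt",
    r"notepad.exe C:\Users\alice\notes.txt",
    r"powershell.exe Get-Process lsass",
    r"cmd.exe /c copy report.docx \\fileserver\share\report.docx",
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_COMMAND_LINES):
        print(f"ALERT {hits}: {cmd}")
```

Because every selection keys on literal substrings of the command line, a binary that was renamed before it was ever executed on the monitored host will not satisfy the first selection, so treat this rule as a cheap complement to process-access telemetry on lsass.exe rather than a complete control. Expect some noise from the second selection in environments where legitimate crash-dump handling copies '.dmp' files around; tune it with the dump paths your tooling actually uses.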
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2022-01-11