
Summary
This detection rule identifies potentially suspicious access masks requested against the LSASS (Local Security Authority Subsystem Service) process in a Windows environment. It matches specific Event IDs related to access requests to LSASS and captures requests whose access masks are commonly associated with credential dumping techniques, such as reading process memory or accessing the sensitive data held within LSASS. Two primary selections, based on Event IDs 4656 and 4663, target all accesses to lsass.exe with significant access masks. Several filters then exclude legitimate processes that access LSASS for benign purposes, reducing false positives. The rule supports monitoring of credential access tactics by tracking this specific behavior on Windows systems, surfacing potentially unauthorized access to the data LSASS protects.
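The selection-and-filter logic described above, as an added example (not the rule's own code) run over constructed events: Event IDs 4656 and 4663 come from the summary, while the specific access-mask values, the benign-process allowlist and the sample records are assumptions.

```python
# Added example: a minimal evaluator for the LSASS access-mask detection logic.
# Event IDs 4656/4663 are from the rule summary; mask values and the
# allowlist below are assumptions, not taken from the rule itself.

SELECTED_EVENT_IDS = {4656, 4663}

# Assumed masks: 0x10 is PROCESS_VM_READ and 0x400 PROCESS_QUERY_INFORMATION;
# these combinations are typical of tools that read LSASS memory.
SUSPICIOUS_ACCESS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Assumed allowlist of image names that legitimately open LSASS (e.g. AV engines).
BENIGN_PROCESS_SUFFIXES = (r"\MsMpEng.exe", r"\csrss.exe")


def is_suspicious_lsass_access(event: dict) -> bool:
    """True if the event matches the selection and no filter excludes it."""
    if event.get("EventID") not in SELECTED_EVENT_IDS:
        return False
    if not event.get("ObjectName", "").lower().endswith("\\lsass.exe"):
        return False
    try:
        mask = int(str(event.get("AccessMask", "0")), 16)  # logged as hex text
    except ValueError:
        return False
    if mask not in SUSPICIOUS_ACCESS_MASKS:
        return False
    process = event.get("ProcessName", "").lower()
    if process.endswith(tuple(s.lower() for s in BENIGN_PROCESS_SUFFIXES)):
        return False  # false-positive filter for known benign accessors
    return True


def flagged_events(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if is_suspicious_lsass_access(e)]


# Constructed sample events (not real telemetry).
LSASS = r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": LSASS, "AccessMask": "0x1010",
     "ProcessName": r"C:\Users\Public\unknown.exe"},          # alert
    {"EventID": 4656, "ObjectName": LSASS, "AccessMask": "0x1410",
     "ProcessName": r"C:\ProgramData\Defender\MsMpEng.exe"},   # filtered out
    {"EventID": 4663, "ObjectName": LSASS, "AccessMask": "0x1000",
     "ProcessName": r"C:\Windows\System32\taskmgr.exe"},       # mask not in set
    {"EventID": 4663, "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
     "AccessMask": "0x1010", "ProcessName": r"C:\Windows\System32\notepad.exe"},  # not lsass
]

if __name__ == "__main__":
    for e in flagged_events(SAMPLE_EVENTS):
        print("ALERT:", e["EventID"], e["ProcessName"], e["AccessMask"])
```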
Categories
- Windows
- Cloud
- Endpoint
Data Sources
- Process
- Windows Registry
Created: 2019-11-01