
Potential Credential Access via LSASS Memory Dump

Elastic Detection Rules

Summary
This detection rule identifies suspicious access to the memory of the Local Security Authority Subsystem Service (LSASS) through API calls that may indicate credential dumping. Written in EQL, it monitors Windows process-access events for handles opened to 'lsass.exe' whose call trace passes through 'DBGHelp.dll' or 'DBGCore.dll', the libraries that export 'MiniDumpWriteDump', an API adversaries commonly use to write LSASS memory to disk and extract credential material from it. The rule excludes legitimate sources of such access, such as Windows crash handlers, to reduce false positives. An alert from this rule may indicate an attempt to harvest credentials from LSASS and warrants immediate investigation, potentially escalating to an organisation-wide response.
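The detection logic summarised above, re-implemented in Python as an added illustration (this is not Elastic's rule or code) and run over constructed Sysmon-style ProcessAccess events. The event field names, the crash-handler exclusion list and the sample paths are assumptions, not values from the rule.

```python
from dataclasses import dataclass

# Modules that export MiniDumpWriteDump. Their presence in the call trace of a
# handle opened to LSASS is the core signal described above.
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll")

# Assumed benign Windows crash-reporting processes that legitimately read LSASS.
CRASH_HANDLERS = ("werfault.exe", "werfaultsecure.exe")


@dataclass
class ProcessAccessEvent:
    """Constructed stand-in for a Sysmon event 10 (ProcessAccess) record."""
    source_image: str   # process that opened the handle
    target_image: str   # process whose memory was accessed
    call_trace: str     # modules on the call stack, '|'-separated


def _basename(path: str) -> str:
    return path.replace("/", "\\").lower().rsplit("\\", 1)[-1]


def is_lsass_dump_attempt(ev: ProcessAccessEvent) -> bool:
    """True when the event matches: target is lsass.exe, the call trace goes
    through a dump-capable module, and the source is not a known crash handler."""
    if _basename(ev.target_image) != "lsass.exe":
        return False
    trace = ev.call_trace.lower()
    if not any(mod in trace for mod in DUMP_MODULES):
        return False
    return _basename(ev.source_image) not in CRASH_HANDLERS


def alerts(events):
    """Return the source images of all events that should raise an alert."""
    return [ev.source_image for ev in events if is_lsass_dump_attempt(ev)]


# Constructed sample events: a crash handler (excluded), an unknown tool using
# dbgcore.dll (alert), a normal handle with no dump module, and a non-LSASS target.
SAMPLE_EVENTS = [
    ProcessAccessEvent(r"C:\Windows\System32\WerFault.exe", r"C:\Windows\System32\lsass.exe",
                       r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|C:\Windows\System32\dbghelp.dll+1b2c0"),
    ProcessAccessEvent(r"C:\Temp\unknown_tool.exe", r"C:\Windows\System32\lsass.exe",
                       r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|C:\Windows\System32\dbgcore.dll+2f110"),
    ProcessAccessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe",
                       r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|C:\Windows\System32\KERNELBASE.dll+2ab31"),
    ProcessAccessEvent(r"C:\Temp\unknown_tool.exe", r"C:\Windows\System32\notepad.exe",
                       r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|C:\Windows\System32\dbghelp.dll+1b2c0"),
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['C:\\Temp\\unknown_tool.exe']
```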
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1003
  • T1003.001
  • T1106
Created: 2021-10-07