Potential Credential Access via DuplicateHandle in LSASS

Elastic Detection Rules

Summary
This detection rule identifies suspicious access to the Local Security Authority Subsystem Service (LSASS) process via the DuplicateHandle API, which may indicate an attempt to bypass traditional security measures and dump credentials. It focuses on process-access events in which a handle to 'lsass.exe' is opened with '0x40' access rights and the call trace leads back to an unknown module, which suggests an adversary attempting to reach sensitive memory while evading normal detection mechanisms. The rule runs an EQL query over Sysmon events shipped by Winlogbeat to capture this activity within a specified timeframe. By focusing on the granted access mask in a suspicious context, this rule aims to proactively detect potential credential access attempts.
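The logic the summary describes, reproduced here as an added example in Python rather than EQL; this is not the rule's own query or Elastic's code. It assumes Sysmon Event ID 10 (ProcessAccess) records with the standard Sysmon field names (TargetImage, GrantedAccess, CallTrace, SourceImage) and uses constructed sample events, not captures from a real host. The 0x40 mask is PROCESS_DUP_HANDLE, the only right DuplicateHandle needs on the source process, which is why it stands out against the larger masks typical of full memory reads.

```python
"""Added example: flag LSASS process-access events that match the pattern
described above (target lsass.exe, GrantedAccess exactly 0x40, and a call
trace containing an UNKNOWN frame) over constructed Sysmon Event ID 10
records.  Field names follow the Sysmon schema; all values are constructed."""

PROCESS_DUP_HANDLE = 0x0040  # the '0x40' access right the rule keys on

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 10.
SAMPLE_EVENTS = [
    {   # benign: a system service opening lsass with a query-only mask
        "event_id": 10,
        "event_data": {
            "SourceImage": r"C:\Windows\System32\svchost.exe",
            "TargetImage": r"C:\Windows\System32\lsass.exe",
            "GrantedAccess": "0x1000",
            "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d6b4|C:\Windows\System32\KERNELBASE.dll+2c54e",
        },
    },
    {   # suspicious: unsigned tool asks only for PROCESS_DUP_HANDLE, from an unknown module
        "event_id": 10,
        "event_data": {
            "SourceImage": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
            "TargetImage": r"C:\Windows\System32\lsass.exe",
            "GrantedAccess": "0x40",
            "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d6b4|UNKNOWN(000001F2A0C01234)",
        },
    },
    {   # lsass opened with a large mask from known modules: other rules cover this, not this one
        "event_id": 10,
        "event_data": {
            "SourceImage": r"C:\Windows\System32\taskmgr.exe",
            "TargetImage": r"C:\Windows\System32\lsass.exe",
            "GrantedAccess": "0x1410",
            "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d6b4|C:\Windows\System32\dbgcore.dll+1a2b3",
        },
    },
    {   # 0x40 but the whole call trace resolves to known modules: not matched
        "event_id": 10,
        "event_data": {
            "SourceImage": r"C:\Windows\System32\csrss.exe",
            "TargetImage": r"C:\Windows\System32\lsass.exe",
            "GrantedAccess": "0x40",
            "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d6b4|C:\Windows\System32\csrsrv.dll+4c1d",
        },
    },
]


def is_suspicious_lsass_access(event: dict) -> bool:
    """Return True for a ProcessAccess event whose target is lsass.exe,
    whose granted mask is exactly PROCESS_DUP_HANDLE (0x40), and whose
    call trace contains at least one UNKNOWN (unbacked memory) frame."""
    if event.get("event_id") != 10:
        return False
    data = event.get("event_data", {})
    target = data.get("TargetImage", "").lower()
    if not target.endswith("\\windows\\system32\\lsass.exe"):
        return False
    try:
        granted = int(data.get("GrantedAccess", "0"), 16)  # Sysmon logs a hex string
    except ValueError:
        return False
    if granted != PROCESS_DUP_HANDLE:
        return False
    return "UNKNOWN" in data.get("CallTrace", "").upper()


def scan(events: list) -> list:
    """Return the SourceImage of every event that matches the detection."""
    return [e["event_data"]["SourceImage"] for e in events if is_suspicious_lsass_access(e)]


if __name__ == "__main__":
    for src in scan(SAMPLE_EVENTS):
        print("ALERT: possible DuplicateHandle access to LSASS from", src)
```

Only the second sample fires: the benign service and the known-module 0x40 open are ignored, and the large-mask read is left to the rules that cover direct memory dumps.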
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1003
  • T1003.001
Created: 2021-09-27