HackTool - Dumpert Process Dumper Default File

Sigma Rules

Summary
This detection rule identifies the creation of the default dump file written by the Dumpert tool, which is commonly used for credential access through process memory dumping. The rule specifically looks for file names ending in 'dumpert.dmp'; such a file indicates that the LSASS (Local Security Authority Subsystem Service) process may have been dumped and sensitive information such as credentials extracted. Dumpert, documented in Outflank's GitHub repository and analyzed in a Unit 42 report, is a well-known tool used by attackers to exploit vulnerabilities and gather credentials. This rule is therefore a useful control for monitoring Windows environments for suspicious file creation events that may indicate malicious activity.
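The check described above, as an added example written for this page rather than the Sigma rule itself or any Outflank code: it runs the "file name ends with dumpert.dmp" logic over a few constructed file-creation events. It assumes Sysmon-style telemetry (Event ID 11 with `Image` and `TargetFilename` fields); the real rule's logsource and field names may differ, and the sample events are made up for the demonstration.

```python
"""Flag file-creation events whose target name ends with the Dumpert default.

Added example, not the Sigma rule. Assumes Sysmon-style file-create events
(EventID 11, fields Image and TargetFilename); adjust for your own logsource.
"""
from typing import Dict, List

# The suffix the rule looks for, as described in the summary.
DUMPERT_SUFFIX = "dumpert.dmp"

# Constructed sample events for the demo; these are not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Default output name: should fire.
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\tool.exe",
     "TargetFilename": r"C:\Windows\Temp\dumpert.dmp"},
    # Ordinary document write: should not fire.
    {"EventID": 11, "Image": r"C:\Program Files\Editor\editor.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    # NTFS paths are case-insensitive, so the match must be too: should fire.
    {"EventID": 11, "Image": r"C:\Temp\svc.exe",
     "TargetFilename": r"C:\Temp\DUMPERT.DMP"},
    # Process-create event that only mentions the name on the command line;
    # this is not a file-creation event, so a file-create rule ignores it.
    {"EventID": 1, "Image": r"C:\Temp\svc.exe",
     "CommandLine": "svc.exe -o dumpert.dmp"},
    # Suffix present but the name does not END with it: should not fire.
    {"EventID": 11, "Image": r"C:\Temp\svc.exe",
     "TargetFilename": r"C:\Temp\dumpert.dmp.bak"},
]


def is_dumpert_dump(event: Dict[str, object]) -> bool:
    """True when the event is a file creation ending in the Dumpert suffix."""
    if event.get("EventID") != 11:          # only file-create events qualify
        return False
    target = event.get("TargetFilename")
    if not isinstance(target, str):         # malformed or missing field
        return False
    # Case-insensitive suffix match mirrors Sigma's Windows 'endswith' semantics.
    return target.lower().endswith(DUMPERT_SUFFIX)


def find_dumpert_dumps(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return every event that the rule logic would alert on."""
    return [e for e in events if is_dumpert_dump(e)]


def describe(event: Dict[str, object]) -> str:
    """Render a one-line alert for a matching event."""
    return (f"Dumpert default dump file created: {event['TargetFilename']} "
            f"by {event.get('Image', '<unknown image>')}")


if __name__ == "__main__":
    for hit in find_dumpert_dumps(SAMPLE_EVENTS):
        print(describe(hit))
```

Because the match is on a default file name, an operator who changes the output name sidesteps this rule entirely; treat it as a cheap high-confidence signal and pair it with detections on LSASS process access rather than relying on it alone.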
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2020-02-04