
Summary
This detection rule identifies potential credential dumping activity targeting the Local Security Authority Subsystem Service (LSASS) process on Windows systems. Credential dumping tools such as Mimikatz and similar utilities attempt to access the LSASS process to extract sensitive security material, including passwords and tokens. The rule monitors access requests to LSASS for specific granted access rights and uses known legitimate call traces to filter out non-malicious activity. It looks specifically for processes that request particular access rights to LSASS memory, since those rights correlate with known credential-access patterns. It also applies filters that exclude known non-malicious sources to reduce false positives, so that detection focuses on genuinely suspicious behavior. The alert level is set to medium, reflecting a significant but not critical indication of a possible security breach. The references provided include various threat hunting insights and technical documentation related to credential dumping.
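The matching logic described above, expressed as a small Python matcher over Sysmon Event ID 10 (ProcessAccess) records. This is an added example and not the rule's own code: the set of granted-access masks, the allowlisted source image, and the trusted-module prefixes are assumptions chosen for illustration (the page does not list the rule's exact values), and the sample events are constructed.

```python
"""Added example: apply LSASS-access detection logic to Sysmon EID 10 records.

Assumptions (not taken from the rule itself):
  * the access masks below are the ones treated as credential-access patterns;
  * one source image (wmiprvse.exe) is allowlisted as a known benign caller;
  * a call trace whose every frame lies in a Windows system directory is
    treated as a legitimate call trace.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed for this example: access masks commonly associated with reading LSASS memory.
PROCESS_VM_READ = 0x10
PROCESS_QUERY_INFORMATION = 0x400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

SUSPICIOUS_MASKS = frozenset({
    PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION,                              # 0x1010
    PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION,  # 0x1410
    PROCESS_ALL_ACCESS,                                                               # 0x1fffff
})

# Hypothetical allowlist of benign source images (lower-cased full paths).
ALLOWLISTED_SOURCES = frozenset({r"c:\windows\system32\wbem\wmiprvse.exe"})

# Frames whose module lives here are considered part of a legitimate call trace.
TRUSTED_MODULE_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class LsassAccessAlert:
    source_image: str
    granted_access: int
    reason: str


def _trusted_frame(frame: str) -> bool:
    """A Sysmon CallTrace frame looks like '<module>+<offset>' or 'UNKNOWN(<addr>)'."""
    module = frame.split("+", 1)[0].strip().lower()
    return module.startswith(TRUSTED_MODULE_PREFIXES)


def evaluate(event: Dict[str, str]) -> Optional[LsassAccessAlert]:
    """Return an alert when the event matches the LSASS credential-access pattern."""
    if event.get("EventID") != "10":
        return None
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if granted not in SUSPICIOUS_MASKS:
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLISTED_SOURCES:
        return None  # known benign caller filtered out
    frames = [f for f in event.get("CallTrace", "").split("|") if f]
    untrusted = [f for f in frames if not _trusted_frame(f)]
    if not untrusted:
        return None  # legitimate call trace: every frame is a Windows system module
    return LsassAccessAlert(source, granted, "untrusted frames: " + ", ".join(untrusted))


def scan(events: List[Dict[str, str]]) -> List[LsassAccessAlert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events in the shape of Sysmon Event ID 10 fields.
LSASS = r"C:\Windows\system32\lsass.exe"
SYS_FRAMES = r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2f67d"
SAMPLE_EVENTS = [
    {"EventID": "10", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010",
     "CallTrace": SYS_FRAMES + r"|C:\Users\alice\AppData\Local\Temp\tool.exe+1a2b3"},
    {"EventID": "10", "SourceImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1410", "CallTrace": SYS_FRAMES},
    {"EventID": "10", "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010", "CallTrace": SYS_FRAMES},
    {"EventID": "10", "SourceImage": r"C:\Windows\system32\notepad.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1fffff",
     "CallTrace": SYS_FRAMES + "|UNKNOWN(00007FF6AABB0000)"},
    {"EventID": "10", "SourceImage": r"C:\Windows\system32\taskhostw.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x40", "CallTrace": SYS_FRAMES},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.source_image} requested 0x{alert.granted_access:x}: {alert.reason}")
```

The trusted-module check is what makes the call-trace filter work: a frame backed by no image (`UNKNOWN(...)`) or by a module outside the Windows directories is what distinguishes an injected or user-dropped tool from the operating system's own access to LSASS. Tuning the mask set and allowlist against your own baseline is where the false-positive reduction the rule describes actually happens.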
Categories
- Endpoint
- Windows
Data Sources
- Process
- User Account
ATT&CK Techniques
- T1003.001
Created: 2019-04-03