diff --git a/rules/credential_access_lsass_memory_dumping.yml b/rules/credential_access_lsass_memory_dumping.yml
index c11785da9..e811dd2a2 100644
--- a/rules/credential_access_lsass_memory_dumping.yml
+++ b/rules/credential_access_lsass_memory_dumping.yml
@@ -23,7 +23,7 @@ condition: >
   sequence
   maxspan 2m
   by ps.uuid
-    |open_process and ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ')
+    |open_process and ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE')
       and
      kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
       and