
Shadow Copy Created

Anvilogic Forge

Summary
This detection rule identifies use of the Windows Volume Shadow Copy Service (VSS), which creates backup copies or snapshots of files and volumes, including files currently in use and locked. Adversaries abuse this capability to copy sensitive files such as ntds.dit, the Active Directory database, which holds critical directory data including credential material. The rule is written in Splunk search logic and captures shadow copy creation events, specifically Windows EventCode 8222, which records that a shadow copy has been created. The extraction logic uses regular expressions to identify this event and aggregates relevant fields such as user details, process names, and event timestamps. The rule is associated with known threat actors, including Lazarus and Volt Typhoon, and with software used in credential dumping activity. By monitoring shadow copy creation, organizations can detect misuse that may indicate an attack in progress or post-exploitation activity.
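The following Python is an added illustration of the extraction and aggregation the summary describes; it is not Anvilogic's rule or Splunk search. It filters raw Windows Security event text for EventCode 8222 with regular expressions, pulls out the subject account, process name, host, and timestamp, and aggregates counts with first- and last-seen times per host, user and process, the way a Splunk stats clause would. The sample event text, host names, accounts, process paths and times are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample records in the multi-line text form that Splunk's
# Windows event-log input ingests. The field labels follow the 8222 event
# layout; hosts, accounts, process paths and times are made up.
SAMPLE_EVENTS: List[str] = [
    "02/09/2024 10:15:32 AM\n"
    "LogName=Security\n"
    "EventCode=8222\n"
    "ComputerName=DC01.corp.example\n"
    "Message=Shadow copy has been created.\n"
    "Subject:\n"
    "    Account Name:    svc_backup\n"
    "    Account Domain:  CORP\n"
    "Process Information:\n"
    "    Process ID:      0x1a2c\n"
    "    Process Name:    C:\\Windows\\System32\\vssvc.exe\n",
    # A different event code, included to show that it is filtered out.
    "02/09/2024 10:16:01 AM\n"
    "LogName=Security\n"
    "EventCode=4688\n"
    "ComputerName=DC01.corp.example\n"
    "Message=A new process has been created.\n"
    "Subject:\n"
    "    Account Name:    svc_backup\n"
    "    Account Domain:  CORP\n"
    "Process Information:\n"
    "    New Process Name: C:\\Windows\\System32\\cmd.exe\n",
    "02/09/2024 02:40:10 PM\n"
    "LogName=Security\n"
    "EventCode=8222\n"
    "ComputerName=DC01.corp.example\n"
    "Message=Shadow copy has been created.\n"
    "Subject:\n"
    "    Account Name:    svc_backup\n"
    "    Account Domain:  CORP\n"
    "Process Information:\n"
    "    Process ID:      0x2b10\n"
    "    Process Name:    C:\\Windows\\System32\\vssvc.exe\n",
    "02/09/2024 11:05:00 AM\n"
    "LogName=Security\n"
    "EventCode=8222\n"
    "ComputerName=WS07.corp.example\n"
    "Message=Shadow copy has been created.\n"
    "Subject:\n"
    "    Account Name:    jdoe\n"
    "    Account Domain:  CORP\n"
    "Process Information:\n"
    "    Process ID:      0x0f44\n"
    "    Process Name:    C:\\Windows\\System32\\wbem\\WMIC.exe\n",
]

# Regular expressions for the fields the rule aggregates on.
TIME_RE = re.compile(r"\A(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)")
CODE_RE = re.compile(r"^EventCode=(\d+)$", re.M)
HOST_RE = re.compile(r"^ComputerName=(\S+)$", re.M)
USER_RE = re.compile(r"^\s*Account Name:\s*(\S+)\s*$", re.M)
DOMAIN_RE = re.compile(r"^\s*Account Domain:\s*(\S+)\s*$", re.M)
PROC_RE = re.compile(r"^\s*Process Name:\s*(.+?)\s*$", re.M)

SHADOW_COPY_CREATED = "8222"


def parse_shadow_copy_event(raw: str) -> Optional[dict]:
    """Return the extracted fields for an EventCode 8222 record, else None."""
    code = CODE_RE.search(raw)
    if code is None or code.group(1) != SHADOW_COPY_CREATED:
        return None

    def first(rx: re.Pattern, default: str = "unknown") -> str:
        m = rx.search(raw)
        return m.group(1) if m else default

    ts = datetime.strptime(first(TIME_RE), "%m/%d/%Y %I:%M:%S %p")
    return {
        "time": ts,
        "host": first(HOST_RE),
        "user": f"{first(DOMAIN_RE)}\\{first(USER_RE)}",
        "process": first(PROC_RE),
    }


def aggregate_shadow_copy_activity(
    raw_events: List[str],
) -> Dict[Tuple[str, str, str], dict]:
    """Group 8222 events by (host, user, process) with count and time span."""
    summary: Dict[Tuple[str, str, str], dict] = defaultdict(
        lambda: {"count": 0, "first_seen": None, "last_seen": None}
    )
    for raw in raw_events:
        ev = parse_shadow_copy_event(raw)
        if ev is None:
            continue  # not a shadow copy creation event
        key = (ev["host"], ev["user"], ev["process"])
        bucket = summary[key]
        bucket["count"] += 1
        if bucket["first_seen"] is None or ev["time"] < bucket["first_seen"]:
            bucket["first_seen"] = ev["time"]
        if bucket["last_seen"] is None or ev["time"] > bucket["last_seen"]:
            bucket["last_seen"] = ev["time"]
    return dict(summary)


if __name__ == "__main__":
    for (host, user, proc), stats in aggregate_shadow_copy_activity(SAMPLE_EVENTS).items():
        print(f"{host} {user} {proc}: {stats['count']} creation(s), "
              f"{stats['first_seen']} .. {stats['last_seen']}")
```

Aggregating by process as well as user is what makes the output reviewable: shadow copies requested through the expected backup service account look different from a one-off creation by an interactive user via an administrative tool, and the first/last-seen span shows whether the activity is routine and scheduled or a single burst.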
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
  • File
  • Process
ATT&CK Techniques
  • T1003.003
Created: 2024-02-09