
Summary
This detection rule identifies the creation of symbolic links to Volume Shadow Copies (VSS) using the Windows 'mklink' command. In Windows environments, attackers may abuse built-in system utilities to create symbolic links to Volume Shadow Copies, giving them access to potentially sensitive data stored in those snapshots. The rule uses process creation logs to detect the 'mklink' command invoked with an argument containing 'HarddiskVolumeShadowCopy', which indicates a potential credential dumping or data exfiltration attempt via shadow copy access. The detection condition triggers on any command line containing both 'mklink' and 'HarddiskVolumeShadowCopy'; this combination is typically indicative of malicious activity unless performed by legitimate administrative users.
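The detection condition described above, implemented here as an added example (not the rule's own code) in Python over constructed process-creation events; the Sysmon-style field names, sample command lines and shadow copy indices are assumptions made for the example:

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1). Field names and
# command lines are assumptions for this example, not captured telemetry.
# mklink is a cmd.exe built-in, so the spawning image is cmd.exe in every case.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c MKLINK /D C:\vss \\?\globalroot\device\harddiskvolumeshadowcopy3\Windows\System32\config"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c mklink /d C:\link C:\target"},   # mklink without VSS target: no hit
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},                     # VSS enumeration, covered by other rules
]

# Pulls the shadow copy index out of the device path so an analyst can correlate
# the alert with the snapshot list on the host.
VSS_RE = re.compile(r"harddiskvolumeshadowcopy(\d+)", re.IGNORECASE)


def matches_rule(command_line: str) -> bool:
    """Both substrings must be present; the comparison is case-insensitive,
    matching the default behaviour of a Sigma 'contains' selection."""
    cl = command_line.lower()
    return "mklink" in cl and "harddiskvolumeshadowcopy" in cl


def detect(events):
    """Return one finding per matching event, carrying the fields an analyst
    needs for triage (image, shadow copy index, full command line)."""
    findings = []
    for ev in events:
        cl = ev.get("CommandLine", "")
        if not matches_rule(cl):
            continue
        m = VSS_RE.search(cl)
        findings.append({
            "image": ev.get("Image"),
            "shadow_copy_index": int(m.group(1)) if m else None,
            "command_line": cl,
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"ALERT: {f['image']} linked shadow copy {f['shadow_copy_index']}: {f['command_line']}")
```

Findings from known administrative maintenance accounts can be filtered downstream by the account or parent-process fields rather than by loosening the command-line condition.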
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2019-10-22