Symbolic Link to Shadow Copy Created

Elastic Detection Rules

Summary
This detection rule identifies the creation of symbolic links to Volume Shadow Copies on Windows systems. Such links give a process ordinary file-system access to the contents of a shadow copy, which can include files that are locked on the live volume, such as ntds.dit, the Active Directory database that stores account password hashes. The rule is written in Event Query Language (EQL) and matches process-creation events whose command-line arguments indicate that a symbolic link to a shadow copy is being created. Setup requires enabling the relevant advanced audit policies so that the process-creation events reach the detection workflow. The rule is aimed at spotting credential dumping, where an adversary on an already compromised host harvests sensitive data from a shadow copy.
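As an added illustration, not part of the page or of Elastic's rule, the following Python approximates the match logic described above and runs it over constructed sample process-start events. The page does not reproduce the rule's EQL, so the field names, the restriction to cmd.exe, and the command-line patterns are assumptions.

```python
import re
from typing import Dict, List

# Patterns approximating the rule's command-line conditions (assumption:
# the page describes the intent, not the exact EQL).
MKLINK_RE = re.compile(r"\bmklink\b", re.IGNORECASE)
SHADOW_RE = re.compile(r"HarddiskVolumeShadowCopy\d*", re.IGNORECASE)


def is_shadow_copy_symlink(event: Dict[str, str]) -> bool:
    """Return True when a process-start event looks like a symbolic link
    being created to a shadow copy device path."""
    if event.get("event.type") != "start":
        return False  # only process creation, not termination
    if event.get("process.name", "").lower() != "cmd.exe":
        return False  # mklink is a cmd.exe builtin (assumed scope)
    cmdline = event.get("process.command_line", "")
    return bool(MKLINK_RE.search(cmdline)) and bool(SHADOW_RE.search(cmdline))


def find_matches(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of every event that triggers the logic."""
    return [e["process.command_line"] for e in events if is_shadow_copy_symlink(e)]


# Constructed sample events (ECS-style field names; not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event.type": "start", "process.name": "cmd.exe",
     "process.command_line": r"cmd.exe /c mklink /d C:\vss \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows"},
    {"event.type": "start", "process.name": "cmd.exe",
     "process.command_line": r"cmd.exe /c mklink /d C:\tools D:\tools"},  # ordinary link, no shadow path
    {"event.type": "start", "process.name": "vssadmin.exe",
     "process.command_line": "vssadmin.exe list shadows"},  # no mklink, different process
    {"event.type": "end", "process.name": "cmd.exe",
     "process.command_line": r"cmd.exe /c mklink /d C:\vss \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows"},
]

if __name__ == "__main__":
    for line in find_matches(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the first sample event fires: the second lacks a shadow copy path, the third does not run mklink, and the fourth is a process end rather than a start.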
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Process
  • Windows Registry
  • File
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1003
  • T1003.002
  • T1003.003
Created: 2021-12-25