
Credential Dumping via Copy Command from Shadow Copy

Splunk Security Content

Summary
This detection rule identifies attempts to dump credentials from Windows Volume Shadow Copies using the `copy` command, a common credential harvesting tactic. It specifically looks for command lines that reference critical system files such as `sam`, `security`, `system`, and `ntds.dit` in their system directories, which are frequently targeted in attacks aimed at privilege escalation or lateral movement within a network. Leveraging Endpoint Detection and Response (EDR) data, the rule monitors process creation events whose command lines match these patterns, which can signify an ongoing attack. The detection analyzes telemetry from EDR agents for command patterns indicative of credential dumping, providing security teams with timely alerts for further investigation.
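To make the detection logic concrete, the following is an added example (not the Splunk rule itself, which is written in SPL) that applies the same three conditions described above to a handful of constructed EDR-style process events: a `copy` verb in the command line, a shadow copy device path, and one of the named credential files under its expected system directory. The event field names (`host`, `user`, `parent`, `process`, `cmdline`) and the sample command lines are assumptions made for this illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample EDR process-creation events (not real telemetry).
# Events 1 and 2 should fire; 3-5 are benign controls, including a
# legitimate file restore from a shadow copy (event 4) and a copy from
# another path under \Windows\System32 (event 5).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "powershell.exe", "process": "cmd.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Users\Public\sam.bak"},
    {"host": "dc01", "user": "CORP\\svc-backup", "parent": "cmd.exe", "process": "cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
    {"host": "ws02", "user": "CORP\\bob", "parent": "explorer.exe", "process": "cmd.exe",
     "cmdline": r"copy C:\Users\bob\report.docx D:\backup\report.docx"},
    {"host": "ws02", "user": "CORP\\bob", "parent": "explorer.exe", "process": "cmd.exe",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\bob\Documents\notes.txt C:\restore\notes.txt"},
    {"host": "ws03", "user": "CORP\\carol", "parent": "cmd.exe", "process": "cmd.exe",
     "cmdline": r"copy C:\Windows\System32\drivers\etc\hosts C:\temp\hosts"},
]

# Condition 1: the built-in copy verb, as a whole token.
COPY_VERB = re.compile(r"(?i)(?:^|\s)copy(?:\s|$)")

# Condition 2: a Volume Shadow Copy device path (HarddiskVolumeShadowCopyN).
SHADOW_COPY_PATH = re.compile(r"(?i)harddiskvolumeshadowcopy\d+")

# Condition 3: one of the credential files in the directory it normally
# lives in. Anchoring on the directory avoids matching unrelated files
# that merely contain these words (e.g. anything under \System32\).
CRITICAL_FILE = re.compile(
    r"(?i)\\windows\\(?:system32\\config|ntds)\\(sam|security|system|ntds\.dit)\b"
)


def match_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert record if the event satisfies all three conditions, else None."""
    cmd = event["cmdline"]
    if not COPY_VERB.search(cmd):
        return None
    target = CRITICAL_FILE.search(cmd)
    if target is None:
        return None
    if not SHADOW_COPY_PATH.search(cmd):
        return None
    return {
        "host": event["host"],
        "user": event["user"],
        "parent": event["parent"],
        "process": event["process"],
        "file": target.group(1).lower(),
        "cmdline": cmd,
    }


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the detection over a batch of process events and collect alerts."""
    alerts = []
    for event in events:
        alert = match_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} {alert['user']} copied {alert['file']} "
              f"from a shadow copy via {alert['parent']} -> {alert['process']}")
```

Requiring all three conditions keeps ordinary shadow copy restores (event 4) and copies of other files under `\Windows\System32` (event 5) from firing, while the `parent` and `user` fields carried into the alert give an analyst the triage context the summary calls for.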
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • File
ATT&CK Techniques
  • T1003.003
  • T1003
Created: 2024-12-10