Credential Dumping Via Symlink To Shadow Copy
This search detects the creation of a symlink to a shadow copy.
Credential Dumping Via Symlink To Shadow Copy Help
You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.
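The matching logic, expressed outside Splunk as an added example (this is not the search shipped with this detection). It assumes the symlink is created with `mklink` and that its target names a `HarddiskVolumeShadowCopy` device; the events are constructed, and the field names (`_time`, `dest`, `user`, `process`, `parent_process`) are assumed to follow the Processes node of the Endpoint data model.

```python
import re
from collections import defaultdict

# Assumed indicators: both tokens must appear in the command line, in any case.
MKLINK = re.compile(r"\bmklink\b", re.IGNORECASE)
SHADOW = re.compile(r"HarddiskVolumeShadowCopy\d*", re.IGNORECASE)

# Constructed sample events; "process" carries the full command line.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "dc01", "user": "admin1", "parent_process": "cmd.exe",
     "process": r"cmd.exe /c mklink /d C:\Temp\v1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"},
    {"_time": 1700000300, "dest": "dc01", "user": "admin1", "parent_process": "cmd.exe",
     "process": r"cmd.exe /c MKLINK /D C:\Temp\v2 \\?\GLOBALROOT\Device\harddiskvolumeshadowcopy2"},
    # Benign: a symlink between two ordinary directories.
    {"_time": 1700000400, "dest": "ws07", "user": "dev", "parent_process": "cmd.exe",
     "process": r"cmd.exe /c mklink /d C:\src\lib C:\vendor\lib"},
    # Benign: shadow copy administration without any symlink.
    {"_time": 1700000500, "dest": "fs02", "user": "backup", "parent_process": "cmd.exe",
     "process": "vssadmin list shadows"},
    # Edge case: the command line was not captured for this event.
    {"_time": 1700000600, "dest": "fs02", "user": "backup", "parent_process": "cmd.exe"},
]

def is_shadow_copy_symlink(command_line):
    """True when the command line contains both mklink and a shadow copy device name."""
    if not command_line:
        return False
    return bool(MKLINK.search(command_line) and SHADOW.search(command_line))

def find_shadow_copy_symlinks(events):
    """Group matching events by (dest, user) with count and first/last seen times."""
    groups = defaultdict(list)
    for ev in events:
        if is_shadow_copy_symlink(ev.get("process")):
            key = (ev.get("dest", "unknown"), ev.get("user", "unknown"))
            groups[key].append(ev)
    results = []
    for (dest, user), hits in sorted(groups.items()):
        times = [h["_time"] for h in hits]
        results.append({"dest": dest, "user": user, "count": len(hits),
                        "first_time": min(times), "last_time": max(times),
                        "process": [h["process"] for h in hits]})
    return results

if __name__ == "__main__":
    for row in find_shadow_copy_symlinks(SAMPLE_EVENTS):
        print(row)
```

If the "process" field is empty for every event, the match can never fire, which is why the command-line mapping described above is a prerequisite.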