
Episode 27: Roberto Rodriguez
Detection: Challenging Paradigms
How to Detect False Positives in Credential Dumping
One of my theories is that, instead of focusing on just what's necessary... so in the credential, I know that you're familiar with this, a lot of us use Sysmon Event ID 10 as our detection base, like the base for our detection. But the problem is that a process access event is only necessary for credential dumping, right? But there's a ton of reasons why somebody might open a handle to LSASS, right? So maybe you want to write to LSASS, maybe you just want to enumerate some information about LSASS, maybe you want to read from LSASS. But just because we've observed that somebody requested a handle with the PROCESS_VM_READ access does not mean that they actually used that handle to
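A small triage helper, added here as an example and not part of the episode or of Roberto's tooling, that decodes the GrantedAccess mask of Sysmon Event ID 10 records so that handles to LSASS which lack PROCESS_VM_READ can be set aside and the read-capable ones flagged for corroboration. The event records and image paths are constructed sample data; the access-right constants are the documented Windows process rights.

```python
# Added example, not from the episode: triage Sysmon Event ID 10 (ProcessAccess)
# records against lsass.exe by decoding GrantedAccess. Sample data is constructed.

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

def decode_access(mask_hex):
    """Return the named process rights set in a Sysmon GrantedAccess value."""
    return [name for bit, name in PROCESS_RIGHTS.items() if int(mask_hex, 16) & bit]

def triage_lsass_access(events):
    """Keep only handles to lsass.exe; 'read_capable' means PROCESS_VM_READ was
    granted, which is necessary for reading credential material but proves only
    that access was requested, not that memory was actually read."""
    results = []
    for ev in events:
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        rights = decode_access(ev["GrantedAccess"])
        results.append({
            "source": ev["SourceImage"],
            "rights": rights,
            "verdict": "read_capable" if "PROCESS_VM_READ" in rights else "not_read_capable",
        })
    return results

# Constructed sample events in the shape of Sysmon Event ID 10 fields.
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": "C:\\Temp\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": "C:\\Windows\\explorer.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1fffff"},
]
```

Running `triage_lsass_access(SAMPLE_EVENTS)` drops the notepad event and marks only the 0x1010 handle as read-capable; even that one still needs evidence that memory was read before it is called credential dumping.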