diff --git a/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/credential-dumping-via-symlink.yml b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/credential-dumping-via-symlink.yml
new file mode 100644
index 00000000..9c9d5517
--- /dev/null
+++ b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/credential-dumping-via-symlink.yml
@@ -0,0 +1,14 @@
+author: PB
+id: 7af655b0-ac26-4bbd-a93a-2ac200861e4b
+date: '2025-11-12'
+description: Attack data for detection Credential Dumping via Symlink to Shadow Copy
+ New
+environment: attack_range
+directory: credential-dumping-via-symlink
+mitre_technique:
+- T1003.003
+datasets:
+- name: data
+ path: datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
diff --git a/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log
new file mode 100644
index 00000000..4dfa391f
--- /dev/null
+++ b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:263b56afa1db376866d4fa029d4e57a3084d408731473fcff28529f8dfb392c5
+size 11161
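Review bot: The `description` in credential-dumping-via-symlink.yml is a plain scalar folded over two lines, so it parses as "... Symlink to Shadow Copy New", and the trailing `New` reads like a leftover from a working title rather than part of the detection's name. If that is the case, keep the value on one line and drop the word: `description: Attack data for detection Credential Dumping via Symlink to Shadow Copy`. If `New` does belong to the detection name, a `>-` block scalar would make the fold deliberate. The description also does not say what the Sysmon log records, and data.log is only a Git LFS pointer in this commit. One sentence naming the captured activity and the Sysmon event types the detection relies on would let a detection engineer judge the dataset's fit without pulling the file.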