You are hunting for signs of credential dumping using Mimikatz. Which process events in Microsoft Defender for Endpoint would most likely indicate this activity?
Mimikatz opens LSASS to read credential material; such access is suspicious.
Why this answer
Option B is correct because Mimikatz often injects into LSASS to dump credentials, so detecting a process opening LSASS with specific access flags (e.g., PROCESS_VM_READ) is a key indicator. Option A is wrong because svchost.exe is not typically used for credential dumping. Option C is wrong because powershell.exe alone is generic. Option D is wrong because cmd.exe is generic.