Deleting Shadow Copies

Splunk Security Content

Summary
This detection rule identifies the deletion of shadow copies on Windows systems using the built-in utilities vssadmin.exe and wmic.exe. The tactic of deleting shadow copies is commonly employed by attackers to hinder data recovery efforts during or following a compromise, often to conceal traces of their activities. The rule utilizes data from various sources, including Sysmon and Windows Event Logs, to monitor processes that match specific criteria associated with shadow copy deletion. When executed, this rule provides security teams with actionable insights, highlighting instances where potentially malicious commands were issued that could indicate an attack in progress. The rule captures events where processes named vssadmin.exe or wmic.exe are involved in executing delete commands related to shadow copies, allowing for timely investigation and potential incident response.
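The matching criteria the summary describes (a process named vssadmin.exe or wmic.exe whose command line carries a delete command aimed at shadow copies) can be exercised outside Splunk over a handful of process-creation events. The block below is an added illustration, not Splunk's own search or any code from the Security Content project; the event dictionaries, field names (`host`, `process_name`, `process`, `parent`) and the two regular expressions are assumptions chosen to resemble extracted Sysmon or Windows Security process-creation fields.

```python
import re

# Constructed sample process-creation events, shaped like extracted Sysmon
# EventID 1 / Security 4688 fields. Only two of them should trigger the rule.
SAMPLE_EVENTS = [
    {"host": "ws01", "process_name": "vssadmin.exe",
     "process": "vssadmin.exe delete shadows", "parent": "cmd.exe"},
    {"host": "ws01", "process_name": "vssadmin.exe",
     "process": "vssadmin.exe list shadows", "parent": "cmd.exe"},
    {"host": "srv02", "process_name": "wmic.exe",
     "process": "wmic.exe shadowcopy delete", "parent": "powershell.exe"},
    {"host": "srv02", "process_name": "wmic.exe",
     "process": "wmic.exe process list brief", "parent": "cmd.exe"},
    {"host": "ws03", "process_name": "notepad.exe",
     "process": "notepad.exe delete_shadows_notes.txt", "parent": "explorer.exe"},
]

# The two utilities the rule watches; names are compared case-insensitively.
WATCHED_PROCESSES = {"vssadmin.exe", "wmic.exe"}

# "delete" as a whole word, and "shadow", "shadows" or "shadowcopy" as a whole
# word, anywhere in the command line (assumed patterns, not the rule's own).
DELETE_RE = re.compile(r"\bdelete\b", re.IGNORECASE)
SHADOW_RE = re.compile(r"\bshadow(copy|s)?\b", re.IGNORECASE)


def is_shadow_copy_deletion(event):
    """True when a watched process runs a delete command that targets shadow copies."""
    name = event.get("process_name", "").lower()
    cmd = event.get("process", "")
    return (name in WATCHED_PROCESSES
            and DELETE_RE.search(cmd) is not None
            and SHADOW_RE.search(cmd) is not None)


def find_shadow_copy_deletions(events):
    """Return the events that satisfy the rule, preserving their order."""
    return [e for e in events if is_shadow_copy_deletion(e)]


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['process']} (parent {hit['parent']})")
```

Both regexes use word boundaries so that a file name such as `delete_shadows_notes.txt` launched by an unrelated program does not match, and the process-name check keeps the rule scoped to the two utilities the summary names; a real deployment would also carry the parent process and user into the alert, since those fields drive the triage the summary calls for.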
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1490
Created: 2024-12-10