
Creation of Shadow Copy with wmic and powershell

Splunk Security Content

Summary
This analytic rule detects the creation of Volume Shadow Copies on Windows systems through the 'wmic' and 'PowerShell' commands. It runs over the Endpoint.Processes data model in Splunk and flags process executions whose command line contains both of the keywords 'shadowcopy' and 'create'. Shadow copy creation is a technique malicious actors can use to manipulate or gain unauthorized access to sensitive data: by restoring files to a previous state, attackers can potentially cover their tracks after compromising the system or exfiltrating data. Identifying this activity is therefore an important part of detecting suspicious behavior that could lead to data theft or manipulation. The analytic relies on process telemetry such as Sysmon and Windows Event Logs to track the relevant process activity, giving defenders a way to identify and respond to such threats.
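As an added example (not Splunk's own search or code), the Python below reimplements the keyword logic the summary describes and runs it over constructed Sysmon-style process-creation records mapped to Endpoint.Processes field names. The field names dest, user, parent_process_name, process_name and process, the sample records, and the stats-style grouping are assumptions; the actual SPL is not on this page. The sample set also shows the two edges of a pure keyword match that an analyst triaging this alert should know about: a 'vssadmin create shadow' command is not matched because it lacks the 'shadowcopy' keyword, and an unrelated process whose command line merely contains both words is matched.

```python
import json
from collections import Counter

# Constructed Sysmon Event ID 1 (process creation) records in JSON-lines form,
# already mapped to Endpoint.Processes field names. Sample data, not real telemetry.
SAMPLE_EVENTS = r"""
{"dest": "WS01", "user": "CORP\\jdoe", "parent_process_name": "cmd.exe", "process_name": "WMIC.exe", "process": "wmic shadowcopy call create Volume=C:\\"}
{"dest": "WS02", "user": "CORP\\svc-backup", "parent_process_name": "cmd.exe", "process_name": "powershell.exe", "process": "powershell.exe -Command (Get-WmiObject -List Win32_ShadowCopy).Create('C:\\','ClientAccessible')"}
{"dest": "WS01", "user": "CORP\\jdoe", "parent_process_name": "cmd.exe", "process_name": "vssadmin.exe", "process": "vssadmin create shadow /for=C:"}
{"dest": "WS03", "user": "CORP\\alice", "parent_process_name": "explorer.exe", "process_name": "notepad.exe", "process": "notepad.exe C:\\Users\\alice\\shadowcopy-create-notes.txt"}
"""

# The two keywords the summary says the analytic looks for in the command line.
KEYWORDS = ("shadowcopy", "create")


def parse_events(jsonl: str) -> list[dict]:
    """Parse JSON-lines process records into dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def matches_shadow_copy_create(cmdline: str) -> bool:
    """Case-insensitive substring test for both keywords, like a wildcard
    match on Processes.process in SPL."""
    lowered = cmdline.lower()
    return all(keyword in lowered for keyword in KEYWORDS)


def detect_shadow_copy_creation(events: list[dict]) -> list[dict]:
    """Return the events this analytic would surface."""
    return [e for e in events if matches_shadow_copy_create(e.get("process", ""))]


def summary_key(event: dict) -> tuple:
    """Grouping key, mirroring a '| stats count by dest user parent_process_name
    process_name process' style roll-up (assumed shape)."""
    return tuple(event.get(f, "") for f in
                 ("dest", "user", "parent_process_name", "process_name", "process"))


def summarize_hits(hits: list[dict]) -> Counter:
    """Count matches per (host, user, parent, process, command line) tuple."""
    return Counter(summary_key(h) for h in hits)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    hits = detect_shadow_copy_creation(events)
    for key, count in summarize_hits(hits).items():
        dest, user, parent, proc, cmd = key
        print(f"{count}  {dest}  {user}  {parent} -> {proc}  {cmd}")
```

Running the script lists three matches (the WMIC and PowerShell invocations plus the notepad false positive) and no line for vssadmin, which is why the roll-up keeps process_name and parent_process_name: they let an analyst separate a genuine shadow copy creation from a keyword coincidence, and they show which parent launched the command.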
Categories
  • Windows
  • Endpoint
Data Sources
  • Pod
  • Process
  • Windows Registry
  • Command
  • File
ATT&CK Techniques
  • T1003.003
  • T1003
Created: 2024-12-10