Volume Shadow Copy Deleted or Resized via VssAdmin

Elastic Detection Rules

Summary
This detection rule identifies use of the `vssadmin.exe` utility to delete or resize Volume Shadow Copies on Windows endpoints. This activity is commonly associated with ransomware, which removes system backups to eliminate the victim's recovery options. The rule uses EQL (Event Query Language) to monitor process executions for any occurrence in which `vssadmin.exe` is invoked with a 'delete' or 'resize' parameter targeting shadow copies. It is a high-risk detection designed to alert security teams to potentially malicious activity that can lead to data loss or impaired system recovery.

The rule includes investigation guidance: analyze the process execution chain, verify the legitimacy of the user account, and review recent alerts for the same user or host to determine whether the execution was legitimate or part of a malicious attempt. Recommended response actions cover host isolation, malware detection, and data recovery procedures, so that potential ransomware operations can be contained before significant damage occurs. The rule also provides context on false positives and lists related detection rules to help refine the response strategy.
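To show the detection logic the summary describes, here is an added Python example (not Elastic's rule or the page's own code) that applies the same matching conditions to constructed, ECS-shaped process-start events; the field names and the sample events are assumptions, and the upstream rule's exact EQL query is not reproduced.

```python
"""Added example (not part of the Elastic rule): a minimal re-implementation
of the described detection, run over constructed Windows process-start events.
Field names mirror Elastic Common Schema (event.type, process.name,
process.args); the exact EQL of the upstream rule is not reproduced."""
from typing import Iterable

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event.type": "start", "host.name": "ws-01", "user.name": "alice",
     "process.name": "vssadmin.exe", "process.parent.name": "cmd.exe",
     "process.args": ["vssadmin.exe", "delete", "shadows", "/all"]},
    {"event.type": "start", "host.name": "ws-02", "user.name": "SYSTEM",
     "process.name": "vssadmin.exe", "process.parent.name": "svchost.exe",
     "process.args": ["vssadmin.exe", "resize", "shadowstorage",
                      "/for=C:", "/on=C:", "/maxsize=401MB"]},
    {"event.type": "start", "host.name": "ws-03", "user.name": "bob",
     "process.name": "vssadmin.exe", "process.parent.name": "cmd.exe",
     "process.args": ["vssadmin.exe", "list", "shadows"]},  # benign listing
    {"event.type": "start", "host.name": "ws-04", "user.name": "carol",
     "process.name": "notepad.exe", "process.parent.name": "explorer.exe",
     "process.args": ["notepad.exe", "delete-shadows.txt"]},  # not vssadmin
]

def is_shadow_copy_tamper(event: dict) -> bool:
    """True when a process-start event is vssadmin.exe deleting or resizing
    shadow copies / shadow storage, the behaviour the rule alerts on."""
    if event.get("event.type") != "start":
        return False
    if event.get("process.name", "").lower() != "vssadmin.exe":
        return False
    # vssadmin accepts any casing, so compare arguments case-insensitively.
    args = [a.lower() for a in event.get("process.args", [])]
    has_verb = any(a in ("delete", "resize") for a in args)
    targets_shadows = any(a.startswith("shadow") for a in args)
    return has_verb and targets_shadows

def find_alerts(events: Iterable[dict]) -> list[dict]:
    """One alert per matching event, carrying the triage context the rule's
    investigation guidance asks for (host, user, parent process)."""
    return [
        {"host": e["host.name"], "user": e["user.name"],
         "parent": e["process.parent.name"],
         "command_line": " ".join(e["process.args"])}
        for e in events if is_shadow_copy_tamper(e)
    ]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The `list shadows` event is deliberately left unmatched: only the delete and resize verbs indicate backup tampering, which keeps routine administrative enumeration out of the alert stream.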
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • File
ATT&CK Techniques
  • T1490
Created: 2020-02-18