
Create Volume Shadow Copy with Powershell

Sigma Rules

Summary
This detection rule identifies the creation of volume shadow copies on Windows systems through PowerShell. Adversaries create shadow copies to read files that are locked while in use, most notably the Active Directory domain database (NTDS.dit), which holds the password hashes of every domain account. The rule looks for PowerShell script block text that references the `Win32_ShadowCopy` WMI class together with its `.Create(` method and the `ClientAccessible` context argument, the combination used to request a persistent snapshot of a volume. It depends on PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) being enabled; without it the script blocks are never recorded and the rule cannot fire. It covers only the PowerShell/WMI path: shadow copies created with vssadmin, wmic, or diskshadow are out of scope for this rule. Backup and imaging software creates shadow copies legitimately, so expect to tune for known tooling, but a match outside those sources should be treated as high severity given the risk of credential access.
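The following is an added example, not the rule's own code or the site's: it re-implements the matching logic the summary describes and runs it over constructed Script Block Logging records, including one benign enumeration, two ways of calling `Win32_ShadowCopy.Create`, a CIM-cmdlet variant, and a record from the wrong event type. It assumes the rule requires all three fragments with Sigma's default `contains` modifier (case-insensitive substring match), that the method fragment is the literal `.Create(`, and that the rule's script log source maps to Event ID 4104 in Microsoft-Windows-PowerShell/Operational; the sample records are constructed, not real telemetry.

```python
"""Worked check of the rule's matching logic over constructed
PowerShell Script Block Logging (Event ID 4104) records.

Added example; not the rule's own code. Assumptions: all three
fragments are required with Sigma's default 'contains' modifier
(case-insensitive substring), the method fragment is the literal
'.Create(', and the rule's log source maps to Event ID 4104 in
Microsoft-Windows-PowerShell/Operational.
"""

PS_OPERATIONAL = "Microsoft-Windows-PowerShell/Operational"
SCRIPT_BLOCK_EVENT_ID = 4104

# The fragments the summary says the rule requires, all of them.
REQUIRED_FRAGMENTS = ("Win32_ShadowCopy", ".Create(", "ClientAccessible")


def matches_rule(script_block_text: str) -> bool:
    """True when every required fragment is a case-insensitive substring."""
    text = script_block_text.lower()
    return all(frag.lower() in text for frag in REQUIRED_FRAGMENTS)


def evaluate(events):
    """Return the ids of the records that would fire the rule.

    Only 4104 script block records are inspected; other PowerShell
    events (e.g. 4103 pipeline execution) are not what the rule is
    written against, even if their text happens to match.
    """
    return [
        ev["id"]
        for ev in events
        if ev["Channel"] == PS_OPERATIONAL
        and ev["EventID"] == SCRIPT_BLOCK_EVENT_ID
        and matches_rule(ev["ScriptBlockText"])
    ]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # Admin listing existing shadow copies: class name only, no Create.
        "id": "benign-enum",
        "Channel": PS_OPERATIONAL, "EventID": SCRIPT_BLOCK_EVENT_ID,
        "ScriptBlockText": "Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate",
    },
    {   # Classic WMI creation of a persistent snapshot of C:.
        "id": "wmi-create",
        "Channel": PS_OPERATIONAL, "EventID": SCRIPT_BLOCK_EVENT_ID,
        "ScriptBlockText": r'(Get-WmiObject -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")',
    },
    {   # Same action via the [wmiclass] accelerator, typed in lower case;
        # PowerShell is case-insensitive, so the match must be too.
        "id": "wmiclass-lowercase",
        "Channel": PS_OPERATIONAL, "EventID": SCRIPT_BLOCK_EVENT_ID,
        "ScriptBlockText": r"([wmiclass]'root\cimv2:win32_shadowcopy').create('c:\', 'clientaccessible')",
    },
    {   # Same action through the CIM cmdlets: no '.Create(' literal, so the
        # rule as summarised does not fire. A gap worth a sibling rule.
        "id": "cim-create",
        "Channel": PS_OPERATIONAL, "EventID": SCRIPT_BLOCK_EVENT_ID,
        "ScriptBlockText": r"Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create -Arguments @{Volume='C:\'; Context='ClientAccessible'}",
    },
    {   # Matching text, but in a 4103 pipeline record, outside the rule's log source.
        "id": "pipeline-4103",
        "Channel": PS_OPERATIONAL, "EventID": 4103,
        "ScriptBlockText": r'(Get-WmiObject -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")',
    },
]


if __name__ == "__main__":
    hits = set(evaluate(SAMPLE_EVENTS))
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:>18}: {'ALERT' if ev['id'] in hits else 'no match'}")
```

Run stand-alone, the script flags `wmi-create` and `wmiclass-lowercase` and leaves the other three alone. The `cim-create` record is the one to notice when tuning: `Invoke-CimMethod` reaches the same `Win32_ShadowCopy.Create` method without ever emitting the `.Create(` text, so a rule built on that literal needs a companion selection for the cmdlet form if that path matters in your environment.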
Categories
  • Windows
  • Endpoint
Data Sources
  • Script
  • WMI
Created: 2022-01-12