
Summary
This detection rule is designed to identify malicious activities involving PowerShell that leverage base64-encoded Windows Management Instrumentation (WMI) classes. Specifically, it targets calls to classes like 'Win32_ShadowCopy' and 'Win32_ScheduledJob', which are often used by attackers to create unauthorized shadow copies or scheduled tasks without raising suspicion. The rule examines process creation events for PowerShell (both powershell.exe and pwsh.exe) and looks for specific encoded command-line arguments that correspond to various WMI classes. By matching the encoded strings directly within the command line rather than the clear-text class names, the rule aims to detect the obfuscation technique employed by threat actors, assisting in the early identification of potentially malicious behavior in Windows environments.
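The following is an added illustration of the matching logic the summary describes, not the rule's own code: it derives the base64 fragments a WMI class name produces inside a -EncodedCommand payload (UTF-16LE, at each of the three possible base64 alignments) and runs them over constructed process-creation events. The class list is limited to the two names given above, and the image paths and sample commands are assumptions made up for the example.

```python
import base64

# Classes named on this page; a production rule carries a longer list (assumption).
WMI_CLASSES = ["Win32_ShadowCopy", "Win32_ScheduledJob"]
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")


def base64_variants(text: str) -> set:
    """Base64 fragments that match `text` wherever it falls in an encoded command.
    -EncodedCommand carries base64 of UTF-16LE, and base64 maps 3 bytes to 4 chars,
    so the same text has three encodings depending on its byte offset mod 3. Prepend
    0, 1 or 2 filler bytes, encode, and keep only the 4-char groups built entirely
    from the text's own bytes; those are stable in any surrounding stream."""
    raw = text.encode("utf-16-le")
    variants = set()
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).decode("ascii")
        start = 4 if offset else 0               # first group mixes in filler bytes
        end = ((offset + len(raw)) // 3) * 4     # drop the trailing partial group
        variants.add(enc[start:end])
    return variants


SIGNATURES = {cls: base64_variants(cls) for cls in WMI_CLASSES}


def encode_command(script: str) -> str:
    """Produce the value PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def match_event(event: dict) -> list:
    """Return the WMI classes whose encoded form appears in a process-creation event."""
    if not event.get("Image", "").lower().endswith(POWERSHELL_IMAGES):
        return []
    cmd = event.get("CommandLine", "")
    return [cls for cls, sigs in SIGNATURES.items() if any(s in cmd for s in sigs)]


# Constructed sample events, not real telemetry. The first three scripts place the
# class name at byte offsets 2, 0 and 1 (mod 3), exercising every base64 alignment.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -Enc " + encode_command("Get-CimInstance Win32_ShadowCopy")},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -e " + encode_command("gwmi -Class Win32_ScheduledJob")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + encode_command("$x=[wmiclass]'Win32_ShadowCopy'")},
    {"Image": r"C:\Windows\System32\cmd.exe",  # not a PowerShell image: must not fire
     "CommandLine": "cmd.exe /c " + encode_command("Win32_ShadowCopy")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},  # benign, no encoded payload
]
```

Base64 is case-sensitive while PowerShell is not, so a production rule also generates variants for the casings of each class name seen in practice.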
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-01-30