
Windows WMIC Shadowcopy Delete

Splunk Security Content

Summary
This detection rule identifies the use of the Windows Management Instrumentation Command-line utility (WMIC) to delete volume shadow copies, a tactic commonly employed by ransomware, including Cactus ransomware, to hinder recovery by removing these backups before files are encrypted. Seeing this on an endpoint is a strong indicator of malicious activity aimed at preventing data recovery and restoration after an attack. The rule relies on Sysmon Event ID 1, which logs process creation events, to track executions of wmic.exe whose command line carries the arguments that delete shadow copies. The search query runs against the Endpoint data model and reports the processes involved, the user context, the parent process, and the full command line. Implementation notes stress that Sysmon logging and the associated permissions must be properly configured so that the command-line and parent-process fields are actually captured; without them the rule has nothing to match. Because the rule is keyed on wmic.exe, it does not cover other ways of deleting shadow copies (for example vssadmin, or the Win32_ShadowCopy WMI class driven from PowerShell), which need their own detections.
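The detection logic described above, run over a handful of constructed Sysmon Event ID 1 records, as an added example that is not Splunk's SPL or test data. The sample events, the field names (modelled on Sysmon's Image, OriginalFileName, CommandLine, ParentImage, User, Computer) and the function names are assumptions made for this illustration. One deliberate extension beyond the page's process-name match: the check also accepts a process whose PE OriginalFileName is wmic.exe, so a renamed copy of the binary is still caught.

```python
import re
from typing import Dict, Iterable, List

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the fields
# the rule needs. These samples are invented for this illustration; they are not
# events from the original page or from Splunk's test data.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # the textbook case: wmic.exe deleting every shadow copy
        "EventID": 1, "Computer": "WS01",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic shadowcopy delete",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\alice",
    },
    {   # the same action from a renamed copy of wmic.exe; only OriginalFileName gives it away
        "EventID": 1, "Computer": "WS02",
        "Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "svc.exe shadowcopy delete /nointeractive",
        "ParentImage": r"C:\Users\bob\AppData\Local\Temp\loader.exe",
        "User": r"CORP\bob",
    },
    {   # benign: an administrator listing shadow copies, no delete verb
        "EventID": 1, "Computer": "WS01",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic shadowcopy list brief",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\admin",
    },
    {   # not a process-creation event; must be ignored regardless of its content
        "EventID": 3, "Computer": "WS01",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic shadowcopy delete",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\alice",
    },
]

# "shadowcopy" followed later on the command line by the verb "delete". WMIC
# accepts either case, so the match is case-insensitive; the verb must be a
# whole token so that "shadowcopy list" does not match.
SHADOWCOPY_DELETE = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)


def is_wmic(event: Dict[str, object]) -> bool:
    """True if the process is wmic.exe by image path or by PE OriginalFileName.

    Checking OriginalFileName as well as the image name is the added hardening
    mentioned in the lead-in: it catches a renamed wmic.exe that a plain
    process_name match would miss.
    """
    image = str(event.get("Image", "")).rsplit("\\", 1)[-1].lower()
    original = str(event.get("OriginalFileName", "")).lower()
    return image == "wmic.exe" or original == "wmic.exe"


def detect_wmic_shadowcopy_delete(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Return one alert record per Sysmon EID 1 event that runs 'wmic shadowcopy delete'."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("EventID") != 1:          # process creation only
            continue
        if not is_wmic(ev):                 # wrong binary
            continue
        cmdline = str(ev.get("CommandLine", ""))
        if not SHADOWCOPY_DELETE.search(cmdline):
            continue                        # wmic, but not a shadow-copy deletion
        alerts.append({
            "dest": str(ev["Computer"]),
            "user": str(ev["User"]),
            "process": cmdline,
            "parent_process": str(ev["ParentImage"]),
            "technique": "T1490",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_wmic_shadowcopy_delete(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script raises two alerts (the direct wmic.exe run and the renamed copy) and stays quiet on the benign listing and on the non-EID-1 record. The alert fields mirror what the page says the search reports: host, user, parent process and full command line, which is what an analyst needs to decide whether the parent is a backup tool or a ransomware loader.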
Categories
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1490
Created: 2025-03-18