
Summary
This detection rule identifies potential malicious activities involving the deletion of Volume Shadow Copies on Windows systems through PowerShell cmdlets. The use of Win32_ShadowCopy class by attackers, especially in conjunction with ransomware, is significant as these actions aim to eliminate recovery options for victims. By monitoring the execution of specific PowerShell commands that interact with the Win32_ShadowCopy WMI (Windows Management Instrumentation) class, security teams can detect and respond to such threats in real time. The rule captures processes that start with PowerShell and execute commands aimed at retrieving and deleting shadow copies. By implementing this rule, organizations can enhance their threat detection capabilities, specifically regarding ransomware tactics aimed at inhibiting system recovery. Analysis and investigation of detected events should be conducted to determine if malicious intent is present, and incident response actions may be necessary if attacks are confirmed.
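The detection logic the summary describes, written out as an added example rather than the rule's own query: it filters process-creation events to PowerShell hosts, looks for the Win32_ShadowCopy WMI class on the command line, and separates outright deletion from mere enumeration (which an administrator or backup agent may do legitimately). The event shape (an `image` path plus a `command_line` string, as a Sysmon or EDR process event would carry) and all sample events are constructed for this example; the `-EncodedCommand` expansion is an assumption about how a tuned version of the rule would avoid being blinded by base64-wrapped script blocks.

```python
"""Added example: PowerShell / Win32_ShadowCopy detection over sample process events.

Not the rule's own query. Assumes process-creation events with an image path and a
command line (Sysmon/EDR style); all sample data below is constructed.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line as logged by the sensor


# PowerShell hosts the rule cares about (assumption: Windows PowerShell, PowerShell 7, ISE)
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")

# The WMI class the rule keys on, plus the cmdlets that retrieve it and the calls that delete instances
SHADOWCOPY_CLASS = re.compile(r"win32_shadowcopy", re.IGNORECASE)
RETRIEVE_CMDLET = re.compile(r"\b(get-wmiobject|gwmi|get-ciminstance|gcim)\b", re.IGNORECASE)
DELETE_ACTION = re.compile(r"\.delete\(\)|\bremove-wmiobject\b|\bremove-ciminstance\b", re.IGNORECASE)

# -EncodedCommand and its short forms carry a base64 UTF-16LE script block
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def is_powershell(image: str) -> bool:
    """True when the process image is one of the PowerShell hosts."""
    return image.rsplit("\\", 1)[-1].lower() in POWERSHELL_IMAGES


def expand_encoded(command_line: str) -> str:
    """Append the decoded -EncodedCommand payload so the class/cmdlet patterns can see it."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return command_line
    try:
        decoded = base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line  # malformed payload: fall back to the raw command line
    return command_line + " " + decoded


def classify(event: ProcessEvent):
    """Return 'delete', 'enumerate' or None for one process-creation event."""
    if not is_powershell(event.image):
        return None
    cl = expand_encoded(event.command_line)
    if not SHADOWCOPY_CLASS.search(cl):
        return None
    if DELETE_ACTION.search(cl):
        return "delete"        # high severity: recovery points are being removed
    if RETRIEVE_CMDLET.search(cl):
        return "enumerate"     # lower severity: worth a look, often benign admin activity
    return None


def detect(events):
    """Run the rule over a batch of events; returns (command_line, verdict) pairs for hits."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict:
            hits.append((event.command_line, verdict))
    return hits


# Constructed sample events (not real telemetry)
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_SAMPLE = base64.b64encode(
    "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }".encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    ProcessEvent(_PS, "powershell.exe -NoP Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh.exe -Command Get-CimInstance Win32_ShadowCopy"),
    ProcessEvent(_PS, "powershell.exe -EncodedCommand " + ENCODED_SAMPLE),
    ProcessEvent(_PS, "powershell.exe Get-WmiObject Win32_OperatingSystem"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for command_line, verdict in detect(SAMPLE_EVENTS):
        print(f"{verdict:9s} {command_line[:80]}")
```

Running the block flags three of the five constructed events: the plain deletion, the enumeration-only call (as `enumerate`), and the base64-wrapped deletion, while the unrelated WMI query and the non-PowerShell process are ignored. Splitting the verdict this way lets a SOC page on `delete` immediately and route `enumerate` to a lower-priority queue, which is where the follow-up analysis the summary calls for would normally happen.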
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- User Account
ATT&CK Techniques
- T1490
- T1059
- T1059.001
Created: 2021-07-19