Volume Shadow Copy Deletion via WMIC

Elastic Detection Rules

Summary
This rule identifies the use of WMIC (Windows Management Instrumentation Command-line) to delete Volume Shadow Copies on Windows endpoints. Such activity is typically associated with ransomware or other destructive attacks, since perpetrators often delete shadow copies to prevent victims from recovering their files without paying a ransom. The rule uses an EQL query to flag executions of wmic.exe whose arguments request shadow copy deletion. Investigation should focus on the process execution chain, the permissions of the account involved, and any related alerts within the relevant time frame. Because legitimate administration can produce false positives, it is advised to set exceptions based on user activity and command-line conditions. On detection, prompt action is recommended given the high severity of this threat, including isolating affected systems and initiating incident response procedures.
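The following is an added example, not the rule's own EQL and not Elastic code: a small Python matcher that applies the logic the summary describes (wmic.exe launched with shadow copy deletion arguments) to constructed Windows process-creation events, and layers on the user/parent-process exceptions the summary recommends for false-positive handling. The event fields are assumptions modelled loosely on ECS; the sample events and the backup-account exception are constructed for illustration.

```python
"""Added example (not Elastic's rule): match wmic.exe shadow-copy deletion
events and apply environment-specific exceptions before alerting."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    event_id: str      # constructed identifier for the sample event
    name: str          # process.name (assumed field)
    args: tuple        # process.args, one token per argument (assumed field)
    user: str          # user.name (assumed field)
    parent_name: str   # process.parent.name (assumed field)


def matches_rule(event: ProcessEvent) -> bool:
    """True when wmic.exe is launched with the shadow-copy deletion parameters.

    Comparison is case-insensitive: Windows ignores case in the image name and
    WMIC ignores it in aliases and verbs, so a detection must do the same.
    """
    if event.name.lower() != "wmic.exe":
        return False
    args = {a.lower() for a in event.args}
    return "shadowcopy" in args and "delete" in args


def is_excepted(event: ProcessEvent, exceptions) -> bool:
    """Apply user / parent-process exceptions.

    Each exception is a (user, parent_name) pair; None in either position is a
    wildcard. Keep these narrow: a broad exception silences the very activity
    the rule exists to catch.
    """
    for user, parent in exceptions:
        user_ok = user is None or user.lower() == event.user.lower()
        parent_ok = parent is None or parent.lower() == event.parent_name.lower()
        if user_ok and parent_ok:
            return True
    return False


def evaluate(events, exceptions=()):
    """Return the ids of events that should raise an alert, in input order."""
    return [e.event_id for e in events
            if matches_rule(e) and not is_excepted(e, exceptions)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = (
    # Ordinary inventory query via wmic.exe: no deletion, no alert.
    ProcessEvent("ev1", "WMIC.exe", ("wmic", "os", "get", "caption"), "alice", "cmd.exe"),
    # Shadow copies deleted from an interactive shell: alert.
    ProcessEvent("ev2", "wmic.exe", ("wmic", "shadowcopy", "delete"), "alice", "cmd.exe"),
    # Same action, different casing and parent: still an alert.
    ProcessEvent("ev3", "WMIC.EXE", ("wmic", "SHADOWCOPY", "DELETE"), "SYSTEM", "powershell.exe"),
    # Listing shadow copies only: no alert.
    ProcessEvent("ev4", "wmic.exe", ("wmic", "shadowcopy", "list", "brief"), "bob", "cmd.exe"),
    # Deletion by a dedicated backup account from its own agent: candidate for an exception.
    ProcessEvent("ev5", "wmic.exe", ("wmic", "shadowcopy", "delete"), "svc_backup", "backupagent.exe"),
)

# Constructed exception: the backup service account, only when launched by its agent.
SAMPLE_EXCEPTIONS = (("svc_backup", "backupagent.exe"),)


def run_sample():
    """Evaluate the constructed events with the constructed exception list."""
    return evaluate(SAMPLE_EVENTS, SAMPLE_EXCEPTIONS)


if __name__ == "__main__":
    print(run_sample())  # ['ev2', 'ev3']
```

Note that the exception is keyed on both the account and the parent process: the same backup account running the deletion from an unexpected parent (ev5 with cmd.exe instead of backupagent.exe) would still alert, which is the behaviour you want when that account's credentials are stolen.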
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Logon Session
  • User Account
  • Service
ATT&CK Techniques
  • T1490
  • T1047
Created: 2020-02-18