
Summary
This detection rule targets the deletion of Volume Shadow Copies (VSS) via Windows Management Instrumentation (WMI) invoked from PowerShell. It looks for command or script content in which a script or an administrator manipulates shadow copies, which are normally created for backup and restore purposes. The detection matches command patterns that combine 'Get-WmiObject' with the 'Win32_ShadowCopy' class and a removal call, either the 'Delete()' method on the returned objects or 'Remove-WmiObject'. When these patterns appear outside of legitimate administrative activity, they indicate potential malicious activity aimed at covering tracks after a breach or attack by removing the restore points that could be used to return the system to a clean state.
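The matching logic the summary describes, as an added example in Python that is not the rule's own code: it evaluates constructed PowerShell Script Block Logging records (Event ID 4104, ScriptBlockText field) and fires only when the Win32_ShadowCopy class, a Get-WmiObject query and a removal call (.Delete() or Remove-WmiObject) all appear in the same script block. It goes slightly beyond the page by also accepting the gwmi alias of Get-WmiObject; the event records, host names and field layout are assumptions made for the example.

```python
import re

# Constructed sample Script Block Logging records (Event ID 4104). These are not
# real host data; the field names follow the common 4104 layout as an assumption.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"EventID": 4104, "Computer": "WS02",
     "ScriptBlockText": "gwmi Win32_ShadowCopy | Remove-WmiObject"},
    # Benign: enumerating shadow copies without removing them should not alert.
    {"EventID": 4104, "Computer": "WS03",
     "ScriptBlockText": "Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate"},
    # Benign: Remove-WmiObject against a different class should not alert.
    {"EventID": 4104, "Computer": "WS04",
     "ScriptBlockText": "Get-WmiObject Win32_Process | Where-Object { $_.Name -eq 'notepad.exe' } | Remove-WmiObject"},
    # Not a script block event at all; ignored regardless of content.
    {"EventID": 4103, "Computer": "WS05",
     "ScriptBlockText": "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
]

# All three conditions must hold for a match. PowerShell is case-insensitive,
# so every pattern is compiled with IGNORECASE.
CLASS_PATTERN = re.compile(r"\bWin32_ShadowCopy\b", re.IGNORECASE)
# 'gwmi' is the built-in alias for Get-WmiObject; accepting it is an extension
# of what the summary lists, added here so the alias does not bypass the check.
QUERY_PATTERN = re.compile(r"\b(?:Get-WmiObject|gwmi)\b", re.IGNORECASE)
REMOVE_PATTERN = re.compile(r"(?:\.Delete\s*\(\s*\)|\bRemove-WmiObject\b)", re.IGNORECASE)


def matches_vss_delete(script_text: str) -> bool:
    """Return True when a script block queries Win32_ShadowCopy and removes the result."""
    return bool(
        CLASS_PATTERN.search(script_text)
        and QUERY_PATTERN.search(script_text)
        and REMOVE_PATTERN.search(script_text)
    )


def scan_events(events):
    """Return the Computer names of 4104 events whose script block matches the rule."""
    hits = []
    for event in events:
        if event.get("EventID") != 4104:
            continue
        if matches_vss_delete(event.get("ScriptBlockText", "")):
            hits.append(event["Computer"])
    return hits


if __name__ == "__main__":
    for host in scan_events(SAMPLE_EVENTS):
        print(f"ALERT T1490: shadow copy deletion via WMI/PowerShell on {host}")
```

Requiring all three components together is what keeps the rule from firing on routine enumeration of shadow copies (WS03) or on unrelated Remove-WmiObject usage (WS04); when tuning, exempt known backup maintenance scripts by host or by the script path reported in the event rather than by loosening the pattern.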
Categories
- Windows
- Endpoint
Data Sources
- WMI
- Script
- Process
ATT&CK Techniques
- T1490
Created: 2021-06-03