LoFP / legitimate administrator deletes shadow copies using operating system utilities for a legitimate reason

Techniques

Sample rules

Delete Volume Shadow Copies Via WMI With PowerShell

Description

Shadow Copies deletion using operating system utilities via PowerShell

Detection logic

condition: selection
selection:
  Data|contains:
  - Delete()
  - Remove-WmiObject
  Data|contains|all:
  - Get-WmiObject
  - Win32_ShadowCopy

Shadow Copies Deletion Using Operating Systems Utilities

Description

Shadow Copies deletion using operating system utilities

Detection logic

condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
selection1_cli:
  CommandLine|contains|all:
  - shadow
  - delete
selection1_img:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \wmic.exe
  - \vssadmin.exe
  - \diskshadow.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll
  - wmic.exe
  - VSSADMIN.EXE
  - diskshadow.exe
selection2_cli:
  CommandLine|contains|all:
  - delete
  - catalog
  - quiet
selection2_img:
- Image|endswith: \wbadmin.exe
- OriginalFileName: WBADMIN.EXE
selection3_cli:
  CommandLine|contains:
  - unbounded
  - /MaxSize=
  CommandLine|contains|all:
  - resize
  - shadowstorage
selection3_img:
- Image|endswith: \vssadmin.exe
- OriginalFileName: VSSADMIN.EXE
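As an added example (not part of the LoFP page or the Sigma project), a small Python evaluator that applies both detections above to constructed events, assuming Sigma's default semantics (case-insensitive string matching, AND across the fields of a map, OR across a list of maps); the event names and field values are constructed. It shows that the legitimate administrator cleanup this entry describes matches the second rule just as a malicious deletion would, which is why the false positive exists.

```python
# Added example (not the LoFP page's or the Sigma project's code): a minimal evaluator
# for the two detections above, run over constructed events. Matching is lowercased
# because Sigma string comparisons are case-insensitive by default.
def _match_field(event, key, values):
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [str(v).lower() for v in (values if isinstance(values, list) else [values])]
    if "contains" in mods:
        hits = [v in actual for v in wanted]
    elif "endswith" in mods:
        hits = [actual.endswith(v) for v in wanted]
    else:
        hits = [actual == v for v in wanted]
    return all(hits) if "all" in mods else any(hits)  # |all means AND, otherwise OR
def _match_selection(event, sel):
    # A map is AND across its fields; a list of maps is OR across the maps.
    if isinstance(sel, list):
        return any(_match_selection(event, s) for s in sel)
    return all(_match_field(event, k, v) for k, v in sel.items())
# Detection sections transcribed from the two rules above.
WMI_PS = {"Data|contains": ["Delete()", "Remove-WmiObject"],
          "Data|contains|all": ["Get-WmiObject", "Win32_ShadowCopy"]}
OS_UTILS = {
    "selection1_cli": {"CommandLine|contains|all": ["shadow", "delete"]},
    "selection1_img": [{"Image|endswith": [r"\powershell.exe", r"\pwsh.exe", r"\wmic.exe", r"\vssadmin.exe", r"\diskshadow.exe"]},
                       {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe"]}],
    "selection2_cli": {"CommandLine|contains|all": ["delete", "catalog", "quiet"]},
    "selection2_img": [{"Image|endswith": r"\wbadmin.exe"}, {"OriginalFileName": "WBADMIN.EXE"}],
    "selection3_cli": {"CommandLine|contains": ["unbounded", "/MaxSize="],
                       "CommandLine|contains|all": ["resize", "shadowstorage"]},
    "selection3_img": [{"Image|endswith": r"\vssadmin.exe"}, {"OriginalFileName": "VSSADMIN.EXE"}],
}

def wmi_shadow_delete(event):  # condition: selection
    return _match_selection(event, WMI_PS)

def os_utility_shadow_delete(event):  # (all of selection1*) or (all of selection2*) or (all of selection3*)
    return any(all(_match_selection(event, s) for n, s in OS_UTILS.items() if n.startswith(p))
               for p in ("selection1", "selection2", "selection3"))

# Constructed events, including the legitimate administrator cleanup this LoFP entry describes.
EVENTS = {
    "admin_cleanup": {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
                      "CommandLine": "vssadmin delete shadows /for=C: /oldest"},
    "backup_catalog": {"Image": r"C:\Windows\System32\wbadmin.exe", "CommandLine": "wbadmin delete catalog -quiet"},
    "resize_storage": {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    "list_only": {"Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},
    "ps_wmi": {"Data": "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
}
```

Because the rule cannot tell the administrator's cleanup from a ransomware precursor, tuning has to come from context such as the parent process, the user account, and change-window correlation rather than from the command line alone.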