Files
Anthropic-Cybersecurity-Skills/skills/hunting-for-shadow-copy-deletion/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

1.6 KiB

API Reference: Hunting for Shadow Copy Deletion

python-evtx

import Evtx.Evtx as evtx

with evtx.Evtx("Security.evtx") as log:
    for record in log.records():
        xml_str = record.xml()       # full XML of event
        ts = record.timestamp()      # datetime object

Detection Patterns

Pattern Technique Severity
vssadmin delete shadows T1490 CRITICAL
wmic shadowcopy delete T1490 CRITICAL
bcdedit /set recoveryenabled no T1490 HIGH
wbadmin delete catalog T1490 HIGH
Win32_ShadowCopy.Delete() T1490 CRITICAL

Splunk SPL

index=wineventlog (EventCode=4688 OR EventCode=1)
| where match(CommandLine, "(?i)(vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete)")
| table _time Computer User CommandLine ParentImage

KQL (Microsoft Sentinel)

DeviceProcessEvents
| where ProcessCommandLine has_any ("vssadmin delete shadows", "wmic shadowcopy delete",
    "bcdedit /set", "wbadmin delete catalog")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

Sigma Rule Format

title: Shadow Copy Deletion
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains|all:
      - 'delete'
      - 'shadows'
  condition: selection
level: critical
tags:
  - attack.impact
  - attack.t1490

References