mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 04:35:18 +03:00
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
1.6 KiB
1.6 KiB
API Reference: Hunting for Shadow Copy Deletion
python-evtx
import Evtx.Evtx as evtx
with evtx.Evtx("Security.evtx") as log:
for record in log.records():
xml_str = record.xml() # full XML of event
ts = record.timestamp() # datetime object
Detection Patterns
| Pattern | Technique | Severity |
|---|---|---|
vssadmin delete shadows |
T1490 | CRITICAL |
wmic shadowcopy delete |
T1490 | CRITICAL |
bcdedit /set recoveryenabled no |
T1490 | HIGH |
wbadmin delete catalog |
T1490 | HIGH |
Win32_ShadowCopy.Delete() |
T1490 | CRITICAL |
Splunk SPL
index=wineventlog (EventCode=4688 OR EventCode=1)
| where match(CommandLine, "(?i)(vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete)")
| table _time Computer User CommandLine ParentImage
KQL (Microsoft Sentinel)
DeviceProcessEvents
| where ProcessCommandLine has_any ("vssadmin delete shadows", "wmic shadowcopy delete",
"bcdedit /set", "wbadmin delete catalog")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
Sigma Rule Format
title: Shadow Copy Deletion
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\vssadmin.exe'
CommandLine|contains|all:
- 'delete'
- 'shadows'
condition: selection
level: critical
tags:
- attack.impact
- attack.t1490
References
- MITRE T1490: https://attack.mitre.org/techniques/T1490/
- python-evtx: https://github.com/williballenthin/python-evtx
- Sigma Rules: https://github.com/SigmaHQ/sigma