Hunts shadow copy deletions via vssadmin, wmic, and PowerShell commands signaling ransomware preparation or anti-forensics. Useful for threat hunting in EDR/SIEM environments.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.
- When proactively hunting for shadow copy deletion indicators in the environment
| Concept | Description |
|---|---|
| T1490 | Inhibit System Recovery |
| T1486 | Data Encrypted for Impact |
| T1485 | Data Destruction |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | KQL-based advanced hunting |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
vssadmin delete shadows /all /quiet

Hunt ID: TH-HUNTIN-[date]-[sequence]
Technique: T1490
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended actions: [containment, investigation, monitoring]
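As an added example (not code from the skill or the plugin repository), a small Python hunt that runs the vssadmin, wmic and PowerShell shadow copy deletion patterns over constructed Sysmon-style process creation lines and fills in the hunt record layout above; the `host|user|parent_image|command_line` log layout, the sample hosts and the fixed risk/confidence values are assumptions.

```python
import re
from dataclasses import dataclass
# Constructed Sysmon Event ID 1 lines, simplified to an assumed
# "host|user|parent_image|command_line" layout (not real telemetry).
SAMPLE_LOGS = [
    "WS01|CORP\\jdoe|C:\\Windows\\explorer.exe|vssadmin list shadows",
    "WS02|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|vssadmin delete shadows /all /quiet",
    "WS03|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|wmic shadowcopy delete",
    "WS04|CORP\\adm1|C:\\Windows\\System32\\cmd.exe|powershell -nop -c \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\"",
    "WS05|CORP\\jdoe|C:\\Windows\\explorer.exe|notepad.exe notes.txt",
]

# One case-insensitive pattern per deletion path the skill monitors.
PATTERNS = {
    "vssadmin": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "powershell": re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I),
}

@dataclass
class Finding:
    hunt_id: str
    host: str
    user: str
    evidence: str
    method: str
    technique: str = "T1490"  # Inhibit System Recovery

def hunt(lines, date="20240101"):
    """Return one Finding per log line whose command line matches a pattern."""
    findings = []
    for line in lines:
        host, user, parent, cmdline = line.split("|", 3)  # cmdline may itself contain '|'
        for method, pat in PATTERNS.items():
            if pat.search(cmdline):
                seq = len(findings) + 1
                findings.append(Finding(f"TH-HUNTIN-{date}-{seq:03d}", host, user,
                                        f"{parent} -> {cmdline}", method))
                break
    return findings
def render(f):
    """Lay a Finding out in the hunt record format used on this page."""
    return (f"Hunt ID: {f.hunt_id}\nTechnique: {f.technique}\nHost: {f.host}\n"
            f"User: {f.user}\nEvidence: {f.evidence} [{f.method}]\n"
            "Risk level: High\nConfidence: High\n"
            "Recommended actions: containment, investigation, monitoring")
```

The `vssadmin list shadows` line is deliberately left unflagged: listing shadow copies is routine administration, and only the deletion forms map to T1490.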