hunting-for-shadow-copy-deletion
Hunt for Volume Shadow Copy deletion activity that indicates ransomware preparation or anti-forensics by monitoring vssadmin, wmic, and PowerShell shadow copy commands.
What this skill does
# Hunting For Shadow Copy Deletion ## When to Use - When proactively hunting for indicators of hunting for shadow copy deletion in the environment - After threat intelligence indicates active campaigns using these techniques - During incident response to scope compromise related to these techniques - When EDR or SIEM alerts trigger on related indicators - During periodic security assessments and purple team exercises ## Prerequisites - EDR platform with process and network telemetry (CrowdStrike, MDE, SentinelOne) - SIEM with relevant log data ingested (Splunk, Elastic, Sentinel) - Sysmon deployed with comprehensive configuration - Windows Security Event Log forwarding enabled - Threat intelligence feeds for IOC correlation ## Workflow 1. **Formulate Hypothesis**: Define a testable hypothesis based on threat intelligence or ATT&CK gap analysis. 2. **Identify Data Sources**: Determine which logs and telemetry are needed to validate or refute the hypothesis. 3. **Execute Queries**: Run detection queries against SIEM and EDR platforms to collect relevant events. 4. **Analyze Results**: Examine query results for anomalies, correlating across multiple data sources. 5. **Validate Findings**: Distinguish true positives from false positives through contextual analysis. 6. **Correlate Activity**: Link findings to broader attack chains and threat actor TTPs. 7. **Document and Report**: Record findings, update detection rules, and recommend response actions. ## Key Concepts | Concept | Description | |---------|-------------| | T1490 | Inhibit System Recovery | | T1486 | Data Encrypted for Impact | | T1485 | Data Destruction | ## Tools & Systems | Tool | Purpose | |------|---------| | CrowdStrike Falcon | EDR telemetry and threat detection | | Microsoft Defender for Endpoint | Advanced hunting with KQL | | Splunk Enterprise | SIEM log analysis with SPL queries | | Elastic Security | Detection rules and investigation timeline | | Sysmon | Detailed Windows event monitoring | | Velociraptor | Endpoint artifact collection and hunting | | Sigma Rules | Cross-platform detection rule format | ## Common Scenarios 1. **Scenario 1**: Ransomware deleting shadow copies before encryption 2. **Scenario 2**: vssadmin delete shadows /all /quiet pre-encryption 3. **Scenario 3**: WMIC shadowcopy delete via PowerShell 4. **Scenario 4**: bcdedit disabling recovery mode before impact ## Output Format ``` Hunt ID: TH-HUNTIN-[DATE]-[SEQ] Technique: T1490 Host: [Hostname] User: [Account context] Evidence: [Log entries, process trees, network data] Risk Level: [Critical/High/Medium/Low] Confidence: [High/Medium/Low] Recommended Action: [Containment, investigation, monitoring] ```
Related in Writing & Docs
jax-development
IncludedUse this skill when the user is writing, debugging, profiling, refactoring, reviewing, benchmarking, parallelising, exporting, or explaining JAX code, or when they mention JAX, jax.numpy, jit, grad, value_and_grad, vmap, scan, lax, random keys, pytrees, jax.Array, sharding, Mesh, PartitionSpec, NamedSharding, pmap, shard_map, Pallas, XLA, StableHLO, checkify, profiler, or the JAX repo. It helps turn NumPy or PyTorch-style code into pure functional JAX, fix tracer/control-flow/shape/PRNG bugs, remove recompiles and host-device syncs, choose transforms and sharding strategies, inspect jaxpr/lowering/IR, and benchmark compiled code correctly.
nature-article-writer
IncludedDrafts, rewrites, diagnostically critiques, and style-calibrates primary research manuscripts for Nature and Nature Portfolio journals. Use when the user wants a Nature-style title, summary paragraph or abstract, introduction, results, discussion, methods, figure legends, presubmission enquiry, cover letter, reviewer response, or when a scientific draft sounds generic, jargon-heavy, structurally weak, or AI-ish and needs precise, broad-reader-friendly prose without inventing data, analyses, or references. Best for primary research articles and letters rather than reviews or press releases unless explicitly adapting one.
deckrd
IncludedDocument-driven framework that derives requirements, specifications, implementation plans, and executable tasks from goals through structured AI dialogue. Use when user says "write requirements", "create spec", "plan implementation", "derive tasks", "structure this feature", "break down into tasks", or "document this module". Also use for reverse engineering existing code into docs (/deckrd rev). Do NOT use for direct code writing — use /deckrd-coder after tasks are generated. Do NOT use when the user only wants to run or fix existing code without planning.
clinical-decision-support
IncludedGenerate professional clinical decision support (CDS) documents for pharmaceutical and clinical research settings, including patient cohort analyses (biomarker-stratified with outcomes) and treatment recommendation reports (evidence-based guidelines with decision algorithms). Supports GRADE evidence grading, statistical analysis (hazard ratios, survival curves, waterfall plots), biomarker integration, and regulatory compliance. Outputs publication-ready LaTeX/PDF format optimized for drug development, clinical research, and evidence synthesis.
handling-sf-data
IncludedSalesforce data operations with 130-point scoring. Use this skill to create, update, delete, bulk import/export, generate test data, and clean up org records using sf CLI and anonymous Apex. TRIGGER when: user creates test data, performs bulk import/export, uses sf data CLI commands, needs data factory patterns for Apex tests, or needs to seed/clean records in a Salesforce org. DO NOT TRIGGER when: SOQL query writing only (use querying-soql), Apex test execution (use running-apex-tests), or metadata deployment (use deploying-metadata).
accelint-ac-to-playwright
IncludedConvert and validate acceptance criteria for Playwright test automation. Use when user asks to (1) review/evaluate/check if AC are ready for automation, (2) assess if AC can be converted as-is, (3) validate AC quality for Playwright, (4) turn AC into tests, (5) generate tests from acceptance criteria, (6) convert .md bullets or .feature Gherkin files to Playwright specs, (7) create test automation from requirements. Handles both bullet-style markdown and Gherkin syntax with JSON test plan generation and validation.