Generated docs from job=generate-docs branch=master [ci skip]

redcanaryco · Feb 5, 2024 · 02c7d02 · 02c7d02
1 parent 12f5d9d
commit 02c7d02
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 16 deletions.
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
@@ -107678,14 +107678,24 @@ impact:
         elevation_required: true
     - name: Windows - Delete Volume Shadow Copies via WMI
       auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
-      description: |
-        Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-        prereq_command: |
-          if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-        get_prereq_command: |
-          wmic shadowcopy call create Volume='C:\'
+      description: 'Deletes Windows Volume Shadow Copies via WMI. This technique is
+        used by numerous ransomware families and APT malware such as Olympic Destroyer.
+
+        '
       supported_platforms:
       - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Create volume shadow copy of C:\ .
+
+          '
+        prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
+          that satisfy the query.")) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'wmic shadowcopy call create Volume=''C:\''
+
+          '
       executor:
         command: 'wmic.exe shadowcopy delete
 

diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
@@ -88429,14 +88429,24 @@ impact:
         elevation_required: true
     - name: Windows - Delete Volume Shadow Copies via WMI
       auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
-      description: |
-        Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-        prereq_command: |
-          if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-        get_prereq_command: |
-          wmic shadowcopy call create Volume='C:\'
+      description: 'Deletes Windows Volume Shadow Copies via WMI. This technique is
+        used by numerous ransomware families and APT malware such as Olympic Destroyer.
+
+        '
       supported_platforms:
       - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Create volume shadow copy of C:\ .
+
+          '
+        prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
+          that satisfy the query.")) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'wmic shadowcopy call create Volume=''C:\''
+
+          '
       executor:
         command: 'wmic.exe shadowcopy delete
 

diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
@@ -90,10 +90,6 @@ vssadmin.exe create shadow /for=c:
 
 ## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
 Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-prereq_command: |
-  if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-get_prereq_command: |
-  wmic shadowcopy call create Volume='C:\'
 
 **Supported Platforms:** Windows
 
@@ -115,6 +111,18 @@ wmic.exe shadowcopy delete
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: Create volume shadow copy of C:\ .
+##### Check Prereq Commands:
+```powershell
+if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+wmic shadowcopy call create Volume='C:\'
+```
+
+
 
 
 <br/>