diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 281ea82adb..136251c6cb 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -107678,14 +107678,24 @@ impact:
 elevation_required: true
 - name: Windows - Delete Volume Shadow Copies via WMI
 auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
- description: |
- Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
- prereq_command: |
- if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
- get_prereq_command: |
- wmic shadowcopy call create Volume='C:\'
+ description: 'Deletes Windows Volume Shadow Copies via WMI. This technique is
+ used by numerous ransomware families and APT malware such as Olympic Destroyer.
+
+ '
 supported_platforms:
 - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Create volume shadow copy of C:\ .
+
+ '
+ prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
+ that satisfy the query.")) { exit 0 } else { exit 1 }
+
+ '
+ get_prereq_command: 'wmic shadowcopy call create Volume=''C:\''
+
+ '
 executor:
 command: 'wmic.exe shadowcopy delete
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index 6984e53168..0473e69574 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
@@ -88429,14 +88429,24 @@ impact:
 elevation_required: true
 - name: Windows - Delete Volume Shadow Copies via WMI
 auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
- description: |
- Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
- prereq_command: |
- if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
- get_prereq_command: |
- wmic shadowcopy call create Volume='C:\'
+ description: 'Deletes Windows Volume Shadow Copies via WMI. This technique is
+ used by numerous ransomware families and APT malware such as Olympic Destroyer.
+
+ '
 supported_platforms:
 - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Create volume shadow copy of C:\ .
+
+ '
+ prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
+ that satisfy the query.")) { exit 0 } else { exit 1 }
+
+ '
+ get_prereq_command: 'wmic shadowcopy call create Volume=''C:\''
+
+ '
 executor:
 command: 'wmic.exe shadowcopy delete
diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
index d30c2babef..7cf5037c20 100644
--- a/atomics/T1490/T1490.md
+++ b/atomics/T1490/T1490.md
@@ -90,10 +90,6 @@ vssadmin.exe create shadow /for=c:
 ## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
 Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-prereq_command: |
- if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-get_prereq_command: |
- wmic shadowcopy call create Volume='C:\'
 **Supported Platforms:** Windows
@@ -115,6 +111,18 @@ wmic.exe shadowcopy delete
+#### Dependencies: Run with `powershell`!
+##### Description: Create volume shadow copy of C:\ .
+##### Check Prereq Commands:
+```powershell
+if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+wmic shadowcopy call create Volume='C:\'
+```
+
+