Generated docs from job=generate-docs branch=master [ci skip]

redcanaryco · Jan 31, 2024 · 0e202df · 0e202df
1 parent 2a194cd
commit 0e202df
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 15 deletions.
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
@@ -107646,7 +107646,10 @@ impact:
       auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
       description: |
         Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-        Shadow copies can only be created on Windows server or Windows 8.
+        prereq_command: |
+          if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          wmic shadowcopy call create Volume='C:\'
       supported_platforms:
       - windows
       executor:

diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
@@ -88397,7 +88397,10 @@ impact:
       auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
       description: |
         Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-        Shadow copies can only be created on Windows server or Windows 8.
+        prereq_command: |
+          if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+        get_prereq_command: |
+          wmic shadowcopy call create Volume='C:\'
       supported_platforms:
       - windows
       executor:

diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
@@ -90,7 +90,10 @@ vssadmin.exe create shadow /for=c:
 
 ## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
 Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-Shadow copies can only be created on Windows server or Windows 8.
+prereq_command: |
+  if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+get_prereq_command: |
+  wmic shadowcopy call create Volume='C:\'
 
 **Supported Platforms:** Windows
 
@@ -112,18 +115,6 @@ wmic.exe shadowcopy delete
 
 
 
-#### Dependencies:  Run with `powershell`!
-##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
-##### Check Prereq Commands:
-```powershell
-if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-```
-##### Get Prereq Commands:
-```powershell
-wmic shadowcopy call create Volume='C:\'
-```
-
-
 
 
 <br/>