From 49f202036f39d6701fb3f6cc144ba3c1d79a51f9 Mon Sep 17 00:00:00 2001
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Mon, 22 Jan 2024 18:33:07 +0530
Subject: [PATCH] Update T1490.yaml "Modify VSS Service Permissions"

Modify permissions of the VSS service to inhibit system recovery. This test alters the security settings of the Volume Shadow Copy Service (VSS), potentially impacting system recovery operations. It should be conducted only in a controlled environment. The executor must have administrative privileges to modify service permissions. Note that this test does not include a cleanup command; thus, the changes will persist after execution. Ensure that you have a backup or a system recovery plan in place before running this test. Running this test on a production system or critical environment is not recommended without proper precautions.
---
atomics/T1490/T1490.yaml | 13 +++++++++++++
1 file changed, 13 insertions(+)

diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml
index 92e45a3a35..f08f16c6a4 100644
--- a/atomics/T1490/T1490.yaml
+++ b/atomics/T1490/T1490.yaml
@@ -145,3 +145,16 @@ atomic_tests:
command: 'vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%'
name: powershell
elevation_required: true
+
+- name: "Modify VSS Service Permissions"
+ auto_generated_guid: "12345678-1234-1234-1234-1234567890ab"
+ description: |
+ "Modify permissions of the VSS service to inhibit system recovery. This test alters the security settings of the Volume Shadow Copy Service (VSS), potentially impacting system recovery operations. It should be conducted only in a controlled environment. The executor must have administrative privileges to modify service permissions. Note that this test does not include a cleanup command; thus, the changes will persist after execution. Ensure that you have a backup or a system recovery plan in place before running this test. Running this test on a production system or critical environment is not recommended without proper precautions."
+ supported_platforms:
+ - windows
+ executor:
+ name: "command_prompt"
+ elevation_required: true
+ command: |
+ sc sdset VSS D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)
+
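Review bot: The `auto_generated_guid` on the new test is the placeholder `12345678-1234-1234-1234-1234567890ab` rather than a freshly generated UUID, and since the framework identifies tests by this value it must be replaced with a unique one before merge. The `description: |` literal block also keeps the surrounding double quotes as part of the text, so the rendered description will begin and end with `"`; drop the quotes, or write it as `description: >-` with the prose unquoted. Finally, the `sc sdset VSS ...` line permanently rewrites the service's security descriptor and the test has no `cleanup_command`; a prerequisite that records the current descriptor with `sc sdshow VSS` and a cleanup that restores that saved SDDL string would let a lab host be returned to its original state after the exercise instead of relying on the out-of-band backup the description asks for.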