From 9ff3eae91cff0250c33b3d64eea048499fd8ee01 Mon Sep 17 00:00:00 2001
From: Mohana Shankar D <48013681+msdlearn@users.noreply.github.com>
Date: Sat, 20 Jan 2024 14:21:45 +0530
Subject: [PATCH 1/3] Update T1486.yaml
---
 atomics/T1486/T1486.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml
index 0e4fe2de16..308ad79b5b 100644
--- a/atomics/T1486/T1486.yaml
+++ b/atomics/T1486/T1486.yaml
@@ -276,3 +276,30 @@ atomic_tests:
 cmd /c '#{GPG_Exe_Location}' -c '#{File_to_Encrypt_Location}'
 cleanup_command: |
 remove-item '#{File_to_Encrypt_Location}.gpg' -force -erroraction silentlycontinue | out-null
+- name: Data Encrypt Using DiskCryptor
+ description: |
+ DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It's important to note that a system reboot is necessary as part of the installation.
+ supported_platforms:
+ - windows
+ input_arguments:
+ dcrypt_exe:
+ description: The dcrypt.exe executable from dcrypt_setup.exe
+ type: path
+ default: 'dcrypt.exe'
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ dcrypt_setup will be installed at specified location (#{dcrypt_exe})
+ prereq_command: |
+ if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Write-Host Downloading DiskCryptor installer
+ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+ Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe"
+ Write-Host Install DiskCryptor
+ Start-Process "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" -Wait -ArgumentList "/s"
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ ""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}"
From f4a3fa939ecf1eeea7e442fe722feb0d3b493c87 Mon Sep 17 00:00:00 2001
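Review bot: The executor line `""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}"` opens and immediately closes an empty quoted string and leaves `%PROGRAMFILES%` itself unquoted, so the space in `C:\Program Files` will most likely split the command token and cmd will not find the executable; the conventional form is `"%PROGRAMFILES%\dcrypt\#{dcrypt_exe}"`. The new test also has no `cleanup_command`, unlike the GPG test directly above it, so the silently installed DiskCryptor package stays on the host after the run; either add a cleanup that removes it or state in the description that manual removal and a reboot are expected so operators can restore the test host. The installer is fetched with Invoke-WebRequest and executed with no integrity check even though the release is version-pinned, so comparing the `Get-FileHash` of the downloaded file against a known SHA256 (`<EXPECTED_SHA256>` placeholder) before `Start-Process` would protect the test host from a tampered download. Finally, per the description running dcrypt.exe with no arguments only starts the encryption console, which the name "Data Encrypt Using DiskCryptor" overstates; saying so explicitly tells detection engineers that the expected telemetry appears to be the package install and process launch rather than any partition encryption.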
From: Mohana Shankar D <48013681+msdlearn@users.noreply.github.com>
Date: Sat, 20 Jan 2024 14:28:54 +0530
Subject: [PATCH 2/3] Update T1486.yaml
---
 atomics/T1486/T1486.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml
index 308ad79b5b..d26b802f19 100644
--- a/atomics/T1486/T1486.yaml
+++ b/atomics/T1486/T1486.yaml
@@ -280,7 +280,7 @@ atomic_tests:
 description: |
 DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It's important to note that a system reboot is necessary as part of the installation.
 supported_platforms:
- - windows
+ - windows
 input_arguments:
 dcrypt_exe:
 description: The dcrypt.exe executable from dcrypt_setup.exe
@@ -288,7 +288,7 @@ atomic_tests:
 default: 'dcrypt.exe'
 dependency_executor_name: powershell
 dependencies:
- - description: |
+ - description: |
 dcrypt_setup will be installed at specified location (#{dcrypt_exe})
 prereq_command: |
 if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}") {exit 0} else {exit 1}
From e16975e89543ed265c710c29d0da63c451337f1a Mon Sep 17 00:00:00 2001
From: Mohana Shankar D <48013681+msdlearn@users.noreply.github.com>
Date: Sat, 20 Jan 2024 14:48:32 +0530
Subject: [PATCH 3/3] Update T1486.yaml
---
 atomics/T1486/T1486.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml
index d26b802f19..7cb000af14 100644
--- a/atomics/T1486/T1486.yaml
+++ b/atomics/T1486/T1486.yaml
@@ -280,7 +280,7 @@ atomic_tests:
 description: |
 DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It's important to note that a system reboot is necessary as part of the installation.
 supported_platforms:
- - windows
+ - windows
 input_arguments:
 dcrypt_exe:
 description: The dcrypt.exe executable from dcrypt_setup.exe
@@ -288,18 +288,18 @@ atomic_tests:
 default: 'dcrypt.exe'
 dependency_executor_name: powershell
 dependencies:
- - description: |
+ - description: |
 dcrypt_setup will be installed at specified location (#{dcrypt_exe})
 prereq_command: |
 if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}") {exit 0} else {exit 1}
 get_prereq_command: |
 Write-Host Downloading DiskCryptor installer
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
- Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe"
+ Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe"
 Write-Host Install DiskCryptor
 Start-Process "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" -Wait -ArgumentList "/s"
 executor:
 name: command_prompt
 elevation_required: true
 command: |
- ""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}"
+ ""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}"