Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added support for T1490 creating shadow copies in Windows 10+ #2676

Merged
merged 3 commits into from
Jan 31, 2024
Merged

Added support for T1490 creating shadow copies in Windows 10+ #2676

merged 3 commits into from
Jan 31, 2024

Conversation

emilemarty
Copy link
Contributor

Support for creating shadow copies in Windows 10+

Details:

Added a get-prereq command to create a shadow copy using WMI, which works on Windows 10.

Testing:

Prereq command tested on Windows 10 Enterprise N:

> wmic shadowcopy call create Volume='C:\'
Executing (Win32_ShadowCopy)->create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
        ShadowID = "{7A7524F3-D1AA-4B44-A39E-C8AEC5724BA1}";
};

Associated Issues:

@emilemarty
Update T1490.yaml
0f6f425 
Support for creating shadow copies in Windows 10+
@emilemarty
Update T1490.md
3bde241 
Updating documentation
@emilemarty emilemarty changed the title Update T1490.yaml Added support for creating shadow copies in Windows 10+ Jan 31, 2024
@emilemarty emilemarty changed the title Added support for creating shadow copies in Windows 10+ Added support for T1490 creating shadow copies in Windows 10+ Jan 31, 2024
clr2of8
clr2of8 approved these changes Jan 31, 2024
View reviewed changes
Copy link
Collaborator

@clr2of8 clr2of8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your first-time contribution. Keep it up! Don't forget to claim your free Atomic Red Team t-shirt

@clr2of8 clr2of8 merged commit 2a194cd into redcanaryco:master Jan 31, 2024
3 checks passed
@emilemarty emilemarty deleted the patch-1 branch February 1, 2024 11:27
emilemarty added a commit to emilemarty/atomic-red-team that referenced this pull request Feb 1, 2024
@emilemarty
Update T1490.yaml
4686e11 
Fixed a formatting error in redcanaryco#2676
@emilemarty emilemarty mentioned this pull request Feb 1, 2024
Merged
MHaggis added a commit that referenced this pull request Feb 5, 2024
@emilemarty @MHaggis
Update T1490.yaml (#2677)
12f5d9d 
* Update T1490.yaml

Fixed a formatting error in #2676

* Update T1490.yaml

add dependency_executor_name field

---------

Co-authored-by: Michael Haag <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clr2of8 clr2of8 clr2of8 approved these changes

Assignees

@MHaggis MHaggis

@clr2of8 clr2of8

Labels
windows
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@emilemarty @clr2of8 @MHaggis