Generated docs from job=generate-docs branch=master [ci skip]

2024-02-05 16:49:04 +00:00
parent 12f5d9d323
commit 02c7d02fe1
3 changed files with 44 additions and 16 deletions
@@ -107678,14 +107678,24 @@ impact:
        elevation_required: true
    - name: Windows - Delete Volume Shadow Copies via WMI
      auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
-      description: |
-        Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-        prereq_command: |
-          if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-        get_prereq_command: |
-          wmic shadowcopy call create Volume='C:\'
+      description: 'Deletes Windows Volume Shadow Copies via WMI. This technique is
+        used by numerous ransomware families and APT malware such as Olympic Destroyer.
+
+        '
      supported_platforms:
      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Create volume shadow copy of C:\ .
+
+          '
+        prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
+          that satisfy the query.")) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'wmic shadowcopy call create Volume=''C:\''
+
+          '
      executor:
        command: 'wmic.exe shadowcopy delete

@@ -88429,14 +88429,24 @@ impact:
        elevation_required: true
    - name: Windows - Delete Volume Shadow Copies via WMI
      auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
-      description: |
-        Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-        prereq_command: |
-          if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-        get_prereq_command: |
-          wmic shadowcopy call create Volume='C:\'
+      description: 'Deletes Windows Volume Shadow Copies via WMI. This technique is
+        used by numerous ransomware families and APT malware such as Olympic Destroyer.
+
+        '
      supported_platforms:
      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Create volume shadow copy of C:\ .
+
+          '
+        prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
+          that satisfy the query.")) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: 'wmic shadowcopy call create Volume=''C:\''
+
+          '
      executor:
        command: 'wmic.exe shadowcopy delete

@@ -90,10 +90,6 @@ vssadmin.exe create shadow /for=c:

 ## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
 Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-prereq_command: |
-  if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-get_prereq_command: |
-  wmic shadowcopy call create Volume='C:\'

 **Supported Platforms:** Windows

@@ -115,6 +111,18 @@ wmic.exe shadowcopy delete



+#### Dependencies:  Run with `powershell`!
+##### Description: Create volume shadow copy of C:\ .
+##### Check Prereq Commands:
+```powershell
+if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+wmic shadowcopy call create Volume='C:\'
+```
+
+


 <br/>