Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2024-01-31 23:30:28 +00:00
parent 2a194cdc34
commit 0e202df355
3 changed files with 12 additions and 15 deletions
+4 -1
@@ -107646,7 +107646,10 @@ impact:
auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
description: |
Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
Shadow copies can only be created on Windows server or Windows 8.
prereq_command: |
if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
get_prereq_command: |
wmic shadowcopy call create Volume='C:\'
supported_platforms:
- windows
executor:
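Review bot: `prereq_command: |` and `get_prereq_command: |` follow straight on from the description text here, ahead of `supported_platforms`, with no `dependencies:` list item around them. In the atomic schema those two keys belong to an entry under `dependencies:`; at this position they are read either as part of the `description: |` block scalar or as unknown test-level keys, and in both cases the framework has no prerequisite to check or fetch. This index is generated, so the fix belongs in the source atomic YAML: put the check and get commands under `dependencies:` and regenerate.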
+4 -1
@@ -88397,7 +88397,10 @@ impact:
auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
description: |
Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
Shadow copies can only be created on Windows server or Windows 8.
prereq_command: |
if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
get_prereq_command: |
wmic shadowcopy call create Volume='C:\'
supported_platforms:
- windows
executor:
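Review bot: the `findstr "No items found that satisfy the query."` call on the `prereq_command` line does not test for that sentence. Without `/C:`, findstr splits the quoted argument on spaces and matches any line that contains any one of the words, case-sensitively, so a line of `vssadmin.exe list shadows` output that merely contains `No` or `the` counts as a hit and the check exits 1 even when shadow copies exist. Use `findstr /C:"No items found that satisfy the query."`; the comparison also depends on the English message text, so an exit-code or object-based check would be more robust.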
+4 -13
@@ -90,7 +90,10 @@ vssadmin.exe create shadow /for=c:
## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
Shadow copies can only be created on Windows server or Windows 8.
prereq_command: |
if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
get_prereq_command: |
wmic shadowcopy call create Volume='C:\'
**Supported Platforms:** Windows
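Review bot: the four lines from `prereq_command: |` to `wmic shadowcopy call create Volume='C:\'` land in the rendered test description as running text above **Supported Platforms:**, so readers of the Markdown see raw YAML keys and unfenced commands where the prose description should end. The generated page is only reflecting its input, so the description in the source YAML should stop after the "Shadow copies can only be created..." sentence, with the two commands kept out of the `description` field.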
@@ -112,18 +115,6 @@ wmic.exe shadowcopy delete
#### Dependencies: Run with `powershell`!
##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
##### Check Prereq Commands:
```powershell
if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
wmic shadowcopy call create Volume='C:\'
```
<br/>
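Review bot: the Dependencies block in this range (`##### Check Prereq Commands:` and `##### Get Prereq Commands:` with their fenced `powershell` commands) shrinks from 18 lines to 6 per the hunk header, so the rendered test no longer documents how to verify or create the shadow copy it needs before `wmic.exe shadowcopy delete` runs. For a `[ci skip]` doc regeneration this looks like a side effect of the source test no longer declaring a dependency rather than an intended documentation change; confirm it is deliberate, or restore the dependency in the source and regenerate.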