diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 8b8e2de4..fd116ed3 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -107646,7 +107646,10 @@ impact:
 auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
 description: |
 Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
- Shadow copies can only be created on Windows server or Windows 8.
+ prereq_command: |
+ if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ wmic shadowcopy call create Volume='C:\'
 supported_platforms:
 - windows
 executor:
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index 4f17b3ae..34e076bd 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
@@ -88397,7 +88397,10 @@ impact:
 auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
 description: |
 Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
- Shadow copies can only be created on Windows server or Windows 8.
+ prereq_command: |
+ if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ wmic shadowcopy call create Volume='C:\'
 supported_platforms:
 - windows
 executor:
diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
index ceb2d5f0..d30c2bab 100644
--- a/atomics/T1490/T1490.md
+++ b/atomics/T1490/T1490.md
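Review bot: The added `prereq_command:` and `get_prereq_command:` lines sit directly under the atomic, right after the `description: |` text, instead of inside a `dependencies:` list entry (with `dependency_executor_name`), so the Atomic Red Team runner will not treat them as a dependency and will no longer check for or create a shadow copy before `wmic.exe shadowcopy delete` executes; the same applies to the identical windows-index.yaml hunk. Because indentation is lost in this view it is even possible the two keys ended up inside the description literal block, and the T1490.md change in this commit — which prints them verbatim as description prose and drops the rendered "Dependencies" section — points that way. The effect is a silently weakened test: on a host with no shadow copies the delete succeeds but removes nothing, and a detection validated against it sees no VSS activity. Since both index files are generated, the fix belongs in atomics/T1490/T1490.yaml: keep the description as prose and restore the dependency block, roughly as below.
```yaml
      # … unchanged: description, supported_platforms, executor …
      dependency_executor_name: powershell
      dependencies:
      - description: |
          Create a volume shadow copy of C:\ so the test has something to delete.
        prereq_command: |
          if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
        get_prereq_command: |
          wmic shadowcopy call create Volume='C:\'
```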
@@ -90,7 +90,10 @@ vssadmin.exe create shadow /for=c:
 ## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
 Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-Shadow copies can only be created on Windows server or Windows 8.
+prereq_command: |
+ if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+get_prereq_command: |
+ wmic shadowcopy call create Volume='C:\'
 **Supported Platforms:** Windows
@@ -112,18 +115,6 @@ wmic.exe shadowcopy delete
-#### Dependencies: Run with `powershell`!
-##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
-##### Check Prereq Commands:
-```powershell
-if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
-```
-##### Get Prereq Commands:
-```powershell
-wmic shadowcopy call create Volume='C:\'
-```
-
-
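Review bot: The prereq check carried into the first hunk, `if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }`, passes whenever findstr matches nothing, which happens not only when shadow copies exist but also on a non-English Windows locale (different message text) or when vssadmin is run without elevation and prints an error instead of a listing; in both cases the dependency is reported satisfied, the get-prereq step is skipped, and the atomic then "succeeds" against a volume with nothing to delete. A locale-independent check that does not rely on English output would be `if((Get-CimInstance Win32_ShadowCopy | Measure-Object).Count -gt 0) { exit 0 } else { exit 1 }`, with the dependency description stating that both the check and the test require an elevated PowerShell session (enumerating Win32_ShadowCopy appears to need it — confirm). The get-prereq command `wmic shadowcopy call create Volume='C:\'` depends on wmic.exe, which Microsoft has deprecated and, as far as I know, no longer ships by default on recent Windows 11 builds, so a CIM equivalent such as `Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create -Arguments @{Volume='C:\'; Context='ClientAccessible'}` would be more durable. Separately, the rendered page should keep the "Dependencies" section rather than showing raw `prereq_command: |` / `get_prereq_command: |` keys inside the description paragraph, which reads as a generator artifact to anyone using this page.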