diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index e7470665..99820e1c 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -418,6 +418,7 @@ defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
+defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
 defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 3259bced..03989321 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -192,6 +192,7 @@ defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
+defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
 defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 0796aa5f..d1a11c51 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -792,6 +792,7 @@
 - Atomic Test #1: Take ownership using takeown utility [windows]
 - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
 - Atomic Test #3: attrib - Remove read-only attribute [windows]
+ - Atomic Test #4: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows]
 - [T1220 XSL Script Processing](../../T1220/T1220.md)
 - Atomic Test #1: MSXSL Bypass using local files [windows]
 - Atomic Test #2: MSXSL Bypass using remote files [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index ed8421b5..a067f6b0 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -368,6 +368,7 @@
 - Atomic Test #1: Take ownership using takeown utility [windows]
 - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
 - Atomic Test #3: attrib - Remove read-only attribute [windows]
+ - Atomic Test #4: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows]
 - [T1220 XSL Script Processing](../../T1220/T1220.md)
 - Atomic Test #1: MSXSL Bypass using local files [windows]
 - Atomic Test #2: MSXSL Bypass using remote files [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 2c0f5c73..0c589775 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -35098,7 +35098,7 @@ defense-evasion:
 default: Everyone
 dependency_executor_name: command_prompt
 dependencies:
- - description: 'Test requrires a file to modifyto be located at (#{file_or_folder})
+ - description: 'Test requrires a file to modify to be located at (#{file_or_folder})
 '
 prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
@@ -35109,7 +35109,7 @@ defense-evasion:
 echo T1222.001_cacls1 >> #{file_or_folder}\T1222.001_cacls1.txt
 echo T1222.001_cacls2 >> #{file_or_folder}\T1222.001_cacls2.txt
 executor:
- command: 'Icacls.exe #{file_or_folder} /grant #{user_or_group}:F
+ command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F
 '
 name: command_prompt
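Review bot: The replacement line `+ - description: 'Test requrires a file to modify to be located at (#{file_or_folder})` in the -35098 hunk still carries the `requrires` misspelling, so the description is only half corrected; the same half-corrected text reappears on the new side of the T1222.001.md hunk at -82. Both index.yaml and T1222.001.md appear to be generated from the per-technique definition, so the wording fix belongs in the dependency description of atomics/T1222.001/T1222.001.yaml, from which the generated files pick it up. The line would read `Test requires a file to modify to be located at (#{file_or_folder})`.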
@@ -35144,6 +35144,15 @@ defense-evasion:
 '
 name: command_prompt
+ - name: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style
+ auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
+ description: Invokes the command line used by Ryuk Ransomware to grant full
+ access to the entire C:\ drive for Everyone.
+ supported_platforms:
+ - windows
+ executor:
+ command: icacls "C:\*" /grant Everyone:F /T /C /Q
+ name: powershell
 T1220:
 technique:
 id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3
diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md
index c4024725..1ddc2d51 100644
--- a/atomics/T1222.001/T1222.001.md
+++ b/atomics/T1222.001/T1222.001.md
@@ -14,6 +14,8 @@ Adversaries can interact with the DACLs using built-in Windows commands, such as
 - [Atomic Test #3 - attrib - Remove read-only attribute](#atomic-test-3---attrib---remove-read-only-attribute)
+- [Atomic Test #4 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style](#atomic-test-4---grant-full-access-to-entire-c-drive-for-everyone---ryuk-ransomware-style)
+
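Review bot: The new test definition in the -35144 hunk grants Everyone full control over every object under C:\ recursively (`/T`, continuing past errors with `/C`) and declares no `cleanup_command`, so a single run leaves the host permanently weakened: the original DACLs cannot be recovered unless they were exported beforehand, and neither the description nor the test says so. The executor also lacks `elevation_required: true`, although rewriting ACLs on system directories is unlikely to apply fully from a non-elevated session, which makes the outcome ambiguous for anyone using the test to validate detections. Because this index appears to be generated, the change belongs in atomics/T1222.001/T1222.001.yaml (the -87 hunk further down, which currently only adds the GUID to the same definition). At minimum the description should state that the change is not reversible and that the test is meant for a disposable VM, and the executor block should gain `elevation_required: true`.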
@@ -82,14 +84,14 @@ will be displayed.
 ```cmd
-Icacls.exe #{file_or_folder} /grant #{user_or_group}:F
+icacls.exe #{file_or_folder} /grant #{user_or_group}:F
 ```
 #### Dependencies: Run with `command_prompt`!
-##### Description: Test requrires a file to modifyto be located at (#{file_or_folder})
+##### Description: Test requrires a file to modify to be located at (#{file_or_folder})
 ##### Check Prereq Commands:
 ```cmd
 IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
@@ -150,4 +152,28 @@ attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt
+
+
+
+## Atomic Test #4 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style
+Invokes the command line used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone.
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+icacls "C:\*" /grant Everyone:F /T /C /Q
+```
+
+
+
+
+
+
diff --git a/atomics/T1222.001/T1222.001.yaml b/atomics/T1222.001/T1222.001.yaml
index 68501c6c..4d86fcc8 100644
--- a/atomics/T1222.001/T1222.001.yaml
+++ b/atomics/T1222.001/T1222.001.yaml
@@ -87,6 +87,7 @@ atomic_tests:
 attrib.exe -r #{file_or_folder}\*.* /s
 name: command_prompt
 - name: 'Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style'
+ auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
 description: Invokes the command line used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone.
 supported_platforms:
 - windows
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 09f21f8a..9123d06f 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -577,3 +577,4 @@ afb5e09e-e385-4dee-9a94-6ee60979d114
 da75ae8d-26d6-4483-b0fe-700e4df4f037
 342cc723-127c-4d3a-8292-9c0c6b4ecadc
 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
+ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6