From 0ff328c3ba74bdd52269714476dbb27082e54ab3 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Tue, 5 Feb 2019 14:04:44 -0700
Subject: [PATCH] T1107 - Filesystem Deletion from Amnesia malware (#446)

* initial commit
* modified output style
* final url changes
* Update rocke-and-roll-stage-01.sh
* T1107 - Delete Filesystem Test from Amnesia malware
---
atomics/T1107/T1107.yaml | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/atomics/T1107/T1107.yaml b/atomics/T1107/T1107.yaml
index 089da03f..d0ce165c 100644
--- a/atomics/T1107/T1107.yaml
+++ b/atomics/T1107/T1107.yaml
@@ -132,7 +132,7 @@ atomic_tests: - name: bcdedit description: | - xxx + This test leverages `bcdedit` to remove boot-time recovery measures. supported_platforms: - windows executor:
@@ -143,10 +143,22 @@ atomic_tests: - name: wbadmin description: | - xxx + This test deletes Windows Backup catalogs. supported_platforms: - windows executor: name: command_prompt command: | wbadmin delete catalog -quiet
+
+- name: Delete Filesystem - Linux
+ description: |
+ This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
+ supported_platforms:
+ - linux
+ - centos
+ - ubuntu
+ executor:
+ name: bash
+ command: |
+ rm -rf / --no-preserve-root > /dev/null 2> /dev/null
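Review bot: The new `Delete Filesystem - Linux` test's only guard against accidental execution is a sentence in its `description`; nothing in the hunk marks the test as destructive or privilege-dependent in a machine-readable field, and its command `rm -rf / --no-preserve-root > /dev/null 2> /dev/null` discards both stdout and stderr, so a runner cannot tell a completed run from one that failed part-way. If the schema this file validates against has an executor-level `elevation_required` flag, set it here, and consider dropping the two `/dev/null` redirects so the outcome is visible when the test is run on a disposable lab system. `supported_platforms` lists `linux` together with `centos` and `ubuntu`; if `linux` is the generic entry (as `windows` is for the tests above), the two distribution names look redundant — confirm against the schema rather than guessing. The `atomic_tests` sequence that holds the new entry starts outside the hunk.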