Update T1490.yaml (#2677)

* Update T1490.yaml Fixed a formatting error in #2676 * Update T1490.yaml add dependency_executor_name field --------- Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
2024-02-05 17:48:15 +01:00
parent e30f9b573f
commit 12f5d9d323
1 changed files with 6 additions and 2 deletions
@@ -29,12 +29,16 @@ atomic_tests:
  auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
  description: |
    Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Create volume shadow copy of C:\ .
    prereq_command: |
      if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
    get_prereq_command: |
      wmic shadowcopy call create Volume='C:\'
-  supported_platforms:
-  - windows
  executor:
    command: |
      wmic.exe shadowcopy delete