From 12f5d9d323963efe653ea9ad58199fbb5a096a10 Mon Sep 17 00:00:00 2001
From: Emile Marty <34513785+emilemarty@users.noreply.github.com>
Date: Mon, 5 Feb 2024 17:48:15 +0100
Subject: [PATCH] Update T1490.yaml (#2677)

* Update T1490.yaml

Fixed a formatting error in #2676

* Update T1490.yaml

add dependency_executor_name field

---------

Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
---
 atomics/T1490/T1490.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml
index 8703ff18..eb82199d 100644
--- a/atomics/T1490/T1490.yaml
+++ b/atomics/T1490/T1490.yaml
@@ -29,12 +29,16 @@ atomic_tests:
 auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
 description: |
 Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Create volume shadow copy of C:\ .
 prereq_command: |
 if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
 get_prereq_command: |
 wmic shadowcopy call create Volume='C:\'
- supported_platforms:
- - windows
 executor:
 command: |
 wmic.exe shadowcopy delete
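Review bot: The new dependency description `Create volume shadow copy of C:\ .` has a stray space before the period and does not say what the prerequisite check actually verifies; suggest `Create volume shadow copy of C:\ (prereq_command passes only when vssadmin.exe list shadows reports at least one shadow copy).` The prereq_command that this dependency entry now wraps (a context line in the hunk) matches the English string "No items found that satisfy the query.", so on a non-English Windows the negated findstr will not match and the prerequisite will be reported as met even when no shadow copy exists; a locale-independent check such as `Get-CimInstance Win32_ShadowCopy` would make the test outcome reliable. `dependency_executor_name: powershell` is consistent with the PowerShell syntax of prereq_command, but the wmic-based get_prereq_command may fail on newer Windows builds where wmic.exe is deprecated or absent, which is worth stating in the description since test runners will otherwise report a misleading dependency failure. The enclosing atomic test starts before this hunk.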