Added support for T1490 creating shadow copies in Windows 10+ (#2676)

* Update T1490.yaml Support for creating shadow copies in Windows 10+ * Update T1490.md Updating documentation --------- Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-02-01 00:29:42 +01:00
parent ed9cb8cdc7
commit 2a194cdc34
2 changed files with 16 additions and 1 deletions
@@ -112,6 +112,18 @@ wmic.exe shadowcopy delete



+#### Dependencies:  Run with `powershell`!
+##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
+##### Check Prereq Commands:
+```powershell
+if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+wmic shadowcopy call create Volume='C:\'
+```
+
+


 <br/>
@@ -29,7 +29,10 @@ atomic_tests:
  auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
  description: |
    Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-    Shadow copies can only be created on Windows server or Windows 8.
+    prereq_command: |
+      if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+    get_prereq_command: |
+      wmic shadowcopy call create Volume='C:\'
  supported_platforms:
  - windows
  executor: