From 2a194cdc344fe4a1b5b120b6fdbaae7238da0aa2 Mon Sep 17 00:00:00 2001
From: Emile Marty <34513785+emilemarty@users.noreply.github.com>
Date: Thu, 1 Feb 2024 00:29:42 +0100
Subject: [PATCH] Added support for T1490 creating shadow copies in Windows 10+ (#2676)

* Update T1490.yaml

Support for creating shadow copies in Windows 10+

* Update T1490.md

Updating documentation

---------

Co-authored-by: Carrie Roberts
---
 atomics/T1490/T1490.md | 12 ++++++++++++
 atomics/T1490/T1490.yaml | 5 ++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
index e19efce2..ceb2d5f0 100644
--- a/atomics/T1490/T1490.md
+++ b/atomics/T1490/T1490.md
@@ -112,6 +112,18 @@ wmic.exe shadowcopy delete
+#### Dependencies: Run with `powershell`!
+##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
+##### Check Prereq Commands:
+```powershell
+if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+wmic shadowcopy call create Volume='C:\'
+```
+
+
diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml
index d923bf5e..8703ff18 100644
--- a/atomics/T1490/T1490.yaml
+++ b/atomics/T1490/T1490.yaml
@@ -29,7 +29,10 @@ atomic_tests:
auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
description: |
Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
- Shadow copies can only be created on Windows server or Windows 8.
+ prereq_command: |
+ if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ wmic shadowcopy call create Volume='C:\'
supported_platforms:
- windows
executor:
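Review bot: The new `prereq_command` line passes a multi-word phrase to findstr without `/C:`, so findstr treats each space-separated word as a separate search term and matches any vssadmin output line containing one of them (the attribute line of an existing shadow copy typically contains "No"), which makes the check report no shadow copies even when some exist and needlessly re-runs `get_prereq_command`. Quote the phrase literally: `if(!(vssadmin.exe list shadows | findstr /C:"No items found that satisfy the query.")) { exit 0 } else { exit 1 }`. Matching English vssadmin text is still fragile on localized systems; `if (Get-CimInstance -ClassName Win32_ShadowCopy) { exit 0 } else { exit 1 }` tests the same condition without depending on output language, and wmic in the `get_prereq_command` line is deprecated on recent Windows builds, so the creation step may also fail on the Windows 10+ hosts the commit title targets. The sentence removed here reappears in the .md hunk's dependency description as "only works on Windows Server or Windows 8", which contradicts that title and should be reconciled. The enclosing test entry begins before this hunk and its `executor:` block continues past it, so the executor the PowerShell syntax of the new lines requires cannot be confirmed from the hunk.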