diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 5b38043c..cab460c0 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -528,7 +528,7 @@ defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1, defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt -defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell +defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index e5b2c138..2efff797 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -314,7 +314,7 @@ defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1, defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt -defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell +defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index add95244..afc3f27c 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -962,7 +962,7 @@ - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows] - Atomic Test #3: attrib - Remove read-only attribute [windows] - Atomic Test #4: attrib - hide file [windows] - - Atomic Test #5: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows] + - Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows] - [T1220 XSL Script Processing](../../T1220/T1220.md) - Atomic Test #1: MSXSL Bypass using local files [windows] - Atomic Test #2: MSXSL Bypass using remote files [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 8fd72392..c55feaa0 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -569,7 +569,7 @@ - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows] - Atomic Test #3: attrib - Remove read-only attribute [windows] - Atomic Test #4: attrib - hide file [windows] - - Atomic Test #5: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows] + - Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows] - [T1220 XSL Script Processing](../../T1220/T1220.md) - Atomic Test #1: MSXSL Bypass using local files [windows] - Atomic Test #2: MSXSL Bypass using remote files [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8ac803b9..1c5b84b1 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -42143,15 +42143,24 @@ defense-evasion: del #{file_or_folder}\T1222.001_attrib*.txt rmdir #{file_or_folder} name: command_prompt - - name: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style + - name: Grant Full Access to folder for Everyone - Ryuk Ransomware Style auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 - description: Invokes the command line used by Ryuk Ransomware to grant full - access to the entire C:\ drive for Everyone. + description: | + Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. + **icacls "C:\*" /grant Everyone:F /T /C /Q** + However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host. + You can set your own path variable to "C:\*" if you prefer. supported_platforms: - windows + input_arguments: + path: + description: Path of folder to recursively set permissions on + type: path + default: C:\Users\Public\* executor: - command: icacls "C:\*" /grant Everyone:F /T /C /Q - name: powershell + command: icacls "#{path}" /grant Everyone:F /T /C /Q + name: command_prompt + elevation_required: true T1220: technique: id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3 diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md index 3559d65b..576c3ad0 100644 --- a/atomics/T1222.001/T1222.001.md +++ b/atomics/T1222.001/T1222.001.md 
@@ -16,7 +16,7 @@ Adversaries can interact with the DACLs using built-in Windows commands, such as - [Atomic Test #4 - attrib - hide file](#atomic-test-4---attrib---hide-file) -- [Atomic Test #5 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style](#atomic-test-5---grant-full-access-to-entire-c-drive-for-everyone---ryuk-ransomware-style) +- [Atomic Test #5 - Grant Full Access to folder for Everyone - Ryuk Ransomware Style](#atomic-test-5---grant-full-access-to-folder-for-everyone---ryuk-ransomware-style)
@@ -209,20 +209,28 @@ echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt

-## Atomic Test #5 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style -Invokes the command line used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. +## Atomic Test #5 - Grant Full Access to folder for Everyone - Ryuk Ransomware Style +Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. +**icacls "C:\*" /grant Everyone:F /T /C /Q** +However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host. +You can set your own path variable to "C:\*" if you prefer. **Supported Platforms:** Windows - -#### Attack Commands: Run with `powershell`! +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| path | Path of folder to recursively set permissions on | path | C:\Users\Public\*| -```powershell -icacls "C:\*" /grant Everyone:F /T /C /Q +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +icacls "#{path}" /grant Everyone:F /T /C /Q ```
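Review bot: the index.yaml hunk (and the matching T1222.001.md test hunk) adds the `path` input and `elevation_required: true` but no `cleanup_command`, so the `Everyone:F` grant applied to `C:\Users\Public\*` by `icacls "#{path}" /grant Everyone:F /T /C /Q` stays in place after the test finishes, which contradicts the new description's claim that the atomic "doesn't irreversibly affect the host". Suggest saving the target's ACLs with `icacls ... /save` before the grant and restoring them with `icacls ... /restore` in a `cleanup_command`, and since the description still invites pointing `path` at `C:\*`, stating there that doing so re-creates the original drive-wide, non-revertible effect.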
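Review bot: in the T1222.001.md Inputs table the default-value cell `C:\Users\Public\*|` lacks the space before the closing pipe that the other cells have, and because `\*` is a Markdown escape the value renders as `C:\Users\Public*`; the same applies to the bolded `**icacls "C:\*" /grant Everyone:F /T /C /Q**` line in both the index.yaml description and the Markdown test body, which renders as `C:*`. Suggest wrapping the path and the command in backtick code spans so the backslash survives rendering.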