From 7e87e7e9affa0322c2c49ce5ebd1cedce2035453 Mon Sep 17 00:00:00 2001
From: nsher07 <90919224+nsher07@users.noreply.github.com>
Date: Fri, 24 Dec 2021 00:17:28 +0530
Subject: [PATCH] Update T1070.005.yaml (#1695)

* Update T1070.005.yaml

New test to remove Admin$ share (net share Admin$ /delete)

* add cleanup commands/desc

* spacing fix

Co-authored-by: Carrie Roberts
---
 atomics/T1070.005/T1070.005.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/atomics/T1070.005/T1070.005.yaml b/atomics/T1070.005/T1070.005.yaml
index 5b456d45..c89fd9ec 100644
--- a/atomics/T1070.005/T1070.005.yaml
+++ b/atomics/T1070.005/T1070.005.yaml
@@ -48,3 +48,19 @@ atomic_tests:
       Remove-SmbShare -Name #{share_name}
       Remove-FileShare -Name #{share_name}
     name: powershell
+- name: Remove Administrative Shares
+  description: |
+    Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators
+    remote access to every disk volume on a network-connected system. As Microsoft puts it, “Missing administrative shares typically
+    indicate that the computer in question has been compromised by malicious software.
+    https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
+  supported_platforms:
+  - windows
+  executor:
+    command: for %i in (C$ IPC$ ADMIN$) do net share %i /delete
+    cleanup_command: |
+      net share ADMIN$ /UNLIMITED >nul 2>&1
+      net share C$=C:\ >nul 2>&1
+      net share IPC$ >nul 2>&1
+    name: command_prompt
+    elevation_required: true
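Review bot: The new cleanup_command discards all output with `>nul 2>&1` on each of its three lines, so if `net share C$=C:\` or the ADMIN$/IPC$ re-creation fails, the host is left without its administrative shares and the runner reports nothing; dropping the stderr redirect, e.g. `net share C$=C:\ >nul`, keeps the failure visible. The executor command hard-codes C$ and the cleanup hard-codes `C:\`, which assumes the system volume is C:, while the preceding test in this file parameterizes its share through `#{share_name}`; an input argument for the share list would keep the two tests consistent. If the command_prompt executor ever writes the command to a .bat file rather than passing it to cmd.exe directly, `%i` would have to become `%%i` — worth confirming against the runner. The description opens a curly quote before “Missing administrative shares and never closes it, so the quoted sentence should end with a closing ” after "malicious software."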