From 8e322ecb766d60dbb1a79e85c0a27fafb2df6db4 Mon Sep 17 00:00:00 2001
From: gregclermont <580609+gregclermont@users.noreply.github.com>
Date: Thu, 15 Oct 2020 18:36:07 +0200
Subject: [PATCH] Add test for T1006 Direct Volume Access (#1254)
---
 atomics/T1006/T1006.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 atomics/T1006/T1006.yaml
diff --git a/atomics/T1006/T1006.yaml b/atomics/T1006/T1006.yaml
new file mode 100644
index 00000000..5d824201
--- /dev/null
+++ b/atomics/T1006/T1006.yaml
@@ -0,0 +1,30 @@
+attack_technique: T1006
+display_name: Direct Volume Access
+atomic_tests:
+- name: Read volume boot sector via DOS device path (PowerShell)
+  description: |-
+    This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
+    On success, a hex dump of the first 11 bytes of the volume is displayed.
+
+    For a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):
+    ```
+    00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
+
+    00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS
+    ```
+  supported_platforms:
+  - windows
+  input_arguments:
+    volume:
+      description: Drive letter of the volume to access
+      type: string
+      default: 'C:'
+  executor:
+    command: |
+      $buffer = New-Object byte[] 11
+      $handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
+      $handle.Read($buffer, 0, $buffer.Length)
+      $handle.Close()
+      Format-Hex -InputObject $buffer
+    name: powershell
+    elevation_required: true
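Review bot: The byte count returned by `$handle.Read($buffer, 0, $buffer.Length)` in the executor command is neither captured nor suppressed, so PowerShell writes a stray integer to the output ahead of the hex dump and a short read would still print a zero-padded buffer as if it succeeded. Capturing the count and comparing it with the buffer length makes the success criterion in the description ("a hex dump of the first 11 bytes") actually verifiable: `$read = $handle.Read($buffer, 0, $buffer.Length)`, `$handle.Close()`, `if ($read -ne $buffer.Length) { throw "Expected $($buffer.Length) bytes, read $read" }`. The description could also state the telemetry a defender should expect from this test, since raw reads of a `\\.\` volume handle are exactly what raw-access-read event sources record; a sentence such as "Detection note: this opens a raw handle on the volume device and should surface as a raw access read event for the PowerShell process" would make the test more useful for validating coverage. The file is created whole in this hunk, so nothing is cut off at the hunk edges.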