DiskShadow Execution of script (#1778)

* DiskShadow Execution of script

* Added reference to description

* Implemented dspath check

atomics/T1218/T1218.yaml

@@ -223,3 +223,35 @@ atomic_tests:
   executor:
     command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}'
     name: powershell
+- name: DiskShadow Command Execution
+  description: |
+    Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+  supported_platforms:
+    - windows
+  input_arguments:
+    txt_payload:
+      description: txt to execute
+      type: Path
+      default: PathToAtomicsFolder\T1218\src\T1218.txt
+    dspath:
+      description: Default location of DiskShadow.exe
+      type: Path
+      default: C:\Windows\System32\diskshadow.exe
+  dependency_executor_name: powershell 
+  dependencies: 
+    - description: txt file must exist on disk at specified location (#{txt_payload})
+      prereq_command: |
+        if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
+        Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
+    - description: DiskShadow.exe must exist on disk at specified location (#{dspath})
+      prereq_command: |
+        if (Test-Path #{dspath}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        echo "DiskShadow.exe not found on disk at expected location"
+  executor:
+    command: |
+      #{dspath} -S #{txt_payload} 
+    name: powershell
+    elevation_required: false

atomics/T1218/src/T1218.txt

@@ -0,0 +1 @@
+EXEC c:\windows\system32\calc.exe