From a4ef8ea38251d35d38b140d31cffed5181421da9 Mon Sep 17 00:00:00 2001
From: Lou Stella
Date: Tue, 15 Feb 2022 14:23:09 -0600
Subject: [PATCH] DiskShadow Execution of script (#1778)

* DiskShadow Execution of script
* Added reference to description
* Implemented dspath check
---
 atomics/T1218/T1218.yaml | 32 ++++++++++++++++++++++++++++++++
 atomics/T1218/src/T1218.txt | 1 +
 2 files changed, 33 insertions(+)
 create mode 100644 atomics/T1218/src/T1218.txt

diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml
index 6db7a6d3..762494cd 100644
--- a/atomics/T1218/T1218.yaml
+++ b/atomics/T1218/T1218.yaml
@@ -223,3 +223,35 @@ atomic_tests:
 executor:
 command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}'
 name: powershell
+- name: DiskShadow Command Execution
+ description: |
+ Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
+ supported_platforms:
+ - windows
+ input_arguments:
+ txt_payload:
+ description: txt to execute
+ type: Path
+ default: PathToAtomicsFolder\T1218\src\T1218.txt
+ dspath:
+ description: Default location of DiskShadow.exe
+ type: Path
+ default: C:\Windows\System32\diskshadow.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: txt file must exist on disk at specified location (#{txt_payload})
+ prereq_command: |
+ if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
+ - description: DiskShadow.exe must exist on disk at specified location (#{dspath})
+ prereq_command: |
+ if (Test-Path #{dspath}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ echo "DiskShadow.exe not found on disk at expected location"
+ executor:
+ command: |
+ #{dspath} -S #{txt_payload}
+ name: powershell
+ elevation_required: false
\ No newline at end of file
diff --git a/atomics/T1218/src/T1218.txt b/atomics/T1218/src/T1218.txt
new file mode 100644
index 00000000..c0ca1339
--- /dev/null
+++ b/atomics/T1218/src/T1218.txt
@@ -0,0 +1 @@
+EXEC c:\windows\system32\calc.exe
\ No newline at end of file
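Review bot: The executor line `#{dspath} -S #{txt_payload}` and both `Test-Path` prereq checks pass the path arguments unquoted, so a `txt_payload` or `dspath` value containing a space (PathToAtomicsFolder is user-configurable) breaks the check and the command, while the `-OutFile "#{txt_payload}"` on the download line is quoted; quote them consistently, e.g. `if (Test-Path "#{txt_payload}") {exit 0} else {exit 1}` and `& "#{dspath}" -S "#{txt_payload}"`. The test launches calc.exe through the script but defines no `cleanup_command`, so repeated runs leave processes behind for the operator to stop by hand. The `get_prereq_command` for `dspath` only echoes a message and exits successfully, so the missing-binary case is reported no differently from a resolved prerequisite; an explicit `exit 1` after the echo would make the failure visible. `elevation_required: false` is worth confirming on a standard-user session, since diskshadow.exe is normally run from an elevated prompt; if it needs elevation the flag should be `true` so the runner prompts for it.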