Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2026-01-07 07:31:13 +00:00
parent 256876632c
commit b5b2cd986b
12 changed files with 109 additions and 3 deletions
+1 -1
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1762-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1763-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
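Review bot: the Atomics badge count moving from 1762 to 1763 is consistent with exactly one new test (T1490 #13, Windows - Delete Volume Shadow Copies via Diskshadow) being added in the other hunks of this commit; nothing else changes in this file.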
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
+1
@@ -2216,6 +2216,7 @@ impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,6
impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
impact,T1490,Inhibit System Recovery,11,Modify VSS Service Permissions,a4420f93-5386-4290-b780-f4f66abc7070,command_prompt
impact,T1490,Inhibit System Recovery,12,Disable Time Machine,ed952f70-91d4-445a-b7ff-30966bfb1aff,sh
impact,T1490,Inhibit System Recovery,13,Windows - Delete Volume Shadow Copies via Diskshadow,42111a6f-7e7f-482c-9b1b-3cfd090b999c,powershell
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - FreeBSD/macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,sh
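Review bot: the new index row for test 13 lists executor `powershell` and GUID `42111a6f-7e7f-482c-9b1b-3cfd090b999c`, both of which match the `executor: name: powershell` and `auto_generated_guid` in the YAML hunks of this commit, and the test number follows #12 (Disable Time Machine) without a gap. No issue with this row.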
@@ -1515,6 +1515,7 @@ impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
impact,T1490,Inhibit System Recovery,11,Modify VSS Service Permissions,a4420f93-5386-4290-b780-f4f66abc7070,command_prompt
impact,T1490,Inhibit System Recovery,13,Windows - Delete Volume Shadow Copies via Diskshadow,42111a6f-7e7f-482c-9b1b-3cfd090b999c,powershell
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,12,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
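Review bot: this Windows-only index jumps from test 11 to test 13 because #12 (Disable Time Machine) is macOS-only, so the gap is expected and consistent with the full index above rather than a missing row.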
@@ -3083,6 +3083,7 @@
- Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
- Atomic Test #11: Modify VSS Service Permissions [windows]
- Atomic Test #12: Disable Time Machine [macos]
- Atomic Test #13: Windows - Delete Volume Shadow Copies via Diskshadow [windows]
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
@@ -2109,6 +2109,7 @@
- Atomic Test #9: Disable System Restore Through Registry [windows]
- Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
- Atomic Test #11: Modify VSS Service Permissions [windows]
- Atomic Test #13: Windows - Delete Volume Shadow Copies via Diskshadow [windows]
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
+29
@@ -118051,6 +118051,35 @@ impact:
cleanup_command: sudo tmutil enable
name: sh
elevation_required: true
- name: Windows - Delete Volume Shadow Copies via Diskshadow
auto_generated_guid: 42111a6f-7e7f-482c-9b1b-3cfd090b999c
description: 'Deletes Windows Volume Shadow Copies via Diskshadow binary. This
technique is used by numerous ransomware families such as Crytox. The binary
is present by default in Windows Server operating systems (since Windows Server
2008). Upon execution, it will delete all shadow copies of the server.
'
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Create volume shadow copy of C:\ . This prereq command only
works on Windows Server or Windows 8.
'
prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
that satisfy the query.")) { exit 0 } else { exit 1 }
'
get_prereq_command: 'vssadmin.exe create shadow /for=c:
'
executor:
command: '"delete shadows all" | diskshadow.exe
'
name: powershell
elevation_required: true
T1561.001:
technique:
type: attack-pattern
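Review bot: the prereq check in this hunk, `prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }'`, keys on an English-language vssadmin message, so on a localized Windows build `findstr` never matches, the prereq is reported as met even when no shadow copy exists, and the delete runs against nothing; a check that does not depend on a localized message string would be more robust. Two smaller points: nothing verifies that `diskshadow.exe` is present even though the description says it ships by default only with Windows Server, so on a client SKU the prereq can pass and the executor then fails; and there is no `cleanup_command`, which is defensible since deleted shadow copies cannot be restored, but the description should then state plainly that the test removes every shadow copy already on the host, not only the one that `get_prereq_command` creates.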
+29
@@ -96296,6 +96296,35 @@ impact:
cleanup_command: 'sc sdset VSS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
'
- name: Windows - Delete Volume Shadow Copies via Diskshadow
auto_generated_guid: 42111a6f-7e7f-482c-9b1b-3cfd090b999c
description: 'Deletes Windows Volume Shadow Copies via Diskshadow binary. This
technique is used by numerous ransomware families such as Crytox. The binary
is present by default in Windows Server operating systems (since Windows Server
2008). Upon execution, it will delete all shadow copies of the server.
'
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Create volume shadow copy of C:\ . This prereq command only
works on Windows Server or Windows 8.
'
prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
that satisfy the query.")) { exit 0 } else { exit 1 }
'
get_prereq_command: 'vssadmin.exe create shadow /for=c:
'
executor:
command: '"delete shadows all" | diskshadow.exe
'
name: powershell
elevation_required: true
T1561.001:
technique:
type: attack-pattern
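Review bot: this is the same test block emitted into the Windows-only index, so it carries the same locale-dependent `findstr` prereq check, the same missing `diskshadow.exe` presence check and the same absent `cleanup_command` noted on the previous hunk; since both index files are generated, the fix belongs in the source `T1490.yaml` hunk further down rather than in either copy here.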
+42
@@ -49,6 +49,8 @@ Adversaries may also delete “online” backups that are connected to their net
- [Atomic Test #12 - Disable Time Machine](#atomic-test-12---disable-time-machine)
- [Atomic Test #13 - Windows - Delete Volume Shadow Copies via Diskshadow](#atomic-test-13---windows---delete-volume-shadow-copies-via-diskshadow)
<br/>
@@ -456,4 +458,44 @@ sudo tmutil enable
<br/>
<br/>
## Atomic Test #13 - Windows - Delete Volume Shadow Copies via Diskshadow
Deletes Windows Volume Shadow Copies via Diskshadow binary. This technique is used by numerous ransomware families such as Crytox. The binary is present by default in Windows Server operating systems (since Windows Server 2008). Upon execution, it will delete all shadow copies of the server.
**Supported Platforms:** Windows
**auto_generated_guid:** 42111a6f-7e7f-482c-9b1b-3cfd090b999c
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
"delete shadows all" | diskshadow.exe
```
#### Dependencies: Run with `powershell`!
##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
##### Check Prereq Commands:
```powershell
if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
vssadmin.exe create shadow /for=c:
```
<br/>
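Review bot: the rendered section matches the YAML, but it inherits two documentation gaps worth fixing at the source: there is no "Cleanup Commands" subsection because the test defines none, and the sentence "Upon execution, it will delete all shadow copies of the server" does not tell the operator that this includes shadow copies that existed before the test was run, which matters on any shared or production host. Minor: the dependency description reads `C:\ .` with a stray space before the period.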
+1
@@ -185,6 +185,7 @@ atomic_tests:
name: sh
elevation_required: true
- name: Windows - Delete Volume Shadow Copies via Diskshadow
auto_generated_guid: 42111a6f-7e7f-482c-9b1b-3cfd090b999c
description: |
Deletes Windows Volume Shadow Copies via Diskshadow binary. This technique is used by numerous ransomware families such as Crytox. The binary is present by default in Windows Server operating systems (since Windows Server 2008). Upon execution, it will delete all shadow copies of the server.
supported_platforms:
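Review bot: this is the source file the generated indexes and markdown are built from, so the prereq and description changes raised on the generated hunks belong here: a prereq check that does not rely on the English "No items found that satisfy the query." string, a dependency check that `diskshadow.exe` exists on the host, and a description sentence stating that pre-existing shadow copies are also deleted. The description also attributes the technique to the Crytox ransomware family without a reference; a citation would let reviewers verify that claim.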
+1
@@ -1785,3 +1785,4 @@ d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1
71eab73d-5d7d-4681-9a72-7873489a5b85
c63bbe52-6f17-4832-b221-f07ba8b1736f
98f19852-7348-4f99-9e15-6ff4320464c7
42111a6f-7e7f-482c-9b1b-3cfd090b999c
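Review bot: the appended GUID `42111a6f-7e7f-482c-9b1b-3cfd090b999c` matches the `auto_generated_guid` of the new test in every other hunk of this commit, so the GUID registry stays consistent with the indexes and the technique YAML.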