T1485 Test to delete backup files similar to Ryuk (#659)

* T1485 Test to delete backup files similar to Ryuk

* Generate docs from job=validate_atomics_generate_docs branch=t1485-del-backups

atomics/T1485/T1485.md

@@ -18,6 +18,8 @@ To maximize impact on the target organization in operations where network-wide a
 
 - [Atomic Test #5 - macOS/Linux - Overwrite file with DD](#atomic-test-5---macoslinux---overwrite-file-with-dd)
 
+- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
+
 
 <br/>
 
@@ -114,4 +116,20 @@ dd of=#{file_to_overwrite} if=#{overwrite_source}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Windows - Delete Backup Files
+Deletes backup files in a manner similar to Ryuk ransomware.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`! 
+```
+del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
+```
+
+
+
 <br/>

atomics/T1485/T1485.yaml

@@ -87,4 +87,16 @@ atomic_tests:
   executor:
     name: bash
     command: |
-      dd of=#{file_to_overwrite} if=#{overwrite_source}
+      dd of=#{file_to_overwrite} if=#{overwrite_source}
+
+- name: Windows - Delete Backup Files
+  description: |
+    Deletes backup files in a manner similar to Ryuk ransomware.
+
+  supported_platforms:
+    - windows
+
+  executor:
+    name: command_prompt
+    command: |
+      del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk

atomics/index.md

@@ -474,6 +474,7 @@
   - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
   - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
   - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
+  - Atomic Test #6: Windows - Delete Backup Files [windows]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/index.yaml

@@ -13903,7 +13903,19 @@ impact:
           default: "/var/log/syslog"
       executor:
         name: bash
-        command: dd of=#{file_to_overwrite} if=#{overwrite_source}
+        command: 'dd of=#{file_to_overwrite} if=#{overwrite_source}
+
+'
+    - name: Windows - Delete Backup Files
+      description: 'Deletes backup files in a manner similar to Ryuk ransomware.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        command: del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
+          c:\backup*.* c:\*.set c:\*.win c:\*.dsk
   '':
     technique:
       x_mitre_data_sources:

atomics/windows-index.md

@@ -330,6 +330,7 @@
   - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
   - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
   - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
+  - Atomic Test #6: Windows - Delete Backup Files [windows]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)