From fad05dbdfab4fdc9d550f2dc1c257f2e658de295 Mon Sep 17 00:00:00 2001 From: CyberConradWilson <72638002+CyberConradWilson@users.noreply.github.com> Date: Sat, 10 Oct 2020 08:35:03 -0600 Subject: [PATCH] Adding New Test (#1248) * Adding New Test Adding a new test that will invoke the command that Ryuk ransomware uses. * more descriptive wording Co-authored-by: Carrie Roberts --- atomics/T1222.001/T1222.001.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/atomics/T1222.001/T1222.001.yaml b/atomics/T1222.001/T1222.001.yaml index 6296480e..68501c6c 100644 --- a/atomics/T1222.001/T1222.001.yaml +++ b/atomics/T1222.001/T1222.001.yaml @@ -47,7 +47,7 @@ atomic_tests: dependency_executor_name: command_prompt dependencies: - description: | - Test requrires a file to modifyto be located at (#{file_or_folder}) + Test requrires a file to modify to be located at (#{file_or_folder}) prereq_command: | IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) get_prereq_command: | @@ -56,7 +56,7 @@ atomic_tests: echo T1222.001_cacls2 >> #{file_or_folder}\T1222.001_cacls2.txt executor: command: | - Icacls.exe #{file_or_folder} /grant #{user_or_group}:F + icacls.exe #{file_or_folder} /grant #{user_or_group}:F name: command_prompt - name: attrib - Remove read-only attribute auto_generated_guid: bec1e95c-83aa-492e-ab77-60c71bbd21b0 @@ -86,3 +86,10 @@ atomic_tests: command: | attrib.exe -r #{file_or_folder}\*.* /s name: command_prompt +- name: 'Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style' + description: Invokes the command line used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. + supported_platforms: + - windows + executor: + command: icacls "C:\*" /grant Everyone:F /T /C /Q + name: powershell
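Review bot: The corrected dependency description in the first hunk still misspells "requires" as `requrires`; since the line is being rewritten anyway, `Test requires a file to modify to be located at (#{file_or_folder})` would fix both typos at once. The `dependencies` block that holds this line continues outside the hunk, so the `prereq_command` that follows is only partly visible here.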
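Review bot: The new test in the last hunk runs `icacls "C:\*" /grant Everyone:F /T /C /Q` against the whole system drive with no `cleanup_command`, and the original ACLs cannot be recovered afterwards, so every host it is run on is left permanently weakened; the other tests in this file scope their target through the `#{file_or_folder}` input argument, and this one should either do the same or state in its `description` that the change is irreversible and should only be run on a disposable machine. The executor also lacks `elevation_required: true`, which a recursive ACL rewrite on `C:\` needs. Unlike the neighbouring `attrib` test, the entry carries no `auto_generated_guid`; if CI does not fill that in, one should be added. The executor `name: powershell` also differs from the `command_prompt` used by the other icacls tests in this file, although icacls is a native executable either way.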