a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics.
* fix: One additional change needed
---------
Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
32 lines
1.3 KiB
YAML
attack_technique: T1006
display_name: Direct Volume Access
atomic_tests:
- name: Read volume boot sector via DOS device path (PowerShell)
  auto_generated_guid: 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
  description: |-
    This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform a direct-access read of the first few bytes of the volume.
    On success, a hex dump of the first 11 bytes of the volume is displayed.
    For an NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):
    ```
               00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    00000000   EB 52 90 4E 54 46 53 20 20 20 20                 ëR?NTFS
    ```
  supported_platforms:
  - windows
  input_arguments:
    volume:
      description: Drive letter of the volume to access
      type: string
      default: 'C:'
  executor:
    command: |
      $buffer = New-Object byte[] 11
      $handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
      $handle.Read($buffer, 0, $buffer.Length)
      $handle.Close()
      Format-Hex -InputObject $buffer
    name: powershell
    elevation_required: true
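The description above gives the 11 bytes an NTFS volume should return (an x86 JMP `EB 52 90` followed by the 8-byte OEM ID `NTFS    `). The following is an added example, not part of the Atomic Red Team test, that checks a captured buffer against that signature, extracts the OEM ID field, and renders the bytes in a Format-Hex-style dump so the result of the test can be compared with the expected output offline. The sample buffers are constructed from the values on this page (and a FAT boot-sector prefix for contrast); only the `?` placeholder for non-printable bytes is an assumption of this formatter.

```python
# Added example (not part of the T1006 atomic test): validate the first 11 bytes
# read from a volume against the NTFS boot-sector signature described above.

# Expected prefix of an NTFS volume boot record: JMP (EB 52 90) + 8-byte OEM ID.
NTFS_JUMP = bytes.fromhex("EB 52 90")
NTFS_OEM_ID = b"NTFS    "


def is_ntfs_boot_sector(buf: bytes) -> bool:
    """True if the first 11 bytes match the NTFS VBR signature from the test description."""
    return len(buf) >= 11 and buf[:3] == NTFS_JUMP and buf[3:11] == NTFS_OEM_ID


def oem_id(buf: bytes) -> str:
    """Return the OEM ID field (bytes 3..10), e.g. 'NTFS    ' or 'MSDOS5.0' on FAT."""
    return buf[3:11].decode("ascii", errors="replace")


def hex_dump(buf: bytes, width: int = 16) -> str:
    """Render bytes as offset / hex / ASCII rows, in the layout Format-Hex prints.

    Non-printable bytes are shown as '?' (assumption of this formatter; Format-Hex
    renders some of them with the console code page instead).
    """
    header = " " * 11 + " ".join(f"{i:02X}" for i in range(width))
    rows = [header]
    for off in range(0, len(buf), width):
        chunk = buf[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "?" for b in chunk)
        rows.append(f"{off:08X}   {hexpart}   {asc}")
    return "\n".join(rows)


# Constructed samples: the NTFS bytes shown in the test description, and the
# prefix of a FAT16-style boot sector (JMP EB 3C 90 + OEM ID "MSDOS5.0") for contrast.
SAMPLE_NTFS = bytes.fromhex("EB 52 90 4E 54 46 53 20 20 20 20")
SAMPLE_FAT = bytes.fromhex("EB 3C 90 4D 53 44 4F 53 35 2E 30")

if __name__ == "__main__":
    for label, sample in (("ntfs", SAMPLE_NTFS), ("fat", SAMPLE_FAT)):
        print(f"{label}: oem_id={oem_id(sample)!r} ntfs={is_ntfs_boot_sector(sample)}")
        print(hex_dump(sample))
```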