Update T1486.yaml (#2665)

Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Jan 20, 2024 · 11c4421 · 11c4421
1 parent 6a3a2ed
commit 11c4421
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml
@@ -276,3 +276,31 @@ atomic_tests:
       cmd /c '#{GPG_Exe_Location}' -c '#{File_to_Encrypt_Location}'
     cleanup_command: |
       remove-item '#{File_to_Encrypt_Location}.gpg' -force -erroraction silentlycontinue | out-null
+
+- name: Data Encrypt Using DiskCryptor
+  description: |
+      DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It's important to note that a system reboot is necessary as part of the installation.
+  supported_platforms:
+    - windows
+  input_arguments:
+      dcrypt_exe:
+        description: The dcrypt.exe executable from dcrypt_setup.exe
+        type: path
+        default: 'dcrypt.exe'
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        dcrypt_setup will be installed at specified location (#{dcrypt_exe})
+      prereq_command: |
+        if (Test-Path "${env:ProgramFiles}/dcrypt/#{dcrypt_exe}") {exit 0} else {exit 1}
+      get_prereq_command: |
+        Write-Host Downloading DiskCryptor installer
+        New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+        Invoke-WebRequest "https://github.com/DavidXanatos/DiskCryptor/releases/download/1.1.846.118/dcrypt_setup_1.1.846.118.exe" -OutFile      "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe"
+        Write-Host Install DiskCryptor
+        Start-Process "PathToAtomicsFolder\..\ExternalPayloads\dcrypt_setup_1.1.846.118.exe" -Wait -ArgumentList "/s"
+  executor:
+    name: command_prompt
+    elevation_required: true
+    command: |
+      ""%PROGRAMFILES%\dcrypt"\#{dcrypt_exe}"