diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml index dc240895fc..47d431af88 100644 --- a/atomics/T1486/T1486.yaml +++ b/atomics/T1486/T1486.yaml @@ -278,6 +278,7 @@ atomic_tests: remove-item '#{File_to_Encrypt_Location}.gpg' -force -erroraction silentlycontinue | out-null - name: Data Encrypt Using DiskCryptor + auto_generated_guid: 44b68e11-9da2-4d45-a0d9-893dabd60f30 description: | DiskCryptor, an open source encryption utility, can be exploited by adversaries for encrypting all disk partitions, including system partitions. This tool was identified in a ransomware campaign, as reported on https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/. The documentation for DiskCryptor can be found at https://github.com/DavidXanatos/DiskCryptor. During the installation process, running dcrypt.exe starts the encryption console. It's important to note that a system reboot is necessary as part of the installation. supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index c5ce8d6ea3..5f4cda3d75 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -1549,3 +1549,4 @@ a768aaa2-2442-475c-8990-69cf33af0f4e ba38e193-37a6-4c41-b214-61b33277fe36 35b88076-7edb-4eb5-bdc5-11ede7f45c6a 444ff124-4c83-4e28-8df6-6efd3ece6bd4 +44b68e11-9da2-4d45-a0d9-893dabd60f30
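Review bot: In the `atomics/T1486/T1486.yaml` hunk, the description under `- name: Data Encrypt Using DiskCryptor` says a system reboot is necessary as part of the installation, but nothing in the hunk surfaces that requirement where a test runner would act on it; consider moving the reboot requirement to the start of the description and, if the test's executor or dependency prereq steps rely on it, stating it there too rather than only as the closing sentence. The `auto_generated_guid: 44b68e11-9da2-4d45-a0d9-893dabd60f30` line itself is the only functional change in this hunk and sits directly under `name:`, which is where the test's identifier is expected.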
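Review bot: In the `atomics/used_guids.txt` hunk, the appended value `44b68e11-9da2-4d45-a0d9-893dabd60f30` matches the `auto_generated_guid` added to `atomics/T1486/T1486.yaml`, so the registry and the test agree; before merging, confirm the GUID is not already present elsewhere in `used_guids.txt` (a duplicate would not be visible in this three-line hunk) and that the file keeps its trailing newline, since the new line is appended at end of file.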