Created
March 1, 2023 22:54
-
-
Save ecapuano/679791ffe049a0b2e81a645df3084944 to your computer and use it in GitHub Desktop.
A Velociraptor artifact that causes a Windows system to self-destruct
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Windows.Destroy.System | |
| description: | | |
| **WARNING! THIS IS HIGHLY DESTRUCTIVE!** | |
| Deletes ALL of the things. UNRECOVERABLE! | |
| First deletes sensitive areas (user profiles, event logs) then moves | |
| to wiping and zeroizing the entire C: drive. | |
| The system will ultimately fail before the process finishes, but the | |
| majority of important data will be gone and the system unusable. | |
| WARNING - THIS IS AN UNRECOVERABLE ACTION! | |
| author: Eric Capuano | @eric_capuano@infosec.exchange | |
| tools: | |
| - name: Sdelete_x86 | |
| url: https://live.sysinternals.com/tools/sdelete.exe | |
| serve_locally: true | |
| - name: Sdelete_amd64 | |
| url: https://live.sysinternals.com/tools/sdelete64.exe | |
| serve_locally: true | |
| precondition: SELECT OS From info() where OS = 'windows' | |
| parameters: | |
| sources: | |
| - name: DownloadBinary | |
| query: | | |
| LET os_info <= SELECT Architecture FROM info() | |
| // Get the path to the binary. | |
| LET bin <= SELECT * FROM Artifact.Generic.Utils.FetchBinary( | |
| ToolName= "Sdelete_" + os_info[0].Architecture, | |
| ToolInfo=ToolInfo) | |
| SELECT * from os_info | |
| - name: AddDefenderExclusion | |
| query: | | |
| LET Command = 'Add-MpPreference -ExclusionPath "C:\Program Files\Velociraptor"' | |
| SELECT * FROM execve(argv=['powershell',"-ExecutionPolicy", "Unrestricted", "-encodedCommand", | |
| base64encode(string=utf16_encode(string=Command))]) | |
| - name: DeleteUserProfiles | |
| query: | | |
| // Call the binary and return all its output in a single row. | |
| SELECT * FROM execve(argv=[bin[0].FullPath, | |
| '-accepteula', '-r', '-s','-q', 'C:\\Users\\*' | |
| ], length=10000000) | |
| - name: DeleteWinTemp | |
| query: | | |
| SELECT * FROM execve(argv=[bin[0].FullPath, | |
| '-accepteula', '-r', '-s','-q', 'C:\\Windows\\Temp\\*' | |
| ], length=10000000) | |
| - name: DeleteEVTX | |
| query: | | |
| LET Command = 'Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }' | |
| SELECT * FROM execve(argv=['powershell',"-ExecutionPolicy", "Unrestricted", "-encodedCommand", | |
| base64encode(string=utf16_encode(string=Command))]) | |
| - name: DestroyCDrive | |
| query: | | |
| SELECT * FROM execve(argv=[bin[0].FullPath, | |
| '-accepteula', '-r', '-s','-q', 'C:\\*' | |
| ], length=10000000) | |
| - name: WipeFreeSpace | |
| query: | | |
| SELECT * FROM execve(argv=[bin[0].FullPath, | |
| '-accepteula', '-c', 'C:' | |
| ], length=10000000) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment