diff --git a/atomics/T1555.004/T1555.004.yaml b/atomics/T1555.004/T1555.004.yaml
new file mode 100644
index 00000000..7af751df
--- /dev/null
+++ b/atomics/T1555.004/T1555.004.yaml
@@ -0,0 +1,16 @@
+attack_technique: T1555.004
+display_name: 'Credentials from Password Stores: Windows Credential Manager'
+atomic_tests:
+- name: Access Saved Credentials via VaultCmd
+  description: |
+    List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
+    Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos
+    https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/
+    https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+  supported_platforms:
+    - windows
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      vaultcmd /listcreds:"Windows Credentials"