From 3fb3fb2a84e8bfe5fbd70488ae774c765c071fa7 Mon Sep 17 00:00:00 2001
From: IntelScott <99858125+tropChaud@users.noreply.github.com>
Date: Mon, 4 Apr 2022 08:49:57 -0400
Subject: [PATCH] Create T1555.004.yaml (#1843)

* Create T1555.004.yaml

* remove blank auto-generated guid

* use standard quotes

Co-authored-by: Carrie Roberts
---
 atomics/T1555.004/T1555.004.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 atomics/T1555.004/T1555.004.yaml

diff --git a/atomics/T1555.004/T1555.004.yaml b/atomics/T1555.004/T1555.004.yaml
new file mode 100644
index 00000000..7af751df
--- /dev/null
+++ b/atomics/T1555.004/T1555.004.yaml
@@ -0,0 +1,16 @@
+attack_technique: T1555.004
+display_name: 'Credentials from Password Stores: Windows Credential Manager'
+atomic_tests:
+- name: Access Saved Credentials via VaultCmd
+ description: |
+ List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
+ Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos
+ https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/
+ https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ vaultcmd /listcreds:"Windows Credentials"
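Review bot: The `description` block never states what telemetry a detection engineer should expect when this atomic runs, which is the main reason to execute it; the command on the last hunk line produces a process-creation event for vaultcmd.exe with the `/listcreds` argument, and the second reference link is about image-load logging, so the description should say which of those signals the test is meant to exercise, e.g. append `Expected telemetry: process creation of vaultcmd.exe with command line containing /listcreds (and the associated image loads described in the second reference).` The description should also note explicitly that the command enumerates credential entries only and does not reveal stored secrets, so readers do not over-state the test's impact. Minor style point: `command: |` keeps a trailing newline on the executor string; `command: |-` is the usual choice for a single-line command, though the Atomic Red Team convention appears to tolerate either. The collapsed rendering has lost the original indentation of the nested keys (`description`, `supported_platforms`, `executor` and their children); the reconstructed hunk above restores line breaks only, so indentation must be checked against the committed file before this YAML is parsed.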