From 11a5c061ab2caf753fd9e1b3abd835c05a7e2f5e Mon Sep 17 00:00:00 2001
From: Swelc
Date: Mon, 25 Jun 2018 21:53:01 -0500
Subject: [PATCH] Added notes about additional modules being needed for Mimikatz etc
---
 atomics/T1081/T1081.yaml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/atomics/T1081/T1081.yaml b/atomics/T1081/T1081.yaml
index 3fe8419d..b96cd2dd 100644
--- a/atomics/T1081/T1081.yaml
+++ b/atomics/T1081/T1081.yaml
@@ -14,3 +14,42 @@ atomic_tests:
 name: sh
 command: |
 python2 laZagne.py all
+
+- name: Extract credentials from files
+ description: |
+ Extracting credentials from files
+ input_arguments:
+ file_path:
+ description: Path to search
+ type: String
+ default: /
+ supported_platforms:
+ - macos
+ - linux
+ executor:
+ name: sh
+ command: |
+ grep -riP password #{file_path}
+
+- name: Mimikatz & Kittenz
+ description: |
+ Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz ps module.
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ command: |
+ invoke-mimikittenz
+ mimikatz.exe
+
+- name: Extracting credentials from files
+ description: |
+ Extracting Credentials from Files
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ command: |
+ findstr /si pass *.xml | *.doc | *.txt | *.xls
+ ls -R | select-string -Pattern password
+
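Review bot: The Windows file-search test will not run as written, because under the `powershell` executor the `|` characters in `findstr /si pass *.xml | *.doc | *.txt | *.xls` are pipeline operators, so `*.doc` is parsed as a command and the step errors out before producing the telemetry the test is meant to generate; findstr takes several file patterns separated by spaces, `findstr /si pass *.xml *.doc *.txt *.xls`. In the macos/linux test, `grep -riP` depends on `-P`, which the grep shipped with macOS most likely does not accept, and a literal word needs no PCRE, so `grep -ri password #{file_path}` is the portable form. The default `file_path` of `/` makes that test walk the whole filesystem, including pseudo-filesystems such as /proc on Linux, so a narrower default would keep runs bounded and the resulting log volume reviewable. The Mimikatz entry runs `invoke-mimikittenz` and `mimikatz.exe` back to back with no prerequisite check, so one of the two will normally fail; splitting it into two tests, each stating which module or binary must already be staged, would make a pass or fail interpretable.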