From 89ff9a817f8e82c8f55df375259a13b504b4d4ca Mon Sep 17 00:00:00 2001
From: IntelScott <99858125+tropChaud@users.noreply.github.com>
Date: Thu, 17 Feb 2022 12:54:23 -0500
Subject: [PATCH] Create T1003.005.yaml (#1780)

* Create T1003.005.yaml

* Update T1003.005.yaml

Co-authored-by: Carrie Roberts
---
 atomics/T1003.005.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 atomics/T1003.005.yaml

diff --git a/atomics/T1003.005.yaml b/atomics/T1003.005.yaml
new file mode 100644
index 00000000..c09b2e5e
--- /dev/null
+++ b/atomics/T1003.005.yaml
@@ -0,0 +1,17 @@
+attack_technique: T1003.005
+display_name: 'OS Credential Dumping: Cached Domain Credentials'
+atomic_tests:
+- name: Cached Credential Dump via Cmdkey
+  description: |
+    List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
+    Credentials listed with Cmdkey only pertain to the current user
+    Passwords will not be displayed once they are stored
+    https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
+    https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
+  supported_platforms:
+  - windows
+  executor:
+  - name: command_prompt
+    elevation_required: false
+    command: |
+      cmdkey /list
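Review bot: The test is filed under T1003.005 (Cached Domain Credentials), but `cmdkey /list` enumerates the current user's Windows Credential Manager entries, not the cached domain logon verifiers (DCC2/MSCache, stored in the SECURITY hive) that T1003.005 describes; this looks like a better fit for T1555.004 (Credentials from Password Stores: Windows Credential Manager), or at minimum the description should state that it does not touch cached domain logon material. The executor also appears to be written as a sequence (`- name: command_prompt`), while the Atomic Red Team schema expects `executor:` to be a mapping — with the original whitespace collapsed in this view I cannot confirm the indentation, but if it is a list item the test will fail schema validation, and the fix is `executor:` / `  name: command_prompt` / `  elevation_required: false` with `command: |` at the same level. For defenders, I would add one line to the description: `Detection: process creation of cmdkey.exe with a /list argument; the test writes nothing and needs no cleanup.`, since the technique text otherwise gives no detection or cleanup guidance.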