diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml index ffdc05d3..2f18088f 100644 --- a/atomics/T1003/T1003.yaml +++ b/atomics/T1003/T1003.yaml @@ -142,3 +142,13 @@ atomic_tests: C:\Windows\System32\inetsrv\appcmd.exe list apppool /config name: powershell elevation_required: true + +- name: Dump Credential Manager using keymgr.dll and rundll32.exe + description: |- + This test executes the exported function `KRShowKeyMgr` located in `keymgr.dll` using `rundll32.exe`. It opens a window that allows to export stored Windows credentials from the credential manager to a file (`.crd` by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieve multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.). + Reference: https://twitter.com/0gtweet/status/1415671356239216653 + supported_platforms: + - windows + executor: + command: rundll32.exe keymgr,KRShowKeyMgr + name: powershell
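Review bot: the new test's `executor:` block is missing the `elevation_required` key that the preceding test in this file carries (`elevation_required: true` after `name: powershell`); add it with the correct value so runners know whether an elevated context is needed. The `description` also needs a grammar pass: "to list the credentials get the passwords" should read "to list the credentials and obtain the passwords", and "which can be achieve multiple ways" should be "which can be achieved in multiple ways". Since the description itself states that the command opens a window and only proceeds after an interactive CTRL+ALT+DELETE, say explicitly that the test will not complete unattended, and consider whether the window that `rundll32.exe keymgr,KRShowKeyMgr` leaves open needs a `cleanup_command:` so automated runs do not leave it behind.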