diff --git a/queries/windows/os_credential_dumping.yml b/queries/windows/os_credential_dumping.yml
new file mode 100644
index 0000000..dc41220
--- /dev/null
+++ b/queries/windows/os_credential_dumping.yml
@@ -0,0 +1,15 @@
+title: OS Credential Dumping
+description: Detects NPPSpy service or credential theft through generic IndicatorName.
+author: keyboardcrunch
+date: 17/03/2021
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1003
+ subtechnique: null
+operating_system: linux
+query: RegistryKeyPath ContainsCIS "\Services\NPPSpy" OR IndicatorName In ( "Mimikatz", "CredsReadFromLsass", "LSASSMemoryAccessed", "DumpSAM", "PasswordSniffingViaNetworkProvider" )
+false_positives: null
+tags: null
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md
\ No newline at end of file
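Review bot: `operating_system: linux` contradicts everything else in the rule — it lives under `queries/windows/`, matches a Windows registry service path (`\Services\NPPSpy`), and keys on LSASS/SAM indicator names — so if this field is used to select which rules run per platform, the rule would never be evaluated on the hosts it is written for; it should read `operating_system: windows`. The registry half of the query only fires on the literal service name `NPPSpy`, so a network-provider DLL registered under any other service name would not be caught by that clause; the rule relies on the `PasswordSniffingViaNetworkProvider` indicator for the generic case, which is worth stating in `description`. `false_positives: null` is likely too optimistic for the `LSASSMemoryAccessed`/`CredsReadFromLsass` indicators, which in practice can be raised by legitimate security, backup or crash-dump tooling — listing those classes of tools (to be confirmed against the environment) would help whoever triages this alert.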