diff --git a/Indian/APT/SideWinder/25-12-19/JSON/MITRE_ref.json b/Indian/APT/SideWinder/25-12-19/JSON/MITRE_ref.json
index deb8d77..09c89cc 100644
--- a/Indian/APT/SideWinder/25-12-19/JSON/MITRE_ref.json
+++ b/Indian/APT/SideWinder/25-12-19/JSON/MITRE_ref.json
@@ -13,6 +13,13 @@
         "Description":  "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account\u0027s associated permissions level.",
         "URL":  "https://attack.mitre.org/techniques/T1060/"
     },
+    {
+        "Id":  "T1081",
+        "Name":  "Credentials in Files",
+        "Type":  "Credential Access ",
+        "Description":  "Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.",
+        "URL":  "https://attack.mitre.org/techniques/T1081/"
+    },
     {
         "Id":  "T1129",
         "Name":  "Execution through Module Load",