diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml
index 43849b88..1938f5f3 100644
--- a/atomics/T1016/T1016.yaml
+++ b/atomics/T1016/T1016.yaml
@@ -122,4 +122,19 @@ atomic_tests:
 cleanup_command: |
 Remove-Item -ErrorAction ignore "#{output_file}"
 name: powershell
-
+- name: List macOS Firewall Rules
+ description: |
+ "This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows.
+
+ Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user.
+
+ Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
+ supported_platforms:
+ - macos
+ executor:
+ command: |
+ sudo defaults read /Library/Preferences/com.apple.alf
+ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
+ name: bash
+ elevation_required: true
+
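Review bot: The description's opening `"` on the `"This will test …` line has no closing quote and reads as a stray character inside the literal block scalar; drop it. The same paragraph promises "specific port/protocol blocks or allows", but `com.apple.alf` and `socketfilterfw` expose the Application Firewall's global state, stealth mode and per-application allow/block entries rather than port- or protocol-level rules — as far as I know those live in `pf` — so either reword to "global state and per-application allow/block entries" or add `sudo pfctl -sr` to `command:` if port rules are meant to be in scope. The executor also only passes `--getglobalstate`, so the `explicitauths`/`--listapps` detail the description advertises is not exercised by the test as written; adding `sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps` would make the observed output match the description and give detection engineers the second process-execution event to key on. Whether `sudo` is actually required for reading that plist and for `--getglobalstate` is not established by the hunk, so the "Must be run with elevated privileges" claim is worth confirming before it is relied on.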