diff --git a/atomics/T1505.005/T1505.005.yaml b/atomics/T1505.005/T1505.005.yaml
new file mode 100644
index 00000000..1dcd124c
--- /dev/null
+++ b/atomics/T1505.005/T1505.005.yaml
@@ -0,0 +1,24 @@
+attack_technique: T1505.005
+display_name: 'Server Software Component: Terminal Services DLL'
+atomic_tests:
+- name: Simulate Patching termsrv.dll
+  description: |
+    Simulates patching of termsrv.dll by making a benign change to the file and replacing it with the original afterwards.
+    Before we can make the modifications we need to take ownership of the file and grant ourselves the necessary permissions.
+  supported_platforms:
+  - windows
+  executor:
+    elevation_required: true
+    command: |
+      $ACL = Get-Acl $fileName
+      $permission = "Administrators","FullControl","Allow"
+      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+      $ACL.SetAccessRule($accessRule)
+      Set-Acl -Path $fileName -AclObject $ACL
+
+      Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
+      Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
+      Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore
+    cleanup_command: |
+      Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore
+    name: powershell