diff --git a/atomics/T1021.005/T1021.005.yaml b/atomics/T1021.005/T1021.005.yaml
new file mode 100644
index 00000000..af1789dc
--- /dev/null
+++ b/atomics/T1021.005/T1021.005.yaml
@@ -0,0 +1,18 @@
+attack_technique: T1021.005
+display_name: 'Remote Services:VNC'
+atomic_tests:
+- name: Enable Apple Remote Desktop Agent
+  description: |
+    ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.
+    Adversaries can abuse ARD to gain remote code execution and perform lateral movement.
+
+    References: https://www.mandiant.com/resources/blog/leveraging-apple-remote-desktop-for-good-and-evil
+  supported_platforms:
+  - macos
+  executor:
+    name: sh
+    command: |
+      sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -quiet
+    cleanup_command: |
+      sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop -configure -privs -none -quiet
+    elevation_required: true
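Review bot: The `cleanup_command` unconditionally runs `kickstart -deactivate -stop`, so on a host where Remote Management was already enabled before the test (for example by MDM) the cleanup does not restore the prior state but switches the service off, and the `-allowAccessFor -allUsers` setting applied by `command` does not appear to be reverted by `-privs -none` alone — worth confirming against kickstart's option set. The description should state this side effect, e.g. `Note: the test grants all local users full Remote Management privileges while it runs, and cleanup disables Remote Management entirely rather than restoring the previous configuration.` The `display_name` value `'Remote Services:VNC'` also seems to be missing the space after the colon used in the MITRE name `Remote Services: VNC`, which the other atomics appear to follow.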