diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml
new file mode 100644
index 00000000..218a4461
--- /dev/null
+++ b/atomics/T1036/T1036.yaml
@@ -0,0 +1,30 @@
+---
+attack_technique: T1036
+display_name: Masquerading
+
+atomic_tests:
+- name: Masquerading as Windows LSASS process
+  description: |
+    Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
+
+  supported_platforms:
+    - windows
+
+  executor:
+    name: command_prompt
+    command: |
+      cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
+      cmd.exe /c %SystemRoot%\Temp\lsass.exe
+
+- name: Masquerading as Linux crond process.
+  description: |
+    Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
+
+  supported_platforms:
+    - linux
+
+  executor:
+    name: sh
+    command: |
+      cp /bin/sh /tmp/crond
+      /tmp/crond