diff --git a/atomics/T1195/T1195.yml b/atomics/T1195/T1195.yml
new file mode 100644
index 00000000..dde8c5bb
--- /dev/null
+++ b/atomics/T1195/T1195.yml
@@ -0,0 +1,33 @@
+attack_technique: T1195
+display_name: Supply Chain Compromise 
+atomic_tests:
+- name: Octopus Scanner Malware Open Source Supply Chain
+  auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421
+  description: |
+    This test simulates an adversary Octupus drop the RAT dropper ExplorerSync.db
+    [octopus-scanner-malware-open-source-supply-chain](https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/)
+    [the-supreme-backdoor-factory](https://www.dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    rat_payload:
+      description: RAT dropper ExplorerSync.db
+      type: Path
+      default: $env:TEMP\ExplorerSync.db
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      ExplorerSync.db must exist on disk at specified location (#{rat_payload})
+    prereq_command: |
+      if (Test-Path #{rat_payload}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Out-File -FilePath "#{rat_payload}"
+  executor:
+    command: |
+      copy %temp%\ExplorerSync.db %temp%\..\Microsoft\ExplorerSync.db
+      schtasks /create /tn ExplorerSync /tr "javaw -jar %temp%\..\Microsoft\ExplorerSync.db" /sc MINUTE /f
+    cleanup_command: |
+      schtasks /delete /tn ExplorerSync /F 2>null
+      del %temp%\..\Microsoft\ExplorerSync.db 2>null
+      del %temp%\ExplorerSync.db 2>null
+    name: command_prompt