diff --git a/atomics/T1098.004/T1098.004.yaml b/atomics/T1098.004/T1098.004.yaml
new file mode 100644
index 00000000..f8256cd3
--- /dev/null
+++ b/atomics/T1098.004/T1098.004.yaml
@@ -0,0 +1,19 @@
+---
+attack_technique: T1098.004
+display_name: SSH Authorized Keys
+
+atomic_tests:
+- name: Modify SSH Authorized Keys
+  description: |
+    Modify contents of /.ssh/authorized_keys to maintain persistence on victim host.
+    If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.
+  supported_platforms:
+  - macos
+  - linux
+  executor:
+    name: sh
+    elevation_required: true
+    command: |
+      if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi;
+    cleanup_command: |
+      unset ssh_authorized_keys
\ No newline at end of file
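Review bot: The `command` does not write back "the same contents" as the description promises: `echo $ssh_authorized_keys` expands the variable unquoted, so word splitting and glob expansion collapse a multi-key file onto one space-separated line (and `$(...)` has already stripped trailing newlines), which corrupts the real authorized_keys on the test host. At minimum quote the expansion, `echo "$ssh_authorized_keys" > ~/.ssh/authorized_keys`, or better, take a backup first, `cp -p ~/.ssh/authorized_keys ~/.ssh/authorized_keys.atomic.bak`, and have `cleanup_command` restore it with `mv ~/.ssh/authorized_keys.atomic.bak ~/.ssh/authorized_keys`, since `unset ssh_authorized_keys` presumably runs in a separate shell and undoes nothing. With `elevation_required: true` the `~` may resolve to the elevated user's home rather than the invoking user's, so the note above the test should state which account's file is being exercised; the description's `/.ssh/authorized_keys` also looks like it was meant to read `~/.ssh/authorized_keys`. When the file is absent the command silently does nothing and the test still reports success, so consider a prerequisite check (or a comment) making that case explicit.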