diff --git a/atomics/T1102/T1102.yaml b/atomics/T1102/T1102.yaml
new file mode 100644
index 00000000..2aafb725
--- /dev/null
+++ b/atomics/T1102/T1102.yaml
@@ -0,0 +1,34 @@
+---
+attack_technique: T1102
+display_name: Web Service
+
+atomic_tests:
+ - name: Reach out to C2 Pointer URLs via command_prompt
+ description: |
+ Download data from a public website using command line
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/ %TEMP%\bitsadmindownload.html
+ cleanup_command: |
+ del %TEMP%\bitsadmindownload.html
+
+ - name: Reach out to C2 Pointer URLs via powershell
+ description: |
+ Multiple download methods for files using powershell
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Invoke-WebRequest -Uri www.twitter.com
+ $T1102 = (New-Object System.Net.WebClient).DownloadData("https://www.reddit.com/")
+ $wc = New-Object System.Net.WebClient
+ $T1102 = $wc.DownloadString("https://www.aol.com/")
+ cleanup_command: |
+ Clear-Variable T1102
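Review bot: The powershell test's cleanup_command clears only `$T1102` while the command block also creates `$wc`, so a WebClient object stays in the session after cleanup; `Clear-Variable T1102, wc` (or `$wc.Dispose()` before the clear) would cover both. The first line of that block, `Invoke-WebRequest -Uri www.twitter.com`, has no scheme, unlike the two https URLs below it, and may be rejected as an invalid URI on some PowerShell versions, so `Invoke-WebRequest -Uri https://www.twitter.com` is the safer form. Both tests depend on live third-party hosts, so a sentence in each description noting that the test requires outbound HTTP/HTTPS and that the target URLs can change or disappear would explain failures to a reader who has not looked at the command. In the command_prompt test the BITS job name `"DonwloadFile"` is misspelled; `"DownloadFile"` is what the author presumably intended.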