diff --git a/atomics/T1609/T1609.yaml b/atomics/T1609/T1609.yaml
index bf7cf744..195367a1 100644
--- a/atomics/T1609/T1609.yaml
+++ b/atomics/T1609/T1609.yaml
@@ -31,3 +31,33 @@ atomic_tests:
 kubectl delete pod busybox -n #{namespace}
 name: bash
 elevation_required: false
+- name: DockerExecIntoContainer
+ auto_generated_guid:
+ description: |
+ Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“docker exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “docker exec”.
+
+ supported_platforms:
+ - containers
+ input_arguments:
+ command:
+ description: Command to run
+ type: String
+ default: cat
+ dependencies:
+ - description: |
+ docker must be installed
+ get_prereq_command: |
+ if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+ prereq_command: |
+ which docker
+ executor:
+ command: |
+ docker build -t t1609 /home/kali/test/atomic-red-team/atomics/T1609/src/
+ docker run --name t1609_container --rm -itd t1609 bash /tmp/script.sh
+ docker exec -i t1609_container bash -c "cat /tmp/output.txt"
+ cleanup_command: |
+ docker stop t1609_container
+ docker rmi -f t1609:latest
+ name: bash
+ elevation_required: false
+
diff --git a/atomics/T1609/src/dockerfile b/atomics/T1609/src/dockerfile
new file mode 100644
index 00000000..e210c05f
--- /dev/null
+++ b/atomics/T1609/src/dockerfile
@@ -0,0 +1,5 @@
+FROM ubuntu
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN echo "1" > /tmp/output.txt && \
+ echo ' bin/sh -c "while true; do sleep 30;done;"' > /tmp/script.sh && chmod +x /tmp/script.sh
\ No newline at end of file
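Review bot: The `command` input argument (`default: cat`) is declared under `input_arguments` but never referenced, because the executor hardcodes `cat /tmp/output.txt` in the `docker exec` line, so a caller supplying a different value changes nothing; either interpolate it (`docker exec -i t1609_container bash -c "#{command} /tmp/output.txt"`) or drop the argument. The `docker build` line points at `/home/kali/test/atomic-red-team/atomics/T1609/src/`, an absolute path on the author's machine, so the test cannot run anywhere else; the repository's `PathToAtomicsFolder` placeholder (`docker build -t t1609 PathToAtomicsFolder/T1609/src/`) is the portable form used by the other tests. In `get_prereq_command`, `sudo apt-get -y install docker` does not install the container engine on Debian/Ubuntu, where it is packaged as `docker.io`, so the prerequisite step can succeed without ever satisfying `which docker`. `auto_generated_guid:` is left bare, which a YAML parser reads as null; presumably the project's tooling fills it in, but that is worth confirming before merge.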
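Review bot: The script written on the last `RUN` line is ` bin/sh -c "while true; do sleep 30;done;"`, with a leading space and a relative `bin/sh` path, so it only resolves while the process's working directory happens to be `/`; writing `/bin/sh -c "while true; do sleep 30; done"` removes that dependence on the cwd. `FROM ubuntu` is unpinned, so every build pulls whatever the untagged default currently is and the test's behaviour can drift between runs; pinning a tag or digest (`FROM ubuntu:<pinned-tag>`, placeholder) keeps it reproducible. `ARG DEBIAN_FRONTEND=noninteractive` is unused, since nothing in the file invokes apt. The file also ends without a trailing newline.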