diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md index 8481e449..615c5df0 100644 --- a/atomics/T1014/T1014.md +++ b/atomics/T1014/T1014.md @@ -22,8 +22,6 @@ Permissions Required: Administrator, SYSTEM, root - [Atomic Test #3 - LD_PRELOAD based Rootkit](#atomic-test-3---ld_preload-based-rootkit) -- [Atomic Test #4 - Windows Driver Exploit To Load Rootkit](#atomic-test-4---windows-driver-exploit-to-load-rootkit) -
@@ -74,26 +72,3 @@ LD_PRELOAD based Rootkit export LD_PRELOAD=$PWD/#{rootkit_file} ```
-
- -## Atomic Test #4 - Windows Driver Exploit To Load Rootkit -We will leverage a signed vulnerable driver to test this. -You are responsible for obtaining the specific driver for the test. -SHA1 for puppetstrings.exe DD8DA630C00953B6D5182AA66AF999B1E117F441 -Fullcredit for this test here: -https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html -Signed Driver Hash: C1D5CF8C43E7679B782630E93F5E6420CA1749A7 - -**Supported Platforms:** Windows - - -#### Inputs -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| capcom_path | Path to vulnerable CapCom Driver | Path | C:\Drivers\CapCom.sys| - -#### Run it with `command_prompt`! -``` -puppetstrings.exe #{capcom_path} -``` -
diff --git a/atomics/T1014/T1014.yaml b/atomics/T1014/T1014.yaml index 05523a60..ecb4eda8 100644 --- a/atomics/T1014/T1014.yaml +++ b/atomics/T1014/T1014.yaml @@ -48,3 +48,28 @@ atomic_tests: name: sh command: | export LD_PRELOAD=$PWD/#{rootkit_file} + +- name: Windows Signed Driver Rootkit Test + description: | + This test exploits a signed driver to execute code in Kernel. + SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7 + We leverage the work done here: + https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html + The hash of our PoC Exploit is + SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 + This will simulate hiding a process. + It would be wise if you only run this in a test environment + + supported_platforms: + - windows + + input_arguments: + driver_path: + description: Path to the vulnerable driver + type: Path + default: C:\Drivers\driver.sys + + executor: + name: command_prompt + command: | + puppetstrings #{driver_path} diff --git a/atomics/T1014/bin/puppetstrings.exe b/atomics/T1014/bin/puppetstrings.exe new file mode 100755 index 00000000..2ea91e29 Binary files /dev/null and b/atomics/T1014/bin/puppetstrings.exe differ diff --git a/atomics/index.md b/atomics/index.md index 1152255b..e6983303 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -242,7 +242,6 @@ - Atomic Test #1: Loadable Kernel Module based Rootkit [linux] - Atomic Test #2: Loadable Kernel Module based Rootkit [linux] - Atomic Test #3: LD_PRELOAD based Rootkit [linux] - - Atomic Test #4: Windows Driver Exploit To Load Rootkit [windows] - [T1085 Rundll32](./T1085/T1085.md) - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] - T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index cb87281e..ad162f79 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -76,7 +76,6 @@ - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] - Atomic Test #3: Regsvr32 local DLL execution [windows] - [T1014 Rootkit](./T1014/T1014.md) - - Atomic Test #4: Windows Driver Exploit To Load Rootkit [windows] - [T1085 Rundll32](./T1085/T1085.md) - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] - T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
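Review bot: the two T1014.md hunks delete the "Atomic Test #4 - Windows Driver Exploit To Load Rootkit" section and its table-of-contents entry, while the T1014.yaml hunk in the same patch adds a Windows driver test; since the markdown in this repository is generated from the YAML, the document should be regenerated to describe the new test ("Windows Signed Driver Rootkit Test", input `driver_path`, default `C:\Drivers\driver.sys`) rather than dropped. Also carry over the removed line "You are responsible for obtaining the specific driver for the test": the YAML description lists the driver's SHA1 but no longer tells the operator that the driver is not shipped with the test.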
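Review bot: in the T1014.yaml hunk the executor command `puppetstrings #{driver_path}` names the binary with no path, but the patch places it at `atomics/T1014/bin/puppetstrings.exe`; unless that directory happens to be on PATH, `command_prompt` will not find it, so the command should reference the binary by its location in the T1014 bin folder. The test also loads whatever file sits at `#{driver_path}` without checking it: the description documents SHA1 `C1D5CF8C43E7679B782630E93F5E6420CA1749A7` for the driver, so add a prerequisite step that confirms the file exists and matches that hash and aborts otherwise, so the test fails cleanly instead of loading an unexpected driver into the kernel. Minor: the input was `capcom_path` with default `C:\Drivers\CapCom.sys` in the removed markdown and is now `driver_path` with `C:\Drivers\driver.sys`; pick one name and default and use it in both files.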
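Review bot: the `atomics/T1014/bin/puppetstrings.exe` hunk commits a compiled proof-of-concept binary with no source, build instructions, or provenance beyond the blog link in the YAML description; a reviewer cannot verify what the executable does, and nothing ties the committed file to the SHA1 `DD8DA630C00953B6D5182AA66AF999B1E117F441` quoted in the description. Please add the source (or a pointer to the exact upstream revision it was built from) and record the expected hash where the test harness can check it, rather than only in free-text description. The `100755` mode on a Windows executable is harmless but worth normalising.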
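Review bot: the atomics/index.md hunk removes "Atomic Test #4: Windows Driver Exploit To Load Rootkit [windows]" under T1014, but the YAML hunk adds a fourth test to T1014, so the regenerated index should list "Atomic Test #4: Windows Signed Driver Rootkit Test [windows]" in its place instead of leaving T1014 with only the three Linux tests.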
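Review bot: the atomics/windows-index.md hunk leaves "[T1014 Rootkit](./T1014/T1014.md)" with no test entries beneath it, since the only Windows test is removed; with the new Windows test added in T1014.yaml, regenerate this index so the T1014 heading is followed by the new test's entry rather than sitting empty.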