diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md index 615c5df0..8481e449 100644 --- a/atomics/T1014/T1014.md +++ b/atomics/T1014/T1014.md @@ -22,6 +22,8 @@ Permissions Required: Administrator, SYSTEM, root - [Atomic Test #3 - LD_PRELOAD based Rootkit](#atomic-test-3---ld_preload-based-rootkit) +- [Atomic Test #4 - Windows Driver Exploit To Load Rootkit](#atomic-test-4---windows-driver-exploit-to-load-rootkit) +
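Review bot: the trailing `+` line at the end of this hunk adds a blank line after the test list, and the next hunk then opens with two more added blank lines, so the new heading ends up separated by more whitespace than the other tests; drop one of these blank additions so spacing stays consistent. The anchor `#atomic-test-4---windows-driver-exploit-to-load-rootkit` follows the same slug pattern as the Test #3 link directly above it, so the link itself resolves.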
@@ -72,3 +74,26 @@ LD_PRELOAD based Rootkit export LD_PRELOAD=$PWD/#{rootkit_file} ```
+
+ +## Atomic Test #4 - Windows Driver Exploit To Load Rootkit +We will leverage a signed vulnerable driver to test this. +You are responsible for obtaining the specific driver for the test. +SHA1 for puppetstrings.exe DD8DA630C00953B6D5182AA66AF999B1E117F441 +Fullcredit for this test here: +https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html +Signed Driver Hash: C1D5CF8C43E7679B782630E93F5E6420CA1749A7 + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| capcom_path | Path to vulnerable CapCom Driver | Path | C:\Drivers\CapCom.sys| + +#### Run it with `command_prompt`! +``` +puppetstrings.exe #{capcom_path} +``` +
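Review bot: the command `puppetstrings.exe #{capcom_path}` takes only the driver path, but nothing in this hunk states which rootkit artifact gets loaded or what a tester should observe afterwards (a loaded driver, a hidden object, a log event), and there is no cleanup step to unload it; add an expected-result sentence and a cleanup command so the test is verifiable and reversible. The two SHA1 values given as prose (`DD8DA630C00953B6D5182AA66AF999B1E117F441` for puppetstrings.exe and `C1D5CF8C43E7679B782630E93F5E6420CA1749A7` for the driver) would be more useful as a prerequisite check that compares the files at `capcom_path` and the executable against those hashes before running, so a wrong or tampered binary fails early instead of executing. Minor: `Fullcredit` should read `Full credit`, the table cell `C:\Drivers\CapCom.sys|` is missing the space before the closing pipe, and the two whitespace-only `+` lines after the closing fence can go.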
diff --git a/atomics/index.md b/atomics/index.md index e6983303..1152255b 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -242,6 +242,7 @@ - Atomic Test #1: Loadable Kernel Module based Rootkit [linux] - Atomic Test #2: Loadable Kernel Module based Rootkit [linux] - Atomic Test #3: LD_PRELOAD based Rootkit [linux] + - Atomic Test #4: Windows Driver Exploit To Load Rootkit [windows] - [T1085 Rundll32](./T1085/T1085.md) - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] - T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index ad162f79..cb87281e 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -76,6 +76,7 @@ - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] - Atomic Test #3: Regsvr32 local DLL execution [windows] - [T1014 Rootkit](./T1014/T1014.md) + - Atomic Test #4: Windows Driver Exploit To Load Rootkit [windows] - [T1085 Rundll32](./T1085/T1085.md) - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] - T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
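Review bot: both index hunks match the new heading text and the `[windows]` platform tag, and the placement is correct: the context lines show that `[T1014 Rootkit]` in windows-index.md previously listed no tests at all (T1085 followed it directly), so Test #4 now stands alone there while index.md lists Tests #1 through #4, which is what a Windows-only index should show. One thing to check before merging: if T1014.md and these index files are produced from the technique's YAML definition, the YAML change is not in this patch, and the next regeneration would drop the test; include it if that is the case.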