diff --git a/atomics/T1193/T1193.yaml b/atomics/T1193/T1193.yaml
index dec1e631..172a5753 100644
--- a/atomics/T1193/T1193.yaml
+++ b/atomics/T1193/T1193.yaml
@@ -5,7 +5,7 @@ display_name: Spearphishing Attachment atomic_tests: - name: Download Phishing Attachment - VBScript description: | - The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). + The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). The below will successfully download the macro-enabled Excel file to the current location. supported_platforms: - windows
@@ -17,11 +17,23 @@ atomic_tests: return 'Please install Microsoft Excel before running this test.' } else{ - $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAttachment.xlsm' + $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/bin/PhishingAttachment.xlsm' $fileName = 'PhishingAttachment.xlsm' New-Item -Type File -Force -Path $fileName | out-null $wc = New-Object System.Net.WebClient $wc.Encoding = [System.Text.Encoding]::UTF8 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ($wc.DownloadString("$url")) | Out-File $fileName - } \ No newline at end of file + } + +- name: Word spawned a command shell and used an IP address in the command line description: | + Opens a word document that will run powershell and perform an nslookup on the IP 192.168.1.1 and a sleep command + + supported_platforms: + - windows + + executor: + name: powershell + command: | + Start-Process PathToAtomicsFolder\T1193\src\PowerShell_IP_Doc.doc
diff --git a/atomics/T1193/PhishingAttachment.xlsm b/atomics/T1193/bin/PhishingAttachment.xlsm
old mode 100755
new mode 100644
similarity index 100%
rename from atomics/T1193/PhishingAttachment.xlsm
rename to atomics/T1193/bin/PhishingAttachment.xlsm
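Review bot: The new test's `Start-Process PathToAtomicsFolder\T1193\src\PowerShell_IP_Doc.doc` points at `src`, but this commit adds the document under `atomics/T1193/bin/`, so the test as written would not find the file; the command should read `Start-Process PathToAtomicsFolder\T1193\bin\PowerShell_IP_Doc.doc`. In the first test of the same hunk, the updated `$url` is still a GitHub `blob` page address and the content is fetched with `DownloadString` and written through `Out-File`, so what lands on disk is most likely HTML text rather than the workbook, and detections keyed on a real macro-enabled file would not be exercised. Switching to the `raw` form of the URL and `$wc.DownloadFile($url, (Join-Path $PWD $fileName))` would keep the bytes intact. The new test also has no check that Word is installed, unlike the Excel check visible earlier in the hunk; the body of that `if/else` starts outside the hunk.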
diff --git a/atomics/T1193/bin/PowerShell_IP_Doc.doc b/atomics/T1193/bin/PowerShell_IP_Doc.doc
new file mode 100644
index 00000000..c8695e40
Binary files /dev/null and b/atomics/T1193/bin/PowerShell_IP_Doc.doc differ