diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md index ab95b4f9..f3df3046 100644 --- a/atomics/T1140/T1140.md +++ b/atomics/T1140/T1140.md @@ -26,6 +26,8 @@ Contributors: Matthew Demaske, Adaptforward, Red Canary - [Atomic Test #1 - Deobfuscate/Decode Files Or Information](#atomic-test-1---deobfuscatedecode-files-or-information) +- [Atomic Test #2 - Certutil Rename and Decode](#atomic-test-2---certutil-rename-and-decode) +
@@ -46,3 +48,22 @@ certutil.exe -encode #{executable} file.txt certutil.exe -decode file.txt #{executable} ```
+
+ +## Atomic Test #2 - Certutil Rename and Decode +Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| executable | name of executable/file to decode | path | c:\file.exe| + +#### Run it with `command_prompt`! +``` +cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp +cmd.exe /c %temp%tcm.tmp -decode #{executable} +``` +
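Review bot: the two command lines in the `command_prompt` block have path problems that will keep this test from running as described. `%temp%tcm.tmp` is missing a separator: `%temp%` expands to the Temp directory without a trailing backslash, so the copy lands beside the Temp folder with `tcm.tmp` glued onto its name rather than inside it; both lines should use `%temp%\tcm.tmp`. The doubled backslashes in `%windir%\\system32\\certutil.exe` are not needed in cmd.exe and are inconsistent with the single-backslash `c:\file.exe` default in the Inputs table. More importantly, `-decode` takes an input file and an output file, so `%temp%tcm.tmp -decode #{executable}` with a single argument will exit with a usage error; Test #1 just above shows the expected shape, `certutil.exe -decode file.txt #{executable}`, and the `executable` input (described as the "file to decode", default `c:\file.exe`) should either be the base64 text produced by an `-encode` step or be split into an encoded input and a decoded output argument. On the documentation side, "latest research by FireEye" will age quickly; cite it as FireEye's September 2018 APT10 post (the date is in the URL) and say in the description what the rename is meant to test, so detection engineers know the copy is the interesting part. Minor: the table row `| executable | name of executable/file to decode | path | c:\file.exe|` is missing the space before the closing pipe.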
diff --git a/atomics/T1140/T1140.yaml b/atomics/T1140/T1140.yaml index d2547722..bcc7e463 100644 --- a/atomics/T1140/T1140.yaml +++ b/atomics/T1140/T1140.yaml @@ -21,3 +21,22 @@ atomic_tests: command: | certutil.exe -encode #{executable} file.txt certutil.exe -decode file.txt #{executable} + +- name: Certutil Rename and Decode + description: | + Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) + + supported_platforms: + - windows + + input_arguments: + executable: + description: name of executable/file to decode + type: path + default: c:\file.exe + + executor: + name: command_prompt + command: | + cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp + cmd.exe /c %temp%tcm.tmp -decode #{executable} diff --git a/atomics/index.md b/atomics/index.md index fb1afe2e..c423c08e 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -149,6 +149,7 @@ - T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1140 Deobfuscate/Decode Files or Information](./T1140/T1140.md) - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows] + - Atomic Test #2: Certutil Rename and Decode [windows] - [T1089 Disabling Security Tools](./T1089/T1089.md) - Atomic Test #1: Disable iptables firewall [linux] - Atomic Test #2: Disable syslog [linux] diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 460857b5..e16c7ac8 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -21,6 +21,7 @@ - T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1140 Deobfuscate/Decode Files or Information](./T1140/T1140.md) - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows] + - Atomic Test #2: Certutil Rename and Decode [windows] - [T1089 Disabling Security Tools](./T1089/T1089.md) - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
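Review bot: the `T1140.yaml` hunk carries the same defects as the markdown, and this is the definition that actually executes: `%temp%tcm.tmp` needs to be `%temp%\tcm.tmp` on both lines, the `\\` in `%windir%\\system32\\certutil.exe` are literal inside the `command: |` block and should be single backslashes, and `-decode #{executable}` needs an output file argument as in the existing test's `certutil.exe -decode file.txt #{executable}`. The test also leaves the renamed copy behind in `%temp%` with nothing to remove it; add a cleanup step that deletes `%temp%\tcm.tmp` (a `cleanup_command` under the executor if the schema in use supports it, otherwise a final `del` in the command) so repeated runs start clean and the dropped binary is not mistaken for a real artifact. The `description` should state the date of the FireEye reference rather than "latest research". The two index hunks (`index.md`, `windows-index.md`) are consistent with the new test name and need no change.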