From 119ffdf03f62cc343ddbc35e707f866ebfe999f5 Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Wed, 22 Jan 2020 20:37:46 -0700
Subject: [PATCH] move emond test into correct T# (#791)

Co-authored-by: Tony M Lambert
---
 atomics/T1165/T1165.yaml | 23 ----------------
 atomics/T1519/T1519.yaml | 27 +++++++++++++++++++
 .../src/T1519_emond.plist} | 0
 3 files changed, 27 insertions(+), 23 deletions(-)
 create mode 100644 atomics/T1519/T1519.yaml
 rename atomics/{T1165/src/T1165_emond.plist => T1519/src/T1519_emond.plist} (100%)

diff --git a/atomics/T1165/T1165.yaml b/atomics/T1165/T1165.yaml
index 0af7ea3d..bb371d2e 100644
--- a/atomics/T1165/T1165.yaml
+++ b/atomics/T1165/T1165.yaml
@@ -19,26 +19,3 @@ atomic_tests:
 sudo touch /Library/StartupItems/EvilStartup.plist
 cleanup_command: |
 sudo rm /Library/StartupItems/EvilStartup.plist
-
-- name: Persistance with Event Monitor - emond
- description: |
- Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
-
- supported_platforms:
- - macos
-
- input_arguments:
- plist:
- description: Path to attacker emond plist file
- type: path
- default: $PathToAtomics/T1165/src/T1165_emond.plist
-
- executor:
- name: sh
- elevation_required: true
- command: |
- sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
- sudo touch /private/var/db/emondClients/T1165
- cleanup_command: |
- sudo rm /etc/emond.d/rules/T1165_emond.plist
- sudo rm /private/var/db/emondClients/T1165
diff --git a/atomics/T1519/T1519.yaml b/atomics/T1519/T1519.yaml
new file mode 100644
index 00000000..d1b37f26
--- /dev/null
+++ b/atomics/T1519/T1519.yaml
@@ -0,0 +1,27 @@
+---
+attack_technique: T1519
+display_name: Emond
+
+atomic_tests:
+- name: Persistance with Event Monitor - emond
+ description: |
+ Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+
+ supported_platforms:
+ - macos
+
+ input_arguments:
+ plist:
+ description: Path to attacker emond plist file
+ type: path
+ default: PathToAtomicsFolder/T1519/src/T1519_emond.plist
+
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ sudo cp "#{plist}" /etc/emond.d/rules/T1519_emond.plist
+ sudo touch /private/var/db/emondClients/T1519
+ cleanup_command: |
+ sudo rm /etc/emond.d/rules/T1519_emond.plist
+ sudo rm /private/var/db/emondClients/T1519
diff --git a/atomics/T1165/src/T1165_emond.plist b/atomics/T1519/src/T1519_emond.plist
similarity index 100%
rename from atomics/T1165/src/T1165_emond.plist
rename to atomics/T1519/src/T1519_emond.plist
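Review bot: The test's `name` carries the misspelling "Persistance" over into the new T1519.yaml, and since this is the identifier by which the test is reported, it should be fixed while the file is being created: `- name: Persistence with Event Monitor - emond`. The `description` could also state what a defender should expect to see, since the `command` already makes it concrete: a closing sentence such as "Expected artifacts: a new rule file under /etc/emond.d/rules/ and a client marker file under /private/var/db/emondClients/" turns the test into something that validates telemetry rather than only exercising the technique. Both `sudo rm` lines in `cleanup_command` will print an error and return non-zero if the test was only partially applied (for example `cp` succeeded but `touch` did not); `sudo rm -f` on each line keeps cleanup quiet and idempotent.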