diff --git a/atomics/T1145/T1145.md b/atomics/T1145/T1145.md
index 8037821e..fac14e36 100644
--- a/atomics/T1145/T1145.md
+++ b/atomics/T1145/T1145.md
@@ -22,6 +22,12 @@ Contributors: Itzik Kotler, SafeBreach
- [Atomic Test #1 - Private Keys](#atomic-test-1---private-keys)
+- [Atomic Test #2 - Discover Private SSH Keys](#atomic-test-2---discover-private-ssh-keys)
+
+- [Atomic Test #3 - Copy Private SSH Keys with CP](#atomic-test-3---copy-private-ssh-keys-with-cp)
+
+- [Atomic Test #4 - Copy Private SSH Keys with rsync](#atomic-test-4---copy-private-ssh-keys-with-rsync)
+
@@ -39,3 +45,62 @@ echo "ATOMICREDTEAM" > %windir%\cert.key
dir c:\ /b /s .key | findstr /e .key
```
+
+
+## Atomic Test #2 - Discover Private SSH Keys
+Discover private SSH keys on a macOS or Linux system.
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Output file containing locations of SSH key files | path | /tmp/keyfile_locations.txt|
+
+#### Run it with `sh`!
+```
+find / -name id_rsa >> #{output_file}
+find / -name id_dsa >> #{output_file}
+```
+
+
+
+## Atomic Test #3 - Copy Private SSH Keys with CP
+Copy private SSH keys on a Linux system to a staging folder using the `cp` command.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
+
+#### Run it with `sh`!
+```
+mkdir #{output_folder}
+find / -name id_rsa -exec cp --parents {} #{output_folder} \;
+find / -name id_dsa -exec cp --parents {} #{output_folder} \;
+```
+
+
+
+## Atomic Test #4 - Copy Private SSH Keys with rsync
+Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command.
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
+
+#### Run it with `sh`!
+```
+mkdir #{output_folder}
+find / -name id_rsa -exec rsync -R {} #{output_folder} \;
+find / -name id_dsa -exec rsync -R {} #{output_folder} \;
+```
+
diff --git a/atomics/index.md b/atomics/index.md
index 837bfc9f..ed22d00e 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -452,6 +452,9 @@
- T1174 Password Filter DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1145 Private Keys](./T1145/T1145.md)
- Atomic Test #1: Private Keys [windows]
+ - Atomic Test #2: Discover Private SSH Keys [macos, linux]
+ - Atomic Test #3: Copy Private SSH Keys with CP [linux]
+ - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1167 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 1ab8b19d..1674ea9c 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -12647,6 +12647,60 @@ credential-access:
command: |
echo "ATOMICREDTEAM" > %windir%\cert.key
dir c:\ /b /s .key | findstr /e .key
+ - name: Discover Private SSH Keys
+ description: 'Discover private SSH keys on a macOS or Linux system.
+
+'
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ output_file:
+ description: Output file containing locations of SSH key files
+ type: path
+ default: "/tmp/keyfile_locations.txt"
+ executor:
+ name: sh
+ command: |
+ find / -name id_rsa >> #{output_file}
+ find / -name id_dsa >> #{output_file}
+ - name: Copy Private SSH Keys with CP
+ description: 'Copy private SSH keys on a Linux system to a staging folder using
+ the `cp` command.
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_folder:
+ description: Output folder containing copies of SSH private key files
+ type: path
+ default: "/tmp/art-staging"
+ executor:
+ name: sh
+ command: |
+ mkdir #{output_folder}
+ find / -name id_rsa -exec cp --parents {} #{output_folder} \;
+ find / -name id_dsa -exec cp --parents {} #{output_folder} \;
+ - name: Copy Private SSH Keys with rsync
+ description: 'Copy private SSH keys on a Linux or macOS system to a staging
+ folder using the `rsync` command.
+
+'
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ output_folder:
+ description: Output folder containing copies of SSH private key files
+ type: path
+ default: "/tmp/art-staging"
+ executor:
+ name: sh
+ command: |
+ mkdir #{output_folder}
+ find / -name id_rsa -exec rsync -R {} #{output_folder} \;
+ find / -name id_dsa -exec rsync -R {} #{output_folder} \;
execution:
T1155:
technique:
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index 392916eb..e7af431d 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -114,6 +114,9 @@
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- [T1145 Private Keys](./T1145/T1145.md)
+ - Atomic Test #2: Discover Private SSH Keys [macos, linux]
+ - Atomic Test #3: Copy Private SSH Keys with CP [linux]
+ - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# defense-evasion
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index 0fcb3e78..a5c212f9 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -173,6 +173,8 @@
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #2: Packet Capture MacOS [macos]
- [T1145 Private Keys](./T1145/T1145.md)
+ - Atomic Test #2: Discover Private SSH Keys [macos, linux]
+ - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1167 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)