From 13665af6efb3c446c8df58e782ad85c9b2d86d20 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Sun, 21 Oct 2018 17:39:45 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/T1145/T1145.md | 65 ++++++++++++++++++++++++++++++++++++++++++
 atomics/index.md | 3 ++
 atomics/index.yaml | 54 +++++++++++++++++++++++++++++++++++
 atomics/linux-index.md | 3 ++
 atomics/macos-index.md | 2 ++
 5 files changed, 127 insertions(+)

diff --git a/atomics/T1145/T1145.md b/atomics/T1145/T1145.md
index 8037821e..fac14e36 100644
--- a/atomics/T1145/T1145.md
+++ b/atomics/T1145/T1145.md
@@ -22,6 +22,12 @@ Contributors: Itzik Kotler, SafeBreach
 - [Atomic Test #1 - Private Keys](#atomic-test-1---private-keys)
+- [Atomic Test #2 - Discover Private SSH Keys](#atomic-test-2---discover-private-ssh-keys)
+
+- [Atomic Test #3 - Copy Private SSH Keys with CP](#atomic-test-3---copy-private-ssh-keys-with-cp)
+
+- [Atomic Test #4 - Copy Private SSH Keys with rsync](#atomic-test-4---copy-private-ssh-keys-with-rsync)
+
@@ -39,3 +45,62 @@ echo "ATOMICREDTEAM" > %windir%\cert.key
 dir c:\ /b /s .key | findstr /e .key
 ```
+
+
+## Atomic Test #2 - Discover Private SSH Keys
+Discover private SSH keys on a macOS or Linux system.
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Output file containing locations of SSH key files | path | /tmp/keyfile_locations.txt|
+#### Run it with `sh`!
+```
+find / -name id_rsa >> #{output_file}
+find / -name id_dsa >> #{output_file}
+```
+
+
+
+## Atomic Test #3 - Copy Private SSH Keys with CP
+Copy private SSH keys on a Linux system to a staging folder using the `cp` command.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
+#### Run it with `sh`!
+```
+mkdir #{output_folder}
+find / -name id_rsa -exec cp --parents {} #{output_folder} \;
+find / -name id_dsa -exec cp --parents {} #{output_folder} \;
+```
+
+
+
+## Atomic Test #4 - Copy Private SSH Keys with rsync
+Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command.
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
+#### Run it with `sh`!
+```
+mkdir #{output_folder}
+find / -name id_rsa -exec rsync -R {} #{output_folder} \;
+find / -name id_dsa -exec rsync -R {} #{output_folder} \;
+```
+
diff --git a/atomics/index.md b/atomics/index.md
index 837bfc9f..ed22d00e 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -452,6 +452,9 @@
 - T1174 Password Filter DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1145 Private Keys](./T1145/T1145.md)
 - Atomic Test #1: Private Keys [windows]
+ - Atomic Test #2: Discover Private SSH Keys [macos, linux]
+ - Atomic Test #3: Copy Private SSH Keys with CP [linux]
+ - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1167 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 1ab8b19d..1674ea9c 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -12647,6 +12647,60 @@ credential-access:
 command: |
 echo "ATOMICREDTEAM" > %windir%\cert.key
 dir c:\ /b /s .key | findstr /e .key
+ - name: Discover Private SSH Keys
+ description: 'Discover private SSH keys on a macOS or Linux system.
+
+'
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ output_file:
+ description: Output file containing locations of SSH key files
+ type: path
+ default: "/tmp/keyfile_locations.txt"
+ executor:
+ name: sh
+ command: |
+ find / -name id_rsa >> #{output_file}
+ find / -name id_dsa >> #{output_file}
+ - name: Copy Private SSH Keys with CP
+ description: 'Copy private SSH keys on a Linux system to a staging folder using
+ the `cp` command.
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_folder:
+ description: Output folder containing copies of SSH private key files
+ type: path
+ default: "/tmp/art-staging"
+ executor:
+ name: sh
+ command: |
+ mkdir #{output_folder}
+ find / -name id_rsa -exec cp --parents {} #{output_folder} \;
+ find / -name id_dsa -exec cp --parents {} #{output_folder} \;
+ - name: Copy Private SSH Keys with rsync
+ description: 'Copy private SSH keys on a Linux or macOS system to a staging
+ folder using the `rsync` command.
+
+'
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ output_folder:
+ description: Output folder containing copies of SSH private key files
+ type: path
+ default: "/tmp/art-staging"
+ executor:
+ name: sh
+ command: |
+ mkdir #{output_folder}
+ find / -name id_rsa -exec rsync -R {} #{output_folder} \;
+ find / -name id_dsa -exec rsync -R {} #{output_folder} \;
 execution:
 T1155:
 technique:
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index 392916eb..e7af431d 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -114,6 +114,9 @@
 - [T1040 Network Sniffing](./T1040/T1040.md)
 - Atomic Test #1: Packet Capture Linux [linux]
 - [T1145 Private Keys](./T1145/T1145.md)
+ - Atomic Test #2: Discover Private SSH Keys [macos, linux]
+ - Atomic Test #3: Copy Private SSH Keys with CP [linux]
+ - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
 - T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 # defense-evasion
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index 0fcb3e78..a5c212f9 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -173,6 +173,8 @@
 - [T1040 Network Sniffing](./T1040/T1040.md)
 - Atomic Test #2: Packet Capture MacOS [macos]
 - [T1145 Private Keys](./T1145/T1145.md)
+ - Atomic Test #2: Discover Private SSH Keys [macos, linux]
+ - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
 - T1167 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)