diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md
index 0f9c3933..7bd96bc7 100644
--- a/atomics/T1074/T1074.md
+++ b/atomics/T1074/T1074.md
@@ -10,7 +10,7 @@ Interactive command shells may be used, and common functionality within [cmd](ht
- [Atomic Test #2 - Stage data from Discovery.sh](#atomic-test-2---stage-data-from-discoverysh)
-- [Atomic Test #3 - Zip a Folder with PowerShell](#atomic-test-3---zip-a-folder-with-powershell)
+- [Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp](#atomic-test-3---zip-a-folder-with-powershell-for-staging-in-temp)
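Review bot: The renamed TOC entry changes the heading anchor from `#atomic-test-3---zip-a-folder-with-powershell` to `#atomic-test-3---zip-a-folder-with-powershell-for-staging-in-temp`, so any existing deep link to the old anchor will stop resolving. The new anchor does match the slug of the renamed heading in the next hunk. Check for inbound links to the old anchor before merging.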
@@ -47,21 +47,21 @@ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ato
-## Atomic Test #3 - Zip a Folder with PowerShell
-use living off the land tools to encrypt and zip a file for exfiltration
+## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp
+Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration.
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
-Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_encrypt -DestinationPath $env:TEMP\Folder_to_encrypt.zip
+Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip -DestinationPath $env:TEMP\Folder_to_zip.zip
```
#### Cleanup Commands:
```
-Remove-Item -Path $env:TEMP\Folder_to_encrypt.zip
+Remove-Item -Path $env:TEMP\Folder_to_zip.zip
```
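Review bot: The `-Path` argument now points at `$PathToAtomicsFolder\T1074\bin\Folder_to_zip`, but no rename of the `Folder_to_encrypt` fixture directory appears anywhere in this diff. If that directory is not renamed in the same change, `Compress-Archive` will fail because the source path does not exist, so include the rename here or confirm it lands with this commit. Dropping "encrypt" from the description is correct, since the command only compresses.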
diff --git a/atomics/index.md b/atomics/index.md
index ddea9b38..7e3b0336 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -886,7 +886,7 @@
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- - Atomic Test #3: Zip a Folder with PowerShell [windows]
+ - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index f5f1e806..8202e6f1 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -25644,8 +25644,9 @@ collection:
| bash -s > /tmp/discovery.log
'
- - name: Zip a Folder with PowerShell
- description: 'use living off the land tools to encrypt and zip a file for exfiltration
+ - name: Zip a Folder with PowerShell for Staging in Temp
+ description: 'Use living off the land tools to zip a file and stage it in the
+ Windows temporary folder for later exfiltration.
'
supported_platforms:
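Review bot: The new `description` says "zip a file", while the `name` says "Zip a Folder" and the command compresses a folder. Suggest "zip a folder and stage it in the Windows temporary folder" so the name, description and command agree.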
@@ -25653,11 +25654,11 @@ collection:
executor:
name: powershell
elevation_required: false
- command: 'Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_encrypt
- -DestinationPath $env:TEMP\Folder_to_encrypt.zip
+ command: 'Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip
+ -DestinationPath $env:TEMP\Folder_to_zip.zip
'
- cleanup_command: 'Remove-Item -Path $env:TEMP\Folder_to_encrypt.zip
+ cleanup_command: 'Remove-Item -Path $env:TEMP\Folder_to_zip.zip
'
'':
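Review bot: `command` calls `Compress-Archive` without `-Force`, so a rerun fails if `$env:TEMP\Folder_to_zip.zip` is still present from an earlier run that was not cleaned up, and `cleanup_command` raises an error when the archive is absent. Since both lines are being touched anyway, consider adding `-Force` to `Compress-Archive` and `-ErrorAction Ignore` to `Remove-Item` so the test is repeatable.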
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 7bf79de9..565a938b 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -556,7 +556,7 @@
- Atomic Test #2: PowerShell [windows]
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- - Atomic Test #3: Zip a Folder with PowerShell [windows]
+ - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)