From 661e2beb3dfeeaef3a25c90dcd5301b7f3cb354b Mon Sep 17 00:00:00 2001
From: ezr <ezr@users.noreply.github.com>
Date: Wed, 26 Feb 2020 15:58:45 -0600
Subject: [PATCH] Correct markdown formatting for test #3 (#835)

* Correct markdown formatting for test #3

* Move XML data into its own file rather than try to display inline

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
---
 atomics/T1168/T1168.md                | 36 +++------------------------
 atomics/T1168/src/atomicredteam.plist | 32 ++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 33 deletions(-)
 create mode 100644 atomics/T1168/src/atomicredteam.plist

diff --git a/atomics/T1168/T1168.md b/atomics/T1168/T1168.md
index bad88389..8d0c11da 100644
--- a/atomics/T1168/T1168.md
+++ b/atomics/T1168/T1168.md
@@ -85,39 +85,9 @@ This test adds persistence via a plist to execute via the macOS Event Monitor Da
 **Supported Platforms:** macOS, Linux
 
 
-#### Run it with these steps! 1. Place this file in /etc/emond.d/rules/atomicredteam.plist
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<array>
-    <dict>
-        <key>name</key>
-        <string>atomicredteam</string>
-        <key>enabled</key>
-        <true/>
-        <key>eventTypes</key>
-        <array>
-            <string>startup</string>
-        </array>
-        <key>actions</key>
-        <array>
-            <dict>
-                <key>command</key>
-                <string>/usr/bin/say</string>
-                <key>user</key>
-                <string>root</string>
-                <key>arguments</key>
-                    <array>
-                        <string>-v Tessa</string>
-                        <string>I am a persistent startup item.</string>
-                    </array>
-                <key>type</key>
-                <string>RunCommand</string>
-            </dict>
-        </array>
-    </dict>
-</array>
-</plist>
+#### Run it with these steps! 
+
+1. Copy src/atomicredteam.plist into /etc/emond.d/rules/atomicredteam.plist
 
 2. Place an empty file in /private/var/db/emondClients/
 
diff --git a/atomics/T1168/src/atomicredteam.plist b/atomics/T1168/src/atomicredteam.plist
new file mode 100644
index 00000000..62bdcff4
--- /dev/null
+++ b/atomics/T1168/src/atomicredteam.plist
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+    <dict>
+        <key>name</key>
+        <string>atomicredteam</string>
+        <key>enabled</key>
+        <true/>
+        <key>eventTypes</key>
+        <array>
+            <string>startup</string>
+        </array>
+        <key>actions</key>
+        <array>
+            <dict>
+                <key>command</key>
+                <string>/usr/bin/say</string>
+                <key>user</key>
+                <string>root</string>
+                <key>arguments</key>
+                    <array>
+                        <string>-v Tessa</string>
+                        <string>I am a persistent startup item.</string>
+                    </array>
+                <key>type</key>
+                <string>RunCommand</string>
+            </dict>
+        </array>
+    </dict>
+</array>
+</plist>