From abb43d1b4ffb763f7c769dde57301d96094a33bf Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Fri, 19 Oct 2018 16:36:28 -0400
Subject: [PATCH 1/3] T1145 discover SSH keys

---
 atomics/T1145/T1145.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/atomics/T1145/T1145.yaml b/atomics/T1145/T1145.yaml
index d5c2b289..e0755fc6 100644
--- a/atomics/T1145/T1145.yaml
+++ b/atomics/T1145/T1145.yaml
@@ -17,3 +17,20 @@ atomic_tests:
 command: |
 echo "ATOMICREDTEAM" > %windir%\cert.key
 dir c:\ /b /s .key | findstr /e .key
+
+- name: Discover Private SSH Keys
+ description: |
+ Discover private SSH keys on a macOS or Linux system.
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ output_file:
+ description: Output file containing locations of SSH key files
+ type: path
+ default: /tmp/keyfile_locations.txt
+ executor:
+ name: sh
+ command: |
+ find / -name id_rsa > #{output_file}
+ find / -name id_dsa >> #{output_file}

From 4098cd9e092b504e4c329d54aa3e7b2411c993d2 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Fri, 19 Oct 2018 17:27:04 -0400
Subject: [PATCH 2/3] Minor fix to syntax

---
 atomics/T1145/T1145.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/atomics/T1145/T1145.yaml b/atomics/T1145/T1145.yaml
index e0755fc6..b4911092 100644
--- a/atomics/T1145/T1145.yaml
+++ b/atomics/T1145/T1145.yaml
@@ -32,5 +32,5 @@ atomic_tests:
 executor:
 name: sh
 command: |
- find / -name id_rsa > #{output_file}
+ find / -name id_rsa >> #{output_file}
 find / -name id_dsa >> #{output_file}

From 305e15388119abba6730a9ff2428724089b1ed2b Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Fri, 19 Oct 2018 17:42:11 -0400
Subject: [PATCH 3/3] T1145 Added tests to copy private keys using cp and rsync

---
 atomics/T1145/T1145.yaml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/atomics/T1145/T1145.yaml b/atomics/T1145/T1145.yaml
index b4911092..be8eb158 100644
--- a/atomics/T1145/T1145.yaml
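Review bot: The new `Discover Private SSH Keys` test defines no `cleanup_command`, so the list of private-key locations written to `#{output_file}` (default `/tmp/keyfile_locations.txt`) stays on the host after the test finishes; add `cleanup_command: rm -f #{output_file}` under `executor`. `find /` with no stderr redirect also prints a permission-denied line for every directory the test user cannot read and walks every mounted filesystem, which makes the run slow and the test output noisy — `2>/dev/null` on both `find` lines keeps that out of the result. The same missing-cleanup point applies to the two copy tests added in the third patch of this series. The enclosing `atomic_tests` sequence begins before this hunk.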
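Review bot: With `>>` on both `find` lines, a second run of the test appends to whatever `#{output_file}` already holds, so locations recorded by earlier runs are never cleared; with `>` on the first `find` the file was truncated at the start of each run. If both results are meant to be appended, the executor needs `cleanup_command: rm -f #{output_file}` so each run starts from an empty file, otherwise keep `>` on the first line. The executor this hunk changes belongs to a test whose `name` and `input_arguments` lie outside the hunk.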
+++ b/atomics/T1145/T1145.yaml
@@ -34,3 +34,38 @@ atomic_tests:
 command: |
 find / -name id_rsa >> #{output_file}
 find / -name id_dsa >> #{output_file}
+
+- name: Copy Private SSH Keys with CP
+ description: |
+ Copy private SSH keys on a Linux system to a staging folder using the `cp` command.
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_folder:
+ description: Output folder containing copies of SSH private key files
+ type: path
+ default: /tmp/art-staging
+ executor:
+ name: sh
+ command: |
+ mkdir #{output_folder}
+ find / -name id_rsa -exec cp --parents {} #{output_folder} \;
+ find / -name id_dsa -exec cp --parents {} #{output_folder} \;
+
+- name: Copy Private SSH Keys with rsync
+ description: |
+ Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command.
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ output_folder:
+ description: Output folder containing copies of SSH private key files
+ type: path
+ default: /tmp/art-staging
+ executor:
+ name: sh
+ command: |
+ mkdir #{output_folder}
+ find / -name id_rsa -exec rsync -R {} #{output_folder} \;
+ find / -name id_dsa -exec rsync -R {} #{output_folder} \;
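Review bot: Both new copy tests leave a copy of every private key they find under `#{output_folder}` (default `/tmp/art-staging`) and define no `cleanup_command`, so key material stays staged in a shared temp directory after the test; add `cleanup_command: rm -rf #{output_folder}` to both executors. `mkdir #{output_folder}` fails when the folder already exists — for example when the rsync test runs after the cp test, since both share the same default — so `mkdir -p #{output_folder}` is the safer form, and unless the umask is restrictive the folder is created listable by other local users, so a `chmod 700 #{output_folder}` right after it is worth adding. `rsync -R` without `-p` is not guaranteed to carry the source files' mode over to the copies — confirm on both platforms before relying on it. The enclosing `atomic_tests` sequence begins before this hunk.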