diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml
index b2e84e93..39758ed2 100644
--- a/atomics/T1056.001/T1056.001.yaml
+++ b/atomics/T1056.001/T1056.001.yaml
@@ -26,7 +26,7 @@ atomic_tests:
 elevation_required: true
 - name: Living off the land Terminal Input Capture on Linux with pam.d
 description: |
- Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log.
+ Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity would then be archived and readable to an adversary with elevated credentials. Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command). 
@@ -45,13 +45,13 @@ atomic_tests:
 sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/system-auth
 sudo pam-auth-update --package --force
 cleanup_command: |
- sudo mv /tmp/password-auth.bk /etc/pam.d/password-auth
- sudo mv /tmp/system-auth.bk /etc/pam.d/system-auth
+ sudo cp -f /tmp/password-auth.bk /etc/pam.d/password-auth
+ sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
 name: bash
 elevation_required: true
 - name: Living off the land Terminal Input Capture on Linux with pam.d for shell
 description: |
- This is the same as test 2, only without the bashisms: Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log.
+ This is the same as test 2, only without the bashisms: Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity would then be archived and readable by an adversary with elevated privledges. Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
@@ -70,7 +70,7 @@ atomic_tests:
 sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/system-auth
 sudo pam-auth-update --package --force
 cleanup_command: |
- sudo mv /tmp/password-auth.bk /etc/pam.d/password-auth
- sudo mv /tmp/system-auth.bk /etc/pam.d/system-auth
+ sudo cp -f /tmp/password-auth.bk /etc/pam.d/password-auth
+ sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
 name: sh
 elevation_required: true
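Review bot: The new `cp -f` lines in the `sh` test's cleanup_command read their source from fixed names under world-writable `/tmp` and write the result into `/etc/pam.d/` as root, and unlike the old `mv` they leave `/tmp/password-auth.bk` and `/tmp/system-auth.bk` behind, so a local user who pre-creates or symlinks those names before the test runs can get their content installed as the PAM stack (the backup step that creates the files is outside this hunk, so I cannot tell whether it would refuse to clobber a pre-existing file). Prefer a root-owned directory from `mktemp -d` or at least guard the restore, e.g. `[ -f /tmp/password-auth.bk ] && sudo cp -f /tmp/password-auth.bk /etc/pam.d/password-auth`, and delete the copies afterwards so cleanup returns the host to its prior state. The cleanup also never re-runs `pam-auth-update` and does not touch live sessions, so any pam_tty_audit rule already loaded into the audit subsystem for logged-in users persists until those sessions end; a one-line comment saying so would save the next reader a surprise. Separately, the context line passes `log_password`, whereas pam_tty_audit(8) documents the option as `log_passwd` (the spelling the updated description uses); worth confirming the module accepts the longer form, since otherwise the password-capture part of the test silently never activates.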