Reorganization (#2621)

Reordered so that a standard keychain dump is the first test because it seems to best fit the ATT&CK framework description. Then, separated previous list of certificate commands into 2 tests for clarity and easier use. Removed help command (security -h) and reorganized comments for clarity.

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1555.001/T1555.001.yaml

@@ -1,20 +1,30 @@
 attack_technique: T1555.001
 display_name: 'Credentials from Password Stores: Keychain'
 atomic_tests:
-- name: Keychain
+
+- name: Keychain Dump 
+  auto_generated_guid: 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6
+  description: |-
+    This command will dump keychain credential information from login.keychain. 
+    Source: https://www.loobins.io/binaries/security/
+
+    ### Keychain File path
+      ~/Library/Keychains/
+      /Library/Keychains/
+      /Network/Library/Keychains/
+      [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
+      
+  supported_platforms:
+  - macos
+  executor:
+    command: sudo security dump-keychain -d login.keychain
+    name: sh
+    elevation_required: true
+
+- name: Export Certificate Item(s)
   auto_generated_guid: 1864fdec-ff86-4452-8c30-f12507582a93
   description: |
-    ### Keychain Files
-
-      ~/Library/Keychains/
-
-      /Library/Keychains/
-
-      /Network/Library/Keychains/
-
-      [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
-
-      [Keychain dumper](https://github.com/juuso/keychaindump)
+    This command finds all certificate items and sends the output to local file in pem format.
   supported_platforms:
   - macos
   input_arguments:
@@ -24,19 +34,23 @@ atomic_tests:
       default: /tmp/certs.pem
   executor:
     command: |
-      security -h
       security find-certificate -a -p > #{cert_export}
-      security import #{cert_export} -k
+    cleanup_command: 'rm #{cert_export}'
     name: sh
+    elevation_required: false
 
-- name: Keychain Dump 
-  auto_generated_guid: 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6
-  description: |-
-    This command will dump keychain credential information from login.keychain. 
-    Source: https://www.loobins.io/binaries/security/
+- name: Import Certificate Item(s) into Keychain
+  description: |
+    This command will import a certificate pem file into a keychain.
   supported_platforms:
   - macos
+  input_arguments:
+    cert_export:
+      description: Specify the path of the pem certificate file to import.
+      type: path
+      default: /tmp/certs.pem
   executor:
-    command: sudo security dump-keychain -d login.keychain
+    command: |
+      security import #{cert_export} -k
     name: sh
-    elevation_required: true
+    elevation_required: false