diff --git a/atomics/T1002/T1002.md b/atomics/T1002/T1002.md
index 4c55af49..956d1344 100644
--- a/atomics/T1002/T1002.md
+++ b/atomics/T1002/T1002.md
@@ -8,7 +8,11 @@
- [Atomic Test #2 - Compress Data for Exfiltration With Rar](#atomic-test-2---compress-data-for-exfiltration-with-rar)
-- [Atomic Test #3 - Data Compressed - nix](#atomic-test-3---data-compressed---nix)
+- [Atomic Test #3 - Data Compressed - nix - zip](#atomic-test-3---data-compressed---nix---zip)
+
+- [Atomic Test #4 - Data Compressed - nix - gzip Single File](#atomic-test-4---data-compressed---nix---gzip-single-file)
+
+- [Atomic Test #5 - Data Compressed - nix - tar Folder or File](#atomic-test-5---data-compressed---nix---tar-folder-or-file)
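Review bot: Renaming Test #3 in this table of contents changes its anchor from `#atomic-test-3---data-compressed---nix` to `#atomic-test-3---data-compressed---nix---zip`, so any existing link to the old anchor stops resolving. If the old heading is linked from other documents, mention the rename in the change description so those links can be updated.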
@@ -51,22 +55,57 @@ rar a -r #{output_file} #{input_file}
-## Atomic Test #3 - Data Compressed - nix
-An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
+## Atomic Test #3 - Data Compressed - nix - zip
+An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
**Supported Platforms:** Linux, macOS
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/*|
+| output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip|
+
#### Run it with `sh`!
```
-mkdir /tmp/victim-files
-cd /tmp/victim-files
-touch a b c d e f g
-echo "This file will be gzipped" > /tmp/victim-gzip.txt
-echo "This file will be tarred" > /tmp/victim-tar.txt
-zip /tmp/victim-files.zip /tmp/victim-files/*
-gzip -f /tmp/victim-gzip.txt
-tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/
-tar -cvzf /tmp/victim-tar.tar.gz
+zip #{output_file} #{input_files}
+```
+
+
+
+## Atomic Test #4 - Data Compressed - nix - gzip Single File
+An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
+
+**Supported Platforms:** Linux, macOS
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt|
+
+#### Run it with `sh`!
+```
+gzip -f #{input_file}
+```
+
+
+
+## Atomic Test #5 - Data Compressed - nix - tar Folder or File
+An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
+
+**Supported Platforms:** Linux, macOS
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_file_folder | Path that should be compressed | Path | /tmp/victim-files/|
+| output_file | File that should be output | Path | /tmp/victim-files.tar.gz|
+
+#### Run it with `sh`!
+```
+tar -cvzf #{output_file} #{input_file_folder}
```
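Review bot: The three new `sh` blocks drop the fixture setup that the old Test #3 carried (`mkdir /tmp/victim-files`, `touch a b c d e f g`, and the two `echo ... > /tmp/victim-*.txt` lines), so with the default inputs `zip`, `gzip -f` and `tar -cvzf` have nothing to operate on unless `/tmp/victim-files/` and `/tmp/victim-gzip.txt` already exist. Either keep a setup step in each test or state the prerequisite next to the Inputs table. In Test #5 the description still reads "This test uses standard gzip compression", copied from Test #4; it should describe tar with gzip. Test #4 would also benefit from a line noting that `gzip -f` replaces the input with `#{input_file}.gz`, which matters once the default is overridden with a real path.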
diff --git a/atomics/index.md b/atomics/index.md
index f4306352..191a101e 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -675,7 +675,9 @@
- [T1002 Data Compressed](./T1002/T1002.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
- - Atomic Test #3: Data Compressed - nix [linux, macos]
+ - Atomic Test #3: Data Compressed - nix - zip [linux, macos]
+ - Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
+ - Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index fc34c5d9..5d70c721 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -18407,24 +18407,67 @@ exfiltration:
command: 'rar a -r #{output_file} #{input_file}
'
- - name: Data Compressed - nix
- description: "An adversary may compress data (e.g., sensitive documents) that
- is collected prior to exfiltration \n"
+ - name: Data Compressed - nix - zip
+ description: 'An adversary may compress data (e.g., sensitive documents) that
+ is collected prior to exfiltration. This test uses standard zip compression.
+
+'
supported_platforms:
- linux
- macos
+ input_arguments:
+ input_files:
+ description: Path that should be compressed into our output file, may include
+ wildcards
+ type: Path
+ default: "/tmp/victim-files/*"
+ output_file:
+ description: Path that should be output as a zip archive
+ type: Path
+ default: "/tmp/victim-files.zip"
executor:
name: sh
- command: |
- mkdir /tmp/victim-files
- cd /tmp/victim-files
- touch a b c d e f g
- echo "This file will be gzipped" > /tmp/victim-gzip.txt
- echo "This file will be tarred" > /tmp/victim-tar.txt
- zip /tmp/victim-files.zip /tmp/victim-files/*
- gzip -f /tmp/victim-gzip.txt
- tar -cvzf /tmp/victim-files.tar.gz /tmp/victim-files/
- tar -cvzf /tmp/victim-tar.tar.gz
+ command: 'zip #{output_file} #{input_files}
+
+'
+ - name: Data Compressed - nix - gzip Single File
+ description: 'An adversary may compress data (e.g., sensitive documents) that
+ is collected prior to exfiltration. This test uses standard gzip compression.
+
+'
+ supported_platforms:
+ - linux
+ - macos
+ input_arguments:
+ input_file:
+ description: Path that should be compressed
+ type: Path
+ default: "/tmp/victim-gzip.txt"
+ executor:
+ name: sh
+ command: 'gzip -f #{input_file}
+
+'
+ - name: Data Compressed - nix - tar Folder or File
+ description: 'An adversary may compress data (e.g., sensitive documents) that
+ is collected prior to exfiltration. This test uses standard gzip compression.
+
+'
+ supported_platforms:
+ - linux
+ - macos
+ input_arguments:
+ input_file_folder:
+ description: Path that should be compressed
+ type: Path
+ default: "/tmp/victim-files/"
+ output_file:
+ description: File that should be output
+ type: Path
+ default: "/tmp/victim-files.tar.gz"
+ executor:
+ name: sh
+ command: 'tar -cvzf #{output_file} #{input_file_folder}'
T1022:
technique:
id: attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638
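Review bot: The `command` for the tar test (`'tar -cvzf #{output_file} #{input_file_folder}'`) is a single-line scalar with no trailing newline, while the zip and gzip commands above it end with one; use the same form for all three so they serialize and render consistently. The arguments are also interpolated into `sh` unquoted, so an overridden `input_file`, `input_file_folder` or `output_file` containing spaces is split into several words. Quoting those placeholders would avoid that; `#{input_files}` has to stay unquoted because its default relies on glob expansion, which is worth saying in its `description`.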
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index 956ba491..fbd5f5fc 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -100,7 +100,9 @@
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1002 Data Compressed](./T1002/T1002.md)
- - Atomic Test #3: Data Compressed - nix [linux, macos]
+ - Atomic Test #3: Data Compressed - nix - zip [linux, macos]
+ - Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
+ - Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index 5b43610d..0b5ef359 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -155,7 +155,9 @@
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1002 Data Compressed](./T1002/T1002.md)
- - Atomic Test #3: Data Compressed - nix [linux, macos]
+ - Atomic Test #3: Data Compressed - nix - zip [linux, macos]
+ - Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
+ - Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted [macos, centos, ubuntu, linux]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)