From 5044806cc93aed4e5762eb0555d3d5be9918cfbe Mon Sep 17 00:00:00 2001 From: Hare Sudhan Date: Sun, 12 Nov 2023 19:51:39 -0500 Subject: [PATCH] FreeBSD Cleanup --- atomics/T1003.007/T1003.007.yaml | 73 ++++++++------------------------ atomics/T1003.008/T1003.008.yaml | 11 ++++- atomics/T1007/T1007.yaml | 22 ++++------ atomics/T1016/T1016.yaml | 21 +++------ atomics/T1027/T1027.yaml | 43 +++++-------------- atomics/T1036.006/T1036.006.yaml | 23 +++------- atomics/T1037.004/T1037.004.yaml | 25 +++-------- atomics/T1046/T1046.yaml | 41 +----------------- atomics/T1048.003/T1048.003.yaml | 12 +----- atomics/T1053.002/T1053.002.yaml | 42 +++--------------- bin/generate_labels.py | 2 - 11 files changed, 70 insertions(+), 245 deletions(-) diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml index 7da4e77557..f69fd73b2a 100644 --- a/atomics/T1003.007/T1003.007.yaml +++ b/atomics/T1003.007/T1003.007.yaml 
@@ -39,62 +39,23 @@ atomic_tests: command: | sh #{script_path} PID=$(pgrep -n -f "#{pid_term}") - HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1) - MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1)))) - MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2)))) - MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START))) - dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" - grep -i "PASS" "#{output_file}" - cleanup_command: | - rm -f "#{output_file}" - -- name: Dump individual process memory with sh on FreeBSD (Local) - auto_generated_guid: fa37b633-e097-4415-b2b8-c5bf4c86e423 - description: | - Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to - copy process memory to an external file so it can be searched or exfiltrated later. - On FreeBSD procfs must be mounted. - supported_platforms: - - linux - - input_arguments: - output_file: - description: Path where captured results will be placed - type: path - default: /tmp/T1003.007.bin - script_path: - description: Path to script generating the target process - type: path - default: /tmp/T1003.007.sh - pid_term: - description: Unique string to use to identify target process - type: string - default: T1003.007 - - dependencies: - - description: | - Script to launch target process must exist - prereq_command: | - test -f #{script_path} - grep "#{pid_term}" #{script_path} - get_prereq_command: | - echo '#!/bin/sh' > #{script_path} - echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} - - executor: - name: sh - elevation_required: true - command: | - sh #{script_path} - PID=$(pgrep -n -f "#{pid_term}") - MEM_START=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f1) - MEM_STOP=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f2) - MEM_SIZE=$(echo $(($MEM_STOP-$MEM_START))) - dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" - strings 
"#{output_file}" | grep -i PASS + unamestr=$(uname) + if [ "$unamestr" = 'Linux' ]; then + HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1) + MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1)))) + MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2)))) + MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START))) + dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" + grep -i "PASS" "#{output_file}" + elif [ "$unamestr" = 'FreeBSD' ]; then + MEM_START=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f1) + MEM_STOP=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f2) + MEM_SIZE=$(echo $(($MEM_STOP-$MEM_START))) + dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" + strings "#{output_file}" | grep -i PASS + fi cleanup_command: | rm -f "#{output_file}" - - name: Dump individual process memory with Python (Local) auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 description: | @@ -188,13 +149,13 @@ atomic_tests: prereq_command: | if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi; get_prereq_command: | - sudo apt-get -y install python2 + sudo apt-get -y install python2 - description: | Libc-bin must be installed prereq_command: | if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi; get_prereq_command: | - sudo apt-get -y install libc-bin + sudo apt-get -y install libc-bin executor: command: | sudo #{MimiPenguin_Location} > #{output_file} diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml index 7feb79d209..ace508650b 100644 --- a/atomics/T1003.008/T1003.008.yaml +++ b/atomics/T1003.008/T1003.008.yaml 
@@ -70,7 +70,12 @@ atomic_tests: default: /tmp/T1003.008.txt executor: command: | - echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file} + unamestr=$(uname) + if [ "$unamestr" = 'Linux' ]; then + echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file} + elif [ "$unamestr" = 'FreeBSD' ]; then + echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file} + fi cleanup_command: | rm -f #{output_file} name: sh @@ -89,8 +94,10 @@ atomic_tests: executor: command: | testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) } + if [ $(uname) = 'FreeBSD' ]; then + testcat /etc/master.passwd + fi testcat /etc/passwd - testcat /etc/master.passwd testcat /etc/shadow cleanup_command: | rm -f #{output_file} diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml index 373a48aa8c..86d6931c3e 100644 --- a/atomics/T1007/T1007.yaml +++ b/atomics/T1007/T1007.yaml @@ -35,23 +35,17 @@ atomic_tests: cleanup_command: | del /f /q /s #{output_file} >nul 2>&1 name: command_prompt -- name: System Service Discovery - systemctl +- name: System Service Discovery - systemctl/service auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef description: | - Enumerates system service using systemctl + Enumerates system service using systemctl/service supported_platforms: - linux executor: command: | - systemctl --type=service - name: bash -- name: System Service Discovery - service - auto_generated_guid: b2e1c734-7336-40f9-b970-b04731cbaf8a - description: | - Enumerates system service using service - supported_platforms: - - linux - executor: - command: | - service -e - name: sh + if [ $(uname) = 'FreeBSD' ]; then + service -e + else + systemctl --type=service + fi + name: bash \ No newline at end of file diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml index 6c9da3119b..e31439e635 100644 --- a/atomics/T1016/T1016.yaml +++ b/atomics/T1016/T1016.yaml 
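Review bot: In the second hunk, `testcat /etc/shadow` still runs unconditionally after the new FreeBSD guard, but FreeBSD has no `/etc/shadow` (the hashes are in `/etc/master.passwd`), so the `< $1` redirect inside `testcat` fails with a "No such file" error on that platform; make the two mutually exclusive: `if [ "$(uname)" = 'FreeBSD' ]; then testcat /etc/master.passwd; else testcat /etc/shadow; fi` followed by `testcat /etc/passwd`. Quoting `"$(uname)"` here and in the first hunk also keeps the `[` test well-formed if the substitution is ever empty. The `echo -e` the first hunk adds to both branches is run by `sh`, which on Debian-style hosts is dash and prints `-e` literally as the first `ed` command — pre-existing, but it now sits in newly added lines.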
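Review bot: In the T1007 hunk the Linux branch assumes `systemctl` exists, so on a non-systemd Linux host the merged test now fails where the deleted `service`-based variant used to work; consider `elif command -v systemctl >/dev/null 2>&1; then systemctl --type=service; else service --status-all; fi` (the last fallback where `service` supports it). The file also ends without a trailing newline (`\ No newline at end of file`), which should be restored. The executor stays `bash` while the other tests merged in this commit use `sh`; one shell across the `$(uname)` switches would be easier to keep consistent.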
@@ -33,7 +33,6 @@ atomic_tests: auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17 description: | Identify network configuration information. - Upon successful execution, sh will spawn multiple commands and output will be via stdout. supported_platforms: - macos 
@@ -51,21 +50,11 @@ atomic_tests: if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi; if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi; - if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; - name: sh -- name: System Network Configuration Discovery (freebsd) - auto_generated_guid: 7625b978-4efd-47de-8744-add270374bee - description: | - Identify network configuration information. - - Upon successful execution, sh will spawn multiple commands and output will be via stdout. - supported_platforms: - - linux - executor: - command: | - if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; - if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi; - if [ -x "$(command -v netstat)" ]; then netstat -Sp tcp | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; + if [ $(uname) = 'FreeBSD' ]; then + if [ -x "$(command -v netstat)" ]; then netstat -Sp tcp | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; + else + if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; + fi; name: sh - name: System Network Configuration Discovery (TrickBot Style) auto_generated_guid: dafaf052-5508-402d-bf77-51e0700c02e2 diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 51be5ebb25..1358f9eca4 100644 --- a/atomics/T1027/T1027.yaml 
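Review bot: The two `netstat` branches duplicate the whole pipeline and differ only in the flags and in `[a-z]` versus `[[:lower:]]`, which leaves the Linux side locale-dependent; select the flags once and run a single pipeline: `if [ "$(uname)" = 'FreeBSD' ]; then netstat_args="-Sp tcp"; else netstat_args="-ant"; fi;` then `if [ -x "$(command -v netstat)" ]; then netstat $netstat_args | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;`. The previous hunk appears to belong to the same test and still lists `macos` under `supported_platforms`; it is not obvious from here that `netstat -ant` on macOS yields the same last-column shape, so that combination is worth confirming. The enclosing test starts outside this hunk.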
+++ b/atomics/T1027/T1027.yaml @@ -23,41 +23,18 @@ atomic_tests: prereq_command: | if [ -e "/tmp/encoded.dat" ]; then exit 0; else exit 1; fi get_prereq_command: | - echo "#{shell_command}" | base64 > /tmp/encoded.dat + if [ $(uname) = 'FreeBSD' ]; then + echo "#{shell_command}" | b64encode -r - > /tmp/encoded.dat + else + echo "#{shell_command}" | base64 > /tmp/encoded.dat + fi executor: command: | - cat /tmp/encoded.dat | base64 -d > /tmp/art.sh - chmod +x /tmp/art.sh - /tmp/art.sh - cleanup_command: | - rm /tmp/encoded.dat - rm /tmp/art.sh - name: sh -- name: Decode base64 Data into Script - auto_generated_guid: 197ed693-08e6-4958-bfd8-5974e291be6c - description: | - Creates a base64-encoded data file and decodes it into an executable shell script - - Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team` - and uname -v - supported_platforms: - - linux - input_arguments: - shell_command: - description: command to encode - type: string - default: "echo Hello from the Atomic Red Team && uname -v" - dependency_executor_name: sh - dependencies: - - description: | - encode the command into base64 file - prereq_command: | - exit 1 - get_prereq_command: | - echo "#{shell_command}" | b64encode -r - > /tmp/encoded.dat - executor: - command: | - cat /tmp/encoded.dat | b64decode -r > /tmp/art.sh + if [ $(uname) = 'FreeBSD' ]; then + cat /tmp/encoded.dat | b64decode -r > /tmp/art.sh + else + cat /tmp/encoded.dat | base64 -d > /tmp/art.sh + fi; chmod +x /tmp/art.sh /tmp/art.sh cleanup_command: | diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml index 535d2af819..f1618525d6 100644 --- a/atomics/T1036.006/T1036.006.yaml +++ b/atomics/T1036.006/T1036.006.yaml 
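Review bot: Both new decode branches pipe `cat /tmp/encoded.dat` into the decoder; reading the file directly is the usual form and drops a process: `b64decode -r < /tmp/encoded.dat > /tmp/art.sh` and `base64 -d /tmp/encoded.dat > /tmp/art.sh`. The `prereq_command` only checks that `/tmp/encoded.dat` exists, so a file left in that fixed, shared path by an earlier run (including one produced by the other platform's encoder) is accepted as-is; the deleted FreeBSD test forced regeneration with `exit 1` as its prerequisite, and the merged test could do the same or use a `mktemp` path. The test's name, guid and input arguments are above this hunk.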
@@ -22,30 +22,17 @@ atomic_tests: supported_platforms: - macos - linux - executor: - name: bash - command: | - mkdir -p /tmp/atomic-test-T1036.006 - cd /tmp/atomic-test-T1036.006 - mkdir -p 'testdirwithspaceend ' - /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null - chmod +x 'testdirwithspaceend /init ' - './testdirwithspaceend /init ' - cleanup_command: - rm -rf /tmp/atomic-test-T1036.006 -- name: Space After Filename (FreeBSD) - auto_generated_guid: cfc1fbb5-caae-4f4c-bfa8-1b7c8b5cc4e8 - description: | - Space after filename. - supported_platforms: - - linux executor: name: sh command: | mkdir -p /tmp/atomic-test-T1036.006 cd /tmp/atomic-test-T1036.006 mkdir -p 'testdirwithspaceend ' - /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init " + if [ $(uname) = 'FreeBSD' ]; then + /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init " + else + /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null + fi; chmod +x 'testdirwithspaceend /init ' './testdirwithspaceend /init ' cleanup_command: diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml index c171f9912e..d344591d53 100644 --- a/atomics/T1037.004/T1037.004.yaml +++ b/atomics/T1037.004/T1037.004.yaml 
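Review bot: In the FreeBSD branch `/bin/echo "#\!/bin/sh"` keeps the backslash (inside double quotes sh only strips `\` before `$`, `` ` ``, `"`, `\` or newline), so the generated file begins with `#\!/bin/sh`, which is not a valid shebang; it presumably runs only because the kernel's ENOEXEC makes sh fall back to interpreting it as a script. Use `/bin/echo '#!/bin/sh' > "testdirwithspaceend /init "`. The same branch hard-codes `python3.9`, which likely matches one FreeBSD package set; `command -v python3 || command -v python3.9` would be more durable. The test's name and guid are above this hunk.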
@@ -47,27 +47,14 @@ atomic_tests: elevation_required: true command: | filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi - printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local + if [ $(uname) = 'FreeBSD' ]; then + alias python3=python3.9; + printf '%s\n' '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local + else + printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local + fi; echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local sudo chmod +x /etc/rc.local cleanup_command: | origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi -- name: rc.local (FreeBSD) - auto_generated_guid: 2015fb48-8ab6-4fbf-928b-0b62de5c9476 - description: | - Modify rc.local - - supported_platforms: - - linux - executor: - name: sh - elevation_required: true - command: | - filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi - printf '%s\n' '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local - echo 'python3.9 -c "import os, base64;exec(base64.b64decode(\"aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo=\"))"' | sudo tee -a /etc/rc.local - printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local - sudo chmod +x /etc/rc.local - cleanup_command: | - origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml index e7ff37cbac..321f9c27fa 100644 --- a/atomics/T1046/T1046.yaml +++ b/atomics/T1046/T1046.yaml 
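Review bot: `alias python3=python3.9` in the FreeBSD branch has no effect on what the test produces: the `echo ... | sudo tee -a /etc/rc.local` line below writes the literal text `python3 -c ...` into the file, which is run at boot by a different shell, so on a FreeBSD host that only ships `python3.9` that line fails there. The deleted FreeBSD test wrote `python3.9` into the file directly; the merged version should carry the interpreter name in a variable and write that. In the same branch `'#\!/usr/local/bin/bash'` goes through `printf '%s\n'` unchanged, giving an invalid `#\!` shebang, and `/usr/local/bin/bash` only exists on FreeBSD when the bash package is installed, whereas `#!/bin/sh` is always present.
```yaml
    command: |
      filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
      if [ "$(uname)" = 'FreeBSD' ]; then
        py=python3.9
        printf '%s\n' '#!/bin/sh' | sudo tee /etc/rc.local
      else
        py=python3
        printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
      fi;
      echo "$py -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
      # … unchanged: 'exit 0' line, chmod, cleanup_command …
```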
@@ -23,7 +23,6 @@ atomic_tests: auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f description: | Scan ports to check for listening ports with Nmap. - Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout. supported_platforms: - linux @@ -48,13 +47,13 @@ atomic_tests: prereq_command: | if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; get_prereq_command: | - (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap) + (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap) - description: | Check if nc command exists on the machine prereq_command: | if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi; get_prereq_command: | - (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat) + (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)||(which pkg && pkg install -y netcat) - description: | Check if telnet command exists on the machine prereq_command: | 
@@ -68,42 +67,6 @@ atomic_tests: nc -nv #{host} #{port} name: sh elevation_required: true -- name: Port Scan Nmap for FreeBSD - auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048 - description: | - Scan ports to check for listening ports with Nmap. - - Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout. - supported_platforms: - - linux - input_arguments: - host: - description: Host to scan. - type: string - default: 192.168.1.1 - port: - description: Ports to scan. - type: string - default: "80" - network_range: - description: Network Range to Scan. - type: string - default: 192.168.1.0/24 - dependency_executor_name: sh - dependencies: - - description: | - Check if nmap command exists on the machine - prereq_command: | - if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; - get_prereq_command: | - (which pkg && pkg install -y nmap) - executor: - command: | - nmap -sS #{network_range} -p #{port} - telnet #{host} #{port} - nc -nv #{host} #{port} - name: sh - elevation_required: true - name: Port Scan NMap for Windows auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df description: Scan ports to check for listening ports for the local host 127.0.0.1 diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml index 1a3717718f..f8a092ba62 100644 --- a/atomics/T1048.003/T1048.003.yaml +++ b/atomics/T1048.003/T1048.003.yaml 
@@ -215,15 +215,5 @@ atomic_tests: name: sh elevation_required: false command: | + if [ $(uname) = 'FreeBSD' ]; then alias python3=python3.9; fi; if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi -- name: Python3 http.server (freebsd) - auto_generated_guid: 57a303a2-0bc6-400d-b144-4f3292920a0b - description: | - An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable. - supported_platforms: - - linux - executor: - name: sh - elevation_required: false - command: | - if [ $(which python3.9) ]; then cd /tmp; python3.9 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi diff --git a/atomics/T1053.002/T1053.002.yaml b/atomics/T1053.002/T1053.002.yaml index 016dcd9aed..31df774995 100644 --- a/atomics/T1053.002/T1053.002.yaml +++ b/atomics/T1053.002/T1053.002.yaml @@ -39,13 +39,17 @@ atomic_tests: - description: | The `at` and `atd` executables must exist in the PATH prereq_command: | - which at && which atd + if [ $(uname) = 'FreeBSD' ]; then which at; else which at && which atd; fi; get_prereq_command: | - echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)' + if [ $(uname) = 'FreeBSD' ]; then + echo 'Please install `at` ; they were not found in the PATH (Package name: `at`)' + else + echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)' + fi; - description: | The `atd` daemon must be running prereq_command: | - systemctl status atd || service atd status + if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi; get_prereq_command: | echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)' 
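Review bot: The new `alias python3=python3.9` cannot do what the line intends: `which python3` is an external command and ignores aliases, so on a FreeBSD host with only `python3.9` the test is silently skipped, and even the later `python3 -m http.server` would not be rewritten, because aliases are expanded when a line is parsed, before the `alias` command earlier on the same line has run. Resolve the interpreter into a variable instead: `PY=$(command -v python3 || command -v python3.9);` and `if [ -n "$PY" ]; then cd /tmp; "$PY" -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi`. The test's name, guid and description are above this hunk.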
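Review bot: In the T1053.002 hunk the second prerequisite now passes vacuously on FreeBSD (`if [ $(uname) = 'Linux' ]; then ...; fi;` exits 0 when the condition is false), but FreeBSD has no `atd`: at(1) jobs are executed by atrun(8) from cron, and a default `/etc/crontab` ships that entry commented out, so the job the executor submits never runs unless atrun has been enabled. Add a FreeBSD branch such as `elif [ "$(uname)" = 'FreeBSD' ]; then grep -q '^[^#].*atrun' /etc/crontab; fi;` and extend the `get_prereq_command` message to cover it; the description `The atd daemon must be running` above it is now Linux-only wording. The second hunk of this file removes the separate FreeBSD test, so this is the only check left for that platform.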
@@ -54,35 +58,3 @@ atomic_tests: elevation_required: false command: |- echo "#{at_command}" | at #{time_spec} -- name: At - Schedule a job freebsd - auto_generated_guid: 549863fb-1c91-467e-97fc-1fa32b9f356b - description: | - This test submits a command to be run in the future by the `at` daemon. - - supported_platforms: - - linux - - input_arguments: - time_spec: - description: Time specification of when the command should run - type: string - default: now + 1 minute - at_command: - description: The command to be run - type: string - default: echo Hello from Atomic Red Team - - dependency_executor_name: sh - dependencies: - - description: | - The `at` executable must exist in the PATH - prereq_command: | - which at - get_prereq_command: | - echo 'Please install `at` ; they were not found in the PATH (Package name: `at`)' - - executor: - name: sh - elevation_required: false - command: |- - echo "#{at_command}" | at #{time_spec} diff --git a/bin/generate_labels.py b/bin/generate_labels.py index 82e9b81d9c..8545ac8b3d 100644 --- a/bin/generate_labels.py +++ b/bin/generate_labels.py @@ -36,7 +36,6 @@ class GithubAPI: labels = { "windows": "windows", "macos": "macOS", - "freebsd": "freebsd", "linux": "linux", "azure-ad": "ADFS", "containers": "containers", @@ -51,7 +50,6 @@ class GithubAPI: "windows": ["clr2of8", "MHaggis"], "linux": ["josehelps", "cyberbuff"], "macos": ["josehelps", "cyberbuff"], - "freebsd": ["josehelps", "cyberbuff"], "containers": ["patel-bhavin"], "iaas:gcp": ["patel-bhavin"], "iaas:aws": ["patel-bhavin"],