From 0dec35561f3a8de3342fc128e1e2f394b03bcb10 Mon Sep 17 00:00:00 2001 
From: Hare Sudhan Date: Thu, 2 Nov 2023 21:07:16 -0400 Subject: [PATCH 1/2] freebsd changes --- atomics/Indexes/index.yaml | 454 +++++++++++------------ atomics/Indexes/linux-index.yaml | 222 +++++------ atomics/Indexes/macos-index.yaml | 146 ++++---- atomics/Indexes/windows-index.yaml | 6 +- atomics/T1003.007/T1003.007.yaml | 4 +- atomics/T1003.008/T1003.008.yaml | 8 +- atomics/T1007/T1007.yaml | 2 +- atomics/T1016/T1016.yaml | 2 +- atomics/T1018/T1018.yaml | 6 +- atomics/T1027.001/T1027.001.yaml | 4 +- atomics/T1027.004/T1027.004.yaml | 6 +- atomics/T1027/T1027.yaml | 2 +- atomics/T1030/T1030.yaml | 2 +- atomics/T1033/T1033.yaml | 2 +- atomics/T1036.003/T1036.003.yaml | 2 +- atomics/T1036.005/T1036.005.yaml | 2 +- atomics/T1036.006/T1036.006.yaml | 2 +- atomics/T1037.004/T1037.004.yaml | 2 +- atomics/T1040/T1040.yaml | 6 +- atomics/T1046/T1046.yaml | 4 +- atomics/T1048.002/T1048.002.yaml | 2 +- atomics/T1048.003/T1048.003.yaml | 6 +- atomics/T1048/T1048.yaml | 4 +- atomics/T1049/T1049.yaml | 2 +- atomics/T1053.002/T1053.002.yaml | 2 +- atomics/T1053.003/T1053.003.yaml | 4 +- atomics/T1056.001/T1056.001.yaml | 4 +- atomics/T1057/T1057.yaml | 2 +- atomics/T1059.004/T1059.004.yaml | 20 +- atomics/T1059.006/T1059.006.yaml | 8 +- atomics/T1069.001/T1069.001.yaml | 2 +- atomics/T1070.002/T1070.002.yaml | 10 +- atomics/T1070.003/T1070.003.yaml | 14 +- atomics/T1070.004/T1070.004.yaml | 6 +- atomics/T1070.006/T1070.006.yaml | 8 +- atomics/T1071.001/T1071.001.yaml | 2 +- atomics/T1074.001/T1074.001.yaml | 2 +- atomics/T1078.003/T1078.003.yaml | 6 +- atomics/T1082/T1082.yaml | 10 +- atomics/T1083/T1083.yaml | 4 +- atomics/T1087.001/T1087.001.yaml | 12 +- atomics/T1090.001/T1090.001.yaml | 2 +- atomics/T1090.003/T1090.003.yaml | 2 +- atomics/T1098.004/T1098.004.yaml | 2 +- atomics/T1105/T1105.yaml | 14 +- atomics/T1110.001/T1110.001.yaml | 2 +- atomics/T1110.004/T1110.004.yaml | 2 +- atomics/T1113/T1113.yaml | 4 +- atomics/T1124/T1124.yaml | 2 +- 
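Review bot: `linux:freebsd` on the `+` line of this hunk (and repeated unchanged in every other hunk of this section, e.g. -1311, -4938, -27577) is a new platform token that the visible data treats as distinct from `linux` — the test at -1311 lists both `linux:freebsd` and `linux`, while this PAM-rule test lists only `linux:freebsd` — so any consumer that selects atomics by platform must compare the token exactly; a prefix or split-on-colon match would select FreeBSD-only atomics such as the log-clearing test at -4938 on Linux hosts, or drop them on FreeBSD. The token parses as a plain YAML string only because there is no space after the colon; writing it as `- 'linux:freebsd'` would make that intent explicit to readers and linters. Since atomics/Indexes/*.yaml are, as far as I know, generated from the per-technique T*/T*.yaml files, I would regenerate them rather than hand-edit so they stay consistent with the change to bin/validate/atomic-red-team.schema.yaml, which appears in the diffstat but not in the visible hunks. The index.yaml section continues past the end of this chunk.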
atomics/T1132.001/T1132.001.yaml | 2 +- atomics/T1135/T1135.yaml | 2 +- atomics/T1136.001/T1136.001.yaml | 4 +- atomics/T1140/T1140.yaml | 10 +- atomics/T1176/T1176.yaml | 6 +- atomics/T1201/T1201.yaml | 2 +- atomics/T1217/T1217.yaml | 4 +- atomics/T1222.002/T1222.002.yaml | 16 +- atomics/T1485/T1485.yaml | 2 +- atomics/T1486/T1486.yaml | 8 +- atomics/T1496/T1496.yaml | 2 +- atomics/T1497.001/T1497.001.yaml | 2 +- atomics/T1518.001/T1518.001.yaml | 2 +- atomics/T1529/T1529.yaml | 14 +- atomics/T1543.002/T1543.002.yaml | 2 +- atomics/T1546.004/T1546.004.yaml | 6 +- atomics/T1546.005/T1546.005.yaml | 4 +- atomics/T1548.001/T1548.001.yaml | 10 +- atomics/T1548.003/T1548.003.yaml | 6 +- atomics/T1552.001/T1552.001.yaml | 6 +- atomics/T1552.003/T1552.003.yaml | 2 +- atomics/T1552.004/T1552.004.yaml | 8 +- atomics/T1553.004/T1553.004.yaml | 2 +- atomics/T1556.003/T1556.003.yaml | 2 +- atomics/T1560.001/T1560.001.yaml | 6 +- atomics/T1560.002/T1560.002.yaml | 8 +- atomics/T1562.001/T1562.001.yaml | 4 +- atomics/T1562.003/T1562.003.yaml | 6 +- atomics/T1562.004/T1562.004.yaml | 4 +- atomics/T1562.006/T1562.006.yaml | 4 +- atomics/T1564.001/T1564.001.yaml | 2 +- atomics/T1571/T1571.yaml | 2 +- atomics/T1614.001/T1614.001.yaml | 4 +- bin/validate/atomic-red-team.schema.yaml | 2 +- 83 files changed, 605 insertions(+), 605 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index d8f02284a0..e7d0d73575 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -1037,7 +1037,7 @@ defense-evasion: Upon successful execution, this test will insert a rule that allows every user to su to root without a password. supported_platforms: - - freebsd + - linux:freebsd input_arguments: path_to_pam_conf: description: PAM config file to modify. @@ -1311,7 +1311,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: 
@@ -1335,7 +1335,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -1359,7 +1359,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -1383,7 +1383,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -1460,7 +1460,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -1523,7 +1523,7 @@ defense-evasion: Remove's a file's `immutable` attribute using `chflags`. This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - freebsd + - linux:freebsd input_arguments: file_to_modify: description: Path of the file @@ -1572,7 +1572,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: source_file: description: Path of c source file @@ -1636,7 +1636,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: source_file: description: Path of c source file @@ -3164,7 +3164,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. @@ -3203,7 +3203,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. @@ -3242,7 +3242,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. @@ -3852,7 +3852,7 @@ defense-evasion: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: test_message: description: Test message to echo out to the screen 
@@ -4787,7 +4787,7 @@ defense-evasion: Detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -4938,7 +4938,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: | rm -rf /var/log/messages @@ -4997,7 +4997,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: "truncate -s 0 /var/log/messages #size parameter shorthand\ntruncate --size=0 /var/log/security #size parameter \n" @@ -5042,7 +5042,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: | cat /dev/null > /var/log/messages #truncating the file to zero bytes @@ -5116,7 +5116,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'echo '''' > /var/log/messages @@ -5172,7 +5172,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'unlink /var/log/messages @@ -7414,7 +7414,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'rm ~/.sh_history @@ -7438,7 +7438,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'echo "" > ~/.sh_history @@ -7463,7 +7463,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'cat /dev/null > ~/.sh_history @@ -7488,7 +7488,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'ln -sf /dev/null ~/.sh_history @@ -7512,7 +7512,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'truncate -s0 ~/.sh_history @@ -7540,7 +7540,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: | unset HISTFILE 
@@ -7618,7 +7618,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd dependencies: - description: 'Install sshpass and create user account used for excuting @@ -7961,7 +7961,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -7999,7 +7999,7 @@ defense-evasion: description: "Use Perl to decode a base64-encoded text string and echo it to the console \n" supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -8067,7 +8067,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: message: description: Message to print to the screen @@ -8098,7 +8098,7 @@ defense-evasion: Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it. \n" supported_platforms: - - freebsd + - linux:freebsd input_arguments: bash_encoded: description: Encoded @@ -8141,7 +8141,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -9755,7 +9755,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -9787,7 +9787,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -9822,7 +9822,7 @@ defense-evasion: Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -9849,7 +9849,7 @@ defense-evasion: This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: 
@@ -11175,7 +11175,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if pfctl is installed on the machine. @@ -11283,7 +11283,7 @@ defense-evasion: description: "Add and delete a rule on the Packet Filter (PF) if installed and enabled. \n" supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if pf is installed on the machine and enabled. @@ -13706,7 +13706,7 @@ defense-evasion: Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -13741,7 +13741,7 @@ defense-evasion: Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -14938,7 +14938,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: payload: description: hello.c payload @@ -14986,7 +14986,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: file_to_setuid: description: Path of file to set SetUID flag @@ -15031,7 +15031,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: file_to_setuid: description: Path of file to set SetGID flag @@ -15100,7 +15100,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'find /usr/bin -perm -4000 @@ -15114,7 +15114,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'find /usr/bin -perm -2000 @@ -16041,7 +16041,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: auditd_config_file_name: description: The name of the auditd configuration file to be changed 
@@ -16105,7 +16105,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: syslog_config_file_name: description: The name of the syslog configuration file to be changed @@ -18898,7 +18898,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: evil_command: description: Command to run after shell history collection is disabled @@ -18997,7 +18997,7 @@ defense-evasion: Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: false @@ -19036,7 +19036,7 @@ defense-evasion: Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: false @@ -20688,7 +20688,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: | service syslogd stop @@ -21582,7 +21582,7 @@ defense-evasion: as an additional \npayload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux.\n" supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: "swapon -a \nsleep 2\nswapoff -a\nsync\n" @@ -22425,7 +22425,7 @@ defense-evasion: a base64 encoded command, that echoes `Hello from the Atomic Red Team` \nand uname -v\n" supported_platforms: - - freebsd + - linux:freebsd input_arguments: shell_command: description: command to encode @@ -23742,7 +23742,7 @@ defense-evasion: Upon successful execution, sh is renamed to `crond` and executed. supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: | 
@@ -24702,7 +24702,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: cert_filename: description: Path of the CA certificate we create @@ -25021,7 +25021,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -25053,7 +25053,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -25084,7 +25084,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -27350,7 +27350,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -27388,7 +27388,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -27577,7 +27577,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: | chflags -R 0 / @@ -28397,7 +28397,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh command: "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir @@ -29406,7 +29406,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -31261,7 +31261,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -31302,7 +31302,7 @@ defense-evasion: the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.\n" supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -31344,7 +31344,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -33926,7 +33926,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. 
@@ -33965,7 +33965,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. @@ -34004,7 +34004,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. @@ -35196,7 +35196,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -35256,7 +35256,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: command: description: Command to execute @@ -38063,7 +38063,7 @@ privilege-escalation: Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if bash is installed. @@ -38106,7 +38106,7 @@ privilege-escalation: Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if bash is installed. @@ -38865,7 +38865,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: payload: description: hello.c payload @@ -38913,7 +38913,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: file_to_setuid: description: Path of file to set SetUID flag @@ -38958,7 +38958,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: file_to_setuid: description: Path of file to set SetGID flag @@ -39027,7 +39027,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'find /usr/bin -perm -4000 
@@ -39041,7 +39041,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'find /usr/bin -perm -2000 @@ -43596,7 +43596,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: command_to_add: description: Command to add to the .shrc file @@ -43617,7 +43617,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: text_to_append: @@ -43640,7 +43640,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: text_to_append: @@ -45568,7 +45568,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -45864,7 +45864,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: rc_service_path: description: Path to rc service file @@ -47322,7 +47322,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: time_spec: description: Time specification of when the command should run @@ -47866,7 +47866,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -47907,7 +47907,7 @@ privilege-escalation: the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.\n" supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -47949,7 +47949,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -50010,7 +50010,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -50070,7 +50070,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: command: description: Command to execute 
@@ -53084,7 +53084,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -53109,7 +53109,7 @@ execution: Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -53203,7 +53203,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh @@ -53223,7 +53223,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh @@ -53241,7 +53241,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh @@ -53256,7 +53256,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh @@ -53290,7 +53290,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: false @@ -53337,7 +53337,7 @@ execution: with a /bin/sh shell, changes the users shell to sh, then deletes the art user. \n" supported_platforms: - - freebsd + - linux:freebsd dependencies: - description: 'chsh - change login shell, must be installed @@ -53389,7 +53389,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: false @@ -53450,7 +53450,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: remote_url: description: url of remote payload @@ -54089,7 +54089,7 @@ execution: description: Download and execute shell script and write to file then execute locally using Python -c (command mode) supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: script_url: @@ -54131,7 +54131,7 @@ execution: description: Create Python file (.py) that downloads and executes shell script via executor arguments supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: python_script_name: 
@@ -54189,7 +54189,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: python_script_name: @@ -54254,7 +54254,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux dependencies: - description: 'Verify if python is in the environment variable path and attempt @@ -55573,7 +55573,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: time_spec: description: Time specification of when the command should run @@ -56632,7 +56632,7 @@ persistence: Upon successful execution, this test will insert a rule that allows every user to su to root without a password. supported_platforms: - - freebsd + - linux:freebsd input_arguments: path_to_pam_conf: description: PAM config file to modify. @@ -58667,7 +58667,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -58727,7 +58727,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: command: description: Command to execute @@ -60348,7 +60348,7 @@ persistence: description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos @@ -60366,7 +60366,7 @@ persistence: auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f description: Install the "Minimum Viable Malicious Extension" Chrome extension supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos @@ -60383,7 +60383,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos @@ -62672,7 +62672,7 @@ persistence: Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if bash is installed. 
@@ -62715,7 +62715,7 @@ persistence: Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'Check if bash is installed. @@ -63061,7 +63061,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: username: description: Username of the user to create @@ -63184,7 +63184,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: username: description: Username of the user to create @@ -64042,7 +64042,7 @@ persistence: persistence on victim host. \nIf the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.\n" supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -70371,7 +70371,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: command_to_add: description: Command to add to the .shrc file @@ -70392,7 +70392,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: text_to_append: @@ -70415,7 +70415,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: text_to_append: @@ -72694,7 +72694,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -73032,7 +73032,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: rc_service_path: description: Path to rc service file @@ -74533,7 +74533,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: time_spec: description: Time specification of when the command should run @@ -75168,7 +75168,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true 
@@ -75209,7 +75209,7 @@ persistence: the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.\n" supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -75251,7 +75251,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -75631,7 +75631,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: destination_url: description: Destination URL to post encoded data. @@ -77896,7 +77896,7 @@ command-and-control: with add-ons in order to provide onion routing functionality.\nUpon successful execution, the tor proxy service will be launched. \n" supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: "Tor must be installed on the machine \n" @@ -78050,7 +78050,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -78810,7 +78810,7 @@ command-and-control: This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -78899,7 +78899,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -78939,7 +78939,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -78978,7 +78978,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -79009,7 +79009,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: 
@@ -79040,7 +79040,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -79071,7 +79071,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -79280,7 +79280,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -79937,7 +79937,7 @@ command-and-control: Note that this test may conflict with pre-existing system configuration. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -80502,7 +80502,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -80532,7 +80532,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -80569,7 +80569,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -80789,7 +80789,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Output file path @@ -80851,7 +80851,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Output file path @@ -81207,7 +81207,7 @@ collection: syslog.\n\nTo gain persistence the command could be added to the users .shrc or .profile \n" supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'This test requires to be run in a bash shell and that logger @@ -81241,7 +81241,7 @@ collection: persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ \n" supported_platforms: - - freebsd + - linux:freebsd - linux dependency_executor_name: sh dependencies: 
@@ -81828,7 +81828,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Location to save downloaded discovery.bat file @@ -82719,7 +82719,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: @@ -82756,7 +82756,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: @@ -82793,7 +82793,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: @@ -82830,7 +82830,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: @@ -87659,7 +87659,7 @@ credential-access: Upon successful execution, this test will insert a rule that allows every user to su to root without a password. supported_platforms: - - freebsd + - linux:freebsd input_arguments: path_to_pam_conf: description: PAM config file to modify. @@ -87935,7 +87935,7 @@ credential-access: syslog.\n\nTo gain persistence the command could be added to the users .shrc or .profile \n" supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: 'This test requires to be run in a bash shell and that logger @@ -87969,7 +87969,7 @@ credential-access: persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ \n" supported_platforms: - - freebsd + - linux:freebsd - linux dependency_executor_name: sh dependencies: @@ -88448,7 +88448,7 @@ credential-access: the sudo_bruteforce.sh which brute force guesses the password, then deletes the user\n" supported_platforms: - - freebsd + - linux:freebsd input_arguments: remote_url: description: url of remote payload 
@@ -90117,7 +90117,7 @@ credential-access: copy process memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Path where captured results will be placed @@ -90162,7 +90162,7 @@ credential-access: copy a process's heap memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -90468,7 +90468,7 @@ credential-access: Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. supported_platforms: - - freebsd + - linux:freebsd input_arguments: interface: description: Specify interface to perform PCAP on. @@ -90706,7 +90706,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: ifname: description: Specify interface to perform PCAP on. @@ -90747,7 +90747,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: ifname: description: Specify interface to perform PCAP on. @@ -92871,7 +92871,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -92924,7 +92924,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: search_path: description: Path where to start searching from. @@ -92986,7 +92986,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: search_path: description: Path where to start searching from. @@ -93048,7 +93048,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: search_path: description: Path where to start searching from 
@@ -95022,7 +95022,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Path where captured results will be placed @@ -95128,7 +95128,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -95158,7 +95158,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -95204,7 +95204,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -96457,7 +96457,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: target_host: description: IP Address / Hostname you want to target. @@ -97138,7 +97138,7 @@ credential-access: auto_generated_guid: 5076874f-a8e6-4077-8ace-9e5ab54114a5 description: "/etc/master.passwd file is accessed in FreeBSD environments\n" supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Path where captured results will be placed @@ -97157,7 +97157,7 @@ credential-access: auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d description: "/etc/passwd file is accessed in FreeBSD and Linux environments\n" supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -97179,7 +97179,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -97203,7 +97203,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -99059,7 +99059,7 @@ discovery: Upon successful execution, sh will stdout list of usernames. supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -100288,7 +100288,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: 
@@ -100307,7 +100307,7 @@ discovery: auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 description: "(requires root)\n" supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -100331,7 +100331,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -100354,7 +100354,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -100411,7 +100411,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Path where captured results will be placed @@ -100431,7 +100431,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -100614,7 +100614,7 @@ discovery: Detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -101153,7 +101153,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'service -e @@ -101283,7 +101283,7 @@ discovery: Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. supported_platforms: - - freebsd + - linux:freebsd input_arguments: interface: description: Specify interface to perform PCAP on. @@ -101521,7 +101521,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: ifname: description: Specify interface to perform PCAP on. @@ -101562,7 +101562,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: ifname: description: Specify interface to perform PCAP on. @@ -101861,7 +101861,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: package_checker: description: Package checking command. pkg info -x samba 
@@ -102197,7 +102197,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -102258,7 +102258,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: | kldstat | grep -i "vmm" @@ -102283,7 +102283,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -102357,7 +102357,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -102588,7 +102588,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: | kldstat @@ -103128,7 +103128,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -103193,7 +103193,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Path where captured results will be placed. @@ -103405,7 +103405,7 @@ discovery: Upon successful execution, sh will spawn multiple commands and output will be via stdout. supported_platforms: - - freebsd + - linux:freebsd executor: command: | if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; @@ -104003,7 +104003,7 @@ discovery: https://perishablepress.com/list-files-folders-recursively-terminal/ supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -104031,7 +104031,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -104225,7 +104225,7 @@ discovery: Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout. supported_platforms: - - freebsd + - linux:freebsd - linux - macos dependency_executor_name: sh @@ -104575,7 +104575,7 @@ discovery: Upon successful execution, sh will execute ps and output to /tmp/loot.txt. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: 
@@ -104793,7 +104793,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -105024,7 +105024,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'cat /etc/pam.d/passwd @@ -105305,7 +105305,7 @@ discovery: Upon successful execution, the output will contain the environment variables that indicate the 5 character locale that can be looked up to correlate the language and territory. supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'locale @@ -105363,7 +105363,7 @@ discovery: also used as a builtin command that does not generate syscall telemetry but does provide a list of the environment variables. supported_platforms: - - freebsd + - linux:freebsd - linux dependency_executor_name: sh dependencies: @@ -105739,7 +105739,7 @@ discovery: Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. supported_platforms: - - freebsd + - linux:freebsd executor: command: 'pgrep -l ''bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd'' @@ -106104,7 +106104,7 @@ discovery: Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. supported_platforms: - - freebsd + - linux:freebsd - linux - macos dependency_executor_name: sh @@ -106130,7 +106130,7 @@ discovery: Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -106324,7 +106324,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'netstat -r | grep default 
@@ -106603,7 +106603,7 @@ discovery: Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout. supported_platforms: - - freebsd + - linux:freebsd input_arguments: host: description: Host to scan. @@ -107186,7 +107186,7 @@ discovery: description: "Identify system time. Upon execution, the local computer system time and timezone will be displayed. \n" supported_platforms: - - freebsd + - linux:freebsd - macos executor: command: 'date @@ -113671,7 +113671,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: @@ -113717,7 +113717,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: @@ -113756,7 +113756,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: cped_file_path: @@ -113807,7 +113807,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: private_key_path: @@ -114349,7 +114349,7 @@ impact: This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break. supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -114549,7 +114549,7 @@ impact: Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -115231,7 +115231,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -115251,7 +115251,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -115271,7 +115271,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: 
@@ -115286,7 +115286,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'halt -p @@ -115300,7 +115300,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'halt -r @@ -115326,7 +115326,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'poweroff @@ -115340,7 +115340,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd executor: command: 'poweroff -r 3 @@ -117508,7 +117508,7 @@ initial-access: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -117549,7 +117549,7 @@ initial-access: the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.\n" supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -117591,7 +117591,7 @@ initial-access: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -118137,7 +118137,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: input_file: description: Test file to upload @@ -118316,7 +118316,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: domain: description: target SSH domain @@ -118338,7 +118338,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: user_name: description: username for domain @@ -118738,7 +118738,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: file_name: description: File name @@ -119022,7 +119022,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd executor: steps: | 1. Victim System Configuration: 
@@ -119069,7 +119069,7 @@ exfiltration: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: steps: "1. On the adversary machine run the below command.\n\n tshark -f
@@ -119253,7 +119253,7 @@ exfiltration: ' supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: false
diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml
index 218d4da65d..a4d91cbd89 100644
--- a/atomics/Indexes/linux-index.yaml
+++ b/atomics/Indexes/linux-index.yaml
@@ -921,7 +921,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments:
@@ -945,7 +945,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments:
@@ -969,7 +969,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments:
@@ -993,7 +993,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments:
@@ -1070,7 +1070,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments:
@@ -2602,7 +2602,7 @@ defense-evasion: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: test_message: description: Test message to echo out to the screen
@@ -4562,7 +4562,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments:
@@ -4600,7 +4600,7 @@ defense-evasion: description: "Use Perl to decode a base64-encoded text string and echo it to the console \n" supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments:
@@ -4668,7 +4668,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments:
@@ -5579,7 +5579,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments:
@@ -5611,7 +5611,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -5646,7 +5646,7 @@ defense-evasion: Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -5673,7 +5673,7 @@ defense-evasion: This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -7620,7 +7620,7 @@ defense-evasion: Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -7655,7 +7655,7 @@ defense-evasion: Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -8681,7 +8681,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'find /usr/bin -perm -4000 @@ -8695,7 +8695,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'find /usr/bin -perm -2000 @@ -12732,7 +12732,7 @@ defense-evasion: as an additional \npayload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux.\n" supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: "swapon -a \nsleep 2\nswapoff -a\nsync\n" @@ -14047,7 +14047,7 @@ defense-evasion: Upon successful execution, sh is renamed to `crond` and executed. supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: | @@ -14786,7 +14786,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: 
@@ -14818,7 +14818,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -14849,7 +14849,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -16496,7 +16496,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -16534,7 +16534,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -17923,7 +17923,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -21218,7 +21218,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -24003,7 +24003,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'find /usr/bin -perm -4000 @@ -24017,7 +24017,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'find /usr/bin -perm -2000 @@ -26947,7 +26947,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: text_to_append: @@ -26970,7 +26970,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: text_to_append: @@ -30849,7 +30849,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -33103,7 +33103,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -33128,7 +33128,7 @@ execution: Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -33222,7 +33222,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh 
@@ -33242,7 +33242,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh @@ -33260,7 +33260,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh @@ -33275,7 +33275,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh @@ -33830,7 +33830,7 @@ execution: description: Download and execute shell script and write to file then execute locally using Python -c (command mode) supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: script_url: @@ -33872,7 +33872,7 @@ execution: description: Create Python file (.py) that downloads and executes shell script via executor arguments supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: python_script_name: @@ -33930,7 +33930,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: python_script_name: @@ -33995,7 +33995,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux dependencies: - description: 'Verify if python is in the environment variable path and attempt @@ -37154,7 +37154,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -38232,7 +38232,7 @@ persistence: description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos @@ -38250,7 +38250,7 @@ persistence: auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f description: Install the "Minimum Viable Malicious Extension" Chrome extension supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos @@ -38267,7 +38267,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos 
@@ -41065,7 +41065,7 @@ persistence: persistence on victim host. \nIf the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.\n" supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -44855,7 +44855,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: text_to_append: @@ -44878,7 +44878,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: text_to_append: @@ -50213,7 +50213,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -50794,7 +50794,7 @@ command-and-control: This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -50883,7 +50883,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -50923,7 +50923,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -50962,7 +50962,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -50993,7 +50993,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -51024,7 +51024,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -51055,7 +51055,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -51086,7 +51086,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: 
@@ -51301,7 +51301,7 @@ command-and-control: Note that this test may conflict with pre-existing system configuration. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -51633,7 +51633,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -51663,7 +51663,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -51700,7 +51700,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -52148,7 +52148,7 @@ collection: persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ \n" supported_platforms: - - freebsd + - linux:freebsd - linux dependency_executor_name: sh dependencies: @@ -53110,7 +53110,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: @@ -53147,7 +53147,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: @@ -53184,7 +53184,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: @@ -53221,7 +53221,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: @@ -57242,7 +57242,7 @@ credential-access: persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ \n" supported_platforms: - - freebsd + - linux:freebsd - linux dependency_executor_name: sh dependencies: @@ -58481,7 +58481,7 @@ credential-access: copy a process's heap memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: 
@@ -60072,7 +60072,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -61017,7 +61017,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -61036,7 +61036,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -61056,7 +61056,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -62563,7 +62563,7 @@ credential-access: auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d description: "/etc/passwd file is accessed in FreeBSD and Linux environments\n" supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -62585,7 +62585,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -62609,7 +62609,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -63692,7 +63692,7 @@ discovery: Upon successful execution, sh will stdout list of usernames. supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -64280,7 +64280,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -64299,7 +64299,7 @@ discovery: auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 description: "(requires root)\n" supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -64323,7 +64323,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -64346,7 +64346,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -64403,7 +64403,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: 
@@ -65162,7 +65162,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -65223,7 +65223,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -65238,7 +65238,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -65679,7 +65679,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -66006,7 +66006,7 @@ discovery: https://perishablepress.com/list-files-folders-recursively-terminal/ supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -66034,7 +66034,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -66139,7 +66139,7 @@ discovery: Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout. supported_platforms: - - freebsd + - linux:freebsd - linux - macos dependency_executor_name: sh @@ -66423,7 +66423,7 @@ discovery: Upon successful execution, sh will execute ps and output to /tmp/loot.txt. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -66575,7 +66575,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -66819,7 +66819,7 @@ discovery: Upon successful execution, the output will contain the environment variables that indicate the 5 character locale that can be looked up to correlate the language and territory. supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'locale @@ -66877,7 +66877,7 @@ discovery: also used as a builtin command that does not generate syscall telemetry but does provide a list of the environment variables. supported_platforms: - - freebsd + - linux:freebsd - linux dependency_executor_name: sh dependencies: 
@@ -67242,7 +67242,7 @@ discovery: Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. supported_platforms: - - freebsd + - linux:freebsd - linux - macos dependency_executor_name: sh @@ -67268,7 +67268,7 @@ discovery: Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -73810,7 +73810,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: @@ -73856,7 +73856,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: @@ -73895,7 +73895,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: cped_file_path: @@ -73946,7 +73946,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: private_key_path: @@ -74364,7 +74364,7 @@ impact: This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break. supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -74529,7 +74529,7 @@ impact: Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -74928,7 +74928,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -74948,7 +74948,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -74968,7 +74968,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -74983,7 +74983,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'halt -p 
@@ -75010,7 +75010,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: 'poweroff
@@ -77126,7 +77126,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: input_file: description: Test file to upload
@@ -77283,7 +77283,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: domain: description: target SSH domain
@@ -77305,7 +77305,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: user_name: description: username for domain
@@ -77565,7 +77565,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: file_name: description: File name
@@ -77849,7 +77849,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd executor: steps: | 1. Victim System Configuration:
@@ -77872,7 +77872,7 @@ exfiltration: ' supported_platforms: - - freebsd + - linux:freebsd - linux executor: steps: "1. On the adversary machine run the below command.\n\n tshark -f
diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml
index d048c1de82..16801a150f 100644
--- a/atomics/Indexes/macos-index.yaml
+++ b/atomics/Indexes/macos-index.yaml
@@ -829,7 +829,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments:
@@ -853,7 +853,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments:
@@ -877,7 +877,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments:
@@ -901,7 +901,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments:
@@ -978,7 +978,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments:
@@ -2329,7 +2329,7 @@ defense-evasion: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: test_message: description: Test message to echo out to the screen @@ -4480,7 +4480,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -4518,7 +4518,7 @@ defense-evasion: description: "Use Perl to decode a base64-encoded text string and echo it to the console \n" supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -4586,7 +4586,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -5449,7 +5449,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -5481,7 +5481,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -5516,7 +5516,7 @@ defense-evasion: Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -5543,7 +5543,7 @@ defense-evasion: This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -7190,7 +7190,7 @@ defense-evasion: Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -7225,7 +7225,7 @@ defense-evasion: Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -13976,7 +13976,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: 
@@ -14008,7 +14008,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -14039,7 +14039,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -15686,7 +15686,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -15724,7 +15724,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -17093,7 +17093,7 @@ defense-evasion: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -20447,7 +20447,7 @@ privilege-escalation: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -29881,7 +29881,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -32038,7 +32038,7 @@ execution: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -32063,7 +32063,7 @@ execution: Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -35452,7 +35452,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -36503,7 +36503,7 @@ persistence: description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos @@ -36521,7 +36521,7 @@ persistence: auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f description: Install the "Minimum Viable Malicious Extension" Chrome extension supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos @@ -36538,7 +36538,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos 
@@ -39368,7 +39368,7 @@ persistence: persistence on victim host. \nIf the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.\n" supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -48279,7 +48279,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -48860,7 +48860,7 @@ command-and-control: This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -48949,7 +48949,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -48989,7 +48989,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -49028,7 +49028,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -49059,7 +49059,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -49090,7 +49090,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -49121,7 +49121,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -49152,7 +49152,7 @@ command-and-control: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -49342,7 +49342,7 @@ command-and-control: Note that this test may conflict with pre-existing system configuration. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -49703,7 +49703,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: 
@@ -49733,7 +49733,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -49770,7 +49770,7 @@ collection: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -57401,7 +57401,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -58320,7 +58320,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -58350,7 +58350,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -58370,7 +58370,7 @@ credential-access: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -60879,7 +60879,7 @@ discovery: Upon successful execution, sh will stdout list of usernames. supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -61419,7 +61419,7 @@ discovery: auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 description: "(requires root)\n" supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -61443,7 +61443,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -61466,7 +61466,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -61491,7 +61491,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -62144,7 +62144,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -62169,7 +62169,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -62184,7 +62184,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: 
@@ -63010,7 +63010,7 @@ discovery: https://perishablepress.com/list-files-folders-recursively-terminal/ supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -63038,7 +63038,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -63143,7 +63143,7 @@ discovery: Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout. supported_platforms: - - freebsd + - linux:freebsd - linux - macos dependency_executor_name: sh @@ -63427,7 +63427,7 @@ discovery: Upon successful execution, sh will execute ps and output to /tmp/loot.txt. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -63579,7 +63579,7 @@ discovery: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -64099,7 +64099,7 @@ discovery: Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. supported_platforms: - - freebsd + - linux:freebsd - linux - macos dependency_executor_name: sh @@ -64125,7 +64125,7 @@ discovery: Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -64559,7 +64559,7 @@ discovery: description: "Identify system time. Upon execution, the local computer system time and timezone will be displayed. \n" supported_platforms: - - freebsd + - linux:freebsd - macos executor: command: 'date @@ -71126,7 +71126,7 @@ impact: This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break. supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: 
@@ -71291,7 +71291,7 @@ impact: Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -71690,7 +71690,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -71710,7 +71710,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -71730,7 +71730,7 @@ impact: ' supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -73844,7 +73844,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: input_file: description: Test file to upload @@ -74001,7 +74001,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: domain: description: target SSH domain @@ -74023,7 +74023,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: user_name: description: username for domain @@ -74283,7 +74283,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: file_name: description: File name @@ -74567,7 +74567,7 @@ exfiltration: supported_platforms: - macos - linux - - freebsd + - linux:freebsd executor: steps: | 1. Victim System Configuration: diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index b064de90d8..92756f8503 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml @@ -51018,7 +51018,7 @@ persistence: description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos 
@@ -51036,7 +51036,7 @@ persistence: auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f description: Install the "Minimum Viable Malicious Extension" Chrome extension supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos @@ -51053,7 +51053,7 @@ persistence: ' supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml index fbc3e87c6e..ab695c5157 100644 --- a/atomics/T1003.007/T1003.007.yaml +++ b/atomics/T1003.007/T1003.007.yaml @@ -55,7 +55,7 @@ atomic_tests: copy process memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: @@ -102,7 +102,7 @@ atomic_tests: copy a process's heap memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml index f1b78acef8..ebe44a8bdb 100644 --- a/atomics/T1003.008/T1003.008.yaml +++ b/atomics/T1003.008/T1003.008.yaml @@ -25,7 +25,7 @@ atomic_tests: description: | /etc/master.passwd file is accessed in FreeBSD environments supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Path where captured results will be placed @@ -44,7 +44,7 @@ atomic_tests: description: | /etc/passwd file is accessed in FreeBSD and Linux environments supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -63,7 +63,7 @@ atomic_tests: description: | Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: 
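Review bot: The new platform token `linux:freebsd` in the T1003.007 hunk at line 55 is introduced without anything on this page defining it, so the supported_platforms validation and the runner's platform matching both need to accept it exactly; if either still expects the bare `freebsd` value, every FreeBSD-only test in this commit (T1003.007, T1003.008, T1007, T1016, T1018, T1040, T1046 and the later hunks) silently stops matching, and if the match is a prefix on `linux` the tests become selectable on Linux hosts instead. The second case matters most for the T1070.004 test that runs `chflags -R 0 /` against the root filesystem, where this tag is the only thing keeping it off a non-FreeBSD machine. The colon-qualified form reads as a new convention and should be documented wherever the list of valid platform values lives, with one sentence on whether it is matched exactly or as a family. The same one-line substitution is repeated in every other hunk of the commit, so this note covers them; the atomics/Indexes files appear to be generated from the per-technique YAML and are presumably regenerated rather than hand-edited.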
@@ -82,7 +82,7 @@ atomic_tests: description: | Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml index ec138e38a2..895f33f9cc 100644 --- a/atomics/T1007/T1007.yaml +++ b/atomics/T1007/T1007.yaml @@ -50,7 +50,7 @@ atomic_tests: description: | Enumerates system service using service supported_platforms: - - freebsd + - linux:freebsd executor: command: | service -e diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml index e6589ca621..84eb000c17 100644 --- a/atomics/T1016/T1016.yaml +++ b/atomics/T1016/T1016.yaml @@ -60,7 +60,7 @@ atomic_tests: Upon successful execution, sh will spawn multiple commands and output will be via stdout. supported_platforms: - - freebsd + - linux:freebsd executor: command: | if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index 6c39251db2..fc6cc361ff 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml @@ -87,7 +87,7 @@ atomic_tests: Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. supported_platforms: - - freebsd + - linux:freebsd - linux - macos dependency_executor_name: sh @@ -109,7 +109,7 @@ atomic_tests: Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -277,7 +277,7 @@ atomic_tests: description: | Use the netstat command to display the kernels routing tables. supported_platforms: - - freebsd + - linux:freebsd executor: command: | netstat -r | grep default diff --git a/atomics/T1027.001/T1027.001.yaml b/atomics/T1027.001/T1027.001.yaml index 9561325e96..1249620e33 100644 --- a/atomics/T1027.001/T1027.001.yaml 
+++ b/atomics/T1027.001/T1027.001.yaml @@ -8,7 +8,7 @@ atomic_tests: Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -40,7 +40,7 @@ atomic_tests: Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: diff --git a/atomics/T1027.004/T1027.004.yaml b/atomics/T1027.004/T1027.004.yaml index f03b4e2998..512c55407c 100644 --- a/atomics/T1027.004/T1027.004.yaml +++ b/atomics/T1027.004/T1027.004.yaml @@ -64,7 +64,7 @@ atomic_tests: description: | Compile a c file with either gcc or clang on FreeBSD, Linux or Macos. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -90,7 +90,7 @@ atomic_tests: description: | Compile a c file with either gcc or clang on FreeBSD, Linux or Macos. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -116,7 +116,7 @@ atomic_tests: description: | Compile a go file with golang on FreeBSD, Linux or Macos. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 4d857b7501..e13b7faadb 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -41,7 +41,7 @@ atomic_tests: Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team` and uname -v supported_platforms: - - freebsd + - linux:freebsd input_arguments: shell_command: description: command to encode diff --git a/atomics/T1030/T1030.yaml b/atomics/T1030/T1030.yaml index 74b38b1d26..d31dfb5b11 100644 --- a/atomics/T1030/T1030.yaml +++ b/atomics/T1030/T1030.yaml 
@@ -8,7 +8,7 @@ atomic_tests: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: file_name: description: File name diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml index 993a6cf317..d07f4bb55b 100644 --- a/atomics/T1033/T1033.yaml +++ b/atomics/T1033/T1033.yaml @@ -33,7 +33,7 @@ atomic_tests: Upon successful execution, sh will stdout list of usernames. supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: diff --git a/atomics/T1036.003/T1036.003.yaml b/atomics/T1036.003/T1036.003.yaml index 7419662ed9..55798b20b4 100644 --- a/atomics/T1036.003/T1036.003.yaml +++ b/atomics/T1036.003/T1036.003.yaml @@ -23,7 +23,7 @@ atomic_tests: Upon successful execution, sh is renamed to `crond` and executed. supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: | diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml index 5014375fdf..8c00a77956 100644 --- a/atomics/T1036.005/T1036.005.yaml +++ b/atomics/T1036.005/T1036.005.yaml @@ -8,7 +8,7 @@ atomic_tests: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: test_message: description: Test message to echo out to the screen diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml index f83dbea767..b28a97b6f5 100644 --- a/atomics/T1036.006/T1036.006.yaml +++ b/atomics/T1036.006/T1036.006.yaml @@ -38,7 +38,7 @@ atomic_tests: description: | Space after filename. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh command: | diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml index 2522bad72d..1281856bae 100644 --- a/atomics/T1037.004/T1037.004.yaml +++ b/atomics/T1037.004/T1037.004.yaml @@ -59,7 +59,7 @@ atomic_tests: Modify rc.local supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true 
diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml index fce8c54494..241f247098 100644 --- a/atomics/T1040/T1040.yaml +++ b/atomics/T1040/T1040.yaml @@ -35,7 +35,7 @@ atomic_tests: Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. supported_platforms: - - freebsd + - linux:freebsd input_arguments: interface: description: Specify interface to perform PCAP on. @@ -254,7 +254,7 @@ atomic_tests: description: | Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds. supported_platforms: - - freebsd + - linux:freebsd input_arguments: ifname: description: Specify interface to perform PCAP on. @@ -288,7 +288,7 @@ atomic_tests: description: | Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds. supported_platforms: - - freebsd + - linux:freebsd input_arguments: ifname: description: Specify interface to perform PCAP on. diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml index 181a534cfb..d462b9ff72 100644 --- a/atomics/T1046/T1046.yaml +++ b/atomics/T1046/T1046.yaml @@ -69,13 +69,13 @@ atomic_tests: name: sh elevation_required: true - name: Port Scan Nmap for FreeBSD - auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048 + auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048 description: | Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout. supported_platforms: - - freebsd + - linux:freebsd input_arguments: host: description: Host to scan. diff --git a/atomics/T1048.002/T1048.002.yaml b/atomics/T1048.002/T1048.002.yaml index b3cffe022e..09691e2b0b 100644 --- a/atomics/T1048.002/T1048.002.yaml +++ b/atomics/T1048.002/T1048.002.yaml 
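Review bot: In the T1046 hunk at line 69 the `auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048` line is removed and re-added with no visible difference, which points to a whitespace-only edit (most likely trailing whitespace or a changed indent on the new line). YAML strips trailing whitespace from a plain scalar so the GUID value itself is unaffected, but an indent change would move the key out of the test mapping, and either way yamllint's `trailing-spaces`/`indentation` rules would reject it and the churn hides the one real change in the hunk. Drop that line pair from the commit so the hunk only carries the `- linux:freebsd` substitution.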
@@ -46,7 +46,7 @@ atomic_tests: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: input_file: description: Test file to upload diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml index 7efb1e71cb..b89faee2cf 100644 --- a/atomics/T1048.003/T1048.003.yaml +++ b/atomics/T1048.003/T1048.003.yaml @@ -10,7 +10,7 @@ atomic_tests: supported_platforms: - macos - linux - - freebsd + - linux:freebsd executor: steps: | 1. Victim System Configuration: @@ -53,7 +53,7 @@ atomic_tests: description: | Exfiltration of specified file over DNS protocol. supported_platforms: - - freebsd + - linux:freebsd - linux executor: steps: | @@ -223,7 +223,7 @@ atomic_tests: description: | An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: false diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml index e5c5118451..734c1fe34c 100644 --- a/atomics/T1048/T1048.yaml +++ b/atomics/T1048/T1048.yaml @@ -12,7 +12,7 @@ atomic_tests: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: domain: description: target SSH domain @@ -33,7 +33,7 @@ atomic_tests: supported_platforms: - macos - linux - - freebsd + - linux:freebsd input_arguments: user_name: description: username for domain diff --git a/atomics/T1049/T1049.yaml b/atomics/T1049/T1049.yaml index 5732637e55..eadde4bbd5 100644 --- a/atomics/T1049/T1049.yaml +++ b/atomics/T1049/T1049.yaml @@ -34,7 +34,7 @@ atomic_tests: Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout. supported_platforms: - - freebsd + - linux:freebsd - linux - macos dependency_executor_name: sh 
diff --git a/atomics/T1053.002/T1053.002.yaml b/atomics/T1053.002/T1053.002.yaml index dcbf5aaf4e..885e20f8ce 100644 --- a/atomics/T1053.002/T1053.002.yaml +++ b/atomics/T1053.002/T1053.002.yaml @@ -60,7 +60,7 @@ atomic_tests: This test submits a command to be run in the future by the `at` daemon. supported_platforms: - - freebsd + - linux:freebsd input_arguments: time_spec: diff --git a/atomics/T1053.003/T1053.003.yaml b/atomics/T1053.003/T1053.003.yaml index 82a92625f4..d967c0a069 100644 --- a/atomics/T1053.003/T1053.003.yaml +++ b/atomics/T1053.003/T1053.003.yaml @@ -6,7 +6,7 @@ atomic_tests: description: | This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -59,7 +59,7 @@ atomic_tests: description: | This test adds a script to /etc/cron.d folder configured to execute on a schedule. supported_platforms: - - freebsd + - linux:freebsd input_arguments: command: description: Command to execute diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index 7409e61d9c..1855ccd466 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml @@ -95,7 +95,7 @@ atomic_tests: To gain persistence the command could be added to the users .shrc or .profile supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: | @@ -121,7 +121,7 @@ atomic_tests: To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ supported_platforms: - - freebsd + - linux:freebsd - linux dependency_executor_name: sh dependencies: diff --git a/atomics/T1057/T1057.yaml b/atomics/T1057/T1057.yaml index 9e21967c9c..9e9121372a 100644 --- a/atomics/T1057/T1057.yaml +++ b/atomics/T1057/T1057.yaml 
@@ -8,7 +8,7 @@ atomic_tests: Upon successful execution, sh will execute ps and output to /tmp/loot.txt. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml index a303aa2a30..adca5cc16d 100644 --- a/atomics/T1059.004/T1059.004.yaml +++ b/atomics/T1059.004/T1059.004.yaml @@ -6,7 +6,7 @@ atomic_tests: description: | Creates and executes a simple sh script. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -30,7 +30,7 @@ atomic_tests: Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -105,7 +105,7 @@ atomic_tests: description: | An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed. supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh @@ -122,7 +122,7 @@ atomic_tests: description: | An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running. supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh @@ -136,7 +136,7 @@ atomic_tests: description: | An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host. supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh 
@@ -148,7 +148,7 @@ atomic_tests: description: | An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here! supported_platforms: - - freebsd + - linux:freebsd - linux executor: name: sh @@ -173,7 +173,7 @@ atomic_tests: description: | An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: false @@ -210,7 +210,7 @@ atomic_tests: description: | An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/sh shell, changes the users shell to sh, then deletes the art user. supported_platforms: - - freebsd + - linux:freebsd dependencies: - description: | chsh - change login shell, must be installed @@ -247,7 +247,7 @@ atomic_tests: description: | An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/sh supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: false 
@@ -293,7 +293,7 @@ atomic_tests: description: | An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command. supported_platforms: - - freebsd + - linux:freebsd input_arguments: remote_url: description: url of remote payload diff --git a/atomics/T1059.006/T1059.006.yaml b/atomics/T1059.006/T1059.006.yaml index 755d41ffa2..dad86df24d 100644 --- a/atomics/T1059.006/T1059.006.yaml +++ b/atomics/T1059.006/T1059.006.yaml @@ -5,7 +5,7 @@ atomic_tests: auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb description: Download and execute shell script and write to file then execute locally using Python -c (command mode) supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: script_url: @@ -43,7 +43,7 @@ atomic_tests: auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 description: Create Python file (.py) that downloads and executes shell script via executor arguments supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: python_script_name: @@ -97,7 +97,7 @@ atomic_tests: description: | Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: python_script_name: 
@@ -156,7 +156,7 @@ atomic_tests: description: | Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence supported_platforms: - - freebsd + - linux:freebsd - linux dependencies: - description: | diff --git a/atomics/T1069.001/T1069.001.yaml b/atomics/T1069.001/T1069.001.yaml index 0a6b60a8a9..5309d8abba 100644 --- a/atomics/T1069.001/T1069.001.yaml +++ b/atomics/T1069.001/T1069.001.yaml @@ -6,7 +6,7 @@ atomic_tests: description: | Permission Groups Discovery supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml index 4ce8a27dc4..52706eae27 100644 --- a/atomics/T1070.002/T1070.002.yaml +++ b/atomics/T1070.002/T1070.002.yaml @@ -37,7 +37,7 @@ atomic_tests: description: | Delete messages and security logs supported_platforms: - - freebsd + - linux:freebsd executor: command: | rm -rf /var/log/messages @@ -86,7 +86,7 @@ atomic_tests: description: | This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content supported_platforms: - - freebsd + - linux:freebsd executor: command: | truncate -s 0 /var/log/messages #size parameter shorthand @@ -124,7 +124,7 @@ atomic_tests: description: | The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility supported_platforms: - - freebsd + - linux:freebsd executor: command: | cat /dev/null > /var/log/messages #truncating the file to zero bytes 
@@ -187,7 +187,7 @@ atomic_tests: description: | This test overwrites the contents of system log file with an empty string using echo utility supported_platforms: - - freebsd + - linux:freebsd executor: command: | echo '' > /var/log/messages @@ -234,7 +234,7 @@ atomic_tests: description: | This test deletes the messages log file using unlink utility supported_platforms: - - freebsd + - linux:freebsd executor: command: | unlink /var/log/messages diff --git a/atomics/T1070.003/T1070.003.yaml b/atomics/T1070.003/T1070.003.yaml index 1dea212516..c8edb60584 100644 --- a/atomics/T1070.003/T1070.003.yaml +++ b/atomics/T1070.003/T1070.003.yaml @@ -17,7 +17,7 @@ atomic_tests: description: | Clears sh history via rm supported_platforms: - - freebsd + - linux:freebsd executor: command: | rm ~/.sh_history @@ -38,7 +38,7 @@ atomic_tests: description: | Clears sh history via echo supported_platforms: - - freebsd + - linux:freebsd executor: command: | echo "" > ~/.sh_history @@ -59,7 +59,7 @@ atomic_tests: description: | Clears sh history via cat /dev/null supported_platforms: - - freebsd + - linux:freebsd executor: command: | cat /dev/null > ~/.sh_history @@ -81,7 +81,7 @@ atomic_tests: description: | Clears sh history via a symlink to /dev/null supported_platforms: - - freebsd + - linux:freebsd executor: command: | ln -sf /dev/null ~/.sh_history @@ -101,7 +101,7 @@ atomic_tests: description: | Clears sh history via truncate supported_platforms: - - freebsd + - linux:freebsd executor: command: | truncate -s0 ~/.sh_history @@ -124,7 +124,7 @@ atomic_tests: description: | Clears the history of a bunch of different shell types by setting the history size to zero supported_platforms: - - freebsd + - linux:freebsd executor: command: | unset HISTFILE 
@@ -192,7 +192,7 @@ atomic_tests: description: | Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog supported_platforms: - - freebsd + - linux:freebsd dependencies: - description: | Install sshpass and create user account used for excuting diff --git a/atomics/T1070.004/T1070.004.yaml b/atomics/T1070.004/T1070.004.yaml index 450ff34495..8050b77c35 100644 --- a/atomics/T1070.004/T1070.004.yaml +++ b/atomics/T1070.004/T1070.004.yaml @@ -6,7 +6,7 @@ atomic_tests: description: | Delete a single file from the temporary directory supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -37,7 +37,7 @@ atomic_tests: description: | Recursively delete the temporary directory and all files contained within it supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -182,7 +182,7 @@ atomic_tests: description: | This test deletes the entire root filesystem of a FreeBSD system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. supported_platforms: - - freebsd + - linux:freebsd executor: command: | chflags -R 0 / diff --git a/atomics/T1070.006/T1070.006.yaml b/atomics/T1070.006/T1070.006.yaml index dbf3ec2a48..9921290648 100644 --- a/atomics/T1070.006/T1070.006.yaml +++ b/atomics/T1070.006/T1070.006.yaml @@ -6,7 +6,7 @@ atomic_tests: description: | Stomps on the access timestamp of a file supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -33,7 +33,7 @@ atomic_tests: description: | Stomps on the modification timestamp of a file supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: 
@@ -62,7 +62,7 @@ atomic_tests: Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -88,7 +88,7 @@ atomic_tests: This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1071.001/T1071.001.yaml b/atomics/T1071.001/T1071.001.yaml index d36408fe06..d21f2f0b09 100644 --- a/atomics/T1071.001/T1071.001.yaml +++ b/atomics/T1071.001/T1071.001.yaml @@ -66,7 +66,7 @@ atomic_tests: This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1074.001/T1074.001.yaml b/atomics/T1074.001/T1074.001.yaml index e88d880fc7..da568bcedd 100644 --- a/atomics/T1074.001/T1074.001.yaml +++ b/atomics/T1074.001/T1074.001.yaml @@ -40,7 +40,7 @@ atomic_tests: description: | Utilize curl to download discovery.sh and execute a basic information gathering shell script supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Location to save downloaded discovery.bat file diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml index 364f82b090..53c750520e 100644 --- a/atomics/T1078.003/T1078.003.yaml +++ b/atomics/T1078.003/T1078.003.yaml 
@@ -123,7 +123,7 @@ atomic_tests: description: | An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -164,7 +164,7 @@ atomic_tests: In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true @@ -206,7 +206,7 @@ atomic_tests: description: | An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml index 1e1bf18f58..b2da7557a3 100644 --- a/atomics/T1082/T1082.yaml +++ b/atomics/T1082/T1082.yaml @@ -28,7 +28,7 @@ atomic_tests: description: | Identify System Info supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -85,7 +85,7 @@ atomic_tests: description: | Identify virtual machine host kernel modules. supported_platforms: - - freebsd + - linux:freebsd executor: command: | kldstat | grep -i "vmm" @@ -106,7 +106,7 @@ atomic_tests: description: | Identify system hostname for FreeBSD, Linux and macOS systems. supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -165,7 +165,7 @@ atomic_tests: description: | Identify all environment variables. Upon execution, environments variables and your path info will be displayed. supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: 
@@ -369,7 +369,7 @@ atomic_tests: description: | Enumerate kernel modules loaded. Upon successful execution stdout will display kernel modules loaded, followed by list of modules matching 'vmm' if present. supported_platforms: - - freebsd + - linux:freebsd executor: command: | kldstat diff --git a/atomics/T1083/T1083.yaml b/atomics/T1083/T1083.yaml index 0bb52bc2a9..a593753c79 100644 --- a/atomics/T1083/T1083.yaml +++ b/atomics/T1083/T1083.yaml @@ -47,7 +47,7 @@ atomic_tests: https://perishablepress.com/list-files-folders-recursively-terminal/ supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -73,7 +73,7 @@ atomic_tests: description: | Find or discover files on the file system supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: diff --git a/atomics/T1087.001/T1087.001.yaml b/atomics/T1087.001/T1087.001.yaml index b26b750812..1412ea6089 100644 --- a/atomics/T1087.001/T1087.001.yaml +++ b/atomics/T1087.001/T1087.001.yaml @@ -6,7 +6,7 @@ atomic_tests: description: | Enumerate all accounts by copying /etc/passwd to another file supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -25,7 +25,7 @@ atomic_tests: description: | (requires root) supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -47,7 +47,7 @@ atomic_tests: description: | View accounts with UID 0 supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -68,7 +68,7 @@ atomic_tests: description: | List opened files by user supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: @@ -114,7 +114,7 @@ atomic_tests: description: | Show if a user account has ever logged in remotely supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Path where captured results will be placed 
@@ -133,7 +133,7 @@ atomic_tests: description: | Utilize groups and id to enumerate users and groups supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: diff --git a/atomics/T1090.001/T1090.001.yaml b/atomics/T1090.001/T1090.001.yaml index e1993f4cb7..62a54b8403 100644 --- a/atomics/T1090.001/T1090.001.yaml +++ b/atomics/T1090.001/T1090.001.yaml @@ -8,7 +8,7 @@ atomic_tests: Note that this test may conflict with pre-existing system configuration. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: diff --git a/atomics/T1090.003/T1090.003.yaml b/atomics/T1090.003/T1090.003.yaml index f1bb3ab70e..965252f8a8 100644 --- a/atomics/T1090.003/T1090.003.yaml +++ b/atomics/T1090.003/T1090.003.yaml @@ -124,7 +124,7 @@ atomic_tests: This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy service will be launched. supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: | diff --git a/atomics/T1098.004/T1098.004.yaml b/atomics/T1098.004/T1098.004.yaml index c3b718a043..a37f88d382 100644 --- a/atomics/T1098.004/T1098.004.yaml +++ b/atomics/T1098.004/T1098.004.yaml @@ -9,7 +9,7 @@ atomic_tests: Modify contents of /.ssh/authorized_keys to maintain persistence on victim host. If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file. supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index 49e132c414..591aee455d 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml 
@@ -6,7 +6,7 @@ atomic_tests: description: | Utilize rsync to perform a remote file copy (push) supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -44,7 +44,7 @@ atomic_tests: description: | Utilize rsync to perform a remote file copy (pull) supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -81,7 +81,7 @@ atomic_tests: description: | Utilize scp to perform a remote file copy (push) supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -110,7 +110,7 @@ atomic_tests: description: | Utilize scp to perform a remote file copy (pull) supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -139,7 +139,7 @@ atomic_tests: description: | Utilize sftp to perform a remote file copy (push) supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -168,7 +168,7 @@ atomic_tests: description: | Utilize sftp to perform a remote file copy (pull) supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -359,7 +359,7 @@ atomic_tests: description: | Download a remote file using the whois utility supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml index de382e14ba..9bf5e671e3 100644 --- a/atomics/T1110.001/T1110.001.yaml +++ b/atomics/T1110.001/T1110.001.yaml @@ -234,7 +234,7 @@ atomic_tests: This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user supported_platforms: - - freebsd + - linux:freebsd input_arguments: remote_url: description: url of remote payload diff --git a/atomics/T1110.004/T1110.004.yaml b/atomics/T1110.004/T1110.004.yaml index 88c4dfc6dc..0f7c263ec5 100644 --- a/atomics/T1110.004/T1110.004.yaml +++ b/atomics/T1110.004/T1110.004.yaml 
@@ -69,7 +69,7 @@ atomic_tests: Using username,password combination from a password dump to login over SSH. supported_platforms: - - freebsd + - linux:freebsd input_arguments: target_host: diff --git a/atomics/T1113/T1113.yaml b/atomics/T1113/T1113.yaml index 49c80bdebf..32e2adf16e 100644 --- a/atomics/T1113/T1113.yaml +++ b/atomics/T1113/T1113.yaml @@ -74,7 +74,7 @@ atomic_tests: description: | Use xwd command to collect a full desktop screenshot and review file with xwud supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Output file path @@ -126,7 +126,7 @@ atomic_tests: description: | Use import command from ImageMagick to collect a full desktop screenshot supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Output file path diff --git a/atomics/T1124/T1124.yaml b/atomics/T1124/T1124.yaml index d5f09415d1..77f3faf7e1 100644 --- a/atomics/T1124/T1124.yaml +++ b/atomics/T1124/T1124.yaml @@ -32,7 +32,7 @@ atomic_tests: description: | Identify system time. Upon execution, the local computer system time and timezone will be displayed. supported_platforms: - - freebsd + - linux:freebsd - macos executor: command: | diff --git a/atomics/T1132.001/T1132.001.yaml b/atomics/T1132.001/T1132.001.yaml index 644da9a3e3..b66dbba8cc 100644 --- a/atomics/T1132.001/T1132.001.yaml +++ b/atomics/T1132.001/T1132.001.yaml @@ -27,7 +27,7 @@ atomic_tests: description: | Utilizing a common technique for posting base64 encoded data. supported_platforms: - - freebsd + - linux:freebsd input_arguments: destination_url: description: Destination URL to post encoded data. diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index b34b398743..ecf813ed65 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml 
@@ -51,7 +51,7 @@ atomic_tests: description: | Network Share Discovery using smbstatus supported_platforms: - - freebsd + - linux:freebsd input_arguments: package_checker: description: Package checking command. pkg info -x samba diff --git a/atomics/T1136.001/T1136.001.yaml b/atomics/T1136.001/T1136.001.yaml index 6055d81e03..f662fc1c66 100644 --- a/atomics/T1136.001/T1136.001.yaml +++ b/atomics/T1136.001/T1136.001.yaml @@ -24,7 +24,7 @@ atomic_tests: description: | Create a user via pw supported_platforms: - - freebsd + - linux:freebsd input_arguments: username: description: Username of the user to create @@ -134,7 +134,7 @@ atomic_tests: description: | Creates a new user in FreeBSD and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. supported_platforms: - - freebsd + - linux:freebsd input_arguments: username: description: Username of the user to create diff --git a/atomics/T1140/T1140.yaml b/atomics/T1140/T1140.yaml index 8c40db5f81..6b0017903f 100644 --- a/atomics/T1140/T1140.yaml +++ b/atomics/T1140/T1140.yaml @@ -47,7 +47,7 @@ atomic_tests: description: | Use Python to decode a base64-encoded text string and echo it to the console supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -82,7 +82,7 @@ atomic_tests: description: | Use Perl to decode a base64-encoded text string and echo it to the console supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -143,7 +143,7 @@ atomic_tests: description: | Use common shell utilities to decode a base64-encoded text string and echo it to the console supported_platforms: - - freebsd + - linux:freebsd input_arguments: message: description: Message to print to the screen 
@@ -170,7 +170,7 @@ atomic_tests: description: | Using b64decode shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it. supported_platforms: - - freebsd + - linux:freebsd input_arguments: bash_encoded: description: Encoded #!/bin/bash script @@ -208,7 +208,7 @@ atomic_tests: description: | Use common shell utilities to decode a hex-encoded text string and echo it to the console supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1176/T1176.yaml b/atomics/T1176/T1176.yaml index 5e320a2e52..20582b88b6 100644 --- a/atomics/T1176/T1176.yaml +++ b/atomics/T1176/T1176.yaml @@ -5,7 +5,7 @@ atomic_tests: auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos @@ -23,7 +23,7 @@ atomic_tests: auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f description: Install the "Minimum Viable Malicious Extension" Chrome extension supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos @@ -39,7 +39,7 @@ atomic_tests: description: | Create a file called test.wma, with the duration of 30 seconds supported_platforms: - - freebsd + - linux:freebsd - linux - windows - macos diff --git a/atomics/T1201/T1201.yaml b/atomics/T1201/T1201.yaml index bb17bdb9f5..562ee35af7 100644 --- a/atomics/T1201/T1201.yaml +++ b/atomics/T1201/T1201.yaml 
@@ -16,7 +16,7 @@ atomic_tests: description: | Lists the password complexity policy to console on FreeBSD. supported_platforms: - - freebsd + - linux:freebsd executor: command: | cat /etc/pam.d/passwd diff --git a/atomics/T1217/T1217.yaml b/atomics/T1217/T1217.yaml index f9000d9a5a..121a87e0fc 100644 --- a/atomics/T1217/T1217.yaml +++ b/atomics/T1217/T1217.yaml @@ -6,7 +6,7 @@ atomic_tests: description: | Searches for Mozilla Firefox's places.sqlite file (on FreeBSD or Linux distributions) that contains bookmarks and lists any found instances to a text file. supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: output_file: @@ -61,7 +61,7 @@ atomic_tests: description: | Searches for Google Chromium's Bookmark file (on FreeBSD) that contains bookmarks in JSON format and lists any found instances to a text file. supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Path where captured results will be placed. diff --git a/atomics/T1222.002/T1222.002.yaml b/atomics/T1222.002/T1222.002.yaml index f2f061cc94..aaafdd542f 100644 --- a/atomics/T1222.002/T1222.002.yaml +++ b/atomics/T1222.002/T1222.002.yaml @@ -6,7 +6,7 @@ atomic_tests: description: | Changes a file or folder's permissions using chmod and a specified numeric mode. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -27,7 +27,7 @@ atomic_tests: description: | Changes a file or folder's permissions using chmod and a specified symbolic mode. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -48,7 +48,7 @@ atomic_tests: description: | Changes a file or folder's permissions recursively using chmod and a specified numeric mode. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: 
@@ -69,7 +69,7 @@ atomic_tests: description: | Changes a file or folder's permissions recursively using chmod and a specified symbolic mode. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -138,7 +138,7 @@ atomic_tests: description: | Changes a file or folder's ownership only using chown. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -197,7 +197,7 @@ atomic_tests: Remove's a file's `immutable` attribute using `chflags`. This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - freebsd + - linux:freebsd input_arguments: file_to_modify: description: Path of the file @@ -242,7 +242,7 @@ atomic_tests: description: | chmods a file using a c script supported_platforms: - - freebsd + - linux:freebsd input_arguments: source_file: description: Path of c source file @@ -299,7 +299,7 @@ atomic_tests: description: | chowns a file to root using a c script supported_platforms: - - freebsd + - linux:freebsd input_arguments: source_file: description: Path of c source file diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml index 066d2394d9..9ecac31b46 100644 --- a/atomics/T1485/T1485.yaml +++ b/atomics/T1485/T1485.yaml @@ -39,7 +39,7 @@ atomic_tests: Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml index e4a1ffb9c8..bb50c6bcee 100644 --- a/atomics/T1486/T1486.yaml +++ b/atomics/T1486/T1486.yaml @@ -6,7 +6,7 @@ atomic_tests: description: | Uses gpg to encrypt a file supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: @@ -46,7 +46,7 @@ atomic_tests: description: | Uses 7z to encrypt a file supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: 
@@ -83,7 +83,7 @@ atomic_tests: description: | Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: cped_file_path: @@ -126,7 +126,7 @@ atomic_tests: description: | Uses openssl to encrypt a file supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: private_key_path: diff --git a/atomics/T1496/T1496.yaml b/atomics/T1496/T1496.yaml index 22639ed13e..52908f08ba 100644 --- a/atomics/T1496/T1496.yaml +++ b/atomics/T1496/T1496.yaml @@ -7,7 +7,7 @@ atomic_tests: This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break. supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: diff --git a/atomics/T1497.001/T1497.001.yaml b/atomics/T1497.001/T1497.001.yaml index 4db33c25ba..77aa1cc6f7 100644 --- a/atomics/T1497.001/T1497.001.yaml +++ b/atomics/T1497.001/T1497.001.yaml @@ -21,7 +21,7 @@ atomic_tests: Detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: true diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml index 9d2af25e5b..652e39eeb1 100644 --- a/atomics/T1518.001/T1518.001.yaml +++ b/atomics/T1518.001/T1518.001.yaml @@ -79,7 +79,7 @@ atomic_tests: Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. supported_platforms: - - freebsd + - linux:freebsd executor: command: | pgrep -l 'bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd' diff --git a/atomics/T1529/T1529.yaml b/atomics/T1529/T1529.yaml index 15d9e49d4f..b30c5899c1 100644 
--- a/atomics/T1529/T1529.yaml +++ b/atomics/T1529/T1529.yaml @@ -38,7 +38,7 @@ atomic_tests: description: | This test restarts a FreeBSD/macOS/Linux system. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -56,7 +56,7 @@ atomic_tests: description: | This test shuts down a FreeBSD/macOS/Linux system using a halt. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -74,7 +74,7 @@ atomic_tests: description: | This test restarts a FreeBSD/macOS/Linux system via `reboot`. supported_platforms: - - freebsd + - linux:freebsd - macos - linux executor: @@ -87,7 +87,7 @@ atomic_tests: description: | This test shuts down a FreeBSD/Linux system using `halt`. supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: | @@ -99,7 +99,7 @@ atomic_tests: description: | This test restarts a FreeBSD system using `halt`. supported_platforms: - - freebsd + - linux:freebsd executor: command: | halt -r @@ -121,7 +121,7 @@ atomic_tests: description: | This test shuts down a FreeBSD/Linux system using `poweroff`. supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: | @@ -133,7 +133,7 @@ atomic_tests: description: | This test restarts a FreeBSD system using `poweroff`. supported_platforms: - - freebsd + - linux:freebsd executor: command: | poweroff -r 3 diff --git a/atomics/T1543.002/T1543.002.yaml b/atomics/T1543.002/T1543.002.yaml index 90cd2d339e..c980cc74be 100644 --- a/atomics/T1543.002/T1543.002.yaml +++ b/atomics/T1543.002/T1543.002.yaml @@ -70,7 +70,7 @@ atomic_tests: description: | This test creates a SysV service unit file and enables it as a service. supported_platforms: - - freebsd + - linux:freebsd input_arguments: rc_service_path: description: Path to rc service file diff --git a/atomics/T1546.004/T1546.004.yaml b/atomics/T1546.004/T1546.004.yaml index 6905ff2207..26c9f27f36 100644 --- a/atomics/T1546.004/T1546.004.yaml +++ b/atomics/T1546.004/T1546.004.yaml 
@@ -44,7 +44,7 @@ atomic_tests: description: | Adds a command to the .shrc file of the current user supported_platforms: - - freebsd + - linux:freebsd input_arguments: command_to_add: description: Command to add to the .shrc file @@ -62,7 +62,7 @@ atomic_tests: description: | An adversary may wish to establish persistence by executing malicious commands from the systems /etc/profile every time "any" user logs in. supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: text_to_append: @@ -81,7 +81,7 @@ atomic_tests: description: | An adversary may wish to establish persistence by executing malicious commands from the users ~/.profile every time the "user" logs in. supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: text_to_append: diff --git a/atomics/T1546.005/T1546.005.yaml b/atomics/T1546.005/T1546.005.yaml index d294cf3480..a2341e0e2c 100644 --- a/atomics/T1546.005/T1546.005.yaml +++ b/atomics/T1546.005/T1546.005.yaml @@ -21,7 +21,7 @@ atomic_tests: Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: | @@ -56,7 +56,7 @@ atomic_tests: Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: | diff --git a/atomics/T1548.001/T1548.001.yaml b/atomics/T1548.001/T1548.001.yaml index bb1863e2b9..b302c28428 100644 --- a/atomics/T1548.001/T1548.001.yaml +++ b/atomics/T1548.001/T1548.001.yaml @@ -31,7 +31,7 @@ atomic_tests: description: | Make, change owner, and change file attributes on a C source code file supported_platforms: - - freebsd + - linux:freebsd input_arguments: payload: description: hello.c payload 
@@ -76,7 +76,7 @@ atomic_tests: description: | This test sets the SetUID flag on a file in FreeBSD. supported_platforms: - - freebsd + - linux:freebsd input_arguments: file_to_setuid: description: Path of file to set SetUID flag @@ -117,7 +117,7 @@ atomic_tests: description: | This test sets the SetGID flag on a file in FreeBSD. supported_platforms: - - freebsd + - linux:freebsd input_arguments: file_to_setuid: description: Path of file to set SetGID flag @@ -180,7 +180,7 @@ atomic_tests: description: | This test simulates a command that can be run to enumerate files that have the setuid bit set supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: | @@ -191,7 +191,7 @@ atomic_tests: description: | This test simulates a command that can be run to enumerate files that have the setgid bit set supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: | diff --git a/atomics/T1548.003/T1548.003.yaml b/atomics/T1548.003/T1548.003.yaml index a78f343b1a..bbff4124d6 100644 --- a/atomics/T1548.003/T1548.003.yaml +++ b/atomics/T1548.003/T1548.003.yaml @@ -26,7 +26,7 @@ atomic_tests: Common Sudo enumeration methods. supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: @@ -68,7 +68,7 @@ atomic_tests: Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system. supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: @@ -109,7 +109,7 @@ atomic_tests: Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system. supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: diff --git a/atomics/T1552.001/T1552.001.yaml b/atomics/T1552.001/T1552.001.yaml index b57b6da5ea..fe4632f85d 100644 --- a/atomics/T1552.001/T1552.001.yaml 
+++ b/atomics/T1552.001/T1552.001.yaml @@ -6,7 +6,7 @@ atomic_tests: description: | Find local AWS credentials from file, defaults to using / as the look path. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -34,7 +34,7 @@ atomic_tests: description: | Extracting credentials from files supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -78,7 +78,7 @@ atomic_tests: This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: diff --git a/atomics/T1552.003/T1552.003.yaml b/atomics/T1552.003/T1552.003.yaml index 8f3b8091b0..05e3b589f4 100644 --- a/atomics/T1552.003/T1552.003.yaml +++ b/atomics/T1552.003/T1552.003.yaml @@ -30,7 +30,7 @@ atomic_tests: description: | Search through sh history for specifice commands we want to capture supported_platforms: - - freebsd + - linux:freebsd input_arguments: output_file: description: Path where captured results will be placed diff --git a/atomics/T1552.004/T1552.004.yaml b/atomics/T1552.004/T1552.004.yaml index 87acc196e4..4ab1fd9413 100644 --- a/atomics/T1552.004/T1552.004.yaml +++ b/atomics/T1552.004/T1552.004.yaml @@ -18,7 +18,7 @@ atomic_tests: description: | Discover private SSH keys on a FreeBSD, macOS or Linux system. supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: @@ -65,7 +65,7 @@ atomic_tests: description: | Copy private SSH keys on a FreeBSD system to a staging folder using the `cp` command. supported_platforms: - - freebsd + - linux:freebsd input_arguments: search_path: description: Path where to start searching from. 
@@ -119,7 +119,7 @@ atomic_tests: description: | Copy private SSH keys on a FreeBSD system to a staging folder using the `rsync` command. supported_platforms: - - freebsd + - linux:freebsd input_arguments: search_path: description: Path where to start searching from. @@ -173,7 +173,7 @@ atomic_tests: description: | Copy the users GnuPG (.gnupg) directory on a FreeBSD system to a staging folder using the `rsync` command. supported_platforms: - - freebsd + - linux:freebsd input_arguments: search_path: description: Path where to start searching from diff --git a/atomics/T1553.004/T1553.004.yaml b/atomics/T1553.004/T1553.004.yaml index f02b11a4b1..9038978bf5 100644 --- a/atomics/T1553.004/T1553.004.yaml +++ b/atomics/T1553.004/T1553.004.yaml @@ -32,7 +32,7 @@ atomic_tests: description: | Creates a root CA with openssl supported_platforms: - - freebsd + - linux:freebsd input_arguments: cert_filename: description: Path of the CA certificate we create diff --git a/atomics/T1556.003/T1556.003.yaml b/atomics/T1556.003/T1556.003.yaml index eef4f74f9d..663698d015 100644 --- a/atomics/T1556.003/T1556.003.yaml +++ b/atomics/T1556.003/T1556.003.yaml @@ -36,7 +36,7 @@ atomic_tests: Upon successful execution, this test will insert a rule that allows every user to su to root without a password. supported_platforms: - - freebsd + - linux:freebsd input_arguments: path_to_pam_conf: description: PAM config file to modify. diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml index e9aa604c9f..63840fe083 100644 --- a/atomics/T1560.001/T1560.001.yaml +++ b/atomics/T1560.001/T1560.001.yaml @@ -193,7 +193,7 @@ atomic_tests: description: | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: 
@@ -217,7 +217,7 @@ atomic_tests: description: | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: @@ -248,7 +248,7 @@ atomic_tests: description: | Encrypt data for exiltration supported_platforms: - - freebsd + - linux:freebsd - macos - linux input_arguments: diff --git a/atomics/T1560.002/T1560.002.yaml b/atomics/T1560.002/T1560.002.yaml index 524ad293ab..04c2cd67fc 100644 --- a/atomics/T1560.002/T1560.002.yaml +++ b/atomics/T1560.002/T1560.002.yaml @@ -7,7 +7,7 @@ atomic_tests: description: | Uses GZip from Python to compress files supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: @@ -39,7 +39,7 @@ atomic_tests: description: | Uses bz2 from Python to compress files supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: @@ -71,7 +71,7 @@ atomic_tests: description: | Uses zipfile from Python to compress files supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: @@ -103,7 +103,7 @@ atomic_tests: description: | Uses tarfile from Python to compress files supported_platforms: - - freebsd + - linux:freebsd - linux input_arguments: path_to_input_file: diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml index b7d731a610..3626006fbf 100644 --- a/atomics/T1562.001/T1562.001.yaml +++ b/atomics/T1562.001/T1562.001.yaml @@ -44,7 +44,7 @@ atomic_tests: description: | Disables syslog collection supported_platforms: - - freebsd + - linux:freebsd executor: command: | service syslogd stop 
@@ -850,7 +850,7 @@ atomic_tests: disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional payload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux. supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: | diff --git a/atomics/T1562.003/T1562.003.yaml b/atomics/T1562.003/T1562.003.yaml index 84c68a8418..793a29fb42 100644 --- a/atomics/T1562.003/T1562.003.yaml +++ b/atomics/T1562.003/T1562.003.yaml @@ -23,7 +23,7 @@ atomic_tests: description: | Disables history collection in shells supported_platforms: - - freebsd + - linux:freebsd input_arguments: evil_command: description: Command to run after shell history collection is disabled @@ -125,7 +125,7 @@ atomic_tests: Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: false @@ -163,7 +163,7 @@ atomic_tests: Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null. supported_platforms: - - freebsd + - linux:freebsd executor: name: sh elevation_required: false diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml index 3e204f449d..88206d9c44 100644 --- a/atomics/T1562.004/T1562.004.yaml +++ b/atomics/T1562.004/T1562.004.yaml @@ -117,7 +117,7 @@ atomic_tests: description: | Stop the Packet Filter if installed. supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: | 
@@ -213,7 +213,7 @@ atomic_tests: description: | Add and delete a rule on the Packet Filter (PF) if installed and enabled. supported_platforms: - - freebsd + - linux:freebsd dependency_executor_name: sh dependencies: - description: | diff --git a/atomics/T1562.006/T1562.006.yaml b/atomics/T1562.006/T1562.006.yaml index a30e25e5a3..40627e0f7f 100644 --- a/atomics/T1562.006/T1562.006.yaml +++ b/atomics/T1562.006/T1562.006.yaml @@ -42,7 +42,7 @@ atomic_tests: description: | Emulates modification of auditd configuration files supported_platforms: - - freebsd + - linux:freebsd input_arguments: auditd_config_file_name: description: The name of the auditd configuration file to be changed @@ -102,7 +102,7 @@ atomic_tests: description: | Emulates modification of syslog configuration. supported_platforms: - - freebsd + - linux:freebsd input_arguments: syslog_config_file_name: description: The name of the syslog configuration file to be changed diff --git a/atomics/T1564.001/T1564.001.yaml b/atomics/T1564.001/T1564.001.yaml index 1d530fa07b..25f9d0bf63 100644 --- a/atomics/T1564.001/T1564.001.yaml +++ b/atomics/T1564.001/T1564.001.yaml @@ -6,7 +6,7 @@ atomic_tests: description: | Creates a hidden file inside a hidden directory supported_platforms: - - freebsd + - linux:freebsd - linux - macos executor: diff --git a/atomics/T1571/T1571.yaml b/atomics/T1571/T1571.yaml index 0f8cb3ab03..55267caee0 100644 --- a/atomics/T1571/T1571.yaml +++ b/atomics/T1571/T1571.yaml @@ -26,7 +26,7 @@ atomic_tests: description: | Testing uncommonly used port utilizing telnet. supported_platforms: - - freebsd + - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1614.001/T1614.001.yaml b/atomics/T1614.001/T1614.001.yaml index a28e04df55..62082b6b31 100644 --- a/atomics/T1614.001/T1614.001.yaml +++ b/atomics/T1614.001/T1614.001.yaml 
@@ -33,7 +33,7 @@ atomic_tests: Upon successful execution, the output will contain the environment variables that indicate the 5 character locale that can be looked up to correlate the language and territory. supported_platforms: - - freebsd + - linux:freebsd - linux executor: command: | @@ -88,7 +88,7 @@ atomic_tests: also used as a builtin command that does not generate syscall telemetry but does provide a list of the environment variables. supported_platforms: - - freebsd + - linux:freebsd - linux dependency_executor_name: sh dependencies: diff --git a/bin/validate/atomic-red-team.schema.yaml b/bin/validate/atomic-red-team.schema.yaml index 5d15a90d12..0fbffa2947 100644 --- a/bin/validate/atomic-red-team.schema.yaml +++ b/bin/validate/atomic-red-team.schema.yaml @@ -46,7 +46,7 @@ $defs: - windows - macos - linux - - freebsd + - linux:freebsd - office-365 - azure-ad - google-workspace From c6211de5cac5a841b256f9510c43cce457f929c0 Mon Sep 17 00:00:00 2001 
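Review bot: The `linux:freebsd` value added to the `supported_platforms` enum in bin/validate/atomic-red-team.schema.yaml here is removed again by the second patch of this series (its diffstat shows the schema file losing one line), so the intermediate commit leaves every test converted in this patch (T1560.001, T1560.002, T1562.001/003/004/006, T1564.001, T1571, T1614.001) valid only against a schema value that does not survive the series. Squashing the two patches, or landing the schema enum change together with the final platform value, would avoid a bisect point where atomics carry a value the final schema rejects. If the two-step history is intentional, the description should say why `linux:freebsd` existed transiently.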
From: Hare Sudhan Date: Mon, 6 Nov 2023 17:38:09 -0500 Subject: [PATCH 2/2] renaming freebsd to linux --- atomics/T1003.007/T1003.007.yaml | 3 +-- atomics/T1003.008/T1003.008.yaml | 5 +---- atomics/T1007/T1007.yaml | 2 +- atomics/T1016/T1016.yaml | 2 +- atomics/T1018/T1018.yaml | 4 +--- atomics/T1027.001/T1027.001.yaml | 6 ++---- atomics/T1027.004/T1027.004.yaml | 3 --- atomics/T1027/T1027.yaml | 2 +- atomics/T1030/T1030.yaml | 1 - atomics/T1033/T1033.yaml | 1 - atomics/T1036.003/T1036.003.yaml | 1 - atomics/T1036.005/T1036.005.yaml | 1 - atomics/T1036.006/T1036.006.yaml | 2 +- atomics/T1037.004/T1037.004.yaml | 2 +- atomics/T1040/T1040.yaml | 6 +++--- atomics/T1046/T1046.yaml | 2 +- atomics/T1048.002/T1048.002.yaml | 1 - atomics/T1048.003/T1048.003.yaml | 4 +--- atomics/T1048/T1048.yaml | 2 -- atomics/T1049/T1049.yaml | 1 - atomics/T1053.002/T1053.002.yaml | 2 +- atomics/T1053.003/T1053.003.yaml | 5 ++--- atomics/T1056.001/T1056.001.yaml | 3 +-- atomics/T1057/T1057.yaml | 1 - atomics/T1059.004/T1059.004.yaml | 14 ++++---------- atomics/T1059.006/T1059.006.yaml | 6 +----- atomics/T1069.001/T1069.001.yaml | 3 +-- atomics/T1070.002/T1070.002.yaml | 10 +++++----- atomics/T1070.003/T1070.003.yaml | 14 +++++++------- atomics/T1070.004/T1070.004.yaml | 4 +--- atomics/T1070.006/T1070.006.yaml | 4 ---- atomics/T1071.001/T1071.001.yaml | 1 - atomics/T1074.001/T1074.001.yaml | 2 +- atomics/T1078.003/T1078.003.yaml | 6 +++--- atomics/T1082/T1082.yaml | 9 +++------ atomics/T1083/T1083.yaml | 6 ++---- atomics/T1087.001/T1087.001.yaml | 7 +------ atomics/T1090.001/T1090.001.yaml | 3 +-- atomics/T1090.003/T1090.003.yaml | 2 +- atomics/T1098.004/T1098.004.yaml | 3 +-- atomics/T1105/T1105.yaml | 7 ------- atomics/T1110.001/T1110.001.yaml | 2 +- atomics/T1110.004/T1110.004.yaml | 2 +- atomics/T1113/T1113.yaml | 4 ++-- atomics/T1124/T1124.yaml | 2 +- atomics/T1132.001/T1132.001.yaml | 2 +- atomics/T1135/T1135.yaml | 2 +- atomics/T1136.001/T1136.001.yaml | 4 ++-- 
atomics/T1140/T1140.yaml | 9 +++------ atomics/T1176/T1176.yaml | 3 --- atomics/T1201/T1201.yaml | 2 +- atomics/T1217/T1217.yaml | 3 +-- atomics/T1222.002/T1222.002.yaml | 21 ++++++++------------- atomics/T1485/T1485.yaml | 1 - atomics/T1486/T1486.yaml | 4 ---- atomics/T1496/T1496.yaml | 3 +-- atomics/T1497.001/T1497.001.yaml | 2 +- atomics/T1518.001/T1518.001.yaml | 2 +- atomics/T1529/T1529.yaml | 15 +++++---------- atomics/T1543.002/T1543.002.yaml | 2 +- atomics/T1546.004/T1546.004.yaml | 4 +--- atomics/T1546.005/T1546.005.yaml | 4 ++-- atomics/T1548.001/T1548.001.yaml | 8 +++----- atomics/T1548.003/T1548.003.yaml | 6 +++--- atomics/T1552.001/T1552.001.yaml | 7 ++----- atomics/T1552.003/T1552.003.yaml | 2 +- atomics/T1552.004/T1552.004.yaml | 9 ++++----- atomics/T1553.004/T1553.004.yaml | 2 +- atomics/T1556.003/T1556.003.yaml | 2 +- atomics/T1560.001/T1560.001.yaml | 5 +---- atomics/T1560.002/T1560.002.yaml | 4 ---- atomics/T1562.001/T1562.001.yaml | 3 +-- atomics/T1562.003/T1562.003.yaml | 6 +++--- atomics/T1562.004/T1562.004.yaml | 4 ++-- atomics/T1562.006/T1562.006.yaml | 4 ++-- atomics/T1564.001/T1564.001.yaml | 1 - atomics/T1571/T1571.yaml | 1 - atomics/T1614.001/T1614.001.yaml | 2 -- bin/validate/atomic-red-team.schema.yaml | 1 - 79 files changed, 109 insertions(+), 214 deletions(-) diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml index ab695c5157..7da4e77557 100644 --- a/atomics/T1003.007/T1003.007.yaml +++ b/atomics/T1003.007/T1003.007.yaml @@ -55,7 +55,7 @@ atomic_tests: copy process memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: @@ -102,7 +102,6 @@ atomic_tests: copy a process's heap memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - - linux:freebsd - linux input_arguments: 
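Review bot: The diffstat of this patch lists no atomics/Indexes files, so if the generated index files were updated to `linux:freebsd` alongside the atomics they will still carry that value after this patch while the schema enum no longer accepts it; either regenerate the indexes in this patch or state in the description that CI regenerates them. In the second T1003.007 hunk `- linux:freebsd` is dropped because `- linux` already follows, which is correct, but the description's `On FreeBSD procfs must be mounted` now refers to a platform the list no longer names; a comment above the list such as `# FreeBSD hosts are tagged linux; procfs must be mounted there` would keep that caveat discoverable.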
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml index ebe44a8bdb..7feb79d209 100644 --- a/atomics/T1003.008/T1003.008.yaml +++ b/atomics/T1003.008/T1003.008.yaml @@ -25,7 +25,7 @@ atomic_tests: description: | /etc/master.passwd file is accessed in FreeBSD environments supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Path where captured results will be placed @@ -44,7 +44,6 @@ atomic_tests: description: | /etc/passwd file is accessed in FreeBSD and Linux environments supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -63,7 +62,6 @@ atomic_tests: description: | Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -82,7 +80,6 @@ atomic_tests: description: | Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins supported_platforms: - - linux:freebsd - linux input_arguments: output_file: diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml index 895f33f9cc..373a48aa8c 100644 --- a/atomics/T1007/T1007.yaml +++ b/atomics/T1007/T1007.yaml @@ -50,7 +50,7 @@ atomic_tests: description: | Enumerates system service using service supported_platforms: - - linux:freebsd + - linux executor: command: | service -e diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml index 84eb000c17..6c9da3119b 100644 --- a/atomics/T1016/T1016.yaml +++ b/atomics/T1016/T1016.yaml @@ -60,7 +60,7 @@ atomic_tests: Upon successful execution, sh will spawn multiple commands and output will be via stdout. supported_platforms: - - linux:freebsd + - linux executor: command: | if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index fc6cc361ff..f33069e68c 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml 
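Review bot: The first T1003.008 hunk keeps a test described as `/etc/master.passwd file is accessed in FreeBSD environments` but now tags it `linux`, so any runner that selects atomics by `supported_platforms` will schedule it on Linux hosts where that file does not exist; the same loss of the only machine-readable FreeBSD marker affects the T1007 `service -e` hunk on this line, the `/dev/bpf` tests in T1040, the `kldstat` tests in T1082, the Packet Filter tests in T1562.004, and most seriously the T1070.004 hunk whose description says it `deletes the entire root filesystem of a FreeBSD system`. Because the schema no longer has a FreeBSD value, these tests should fail closed rather than rely on prose: add a dependency such as `dependency_executor_name: sh` / `dependencies: - description: Must run on FreeBSD` / `prereq_command: test "$(uname -s)" = FreeBSD`, or at minimum note in each description that `linux` here includes FreeBSD and the test is not expected to succeed on Linux. The executor bodies of these tests are outside the hunks, so I cannot tell whether any of them already guard on the OS.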
@@ -87,7 +87,6 @@ atomic_tests: Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. supported_platforms: - - linux:freebsd - linux - macos dependency_executor_name: sh @@ -109,7 +108,6 @@ atomic_tests: Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -277,7 +275,7 @@ atomic_tests: description: | Use the netstat command to display the kernels routing tables. supported_platforms: - - linux:freebsd + - linux executor: command: | netstat -r | grep default diff --git a/atomics/T1027.001/T1027.001.yaml b/atomics/T1027.001/T1027.001.yaml index 1249620e33..71e1bd24b5 100644 --- a/atomics/T1027.001/T1027.001.yaml +++ b/atomics/T1027.001/T1027.001.yaml @@ -8,9 +8,8 @@ atomic_tests: Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_to_pad: description: Path of binary to be padded @@ -40,9 +39,8 @@ atomic_tests: Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_to_pad: description: Path of binary to be padded diff --git a/atomics/T1027.004/T1027.004.yaml b/atomics/T1027.004/T1027.004.yaml index 512c55407c..316339b776 100644 --- a/atomics/T1027.004/T1027.004.yaml +++ b/atomics/T1027.004/T1027.004.yaml @@ -64,7 +64,6 @@ atomic_tests: description: | Compile a c file with either gcc or clang on FreeBSD, Linux or Macos. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -90,7 +89,6 @@ atomic_tests: description: | Compile a c file with either gcc or clang on FreeBSD, Linux or Macos. supported_platforms: - - linux:freebsd - linux - macos input_arguments: 
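Review bot: The T1027.001 hunks (and the later T1053.003, T1069.001, T1082, T1083, T1090.001 and T1098.004 hunks that do the same) move `- macos` below `- linux` in addition to deleting `- linux:freebsd`, turning a one-line deletion into a three-line change with no functional effect, since list order is not meaningful to the schema. Deleting only `- linux:freebsd` would keep this patch reviewable as a pure rename; if a canonical platform ordering is wanted, apply it across all files in a separate commit.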
@@ -116,7 +114,6 @@ atomic_tests: description: | Compile a go file with golang on FreeBSD, Linux or Macos. supported_platforms: - - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index e13b7faadb..51be5ebb25 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -41,7 +41,7 @@ atomic_tests: Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team` and uname -v supported_platforms: - - linux:freebsd + - linux input_arguments: shell_command: description: command to encode diff --git a/atomics/T1030/T1030.yaml b/atomics/T1030/T1030.yaml index d31dfb5b11..1497fb077a 100644 --- a/atomics/T1030/T1030.yaml +++ b/atomics/T1030/T1030.yaml @@ -8,7 +8,6 @@ atomic_tests: supported_platforms: - macos - linux - - linux:freebsd input_arguments: file_name: description: File name diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml index d07f4bb55b..0190155b26 100644 --- a/atomics/T1033/T1033.yaml +++ b/atomics/T1033/T1033.yaml @@ -33,7 +33,6 @@ atomic_tests: Upon successful execution, sh will stdout list of usernames. supported_platforms: - - linux:freebsd - linux - macos executor: diff --git a/atomics/T1036.003/T1036.003.yaml b/atomics/T1036.003/T1036.003.yaml index 55798b20b4..d2b155a515 100644 --- a/atomics/T1036.003/T1036.003.yaml +++ b/atomics/T1036.003/T1036.003.yaml @@ -23,7 +23,6 @@ atomic_tests: Upon successful execution, sh is renamed to `crond` and executed. supported_platforms: - - linux:freebsd - linux executor: command: | diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml index 8c00a77956..e8b05be4d9 100644 --- a/atomics/T1036.005/T1036.005.yaml +++ b/atomics/T1036.005/T1036.005.yaml @@ -8,7 +8,6 @@ atomic_tests: supported_platforms: - macos - linux - - linux:freebsd input_arguments: test_message: description: Test message to echo out to the screen 
diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml index b28a97b6f5..535d2af819 100644 --- a/atomics/T1036.006/T1036.006.yaml +++ b/atomics/T1036.006/T1036.006.yaml @@ -38,7 +38,7 @@ atomic_tests: description: | Space after filename. supported_platforms: - - linux:freebsd + - linux executor: name: sh command: | diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml index 1281856bae..c171f9912e 100644 --- a/atomics/T1037.004/T1037.004.yaml +++ b/atomics/T1037.004/T1037.004.yaml @@ -59,7 +59,7 @@ atomic_tests: Modify rc.local supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml index 241f247098..3e10176637 100644 --- a/atomics/T1040/T1040.yaml +++ b/atomics/T1040/T1040.yaml @@ -35,7 +35,7 @@ atomic_tests: Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. supported_platforms: - - linux:freebsd + - linux input_arguments: interface: description: Specify interface to perform PCAP on. @@ -254,7 +254,7 @@ atomic_tests: description: | Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds. supported_platforms: - - linux:freebsd + - linux input_arguments: ifname: description: Specify interface to perform PCAP on. @@ -288,7 +288,7 @@ atomic_tests: description: | Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds. supported_platforms: - - linux:freebsd + - linux input_arguments: ifname: description: Specify interface to perform PCAP on. diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml index d462b9ff72..e7ff37cbac 100644 --- a/atomics/T1046/T1046.yaml +++ b/atomics/T1046/T1046.yaml 
@@ -75,7 +75,7 @@ atomic_tests: Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout. supported_platforms: - - linux:freebsd + - linux input_arguments: host: description: Host to scan. diff --git a/atomics/T1048.002/T1048.002.yaml b/atomics/T1048.002/T1048.002.yaml index 09691e2b0b..fe46ee7229 100644 --- a/atomics/T1048.002/T1048.002.yaml +++ b/atomics/T1048.002/T1048.002.yaml @@ -46,7 +46,6 @@ atomic_tests: supported_platforms: - macos - linux - - linux:freebsd input_arguments: input_file: description: Test file to upload diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml index b89faee2cf..1a3717718f 100644 --- a/atomics/T1048.003/T1048.003.yaml +++ b/atomics/T1048.003/T1048.003.yaml @@ -10,7 +10,6 @@ atomic_tests: supported_platforms: - macos - linux - - linux:freebsd executor: steps: | 1. Victim System Configuration: @@ -53,7 +52,6 @@ atomic_tests: description: | Exfiltration of specified file over DNS protocol. supported_platforms: - - linux:freebsd - linux executor: steps: | @@ -223,7 +221,7 @@ atomic_tests: description: | An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: false diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml index 734c1fe34c..867d8b04b8 100644 --- a/atomics/T1048/T1048.yaml +++ b/atomics/T1048/T1048.yaml @@ -12,7 +12,6 @@ atomic_tests: supported_platforms: - macos - linux - - linux:freebsd input_arguments: domain: description: target SSH domain 
@@ -33,7 +32,6 @@ atomic_tests: supported_platforms: - macos - linux - - linux:freebsd input_arguments: user_name: description: username for domain diff --git a/atomics/T1049/T1049.yaml b/atomics/T1049/T1049.yaml index eadde4bbd5..c91298bd66 100644 --- a/atomics/T1049/T1049.yaml +++ b/atomics/T1049/T1049.yaml @@ -34,7 +34,6 @@ atomic_tests: Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout. supported_platforms: - - linux:freebsd - linux - macos dependency_executor_name: sh diff --git a/atomics/T1053.002/T1053.002.yaml b/atomics/T1053.002/T1053.002.yaml index 885e20f8ce..016dcd9aed 100644 --- a/atomics/T1053.002/T1053.002.yaml +++ b/atomics/T1053.002/T1053.002.yaml @@ -60,7 +60,7 @@ atomic_tests: This test submits a command to be run in the future by the `at` daemon. supported_platforms: - - linux:freebsd + - linux input_arguments: time_spec: diff --git a/atomics/T1053.003/T1053.003.yaml b/atomics/T1053.003/T1053.003.yaml index d967c0a069..f5fc56e82c 100644 --- a/atomics/T1053.003/T1053.003.yaml +++ b/atomics/T1053.003/T1053.003.yaml @@ -6,9 +6,8 @@ atomic_tests: description: | This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: command: description: Command to execute @@ -59,7 +58,7 @@ atomic_tests: description: | This test adds a script to /etc/cron.d folder configured to execute on a schedule. supported_platforms: - - linux:freebsd + - linux input_arguments: command: description: Command to execute diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index 1855ccd466..bf1b8b7d87 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml 
@@ -95,7 +95,7 @@ atomic_tests: To gain persistence the command could be added to the users .shrc or .profile supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: | @@ -121,7 +121,6 @@ atomic_tests: To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ supported_platforms: - - linux:freebsd - linux dependency_executor_name: sh dependencies: diff --git a/atomics/T1057/T1057.yaml b/atomics/T1057/T1057.yaml index 9e9121372a..47baf4ab45 100644 --- a/atomics/T1057/T1057.yaml +++ b/atomics/T1057/T1057.yaml @@ -8,7 +8,6 @@ atomic_tests: Upon successful execution, sh will execute ps and output to /tmp/loot.txt. supported_platforms: - - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml index adca5cc16d..fb25a141e8 100644 --- a/atomics/T1059.004/T1059.004.yaml +++ b/atomics/T1059.004/T1059.004.yaml @@ -6,7 +6,6 @@ atomic_tests: description: | Creates and executes a simple sh script. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -30,7 +29,6 @@ atomic_tests: Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. supported_platforms: - - linux:freebsd - linux - macos executor: @@ -105,7 +103,6 @@ atomic_tests: description: | An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed. supported_platforms: - - linux:freebsd - linux executor: name: sh 
@@ -122,7 +119,6 @@ atomic_tests: description: | An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running. supported_platforms: - - linux:freebsd - linux executor: name: sh @@ -136,7 +132,6 @@ atomic_tests: description: | An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host. supported_platforms: - - linux:freebsd - linux executor: name: sh @@ -148,7 +143,6 @@ atomic_tests: description: | An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here! supported_platforms: - - linux:freebsd - linux executor: name: sh @@ -173,7 +167,7 @@ atomic_tests: description: | An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: false @@ -210,7 +204,7 @@ atomic_tests: description: | An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/sh shell, changes the users shell to sh, then deletes the art user. supported_platforms: - - linux:freebsd + - linux dependencies: - description: | chsh - change login shell, must be installed 
@@ -247,7 +241,7 @@ atomic_tests: description: | An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/sh supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: false @@ -293,7 +287,7 @@ atomic_tests: description: | An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command. supported_platforms: - - linux:freebsd + - linux input_arguments: remote_url: description: url of remote payload diff --git a/atomics/T1059.006/T1059.006.yaml b/atomics/T1059.006/T1059.006.yaml index dad86df24d..14b8c5c9cc 100644 --- a/atomics/T1059.006/T1059.006.yaml +++ b/atomics/T1059.006/T1059.006.yaml @@ -5,7 +5,6 @@ atomic_tests: auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb description: Download and execute shell script and write to file then execute locally using Python -c (command mode) supported_platforms: - - linux:freebsd - linux input_arguments: script_url: @@ -43,7 +42,6 @@ atomic_tests: auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 description: Create Python file (.py) that downloads and executes shell script via executor arguments supported_platforms: - - linux:freebsd - linux input_arguments: python_script_name: 
@@ -97,7 +95,6 @@ atomic_tests: description: | Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments supported_platforms: - - linux:freebsd - linux input_arguments: python_script_name: @@ -156,9 +153,8 @@ atomic_tests: description: | Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence supported_platforms: - - linux:freebsd - linux - dependencies: + dependencies: - description: | Verify if python is in the environment variable path and attempt to import requests library. prereq_command: | diff --git a/atomics/T1069.001/T1069.001.yaml b/atomics/T1069.001/T1069.001.yaml index 5309d8abba..d61032f51b 100644 --- a/atomics/T1069.001/T1069.001.yaml +++ b/atomics/T1069.001/T1069.001.yaml @@ -6,9 +6,8 @@ atomic_tests: description: | Permission Groups Discovery supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: | if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml index 52706eae27..f0ee2d2eb3 100644 --- a/atomics/T1070.002/T1070.002.yaml +++ b/atomics/T1070.002/T1070.002.yaml @@ -37,7 +37,7 @@ atomic_tests: description: | Delete messages and security logs supported_platforms: - - linux:freebsd + - linux executor: command: | rm -rf /var/log/messages 
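Review bot: The last T1059.006 hunk changes the indentation of `dependencies:` (the removed `- dependencies:` and added `+ dependencies:` differ only in leading whitespace) while also dropping `- linux:freebsd`; if the old indentation placed `dependencies:` at a different nesting level than `supported_platforms:`, this is a structural fix unrelated to the rename and should be called out in the commit message, because it changes whether the `prereq_command` that follows is attached to that atomic at all. The rest of the dependency block is outside the hunk, so I cannot confirm which nesting the old key had.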
@@ -86,7 +86,7 @@ atomic_tests: description: | This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content supported_platforms: - - linux:freebsd + - linux executor: command: | truncate -s 0 /var/log/messages #size parameter shorthand @@ -124,7 +124,7 @@ atomic_tests: description: | The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility supported_platforms: - - linux:freebsd + - linux executor: command: | cat /dev/null > /var/log/messages #truncating the file to zero bytes @@ -187,7 +187,7 @@ atomic_tests: description: | This test overwrites the contents of system log file with an empty string using echo utility supported_platforms: - - linux:freebsd + - linux executor: command: | echo '' > /var/log/messages @@ -234,7 +234,7 @@ atomic_tests: description: | This test deletes the messages log file using unlink utility supported_platforms: - - linux:freebsd + - linux executor: command: | unlink /var/log/messages diff --git a/atomics/T1070.003/T1070.003.yaml b/atomics/T1070.003/T1070.003.yaml index c8edb60584..9d2225baee 100644 --- a/atomics/T1070.003/T1070.003.yaml +++ b/atomics/T1070.003/T1070.003.yaml @@ -17,7 +17,7 @@ atomic_tests: description: | Clears sh history via rm supported_platforms: - - linux:freebsd + - linux executor: command: | rm ~/.sh_history @@ -38,7 +38,7 @@ atomic_tests: description: | Clears sh history via echo supported_platforms: - - linux:freebsd + - linux executor: command: | echo "" > ~/.sh_history @@ -59,7 +59,7 @@ atomic_tests: description: | Clears sh history via cat /dev/null supported_platforms: - - linux:freebsd + - linux executor: command: | cat /dev/null > ~/.sh_history 
@@ -81,7 +81,7 @@ atomic_tests: description: | Clears sh history via a symlink to /dev/null supported_platforms: - - linux:freebsd + - linux executor: command: | ln -sf /dev/null ~/.sh_history @@ -101,7 +101,7 @@ atomic_tests: description: | Clears sh history via truncate supported_platforms: - - linux:freebsd + - linux executor: command: | truncate -s0 ~/.sh_history @@ -124,7 +124,7 @@ atomic_tests: description: | Clears the history of a bunch of different shell types by setting the history size to zero supported_platforms: - - linux:freebsd + - linux executor: command: | unset HISTFILE @@ -192,7 +192,7 @@ atomic_tests: description: | Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog supported_platforms: - - linux:freebsd + - linux dependencies: - description: | Install sshpass and create user account used for excuting diff --git a/atomics/T1070.004/T1070.004.yaml b/atomics/T1070.004/T1070.004.yaml index 8050b77c35..8c3f20a206 100644 --- a/atomics/T1070.004/T1070.004.yaml +++ b/atomics/T1070.004/T1070.004.yaml @@ -6,7 +6,6 @@ atomic_tests: description: | Delete a single file from the temporary directory supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -37,7 +36,6 @@ atomic_tests: description: | Recursively delete the temporary directory and all files contained within it supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -182,7 +180,7 @@ atomic_tests: description: | This test deletes the entire root filesystem of a FreeBSD system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. supported_platforms: - - linux:freebsd + - linux executor: command: | chflags -R 0 / diff --git a/atomics/T1070.006/T1070.006.yaml b/atomics/T1070.006/T1070.006.yaml index 9921290648..a61dc5bd20 100644 --- a/atomics/T1070.006/T1070.006.yaml 
+++ b/atomics/T1070.006/T1070.006.yaml @@ -6,7 +6,6 @@ atomic_tests: description: | Stomps on the access timestamp of a file supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -33,7 +32,6 @@ atomic_tests: description: | Stomps on the modification timestamp of a file supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -62,7 +60,6 @@ atomic_tests: Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -88,7 +85,6 @@ atomic_tests: This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1071.001/T1071.001.yaml b/atomics/T1071.001/T1071.001.yaml index d21f2f0b09..18b231a120 100644 --- a/atomics/T1071.001/T1071.001.yaml +++ b/atomics/T1071.001/T1071.001.yaml @@ -66,7 +66,6 @@ atomic_tests: This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat supported_platforms: - - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1074.001/T1074.001.yaml b/atomics/T1074.001/T1074.001.yaml index da568bcedd..d057088d3c 100644 --- a/atomics/T1074.001/T1074.001.yaml +++ b/atomics/T1074.001/T1074.001.yaml @@ -40,7 +40,7 @@ atomic_tests: description: | Utilize curl to download discovery.sh and execute a basic information gathering shell script supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Location to save downloaded discovery.bat file diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml index 53c750520e..49eda773c1 100644 --- a/atomics/T1078.003/T1078.003.yaml +++ b/atomics/T1078.003/T1078.003.yaml 
@@ -123,7 +123,7 @@ atomic_tests: description: | An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -164,7 +164,7 @@ atomic_tests: In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -206,7 +206,7 @@ atomic_tests: description: | An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml index b2da7557a3..5f9d9594fc 100644 --- a/atomics/T1082/T1082.yaml +++ b/atomics/T1082/T1082.yaml @@ -28,7 +28,6 @@ atomic_tests: description: | Identify System Info supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -85,7 +84,7 @@ atomic_tests: description: | Identify virtual machine host kernel modules. supported_platforms: - - linux:freebsd + - linux executor: command: | kldstat | grep -i "vmm" @@ -106,7 +105,6 @@ atomic_tests: description: | Identify system hostname for FreeBSD, Linux and macOS systems. supported_platforms: - - linux:freebsd - linux - macos executor: @@ -165,9 +163,8 @@ atomic_tests: description: | Identify all environment variables. Upon execution, environments variables and your path info will be displayed. supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: | env 
@@ -369,7 +366,7 @@ atomic_tests: description: | Enumerate kernel modules loaded. Upon successful execution stdout will display kernel modules loaded, followed by list of modules matching 'vmm' if present. supported_platforms: - - linux:freebsd + - linux executor: command: | kldstat diff --git a/atomics/T1083/T1083.yaml b/atomics/T1083/T1083.yaml index a593753c79..54474e3af0 100644 --- a/atomics/T1083/T1083.yaml +++ b/atomics/T1083/T1083.yaml @@ -47,9 +47,8 @@ atomic_tests: https://perishablepress.com/list-files-folders-recursively-terminal/ supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: output_file: description: Output file used to store the results. @@ -73,9 +72,8 @@ atomic_tests: description: | Find or discover files on the file system supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: output_file: description: Output file used to store the results. diff --git a/atomics/T1087.001/T1087.001.yaml b/atomics/T1087.001/T1087.001.yaml index 1412ea6089..95c8de0d05 100644 --- a/atomics/T1087.001/T1087.001.yaml +++ b/atomics/T1087.001/T1087.001.yaml @@ -6,7 +6,6 @@ atomic_tests: description: | Enumerate all accounts by copying /etc/passwd to another file supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -25,7 +24,6 @@ atomic_tests: description: | (requires root) supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -47,7 +45,6 @@ atomic_tests: description: | View accounts with UID 0 supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -68,7 +65,6 @@ atomic_tests: description: | List opened files by user supported_platforms: - - linux:freebsd - linux - macos executor: @@ -114,7 +110,7 @@ atomic_tests: description: | Show if a user account has ever logged in remotely supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Path where captured results will be placed 
@@ -133,7 +129,6 @@ atomic_tests: description: | Utilize groups and id to enumerate users and groups supported_platforms: - - linux:freebsd - linux - macos executor: diff --git a/atomics/T1090.001/T1090.001.yaml b/atomics/T1090.001/T1090.001.yaml index 62a54b8403..622397c193 100644 --- a/atomics/T1090.001/T1090.001.yaml +++ b/atomics/T1090.001/T1090.001.yaml @@ -8,9 +8,8 @@ atomic_tests: Note that this test may conflict with pre-existing system configuration. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: proxy_server: description: Proxy server URL (host:port) diff --git a/atomics/T1090.003/T1090.003.yaml b/atomics/T1090.003/T1090.003.yaml index 965252f8a8..93168879fe 100644 --- a/atomics/T1090.003/T1090.003.yaml +++ b/atomics/T1090.003/T1090.003.yaml @@ -124,7 +124,7 @@ atomic_tests: This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy service will be launched. supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: | diff --git a/atomics/T1098.004/T1098.004.yaml b/atomics/T1098.004/T1098.004.yaml index a37f88d382..4fb180dd0f 100644 --- a/atomics/T1098.004/T1098.004.yaml +++ b/atomics/T1098.004/T1098.004.yaml @@ -9,9 +9,8 @@ atomic_tests: Modify contents of /.ssh/authorized_keys to maintain persistence on victim host. If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file. supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: name: sh elevation_required: false diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index 591aee455d..8416aaa940 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml 
@@ -6,7 +6,6 @@ atomic_tests: description: | Utilize rsync to perform a remote file copy (push) supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -44,7 +43,6 @@ atomic_tests: description: | Utilize rsync to perform a remote file copy (pull) supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -81,7 +79,6 @@ atomic_tests: description: | Utilize scp to perform a remote file copy (push) supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -110,7 +107,6 @@ atomic_tests: description: | Utilize scp to perform a remote file copy (pull) supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -139,7 +135,6 @@ atomic_tests: description: | Utilize sftp to perform a remote file copy (push) supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -168,7 +163,6 @@ atomic_tests: description: | Utilize sftp to perform a remote file copy (pull) supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -359,7 +353,6 @@ atomic_tests: description: | Download a remote file using the whois utility supported_platforms: - - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml index 9bf5e671e3..80a84566aa 100644 --- a/atomics/T1110.001/T1110.001.yaml +++ b/atomics/T1110.001/T1110.001.yaml @@ -234,7 +234,7 @@ atomic_tests: This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user supported_platforms: - - linux:freebsd + - linux input_arguments: remote_url: description: url of remote payload diff --git a/atomics/T1110.004/T1110.004.yaml b/atomics/T1110.004/T1110.004.yaml index 0f7c263ec5..82326fdc37 100644 --- a/atomics/T1110.004/T1110.004.yaml +++ b/atomics/T1110.004/T1110.004.yaml 
@@ -69,7 +69,7 @@ atomic_tests: Using username,password combination from a password dump to login over SSH. supported_platforms: - - linux:freebsd + - linux input_arguments: target_host: diff --git a/atomics/T1113/T1113.yaml b/atomics/T1113/T1113.yaml index 32e2adf16e..7aae6138cc 100644 --- a/atomics/T1113/T1113.yaml +++ b/atomics/T1113/T1113.yaml @@ -74,7 +74,7 @@ atomic_tests: description: | Use xwd command to collect a full desktop screenshot and review file with xwud supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Output file path @@ -126,7 +126,7 @@ atomic_tests: description: | Use import command from ImageMagick to collect a full desktop screenshot supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Output file path diff --git a/atomics/T1124/T1124.yaml b/atomics/T1124/T1124.yaml index 77f3faf7e1..5605e44241 100644 --- a/atomics/T1124/T1124.yaml +++ b/atomics/T1124/T1124.yaml @@ -32,7 +32,7 @@ atomic_tests: description: | Identify system time. Upon execution, the local computer system time and timezone will be displayed. supported_platforms: - - linux:freebsd + - linux - macos executor: command: | diff --git a/atomics/T1132.001/T1132.001.yaml b/atomics/T1132.001/T1132.001.yaml index b66dbba8cc..3c8f947160 100644 --- a/atomics/T1132.001/T1132.001.yaml +++ b/atomics/T1132.001/T1132.001.yaml @@ -27,7 +27,7 @@ atomic_tests: description: | Utilizing a common technique for posting base64 encoded data. supported_platforms: - - linux:freebsd + - linux input_arguments: destination_url: description: Destination URL to post encoded data. diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index ecf813ed65..a3f58a728d 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml 
@@ -51,7 +51,7 @@ atomic_tests:
 description: |
 Network Share Discovery using smbstatus
 supported_platforms:
- - linux:freebsd
+ - linux
 input_arguments:
 package_checker:
 description: Package checking command. pkg info -x samba
diff --git a/atomics/T1136.001/T1136.001.yaml b/atomics/T1136.001/T1136.001.yaml
index f662fc1c66..eb50309e96 100644
--- a/atomics/T1136.001/T1136.001.yaml
+++ b/atomics/T1136.001/T1136.001.yaml
@@ -24,7 +24,7 @@ atomic_tests:
 description: |
 Create a user via pw
 supported_platforms:
- - linux:freebsd
+ - linux
 input_arguments:
 username:
 description: Username of the user to create
@@ -134,7 +134,7 @@ atomic_tests:
 description: |
 Creates a new user in FreeBSD and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.
 supported_platforms:
- - linux:freebsd
+ - linux
 input_arguments:
 username:
 description: Username of the user to create
diff --git a/atomics/T1140/T1140.yaml b/atomics/T1140/T1140.yaml
index 6b0017903f..0ec9686530 100644
--- a/atomics/T1140/T1140.yaml
+++ b/atomics/T1140/T1140.yaml
@@ -47,8 +47,7 @@ atomic_tests:
 description: |
 Use Python to decode a base64-encoded text string and echo it to the console
 supported_platforms:
- - linux:freebsd
- - linux
+ - linux
 - macos
 input_arguments:
 message:
@@ -82,7 +81,6 @@ atomic_tests:
 description: |
 Use Perl to decode a base64-encoded text string and echo it to the console
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -143,7 +141,7 @@ atomic_tests:
 description: |
 Use common shell utilities to decode a base64-encoded text string and echo it to the console
 supported_platforms:
- - linux:freebsd
+ - linux
 input_arguments:
 message:
 description: Message to print to the screen
@@ -170,7 +168,7 @@ atomic_tests: description: | Using b64decode shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it. supported_platforms: - - linux:freebsd + - linux input_arguments: bash_encoded: description: Encoded #!/bin/bash script @@ -208,7 +206,6 @@ atomic_tests: description: | Use common shell utilities to decode a hex-encoded text string and echo it to the console supported_platforms: - - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1176/T1176.yaml b/atomics/T1176/T1176.yaml index 20582b88b6..3898871cde 100644 --- a/atomics/T1176/T1176.yaml +++ b/atomics/T1176/T1176.yaml @@ -5,7 +5,6 @@ atomic_tests: auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory supported_platforms: - - linux:freebsd - linux - windows - macos @@ -23,7 +22,6 @@ atomic_tests: auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f description: Install the "Minimum Viable Malicious Extension" Chrome extension supported_platforms: - - linux:freebsd - linux - windows - macos @@ -39,7 +37,6 @@ atomic_tests: description: | Create a file called test.wma, with the duration of 30 seconds supported_platforms: - - linux:freebsd - linux - windows - macos diff --git a/atomics/T1201/T1201.yaml b/atomics/T1201/T1201.yaml index 562ee35af7..4a193db8bf 100644 --- a/atomics/T1201/T1201.yaml +++ b/atomics/T1201/T1201.yaml 
@@ -16,7 +16,7 @@ atomic_tests:
 description: |
 Lists the password complexity policy to console on FreeBSD.
 supported_platforms:
- - linux:freebsd
+ - linux
 executor:
 command: |
 cat /etc/pam.d/passwd
diff --git a/atomics/T1217/T1217.yaml b/atomics/T1217/T1217.yaml
index 121a87e0fc..9d3ad9f4f5 100644
--- a/atomics/T1217/T1217.yaml
+++ b/atomics/T1217/T1217.yaml
@@ -6,7 +6,6 @@ atomic_tests:
 description: |
 Searches for Mozilla Firefox's places.sqlite file (on FreeBSD or Linux distributions) that contains bookmarks and lists any found instances to a text file.
 supported_platforms:
- - linux:freebsd
 - linux
 input_arguments:
 output_file:
@@ -61,7 +60,7 @@ atomic_tests:
 description: |
 Searches for Google Chromium's Bookmark file (on FreeBSD) that contains bookmarks in JSON format and lists any found instances to a text file.
 supported_platforms:
- - linux:freebsd
+ - linux
 input_arguments:
 output_file:
 description: Path where captured results will be placed.
diff --git a/atomics/T1222.002/T1222.002.yaml b/atomics/T1222.002/T1222.002.yaml
index aaafdd542f..ebc9d95990 100644
--- a/atomics/T1222.002/T1222.002.yaml
+++ b/atomics/T1222.002/T1222.002.yaml
@@ -6,9 +6,8 @@ atomic_tests:
 description: |
 Changes a file or folder's permissions using chmod and a specified numeric mode.
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 numeric_mode:
 description: Specified numeric mode value
@@ -27,9 +26,8 @@ atomic_tests:
 description: |
 Changes a file or folder's permissions using chmod and a specified symbolic mode.
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 symbolic_mode:
 description: Specified symbolic mode value
@@ -48,9 +46,8 @@ atomic_tests:
 description: |
 Changes a file or folder's permissions recursively using chmod and a specified numeric mode.
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 numeric_mode:
 description: Specified numeric mode value
@@ -69,9 +66,8 @@ atomic_tests: description: | Changes a file or folder's permissions recursively using chmod and a specified symbolic mode. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: symbolic_mode: description: Specified symbolic mode value @@ -138,9 +134,8 @@ atomic_tests: description: | Changes a file or folder's ownership only using chown. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: owner: description: Username of desired owner @@ -197,7 +192,7 @@ atomic_tests: Remove's a file's `immutable` attribute using `chflags`. This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - linux:freebsd + - linux input_arguments: file_to_modify: description: Path of the file @@ -242,7 +237,7 @@ atomic_tests: description: | chmods a file using a c script supported_platforms: - - linux:freebsd + - linux input_arguments: source_file: description: Path of c source file @@ -299,7 +294,7 @@ atomic_tests: description: | chowns a file to root using a c script supported_platforms: - - linux:freebsd + - linux input_arguments: source_file: description: Path of c source file diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml index 9ecac31b46..b33d188bf1 100644 --- a/atomics/T1485/T1485.yaml +++ b/atomics/T1485/T1485.yaml @@ -39,7 +39,6 @@ atomic_tests: Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. supported_platforms: - - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml index bb50c6bcee..0e4fe2de16 100644 --- a/atomics/T1486/T1486.yaml +++ b/atomics/T1486/T1486.yaml @@ -6,7 +6,6 @@ atomic_tests: description: | Uses gpg to encrypt a file supported_platforms: - - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: 
@@ -46,7 +45,6 @@ atomic_tests: description: | Uses 7z to encrypt a file supported_platforms: - - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: @@ -83,7 +81,6 @@ atomic_tests: description: | Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. supported_platforms: - - linux:freebsd - linux input_arguments: cped_file_path: @@ -126,7 +123,6 @@ atomic_tests: description: | Uses openssl to encrypt a file supported_platforms: - - linux:freebsd - linux input_arguments: private_key_path: diff --git a/atomics/T1496/T1496.yaml b/atomics/T1496/T1496.yaml index 52908f08ba..63f6a6194b 100644 --- a/atomics/T1496/T1496.yaml +++ b/atomics/T1496/T1496.yaml @@ -7,9 +7,8 @@ atomic_tests: This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break. supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: | yes > /dev/null diff --git a/atomics/T1497.001/T1497.001.yaml b/atomics/T1497.001/T1497.001.yaml index 77aa1cc6f7..2f05435eef 100644 --- a/atomics/T1497.001/T1497.001.yaml +++ b/atomics/T1497.001/T1497.001.yaml @@ -21,7 +21,7 @@ atomic_tests: Detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml index 652e39eeb1..4c17901c5b 100644 --- a/atomics/T1518.001/T1518.001.yaml +++ b/atomics/T1518.001/T1518.001.yaml 
@@ -79,7 +79,7 @@ atomic_tests: Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. supported_platforms: - - linux:freebsd + - linux executor: command: | pgrep -l 'bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd' diff --git a/atomics/T1529/T1529.yaml b/atomics/T1529/T1529.yaml index b30c5899c1..75fef7d95c 100644 --- a/atomics/T1529/T1529.yaml +++ b/atomics/T1529/T1529.yaml @@ -38,9 +38,8 @@ atomic_tests: description: | This test restarts a FreeBSD/macOS/Linux system. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: timeout: description: Time to restart (can be minutes or specific time) @@ -56,9 +55,8 @@ atomic_tests: description: | This test shuts down a FreeBSD/macOS/Linux system using a halt. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: timeout: description: Time to shutdown (can be minutes or specific time) @@ -74,9 +72,8 @@ atomic_tests: description: | This test restarts a FreeBSD/macOS/Linux system via `reboot`. supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: | reboot @@ -87,7 +84,6 @@ atomic_tests: description: | This test shuts down a FreeBSD/Linux system using `halt`. supported_platforms: - - linux:freebsd - linux executor: command: | @@ -99,7 +95,7 @@ atomic_tests: description: | This test restarts a FreeBSD system using `halt`. supported_platforms: - - linux:freebsd + - linux executor: command: | halt -r @@ -121,7 +117,6 @@ atomic_tests: description: | This test shuts down a FreeBSD/Linux system using `poweroff`. supported_platforms: - - linux:freebsd - linux executor: command: | @@ -133,7 +128,7 @@ atomic_tests: description: | This test restarts a FreeBSD system using `poweroff`. supported_platforms: - - linux:freebsd + - linux executor: command: | poweroff -r 3 
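Review bot: The descriptions in the T1529.yaml hunks `@@ -99,7 +95,7 @@` and `@@ -133,7 +128,7 @@` still read `This test restarts a FreeBSD system using ...` while the new `supported_platforms` entry below them is `- linux`, so the documentation now contradicts the platform tag it sits next to. The same stale wording survives in T1548.001.yaml (`This test sets the SetUID flag on a file in FreeBSD.`), T1552.004.yaml (`Copy private SSH keys on a FreeBSD system ...`), T1201.yaml, T1217.yaml and T1136.001.yaml. Each description should be reworded to name the platform actually tagged, or the test kept as FreeBSD-only, so that a reader of the index is not told a Linux test targets FreeBSD.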
diff --git a/atomics/T1543.002/T1543.002.yaml b/atomics/T1543.002/T1543.002.yaml index c980cc74be..fd4e5cf2d9 100644 --- a/atomics/T1543.002/T1543.002.yaml +++ b/atomics/T1543.002/T1543.002.yaml @@ -70,7 +70,7 @@ atomic_tests: description: | This test creates a SysV service unit file and enables it as a service. supported_platforms: - - linux:freebsd + - linux input_arguments: rc_service_path: description: Path to rc service file diff --git a/atomics/T1546.004/T1546.004.yaml b/atomics/T1546.004/T1546.004.yaml index 26c9f27f36..e02fb7bd66 100644 --- a/atomics/T1546.004/T1546.004.yaml +++ b/atomics/T1546.004/T1546.004.yaml @@ -44,7 +44,7 @@ atomic_tests: description: | Adds a command to the .shrc file of the current user supported_platforms: - - linux:freebsd + - linux input_arguments: command_to_add: description: Command to add to the .shrc file @@ -62,7 +62,6 @@ atomic_tests: description: | An adversary may wish to establish persistence by executing malicious commands from the systems /etc/profile every time "any" user logs in. supported_platforms: - - linux:freebsd - linux input_arguments: text_to_append: @@ -81,7 +80,6 @@ atomic_tests: description: | An adversary may wish to establish persistence by executing malicious commands from the users ~/.profile every time the "user" logs in. supported_platforms: - - linux:freebsd - linux input_arguments: text_to_append: diff --git a/atomics/T1546.005/T1546.005.yaml b/atomics/T1546.005/T1546.005.yaml index a2341e0e2c..eec2a3cd30 100644 --- a/atomics/T1546.005/T1546.005.yaml +++ b/atomics/T1546.005/T1546.005.yaml @@ -21,7 +21,7 @@ atomic_tests: Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: | 
@@ -56,7 +56,7 @@ atomic_tests: Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: | diff --git a/atomics/T1548.001/T1548.001.yaml b/atomics/T1548.001/T1548.001.yaml index b302c28428..984a6db73d 100644 --- a/atomics/T1548.001/T1548.001.yaml +++ b/atomics/T1548.001/T1548.001.yaml @@ -31,7 +31,7 @@ atomic_tests: description: | Make, change owner, and change file attributes on a C source code file supported_platforms: - - linux:freebsd + - linux input_arguments: payload: description: hello.c payload @@ -76,7 +76,7 @@ atomic_tests: description: | This test sets the SetUID flag on a file in FreeBSD. supported_platforms: - - linux:freebsd + - linux input_arguments: file_to_setuid: description: Path of file to set SetUID flag @@ -117,7 +117,7 @@ atomic_tests: description: | This test sets the SetGID flag on a file in FreeBSD. supported_platforms: - - linux:freebsd + - linux input_arguments: file_to_setuid: description: Path of file to set SetGID flag @@ -180,7 +180,6 @@ atomic_tests: description: | This test simulates a command that can be run to enumerate files that have the setuid bit set supported_platforms: - - linux:freebsd - linux executor: command: | @@ -191,7 +190,6 @@ atomic_tests: description: | This test simulates a command that can be run to enumerate files that have the setgid bit set supported_platforms: - - linux:freebsd - linux executor: command: | diff --git a/atomics/T1548.003/T1548.003.yaml b/atomics/T1548.003/T1548.003.yaml index bbff4124d6..4db7c0829a 100644 --- a/atomics/T1548.003/T1548.003.yaml +++ b/atomics/T1548.003/T1548.003.yaml @@ -26,7 +26,7 @@ atomic_tests: Common Sudo enumeration methods. supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: 
@@ -68,7 +68,7 @@ atomic_tests: Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system. supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: @@ -109,7 +109,7 @@ atomic_tests: Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system. supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: diff --git a/atomics/T1552.001/T1552.001.yaml b/atomics/T1552.001/T1552.001.yaml index fe4632f85d..b8d3ebc869 100644 --- a/atomics/T1552.001/T1552.001.yaml +++ b/atomics/T1552.001/T1552.001.yaml @@ -6,7 +6,6 @@ atomic_tests: description: | Find local AWS credentials from file, defaults to using / as the look path. supported_platforms: - - linux:freebsd - macos - linux input_arguments: @@ -34,9 +33,8 @@ atomic_tests: description: | Extracting credentials from files supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_path: description: Path to search @@ -78,9 +76,8 @@ atomic_tests: This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_path: description: Path to search diff --git a/atomics/T1552.003/T1552.003.yaml b/atomics/T1552.003/T1552.003.yaml index 05e3b589f4..31197d9e06 100644 --- a/atomics/T1552.003/T1552.003.yaml +++ b/atomics/T1552.003/T1552.003.yaml @@ -30,7 +30,7 @@ atomic_tests: description: | Search through sh history for specifice commands we want to capture supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Path where captured results will be placed diff --git a/atomics/T1552.004/T1552.004.yaml b/atomics/T1552.004/T1552.004.yaml index 4ab1fd9413..9e47902515 100644 
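Review bot: The first T1552.001.yaml hunk (`@@ -6,7 +6,6 @@`) leaves the remaining entries as `- macos` then `- linux`, while the two sibling hunks in the same file (`@@ -34,9 +33,8 @@`, `@@ -78,9 +76,8 @@`) and every other reorder in this commit move `- linux` ahead of `- macos`. For consistency within the file the first hunk should apply the same reorder, i.e. `- linux` followed by `- macos`.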
--- a/atomics/T1552.004/T1552.004.yaml
+++ b/atomics/T1552.004/T1552.004.yaml
@@ -18,9 +18,8 @@ atomic_tests:
 description: |
 Discover private SSH keys on a FreeBSD, macOS or Linux system.
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 search_path:
 description: Path where to start searching from.
@@ -65,7 +64,7 @@ atomic_tests:
 description: |
 Copy private SSH keys on a FreeBSD system to a staging folder using the `cp` command.
 supported_platforms:
- - linux:freebsd
+ - linux
 input_arguments:
 search_path:
 description: Path where to start searching from.
@@ -119,7 +118,7 @@ atomic_tests:
 description: |
 Copy private SSH keys on a FreeBSD system to a staging folder using the `rsync` command.
 supported_platforms:
- - linux:freebsd
+ - linux
 input_arguments:
 search_path:
 description: Path where to start searching from.
@@ -173,7 +172,7 @@ atomic_tests:
 description: |
 Copy the users GnuPG (.gnupg) directory on a FreeBSD system to a staging folder using the `rsync` command.
 supported_platforms:
- - linux:freebsd
+ - linux
 input_arguments:
 search_path:
 description: Path where to start searching from
diff --git a/atomics/T1553.004/T1553.004.yaml b/atomics/T1553.004/T1553.004.yaml
index 9038978bf5..cafb837ce6 100644
--- a/atomics/T1553.004/T1553.004.yaml
+++ b/atomics/T1553.004/T1553.004.yaml
@@ -32,7 +32,7 @@ atomic_tests:
 description: |
 Creates a root CA with openssl
 supported_platforms:
- - linux:freebsd
+ - linux
 input_arguments:
 cert_filename:
 description: Path of the CA certificate we create
diff --git a/atomics/T1556.003/T1556.003.yaml b/atomics/T1556.003/T1556.003.yaml
index 663698d015..f1e91af521 100644
--- a/atomics/T1556.003/T1556.003.yaml
+++ b/atomics/T1556.003/T1556.003.yaml
@@ -36,7 +36,7 @@ atomic_tests: Upon successful execution, this test will insert a rule that allows every user to su to root without a password. supported_platforms: - - linux:freebsd + - linux input_arguments: path_to_pam_conf: description: PAM config file to modify. diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml index 63840fe083..348d3b6ddd 100644 --- a/atomics/T1560.001/T1560.001.yaml +++ b/atomics/T1560.001/T1560.001.yaml @@ -193,7 +193,6 @@ atomic_tests: description: | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -217,7 +216,6 @@ atomic_tests: description: | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -248,9 +246,8 @@ atomic_tests: description: | Encrypt data for exiltration supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: test_folder: description: Path used to store files. diff --git a/atomics/T1560.002/T1560.002.yaml b/atomics/T1560.002/T1560.002.yaml index 04c2cd67fc..1fe8491105 100644 --- a/atomics/T1560.002/T1560.002.yaml +++ b/atomics/T1560.002/T1560.002.yaml @@ -7,7 +7,6 @@ atomic_tests: description: | Uses GZip from Python to compress files supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: @@ -39,7 +38,6 @@ atomic_tests: description: | Uses bz2 from Python to compress files supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: @@ -71,7 +69,6 @@ atomic_tests: description: | Uses zipfile from Python to compress files supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: 
@@ -103,7 +100,6 @@ atomic_tests: description: | Uses tarfile from Python to compress files supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml index 3626006fbf..e6f4c44c99 100644 --- a/atomics/T1562.001/T1562.001.yaml +++ b/atomics/T1562.001/T1562.001.yaml @@ -44,7 +44,7 @@ atomic_tests: description: | Disables syslog collection supported_platforms: - - linux:freebsd + - linux executor: command: | service syslogd stop @@ -850,7 +850,6 @@ atomic_tests: disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional payload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux. supported_platforms: - - linux:freebsd - linux executor: command: | diff --git a/atomics/T1562.003/T1562.003.yaml b/atomics/T1562.003/T1562.003.yaml index 793a29fb42..e9e15dd362 100644 --- a/atomics/T1562.003/T1562.003.yaml +++ b/atomics/T1562.003/T1562.003.yaml @@ -23,7 +23,7 @@ atomic_tests: description: | Disables history collection in shells supported_platforms: - - linux:freebsd + - linux input_arguments: evil_command: description: Command to run after shell history collection is disabled @@ -125,7 +125,7 @@ atomic_tests: Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: false @@ -163,7 +163,7 @@ atomic_tests: Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: false 
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index 88206d9c44..4e0e582201 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
@@ -117,7 +117,7 @@ atomic_tests:
 description: |
 Stop the Packet Filter if installed.
 supported_platforms:
- - linux:freebsd
+ - linux
 dependency_executor_name: sh
 dependencies:
 - description: |
@@ -213,7 +213,7 @@ atomic_tests:
 description: |
 Add and delete a rule on the Packet Filter (PF) if installed and enabled.
 supported_platforms:
- - linux:freebsd
+ - linux
 dependency_executor_name: sh
 dependencies:
 - description: |
diff --git a/atomics/T1562.006/T1562.006.yaml b/atomics/T1562.006/T1562.006.yaml
index 40627e0f7f..ba249b8508 100644
--- a/atomics/T1562.006/T1562.006.yaml
+++ b/atomics/T1562.006/T1562.006.yaml
@@ -42,7 +42,7 @@ atomic_tests:
 description: |
 Emulates modification of auditd configuration files
 supported_platforms:
- - linux:freebsd
+ - linux
 input_arguments:
 auditd_config_file_name:
 description: The name of the auditd configuration file to be changed
@@ -102,7 +102,7 @@ atomic_tests:
 description: |
 Emulates modification of syslog configuration.
 supported_platforms:
- - linux:freebsd
+ - linux
 input_arguments:
 syslog_config_file_name:
 description: The name of the syslog configuration file to be changed
diff --git a/atomics/T1564.001/T1564.001.yaml b/atomics/T1564.001/T1564.001.yaml
index 25f9d0bf63..791dd0acab 100644
--- a/atomics/T1564.001/T1564.001.yaml
+++ b/atomics/T1564.001/T1564.001.yaml
@@ -6,7 +6,6 @@ atomic_tests:
 description: |
 Creates a hidden file inside a hidden directory
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 executor:
diff --git a/atomics/T1571/T1571.yaml b/atomics/T1571/T1571.yaml
index 55267caee0..62e69092ec 100644
--- a/atomics/T1571/T1571.yaml
+++ b/atomics/T1571/T1571.yaml
@@ -26,7 +26,6 @@ atomic_tests: description: | Testing uncommonly used port utilizing telnet. supported_platforms: - - linux:freebsd - linux - macos input_arguments: diff --git a/atomics/T1614.001/T1614.001.yaml b/atomics/T1614.001/T1614.001.yaml index 62082b6b31..b3e411c31a 100644 --- a/atomics/T1614.001/T1614.001.yaml +++ b/atomics/T1614.001/T1614.001.yaml @@ -33,7 +33,6 @@ atomic_tests: Upon successful execution, the output will contain the environment variables that indicate the 5 character locale that can be looked up to correlate the language and territory. supported_platforms: - - linux:freebsd - linux executor: command: | @@ -88,7 +87,6 @@ atomic_tests: also used as a builtin command that does not generate syscall telemetry but does provide a list of the environment variables. supported_platforms: - - linux:freebsd - linux dependency_executor_name: sh dependencies: diff --git a/bin/validate/atomic-red-team.schema.yaml b/bin/validate/atomic-red-team.schema.yaml index 0fbffa2947..9f03c2bb41 100644 --- a/bin/validate/atomic-red-team.schema.yaml +++ b/bin/validate/atomic-red-team.schema.yaml @@ -46,7 +46,6 @@ $defs: - windows - macos - linux - - linux:freebsd - office-365 - azure-ad - google-workspace
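Review bot: Dropping `linux:freebsd` from the platform enum in `bin/validate/atomic-red-team.schema.yaml` makes any atomic still carrying that value fail validation, which is presumably what drove the blanket re-tagging to `linux` across the rest of this commit. Tightening the schema should be the last step, taken after every FreeBSD-only test has been removed or ported, not the step that forces FreeBSD commands to be labelled as Linux. If FreeBSD coverage is meant to survive, keep the enum value and leave those atomics tagged with it.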