redcanaryco · clr2of8 · Nov 6, 2023 · Nov 3, 2023 · Nov 6, 2023 · Nov 6, 2023
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml
diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
@@ -51018,7 +51018,7 @@ persistence:
       description: Turn on Chrome/Chromium developer mode and Load Extension found
         in the src directory
       supported_platforms:
-      - freebsd
+      - linux:freebsd
       - linux
       - windows
       - macos
@@ -51036,7 +51036,7 @@ persistence:
       auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
       description: Install the "Minimum Viable Malicious Extension" Chrome extension
       supported_platforms:
-      - freebsd
+      - linux:freebsd
       - linux
       - windows
       - macos
@@ -51053,7 +51053,7 @@ persistence:
 
         '
       supported_platforms:
-      - freebsd
+      - linux:freebsd
       - linux
       - windows
       - macos

diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml
@@ -55,7 +55,7 @@ atomic_tests:
     copy process memory to an external file so it can be searched or exfiltrated later.
     On FreeBSD procfs must be mounted.
   supported_platforms:
-  - freebsd
+  - linux
 
   input_arguments:
     output_file:
@@ -102,7 +102,6 @@ atomic_tests:
     copy a process's heap memory to an external file so it can be searched or exfiltrated later.
     On FreeBSD procfs must be mounted.
   supported_platforms:
-  - freebsd
   - linux
 
   input_arguments:

diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
@@ -25,7 +25,7 @@ atomic_tests:
   description: |
     /etc/master.passwd file is accessed in FreeBSD environments
   supported_platforms:
-  - freebsd
+  - linux
   input_arguments:
     output_file:
       description: Path where captured results will be placed
@@ -44,7 +44,6 @@ atomic_tests:
   description: |
     /etc/passwd file is accessed in FreeBSD and Linux environments
   supported_platforms:
-  - freebsd
   - linux
   input_arguments:
     output_file:
@@ -63,7 +62,6 @@ atomic_tests:
   description: |
     Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed
   supported_platforms:
-  - freebsd
   - linux
   input_arguments:
     output_file:
@@ -82,7 +80,6 @@ atomic_tests:
   description: |
     Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins
   supported_platforms:
-  - freebsd
   - linux
   input_arguments:
     output_file:

diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml
@@ -50,7 +50,7 @@ atomic_tests:
   description: |
     Enumerates system service using service
   supported_platforms:
-  - freebsd
+  - linux
   executor:
     command: |
       service -e

diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml
@@ -60,7 +60,7 @@ atomic_tests:
 
     Upon successful execution, sh will spawn multiple commands and output will be via stdout.
   supported_platforms:
-  - freebsd
+  - linux
   executor:
     command: |
       if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;

diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml
@@ -87,7 +87,6 @@ atomic_tests:
 
     Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
   supported_platforms:
-  - freebsd
   - linux
   - macos
   dependency_executor_name: sh
@@ -109,7 +108,6 @@ atomic_tests:
 
     Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
   supported_platforms:
-  - freebsd
   - linux
   - macos
   input_arguments:
@@ -277,7 +275,7 @@ atomic_tests:
   description: |
     Use the netstat command to display the kernels routing tables.
   supported_platforms:
-  - freebsd
+  - linux
   executor:
     command: |
       netstat -r | grep default

diff --git a/atomics/T1027.001/T1027.001.yaml b/atomics/T1027.001/T1027.001.yaml
@@ -8,9 +8,8 @@ atomic_tests:
 
     Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
   supported_platforms:
-  - freebsd
-  - macos
   - linux
+  - macos
   input_arguments:
     file_to_pad:
       description: Path of binary to be padded
@@ -40,9 +39,8 @@ atomic_tests:
 
     Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
   supported_platforms:
-  - freebsd
-  - macos
   - linux
+  - macos
   input_arguments:
     file_to_pad:
       description: Path of binary to be padded

diff --git a/atomics/T1027.004/T1027.004.yaml b/atomics/T1027.004/T1027.004.yaml
@@ -64,7 +64,6 @@ atomic_tests:
   description: |
     Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
   supported_platforms:
-  - freebsd
   - linux
   - macos
   input_arguments:
@@ -90,7 +89,6 @@ atomic_tests:
   description: |
     Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
   supported_platforms:
-  - freebsd
   - linux
   - macos
   input_arguments:
@@ -116,7 +114,6 @@ atomic_tests:
   description: |
     Compile a go file with golang on FreeBSD, Linux or Macos.
   supported_platforms:
-  - freebsd
   - linux
   - macos
   input_arguments:

diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml
@@ -41,7 +41,7 @@ atomic_tests:
     Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team` 
     and uname -v
   supported_platforms:
-  - freebsd
+  - linux
   input_arguments:
     shell_command:
       description: command to encode

diff --git a/atomics/T1030/T1030.yaml b/atomics/T1030/T1030.yaml
@@ -8,7 +8,6 @@ atomic_tests:
   supported_platforms:
   - macos
   - linux
-  - freebsd
   input_arguments:
     file_name:
       description: File name

diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml
@@ -33,7 +33,6 @@ atomic_tests:
 
     Upon successful execution, sh will stdout list of usernames.
   supported_platforms:
-  - freebsd
   - linux
   - macos
   executor:

diff --git a/atomics/T1036.003/T1036.003.yaml b/atomics/T1036.003/T1036.003.yaml
@@ -23,7 +23,6 @@ atomic_tests:
 
     Upon successful execution, sh is renamed to `crond` and executed.
   supported_platforms:
-  - freebsd
   - linux
   executor:
     command: |

diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml
@@ -8,7 +8,6 @@ atomic_tests:
   supported_platforms:
   - macos
   - linux
-  - freebsd
   input_arguments:
     test_message:
       description: Test message to echo out to the screen

diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml
@@ -38,7 +38,7 @@ atomic_tests:
   description: |
     Space after filename.
   supported_platforms:
-  - freebsd
+  - linux
   executor:
     name: sh
     command: |

diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml
@@ -59,7 +59,7 @@ atomic_tests:
     Modify rc.local
 
   supported_platforms:
-    - freebsd
+    - linux
   executor:
     name: sh
     elevation_required: true 

diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml
@@ -35,7 +35,7 @@ atomic_tests:
 
     Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
   supported_platforms:
-  - freebsd
+  - linux
   input_arguments:
     interface:
       description: Specify interface to perform PCAP on.
@@ -254,7 +254,7 @@ atomic_tests:
   description: |
     Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
   supported_platforms:
-  - freebsd
+  - linux
   input_arguments:
     ifname:
       description: Specify interface to perform PCAP on.
@@ -288,7 +288,7 @@ atomic_tests:
   description: |
     Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
   supported_platforms:
-  - freebsd
+  - linux
   input_arguments:
     ifname:
       description: Specify interface to perform PCAP on.

diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml
@@ -69,13 +69,13 @@ atomic_tests:
     name: sh
     elevation_required: true
 - name: Port Scan Nmap for FreeBSD
-  auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048
+  auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048
   description: |
     Scan ports to check for listening ports with Nmap.
 
     Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
   supported_platforms:
-  - freebsd
+  - linux
   input_arguments:
     host:
       description: Host to scan.

diff --git a/atomics/T1048.002/T1048.002.yaml b/atomics/T1048.002/T1048.002.yaml
@@ -46,7 +46,6 @@ atomic_tests:
   supported_platforms:
   - macos
   - linux
-  - freebsd
   input_arguments:
     input_file:
       description: Test file to upload

diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml
@@ -10,7 +10,6 @@ atomic_tests:
   supported_platforms:
   - macos
   - linux
-  - freebsd
   executor:
     steps: |
       1. Victim System Configuration:
@@ -53,7 +52,6 @@ atomic_tests:
   description: |
     Exfiltration of specified file over DNS protocol.
   supported_platforms:
-  - freebsd
   - linux
   executor:
     steps: |
@@ -223,7 +221,7 @@ atomic_tests:
   description: |
     An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.
   supported_platforms:
-  - freebsd
+  - linux
   executor:
     name: sh
     elevation_required: false

diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml
@@ -12,7 +12,6 @@ atomic_tests:
   supported_platforms:
   - macos
   - linux
-  - freebsd
   input_arguments:
     domain:
       description: target SSH domain
@@ -33,7 +32,6 @@ atomic_tests:
   supported_platforms:
   - macos
   - linux
-  - freebsd
   input_arguments:
     user_name:
       description: username for domain

diff --git a/atomics/T1049/T1049.yaml b/atomics/T1049/T1049.yaml
@@ -34,7 +34,6 @@ atomic_tests:
 
     Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
   supported_platforms:
-  - freebsd
   - linux
   - macos
   dependency_executor_name: sh

diff --git a/atomics/T1053.002/T1053.002.yaml b/atomics/T1053.002/T1053.002.yaml
@@ -60,7 +60,7 @@ atomic_tests:
     This test submits a command to be run in the future by the `at` daemon.
 
   supported_platforms:
-  - freebsd
+  - linux
 
   input_arguments:
     time_spec:

diff --git a/atomics/T1053.003/T1053.003.yaml b/atomics/T1053.003/T1053.003.yaml
@@ -6,9 +6,8 @@ atomic_tests:
   description: |
     This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
   supported_platforms:
-  - freebsd
-  - macos
   - linux
+  - macos
   input_arguments:
     command:
       description: Command to execute
@@ -59,7 +58,7 @@ atomic_tests:
   description: |
     This test adds a script to /etc/cron.d folder configured to execute on a schedule.
   supported_platforms:
-  - freebsd
+  - linux
   input_arguments:
     command:
       description: Command to execute

diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml
@@ -95,7 +95,7 @@ atomic_tests:
 
     To gain persistence the command could be added to the users .shrc or .profile 
   supported_platforms:
-  - freebsd
+  - linux
   dependency_executor_name: sh
   dependencies:
   - description: |
@@ -121,7 +121,6 @@ atomic_tests:
 
     To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ 
   supported_platforms:
-  - freebsd
   - linux
   dependency_executor_name: sh
   dependencies:

diff --git a/atomics/T1057/T1057.yaml b/atomics/T1057/T1057.yaml
@@ -8,7 +8,6 @@ atomic_tests:
 
     Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
   supported_platforms:
-  - freebsd
   - linux
   - macos
   input_arguments:
-Original file line number
+Diff line change
@@ Expand Up / @@ -33,7 +33,6 @@ atomic_tests: @@
         Upon successful execution, sh will stdout list of usernames.
       supported_platforms:
-      - freebsd
       - linux
       - macos
       executor:
@@ Expand Down @@