FreeBSD changes (#2585)

* freebsd changes

* renaming freebsd to linux
Hare Sudhan
2023-11-06 17:41:43 -05:00
committed by GitHub
parent 446c2d5d05
commit 62a85c12b5
83 changed files with 524 additions and 629 deletions
+227 -227
@@ -1037,7 +1037,7 @@ defense-evasion:
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
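Review bot: the commit message says "renaming freebsd to linux", but every hunk in this file substitutes `linux:freebsd` for `freebsd`, so the message should say that. More importantly, the enumeration that validates `supported_platforms` values is not touched anywhere in this file; confirm the schema and the runners' platform matching accept the colon-qualified value before merging, otherwise each of these tests either fails validation or is silently skipped on FreeBSD hosts. If this file is the generated per-tactic index, the same edit also has to land in the source atomic YAMLs, or the next regeneration reverts it.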
@@ -1311,7 +1311,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
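Review bot: this hunk, like many below it, now lists both `linux:freebsd` and `linux`. Whether that is redundant depends on how the runner matches colon-qualified values: if `linux` already matches a FreeBSD host tagged `linux:freebsd`, the extra entry is noise; if it does not, tests that list only `linux:freebsd` (such as the first hunk) would never run under a plain `linux` selection. State the intended convention in the PR description and apply it consistently across the file.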
@@ -1335,7 +1335,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -1359,7 +1359,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -1383,7 +1383,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -1460,7 +1460,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -1523,7 +1523,7 @@ defense-evasion:
Remove's a file's `immutable` attribute using `chflags`.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
file_to_modify:
description: Path of the file
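Review bot: style point in the context line of this hunk: "Remove's a file's `immutable` attribute" has a stray apostrophe and should read "Removes a file's". Worth fixing in the source atomic since the rename touches this entry anyway.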
@@ -1572,7 +1572,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
source_file:
description: Path of c source file
@@ -1636,7 +1636,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
source_file:
description: Path of c source file
@@ -3164,7 +3164,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
@@ -3203,7 +3203,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
@@ -3242,7 +3242,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
@@ -3852,7 +3852,7 @@ defense-evasion:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
test_message:
description: Test message to echo out to the screen
@@ -4787,7 +4787,7 @@ defense-evasion:
Detects execution in a virtualized environment.
At boot, dmesg stores a log if a hypervisor is detected.
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -4938,7 +4938,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: |
rm -rf /var/log/messages
@@ -4997,7 +4997,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: "truncate -s 0 /var/log/messages #size parameter shorthand\ntruncate
--size=0 /var/log/security #size parameter \n"
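Review bot: the executor in this hunk runs `truncate --size=0 /var/log/security`, but FreeBSD's truncate(1) takes only the short `-s` form and has no GNU-style `--size` long option, so with the platform now `linux:freebsd` the second command exits with an illegal-option error and `/var/log/security` is left untouched. Use `truncate -s 0 /var/log/security`, as the first line of the same executor already does.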
@@ -5042,7 +5042,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: |
cat /dev/null > /var/log/messages #truncating the file to zero bytes
@@ -5116,7 +5116,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'echo '''' > /var/log/messages
@@ -5172,7 +5172,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'unlink /var/log/messages
@@ -7414,7 +7414,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'rm ~/.sh_history
@@ -7438,7 +7438,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'echo "" > ~/.sh_history
@@ -7463,7 +7463,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'cat /dev/null > ~/.sh_history
@@ -7488,7 +7488,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'ln -sf /dev/null ~/.sh_history
@@ -7512,7 +7512,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'truncate -s0 ~/.sh_history
@@ -7540,7 +7540,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: |
unset HISTFILE
@@ -7618,7 +7618,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
dependencies:
- description: 'Install sshpass and create user account used for excuting
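Review bot: typo in the dependency description on this hunk: "excuting" should be "executing".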
@@ -7961,7 +7961,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -7999,7 +7999,7 @@ defense-evasion:
description: "Use Perl to decode a base64-encoded text string and echo it to
the console \n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -8067,7 +8067,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
message:
description: Message to print to the screen
@@ -8098,7 +8098,7 @@ defense-evasion:
Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
for it. \n"
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
bash_encoded:
description: Encoded
@@ -8141,7 +8141,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -9755,7 +9755,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -9787,7 +9787,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -9822,7 +9822,7 @@ defense-evasion:
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change date. Use with caution.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -9849,7 +9849,7 @@ defense-evasion:
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -11175,7 +11175,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if pfctl is installed on the machine.
@@ -11283,7 +11283,7 @@ defense-evasion:
description: "Add and delete a rule on the Packet Filter (PF) if installed and
enabled. \n"
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if pf is installed on the machine and enabled.
@@ -13706,7 +13706,7 @@ defense-evasion:
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -13741,7 +13741,7 @@ defense-evasion:
Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -14938,7 +14938,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
payload:
description: hello.c payload
@@ -14986,7 +14986,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
file_to_setuid:
description: Path of file to set SetUID flag
@@ -15031,7 +15031,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
file_to_setuid:
description: Path of file to set SetGID flag
@@ -15100,7 +15100,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'find /usr/bin -perm -4000
@@ -15114,7 +15114,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'find /usr/bin -perm -2000
@@ -16041,7 +16041,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
auditd_config_file_name:
description: The name of the auditd configuration file to be changed
@@ -16105,7 +16105,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
syslog_config_file_name:
description: The name of the syslog configuration file to be changed
@@ -18898,7 +18898,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
evil_command:
description: Command to run after shell history collection is disabled
@@ -18997,7 +18997,7 @@ defense-evasion:
Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: false
@@ -19036,7 +19036,7 @@ defense-evasion:
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: false
@@ -20688,7 +20688,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: |
service syslogd stop
@@ -21582,7 +21582,7 @@ defense-evasion:
as an additional \npayload to the compromised host and to make sure that there
will be no recoverable data due to swap feature of FreeBSD/linux.\n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: "swapon -a \nsleep 2\nswapoff -a\nsync\n"
@@ -22425,7 +22425,7 @@ defense-evasion:
a base64 encoded command, that echoes `Hello from the Atomic Red Team` \nand
uname -v\n"
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
shell_command:
description: command to encode
@@ -23742,7 +23742,7 @@ defense-evasion:
Upon successful execution, sh is renamed to `crond` and executed.
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: |
@@ -24702,7 +24702,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
cert_filename:
description: Path of the CA certificate we create
@@ -25021,7 +25021,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -25053,7 +25053,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -25084,7 +25084,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -27350,7 +27350,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -27388,7 +27388,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -27577,7 +27577,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: |
chflags -R 0 /
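Review bot: the executor here runs `chflags -R 0 /`, which walks the entire filesystem and clears every flag, including the system immutable and append-only flags on base-system files; that is far beyond what a single atomic test should do on a shared host, and the test cannot restore what it removed. Scope the path to a directory the test creates, and have the cleanup restore the flags it cleared there.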
@@ -28397,7 +28397,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
command: "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir
@@ -29406,7 +29406,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -31261,7 +31261,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -31302,7 +31302,7 @@ defense-evasion:
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -31344,7 +31344,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -33926,7 +33926,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
@@ -33965,7 +33965,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
@@ -34004,7 +34004,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if sudo is installed.
@@ -35196,7 +35196,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -35256,7 +35256,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
command:
description: Command to execute
@@ -38063,7 +38063,7 @@ privilege-escalation:
Launch bash shell with command arg to create TRAP on EXIT.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if bash is installed.
@@ -38106,7 +38106,7 @@ privilege-escalation:
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if bash is installed.
@@ -38865,7 +38865,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
payload:
description: hello.c payload
@@ -38913,7 +38913,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
file_to_setuid:
description: Path of file to set SetUID flag
@@ -38958,7 +38958,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
file_to_setuid:
description: Path of file to set SetGID flag
@@ -39027,7 +39027,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'find /usr/bin -perm -4000
@@ -39041,7 +39041,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'find /usr/bin -perm -2000
@@ -43596,7 +43596,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
command_to_add:
description: Command to add to the .shrc file
@@ -43617,7 +43617,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
text_to_append:
@@ -43640,7 +43640,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
text_to_append:
@@ -45568,7 +45568,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -45864,7 +45864,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
rc_service_path:
description: Path to rc service file
@@ -47322,7 +47322,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
time_spec:
description: Time specification of when the command should run
@@ -47866,7 +47866,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -47907,7 +47907,7 @@ privilege-escalation:
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -47949,7 +47949,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -50010,7 +50010,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -50070,7 +50070,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
command:
description: Command to execute
@@ -53084,7 +53084,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -53109,7 +53109,7 @@ execution:
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -53203,7 +53203,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
name: sh
@@ -53223,7 +53223,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
name: sh
@@ -53241,7 +53241,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
name: sh
@@ -53256,7 +53256,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
name: sh
@@ -53290,7 +53290,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: false
@@ -53337,7 +53337,7 @@ execution:
with a /bin/sh shell, changes the users shell to sh, then deletes the art
user. \n"
supported_platforms:
- freebsd
- linux:freebsd
dependencies:
- description: 'chsh - change login shell, must be installed
@@ -53389,7 +53389,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: false
@@ -53450,7 +53450,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
remote_url:
description: url of remote payload
@@ -54089,7 +54089,7 @@ execution:
description: Download and execute shell script and write to file then execute
locally using Python -c (command mode)
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
script_url:
@@ -54131,7 +54131,7 @@ execution:
description: Create Python file (.py) that downloads and executes shell script
via executor arguments
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
python_script_name:
@@ -54189,7 +54189,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
python_script_name:
@@ -54254,7 +54254,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
dependencies:
- description: 'Verify if python is in the environment variable path and attempt
@@ -55573,7 +55573,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
time_spec:
description: Time specification of when the command should run
@@ -56632,7 +56632,7 @@ persistence:
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
@@ -58667,7 +58667,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -58727,7 +58727,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
command:
description: Command to execute
@@ -60348,7 +60348,7 @@ persistence:
description: Turn on Chrome/Chromium developer mode and Load Extension found
in the src directory
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
@@ -60366,7 +60366,7 @@ persistence:
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
@@ -60383,7 +60383,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
@@ -62672,7 +62672,7 @@ persistence:
Launch bash shell with command arg to create TRAP on EXIT.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if bash is installed.
@@ -62715,7 +62715,7 @@ persistence:
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'Check if bash is installed.
@@ -63061,7 +63061,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
username:
description: Username of the user to create
@@ -63184,7 +63184,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
username:
description: Username of the user to create
@@ -64042,7 +64042,7 @@ persistence:
persistence on victim host. \nIf the user is able to save the same contents
in the authorized_keys file, it shows user can modify the file.\n"
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -70371,7 +70371,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
command_to_add:
description: Command to add to the .shrc file
@@ -70392,7 +70392,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
text_to_append:
@@ -70415,7 +70415,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
text_to_append:
@@ -72694,7 +72694,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -73032,7 +73032,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
rc_service_path:
description: Path to rc service file
@@ -74533,7 +74533,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
time_spec:
description: Time specification of when the command should run
@@ -75168,7 +75168,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -75209,7 +75209,7 @@ persistence:
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -75251,7 +75251,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -75631,7 +75631,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
destination_url:
description: Destination URL to post encoded data.
@@ -77896,7 +77896,7 @@ command-and-control:
with add-ons in order to provide onion routing functionality.\nUpon successful
execution, the tor proxy service will be launched. \n"
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: "Tor must be installed on the machine \n"
@@ -78050,7 +78050,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -78810,7 +78810,7 @@ command-and-control:
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -78899,7 +78899,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -78939,7 +78939,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -78978,7 +78978,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -79009,7 +79009,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -79040,7 +79040,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -79071,7 +79071,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -79280,7 +79280,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -79937,7 +79937,7 @@ command-and-control:
Note that this test may conflict with pre-existing system configuration.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -80502,7 +80502,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -80532,7 +80532,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -80569,7 +80569,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -80789,7 +80789,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
output_file:
description: Output file path
@@ -80851,7 +80851,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
output_file:
description: Output file path
@@ -81207,7 +81207,7 @@ collection:
syslog.\n\nTo gain persistence the command could be added to the users .shrc
or .profile \n"
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'This test requires to be run in a bash shell and that logger
@@ -81241,7 +81241,7 @@ collection:
persistence the command could be added to the users .bashrc or .bash_aliases
or the systems default .bashrc in /etc/skel/ \n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
dependency_executor_name: sh
dependencies:
@@ -81828,7 +81828,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
output_file:
description: Location to save downloaded discovery.bat file
@@ -82719,7 +82719,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
path_to_input_file:
@@ -82756,7 +82756,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
path_to_input_file:
@@ -82793,7 +82793,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
path_to_input_file:
@@ -82830,7 +82830,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
path_to_input_file:
@@ -87659,7 +87659,7 @@ credential-access:
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
@@ -87935,7 +87935,7 @@ credential-access:
syslog.\n\nTo gain persistence the command could be added to the users .shrc
or .profile \n"
supported_platforms:
- freebsd
- linux:freebsd
dependency_executor_name: sh
dependencies:
- description: 'This test requires to be run in a bash shell and that logger
@@ -87969,7 +87969,7 @@ credential-access:
persistence the command could be added to the users .bashrc or .bash_aliases
or the systems default .bashrc in /etc/skel/ \n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
dependency_executor_name: sh
dependencies:
@@ -88448,7 +88448,7 @@ credential-access:
the sudo_bruteforce.sh which brute force guesses the password, then deletes
the user\n"
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
remote_url:
description: url of remote payload
@@ -90117,7 +90117,7 @@ credential-access:
copy process memory to an external file so it can be searched or exfiltrated later.
On FreeBSD procfs must be mounted.
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
output_file:
description: Path where captured results will be placed
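Review bot: the description says procfs must be mounted on FreeBSD, yet the visible part of this test has no `dependencies:` entry enforcing that. If none exists below the hunk, add one whose prerequisite command is `mount | grep -q procfs`, so the test stops at the prerequisite check with a clear message instead of failing partway through.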
@@ -90162,7 +90162,7 @@ credential-access:
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
On FreeBSD procfs must be mounted.
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -90468,7 +90468,7 @@ credential-access:
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
interface:
description: Specify interface to perform PCAP on.
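Review bot: the description in this hunk still promises a capture "on interface ens33", a Linux predictable-interface-name style name; with the test now tagged only `linux:freebsd`, FreeBSD interfaces carry driver-based names such as em0 or vtnet0, so the description and the `interface` default should name a FreeBSD interface or state that the argument must be supplied. The same description appears in the discovery copy of this test further down the file.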
@@ -90706,7 +90706,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
ifname:
description: Specify interface to perform PCAP on.
@@ -90747,7 +90747,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
ifname:
description: Specify interface to perform PCAP on.
@@ -92871,7 +92871,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -92924,7 +92924,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
search_path:
description: Path where to start searching from.
@@ -92986,7 +92986,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
search_path:
description: Path where to start searching from.
@@ -93048,7 +93048,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
search_path:
description: Path where to start searching from
@@ -95022,7 +95022,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
output_file:
description: Path where captured results will be placed
@@ -95128,7 +95128,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -95158,7 +95158,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -95204,7 +95204,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -96457,7 +96457,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
target_host:
description: IP Address / Hostname you want to target.
@@ -97138,7 +97138,7 @@ credential-access:
auto_generated_guid: 5076874f-a8e6-4077-8ace-9e5ab54114a5
description: "/etc/master.passwd file is accessed in FreeBSD environments\n"
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
output_file:
description: Path where captured results will be placed
@@ -97157,7 +97157,7 @@ credential-access:
auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
description: "/etc/passwd file is accessed in FreeBSD and Linux environments\n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -97179,7 +97179,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -97203,7 +97203,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -99059,7 +99059,7 @@ discovery:
Upon successful execution, sh will stdout list of usernames.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -100288,7 +100288,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -100307,7 +100307,7 @@ discovery:
auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
description: "(requires root)\n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -100331,7 +100331,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -100354,7 +100354,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -100411,7 +100411,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
output_file:
description: Path where captured results will be placed
@@ -100431,7 +100431,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -100614,7 +100614,7 @@ discovery:
Detects execution in a virtualized environment.
At boot, dmesg stores a log if a hypervisor is detected.
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -101153,7 +101153,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'service -e
@@ -101283,7 +101283,7 @@ discovery:
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
interface:
description: Specify interface to perform PCAP on.
@@ -101521,7 +101521,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
ifname:
description: Specify interface to perform PCAP on.
@@ -101562,7 +101562,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
ifname:
description: Specify interface to perform PCAP on.
@@ -101861,7 +101861,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
package_checker:
description: Package checking command. pkg info -x samba
@@ -102197,7 +102197,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -102258,7 +102258,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: |
kldstat | grep -i "vmm"
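Review bot: this entry is FreeBSD-only and its executor runs `kldstat | grep -i "vmm"`, which has no Linux counterpart; if the runner ever resolves `linux:freebsd` to the `linux` family by prefix, FreeBSD-only tests like this one will be offered on Linux hosts and fail. The new key needs exact-match handling (or a distinct top-level value) for the FreeBSD-only entries to keep working.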
@@ -102283,7 +102283,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -102357,7 +102357,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -102588,7 +102588,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: |
kldstat
@@ -103128,7 +103128,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -103193,7 +103193,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
output_file:
description: Path where captured results will be placed.
@@ -103405,7 +103405,7 @@ discovery:
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: |
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
@@ -104003,7 +104003,7 @@ discovery:
https://perishablepress.com/list-files-folders-recursively-terminal/
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -104031,7 +104031,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -104225,7 +104225,7 @@ discovery:
Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
dependency_executor_name: sh
@@ -104575,7 +104575,7 @@ discovery:
Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -104793,7 +104793,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -105024,7 +105024,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'cat /etc/pam.d/passwd
@@ -105305,7 +105305,7 @@ discovery:
Upon successful execution, the output will contain the environment variables that indicate
the 5 character locale that can be looked up to correlate the language and territory.
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'locale
@@ -105363,7 +105363,7 @@ discovery:
also used as a builtin command that does not generate syscall telemetry but
does provide a list of the environment variables.
supported_platforms:
- freebsd
- linux:freebsd
- linux
dependency_executor_name: sh
dependencies:
@@ -105739,7 +105739,7 @@ discovery:
Methods to identify Security Software on an endpoint
when sucessfully executed, command shell is going to display AV/Security software it is running.
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'pgrep -l ''bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd''
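Review bot: the context line "when sucessfully executed" carries a pre-existing typo (sucessfully); since this entry is being touched anyway, correcting it to "successfully" in the source would be cheap.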
@@ -106104,7 +106104,7 @@ discovery:
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
dependency_executor_name: sh
@@ -106130,7 +106130,7 @@ discovery:
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -106324,7 +106324,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'netstat -r | grep default
@@ -106603,7 +106603,7 @@ discovery:
Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
supported_platforms:
- freebsd
- linux:freebsd
input_arguments:
host:
description: Host to scan.
@@ -107186,7 +107186,7 @@ discovery:
description: "Identify system time. Upon execution, the local computer system
time and timezone will be displayed. \n"
supported_platforms:
- freebsd
- linux:freebsd
- macos
executor:
command: 'date
@@ -113671,7 +113671,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
pwd_for_encrypted_file:
@@ -113717,7 +113717,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
pwd_for_encrypted_file:
@@ -113756,7 +113756,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
cped_file_path:
@@ -113807,7 +113807,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
private_key_path:
@@ -114349,7 +114349,7 @@ impact:
This test simulates a high CPU load as you might observe during cryptojacking attacks.
End the test by using CTRL/CMD+C to break.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -114549,7 +114549,7 @@ impact:
Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -115231,7 +115231,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -115251,7 +115251,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -115271,7 +115271,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -115286,7 +115286,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'halt -p
@@ -115300,7 +115300,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'halt -r
@@ -115326,7 +115326,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'poweroff
@@ -115340,7 +115340,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
command: 'poweroff -r 3
@@ -117508,7 +117508,7 @@ initial-access:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -117549,7 +117549,7 @@ initial-access:
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -117591,7 +117591,7 @@ initial-access:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: true
@@ -118137,7 +118137,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
input_file:
description: Test file to upload
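Review bot: platform ordering in this hunk is `macos, linux, linux:freebsd`, while the earlier hunks put `linux:freebsd` first; if these lists are hand-maintained, normalizing the order would make future diffs easier to scan, and if they are generated, the ordering should simply mirror the source YAML.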
@@ -118316,7 +118316,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
domain:
description: target SSH domain
@@ -118338,7 +118338,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
user_name:
description: username for domain
@@ -118738,7 +118738,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
file_name:
description: File name
@@ -119022,7 +119022,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
executor:
steps: |
1. Victim System Configuration:
@@ -119069,7 +119069,7 @@ exfiltration:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
steps: "1. On the adversary machine run the below command.\n\n tshark -f
@@ -119253,7 +119253,7 @@ exfiltration:
'
supported_platforms:
- freebsd
- linux:freebsd
executor:
name: sh
elevation_required: false
+111 -111
@@ -921,7 +921,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -945,7 +945,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -969,7 +969,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -993,7 +993,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -1070,7 +1070,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -2602,7 +2602,7 @@ defense-evasion:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
test_message:
description: Test message to echo out to the screen
@@ -4562,7 +4562,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -4600,7 +4600,7 @@ defense-evasion:
description: "Use Perl to decode a base64-encoded text string and echo it to
the console \n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -4668,7 +4668,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -5579,7 +5579,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -5611,7 +5611,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -5646,7 +5646,7 @@ defense-evasion:
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change date. Use with caution.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -5673,7 +5673,7 @@ defense-evasion:
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -7620,7 +7620,7 @@ defense-evasion:
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -7655,7 +7655,7 @@ defense-evasion:
Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -8681,7 +8681,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'find /usr/bin -perm -4000
@@ -8695,7 +8695,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'find /usr/bin -perm -2000
@@ -12732,7 +12732,7 @@ defense-evasion:
as an additional \npayload to the compromised host and to make sure that there
will be no recoverable data due to swap feature of FreeBSD/linux.\n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: "swapon -a \nsleep 2\nswapoff -a\nsync\n"
@@ -14047,7 +14047,7 @@ defense-evasion:
Upon successful execution, sh is renamed to `crond` and executed.
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: |
@@ -14786,7 +14786,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -14818,7 +14818,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -14849,7 +14849,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -16496,7 +16496,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -16534,7 +16534,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -17923,7 +17923,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -21218,7 +21218,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -24003,7 +24003,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'find /usr/bin -perm -4000
@@ -24017,7 +24017,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'find /usr/bin -perm -2000
@@ -26947,7 +26947,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
text_to_append:
@@ -26970,7 +26970,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
text_to_append:
@@ -30849,7 +30849,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -33103,7 +33103,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -33128,7 +33128,7 @@ execution:
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -33222,7 +33222,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
name: sh
@@ -33242,7 +33242,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
name: sh
@@ -33260,7 +33260,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
name: sh
@@ -33275,7 +33275,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
name: sh
@@ -33830,7 +33830,7 @@ execution:
description: Download and execute shell script and write to file then execute
locally using Python -c (command mode)
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
script_url:
@@ -33872,7 +33872,7 @@ execution:
description: Create Python file (.py) that downloads and executes shell script
via executor arguments
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
python_script_name:
@@ -33930,7 +33930,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
python_script_name:
@@ -33995,7 +33995,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
dependencies:
- description: 'Verify if python is in the environment variable path and attempt
@@ -37154,7 +37154,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -38232,7 +38232,7 @@ persistence:
description: Turn on Chrome/Chromium developer mode and Load Extension found
in the src directory
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
@@ -38250,7 +38250,7 @@ persistence:
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
@@ -38267,7 +38267,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
@@ -41065,7 +41065,7 @@ persistence:
persistence on victim host. \nIf the user is able to save the same contents
in the authorized_keys file, it shows user can modify the file.\n"
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -44855,7 +44855,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
text_to_append:
@@ -44878,7 +44878,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
text_to_append:
@@ -50213,7 +50213,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -50794,7 +50794,7 @@ command-and-control:
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -50883,7 +50883,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -50923,7 +50923,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -50962,7 +50962,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -50993,7 +50993,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -51024,7 +51024,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -51055,7 +51055,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -51086,7 +51086,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -51301,7 +51301,7 @@ command-and-control:
Note that this test may conflict with pre-existing system configuration.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -51633,7 +51633,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -51663,7 +51663,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -51700,7 +51700,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -52148,7 +52148,7 @@ collection:
persistence the command could be added to the users .bashrc or .bash_aliases
or the systems default .bashrc in /etc/skel/ \n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
dependency_executor_name: sh
dependencies:
@@ -53110,7 +53110,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
path_to_input_file:
@@ -53147,7 +53147,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
path_to_input_file:
@@ -53184,7 +53184,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
path_to_input_file:
@@ -53221,7 +53221,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
path_to_input_file:
@@ -57242,7 +57242,7 @@ credential-access:
persistence the command could be added to the users .bashrc or .bash_aliases
or the systems default .bashrc in /etc/skel/ \n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
dependency_executor_name: sh
dependencies:
@@ -58481,7 +58481,7 @@ credential-access:
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
On FreeBSD procfs must be mounted.
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -60072,7 +60072,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -61017,7 +61017,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -61036,7 +61036,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -61056,7 +61056,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -62563,7 +62563,7 @@ credential-access:
auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
description: "/etc/passwd file is accessed in FreeBSD and Linux environments\n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -62585,7 +62585,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -62609,7 +62609,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -63692,7 +63692,7 @@ discovery:
Upon successful execution, sh will stdout list of usernames.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -64280,7 +64280,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -64299,7 +64299,7 @@ discovery:
auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
description: "(requires root)\n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
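Review bot: this hunk changes the same entry (auto_generated_guid fed9be70-0186-4bde-9f8a-20945f9370c2) that the first file already changed in an identical hunk, and the third file repeats it once more, which suggests these are generated index files. Confirm the rename was made in the per-technique source YAML and the indexes regenerated from it rather than string-substituted here, or the next index build will revert the change.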
@@ -64323,7 +64323,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -64346,7 +64346,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -64403,7 +64403,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -65162,7 +65162,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -65223,7 +65223,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -65238,7 +65238,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -65679,7 +65679,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
output_file:
@@ -66006,7 +66006,7 @@ discovery:
https://perishablepress.com/list-files-folders-recursively-terminal/
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -66034,7 +66034,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -66139,7 +66139,7 @@ discovery:
Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
dependency_executor_name: sh
@@ -66423,7 +66423,7 @@ discovery:
Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -66575,7 +66575,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -66819,7 +66819,7 @@ discovery:
Upon successful execution, the output will contain the environment variables that indicate
the 5 character locale that can be looked up to correlate the language and territory.
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'locale
@@ -66877,7 +66877,7 @@ discovery:
also used as a builtin command that does not generate syscall telemetry but
does provide a list of the environment variables.
supported_platforms:
- freebsd
- linux:freebsd
- linux
dependency_executor_name: sh
dependencies:
@@ -67242,7 +67242,7 @@ discovery:
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
dependency_executor_name: sh
@@ -67268,7 +67268,7 @@ discovery:
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -73810,7 +73810,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
pwd_for_encrypted_file:
@@ -73856,7 +73856,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
pwd_for_encrypted_file:
@@ -73895,7 +73895,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
cped_file_path:
@@ -73946,7 +73946,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
input_arguments:
private_key_path:
@@ -74364,7 +74364,7 @@ impact:
This test simulates a high CPU load as you might observe during cryptojacking attacks.
End the test by using CTRL/CMD+C to break.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -74529,7 +74529,7 @@ impact:
Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -74928,7 +74928,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -74948,7 +74948,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -74968,7 +74968,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -74983,7 +74983,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'halt -p
@@ -75010,7 +75010,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
command: 'poweroff
@@ -77126,7 +77126,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
input_file:
description: Test file to upload
@@ -77283,7 +77283,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
domain:
description: target SSH domain
@@ -77305,7 +77305,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
user_name:
description: username for domain
@@ -77565,7 +77565,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
file_name:
description: File name
@@ -77849,7 +77849,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
executor:
steps: |
1. Victim System Configuration:
@@ -77872,7 +77872,7 @@ exfiltration:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
executor:
steps: "1. On the adversary machine run the below command.\n\n tshark -f
+73 -73
@@ -829,7 +829,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -853,7 +853,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -877,7 +877,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -901,7 +901,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -978,7 +978,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -2329,7 +2329,7 @@ defense-evasion:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
test_message:
description: Test message to echo out to the screen
@@ -4480,7 +4480,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -4518,7 +4518,7 @@ defense-evasion:
description: "Use Perl to decode a base64-encoded text string and echo it to
the console \n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -4586,7 +4586,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -5449,7 +5449,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -5481,7 +5481,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -5516,7 +5516,7 @@ defense-evasion:
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change date. Use with caution.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -5543,7 +5543,7 @@ defense-evasion:
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -7190,7 +7190,7 @@ defense-evasion:
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -7225,7 +7225,7 @@ defense-evasion:
Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -13976,7 +13976,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -14008,7 +14008,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -14039,7 +14039,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -15686,7 +15686,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -15724,7 +15724,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -17093,7 +17093,7 @@ defense-evasion:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -20447,7 +20447,7 @@ privilege-escalation:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -29881,7 +29881,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -32038,7 +32038,7 @@ execution:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -32063,7 +32063,7 @@ execution:
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -35452,7 +35452,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -36503,7 +36503,7 @@ persistence:
description: Turn on Chrome/Chromium developer mode and Load Extension found
in the src directory
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
@@ -36521,7 +36521,7 @@ persistence:
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
@@ -36538,7 +36538,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
@@ -39368,7 +39368,7 @@ persistence:
persistence on victim host. \nIf the user is able to save the same contents
in the authorized_keys file, it shows user can modify the file.\n"
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -48279,7 +48279,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -48860,7 +48860,7 @@ command-and-control:
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -48949,7 +48949,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -48989,7 +48989,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -49028,7 +49028,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -49059,7 +49059,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -49090,7 +49090,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -49121,7 +49121,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -49152,7 +49152,7 @@ command-and-control:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -49342,7 +49342,7 @@ command-and-control:
Note that this test may conflict with pre-existing system configuration.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -49703,7 +49703,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -49733,7 +49733,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -49770,7 +49770,7 @@ collection:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -57401,7 +57401,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -58320,7 +58320,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -58350,7 +58350,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -58370,7 +58370,7 @@ credential-access:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -60879,7 +60879,7 @@ discovery:
Upon successful execution, sh will stdout list of usernames.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -61419,7 +61419,7 @@ discovery:
auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
description: "(requires root)\n"
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -61443,7 +61443,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -61466,7 +61466,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -61491,7 +61491,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -62144,7 +62144,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -62169,7 +62169,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
executor:
@@ -62184,7 +62184,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -63010,7 +63010,7 @@ discovery:
https://perishablepress.com/list-files-folders-recursively-terminal/
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -63038,7 +63038,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -63143,7 +63143,7 @@ discovery:
Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
dependency_executor_name: sh
@@ -63427,7 +63427,7 @@ discovery:
Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -63579,7 +63579,7 @@ discovery:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -64099,7 +64099,7 @@ discovery:
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
dependency_executor_name: sh
@@ -64125,7 +64125,7 @@ discovery:
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -64559,7 +64559,7 @@ discovery:
description: "Identify system time. Upon execution, the local computer system
time and timezone will be displayed. \n"
supported_platforms:
- freebsd
- linux:freebsd
- macos
executor:
command: 'date
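Review bot: this index entry lists `linux:freebsd` and `macos` only, whereas the atomic file with the identical description ("Identify system time. Upon execution, the local computer system time and timezone will be displayed.") changed later in this commit ends up with `linux` and `macos`; the index already differs from its source before this edit, which is another sign it should be regenerated rather than hand-edited.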
@@ -71126,7 +71126,7 @@ impact:
This test simulates a high CPU load as you might observe during cryptojacking attacks.
End the test by using CTRL/CMD+C to break.
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -71291,7 +71291,7 @@ impact:
Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
supported_platforms:
- freebsd
- linux:freebsd
- linux
- macos
input_arguments:
@@ -71690,7 +71690,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -71710,7 +71710,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
input_arguments:
@@ -71730,7 +71730,7 @@ impact:
'
supported_platforms:
- freebsd
- linux:freebsd
- macos
- linux
executor:
@@ -73844,7 +73844,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
input_file:
description: Test file to upload
@@ -74001,7 +74001,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
domain:
description: target SSH domain
@@ -74023,7 +74023,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
user_name:
description: username for domain
@@ -74283,7 +74283,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
input_arguments:
file_name:
description: File name
@@ -74567,7 +74567,7 @@ exfiltration:
supported_platforms:
- macos
- linux
- freebsd
- linux:freebsd
executor:
steps: |
1. Victim System Configuration:
+3 -3
View File
@@ -51018,7 +51018,7 @@ persistence:
description: Turn on Chrome/Chromium developer mode and Load Extension found
in the src directory
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
@@ -51036,7 +51036,7 @@ persistence:
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
@@ -51053,7 +51053,7 @@ persistence:
'
supported_platforms:
- freebsd
- linux:freebsd
- linux
- windows
- macos
+1 -2
View File
@@ -55,7 +55,7 @@ atomic_tests:
copy process memory to an external file so it can be searched or exfiltrated later.
On FreeBSD procfs must be mounted.
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
@@ -102,7 +102,6 @@ atomic_tests:
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
On FreeBSD procfs must be mounted.
supported_platforms:
- freebsd
- linux
input_arguments:
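Review bot: both hunks in this file keep the prerequisite "On FreeBSD procfs must be mounted" while `freebsd` is removed from `supported_platforms`, leaving only `linux`; the description now documents a platform the test no longer claims to run on (on Linux procfs is mounted at /proc by default, so the note only makes sense for FreeBSD). Either keep a FreeBSD platform entry or reword the description in the same change.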
+1 -4
View File
@@ -25,7 +25,7 @@ atomic_tests:
description: |
/etc/master.passwd file is accessed in FreeBSD environments
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
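Review bot: this hunk retags "/etc/master.passwd file is accessed in FreeBSD environments" as `linux` only, but /etc/master.passwd does not exist on Linux (the equivalent is /etc/shadow), so the test will fail on the only platform it now lists. Keep a FreeBSD tag for this test, or add a guard such as `[ -r /etc/master.passwd ] || echo "not a FreeBSD host"` so a Linux run fails cleanly. The later hunks in this file that dump master.passwd via `ed` and via sh builtins carry the same dependency.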
@@ -44,7 +44,6 @@ atomic_tests:
description: |
/etc/passwd file is accessed in FreeBSD and Linux environments
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
@@ -63,7 +62,6 @@ atomic_tests:
description: |
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
@@ -82,7 +80,6 @@ atomic_tests:
description: |
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
+1 -1
View File
@@ -50,7 +50,7 @@ atomic_tests:
description: |
Enumerates system service using service
supported_platforms:
- freebsd
- linux
executor:
command: |
service -e
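Review bot: the executor command `service -e` in this hunk is FreeBSD rc(8) syntax for listing enabled services and is not an option of the Linux `service` wrapper, which uses `service --status-all`; with `freebsd` replaced by `linux` the platform tag no longer matches the command that runs. Either keep the FreeBSD tag or branch on `uname -s` before choosing the argument.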
+1 -1
View File
@@ -60,7 +60,7 @@ atomic_tests:
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
supported_platforms:
- freebsd
- linux
executor:
command: |
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
+1 -3
View File
@@ -87,7 +87,6 @@ atomic_tests:
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
supported_platforms:
- freebsd
- linux
- macos
dependency_executor_name: sh
@@ -109,7 +108,6 @@ atomic_tests:
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -277,7 +275,7 @@ atomic_tests:
description: |
Use the netstat command to display the kernels routing tables.
supported_platforms:
- freebsd
- linux
executor:
command: |
netstat -r | grep default
+2 -4
View File
@@ -8,9 +8,8 @@ atomic_tests:
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
file_to_pad:
description: Path of binary to be padded
@@ -40,9 +39,8 @@ atomic_tests:
Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
file_to_pad:
description: Path of binary to be padded
-3
View File
@@ -64,7 +64,6 @@ atomic_tests:
description: |
Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -90,7 +89,6 @@ atomic_tests:
description: |
Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -116,7 +114,6 @@ atomic_tests:
description: |
Compile a go file with golang on FreeBSD, Linux or Macos.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
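Review bot: the three descriptions in this file still say "on FreeBSD, Linux or Macos" after `freebsd` is deleted from every `supported_platforms` list; update the description text in the same change so the documentation matches the metadata.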
+1 -1
View File
@@ -41,7 +41,7 @@ atomic_tests:
Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team`
and uname -v
supported_platforms:
- freebsd
- linux
input_arguments:
shell_command:
description: command to encode
-1
View File
@@ -8,7 +8,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
input_arguments:
file_name:
description: File name
-1
View File
@@ -33,7 +33,6 @@ atomic_tests:
Upon successful execution, sh will stdout list of usernames.
supported_platforms:
- freebsd
- linux
- macos
executor:
-1
View File
@@ -23,7 +23,6 @@ atomic_tests:
Upon successful execution, sh is renamed to `crond` and executed.
supported_platforms:
- freebsd
- linux
executor:
command: |
-1
View File
@@ -8,7 +8,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
input_arguments:
test_message:
description: Test message to echo out to the screen
+1 -1
View File
@@ -38,7 +38,7 @@ atomic_tests:
description: |
Space after filename.
supported_platforms:
- freebsd
- linux
executor:
name: sh
command: |
+1 -1
View File
@@ -59,7 +59,7 @@ atomic_tests:
Modify rc.local
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: true
+3 -3
View File
@@ -35,7 +35,7 @@ atomic_tests:
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
supported_platforms:
- freebsd
- linux
input_arguments:
interface:
description: Specify interface to perform PCAP on.
@@ -254,7 +254,7 @@ atomic_tests:
description: |
Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
supported_platforms:
- freebsd
- linux
input_arguments:
ifname:
description: Specify interface to perform PCAP on.
@@ -288,7 +288,7 @@ atomic_tests:
description: |
Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
supported_platforms:
- freebsd
- linux
input_arguments:
ifname:
description: Specify interface to perform PCAP on.
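Review bot: the two `/dev/bpf` hunks (-254 and -288) tag tests that open a `/dev/bpf` device as `linux` only, but Linux has no `/dev/bpf` device nodes (packet capture there goes through AF_PACKET sockets or libpcap), so the executor will fail with a missing-file error on every platform now listed. Keep a FreeBSD tag for these two tests; the retagging in the first hunk (tshark/tcpdump capture) is the only one in this file that is portable.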
+2 -2
View File
@@ -69,13 +69,13 @@ atomic_tests:
name: sh
elevation_required: true
- name: Port Scan Nmap for FreeBSD
auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048
auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048
description: |
Scan ports to check for listening ports with Nmap.
Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
supported_platforms:
- freebsd
- linux
input_arguments:
host:
description: Host to scan.
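Review bot: the test in this hunk is still named "Port Scan Nmap for FreeBSD" while its only platform is now `linux`, and the block shows `auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048` on two consecutive lines; if both lines really are in the file, a repeated key inside one YAML mapping is rejected or silently overwritten depending on the parser. Keep a single `auto_generated_guid` line and either rename the test or restore the FreeBSD tag.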
-1
View File
@@ -46,7 +46,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
input_arguments:
input_file:
description: Test file to upload
+1 -3
View File
@@ -10,7 +10,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
executor:
steps: |
1. Victim System Configuration:
@@ -53,7 +52,6 @@ atomic_tests:
description: |
Exfiltration of specified file over DNS protocol.
supported_platforms:
- freebsd
- linux
executor:
steps: |
@@ -223,7 +221,7 @@ atomic_tests:
description: |
An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: false
-2
View File
@@ -12,7 +12,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
input_arguments:
domain:
description: target SSH domain
@@ -33,7 +32,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
input_arguments:
user_name:
description: username for domain
-1
View File
@@ -34,7 +34,6 @@ atomic_tests:
Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
supported_platforms:
- freebsd
- linux
- macos
dependency_executor_name: sh
+1 -1
View File
@@ -60,7 +60,7 @@ atomic_tests:
This test submits a command to be run in the future by the `at` daemon.
supported_platforms:
- freebsd
- linux
input_arguments:
time_spec:
+2 -3
View File
@@ -6,9 +6,8 @@ atomic_tests:
description: |
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
command:
description: Command to execute
@@ -59,7 +58,7 @@ atomic_tests:
description: |
This test adds a script to /etc/cron.d folder configured to execute on a schedule.
supported_platforms:
- freebsd
- linux
input_arguments:
command:
description: Command to execute
+1 -2
View File
@@ -95,7 +95,7 @@ atomic_tests:
To gain persistence the command could be added to the users .shrc or .profile
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
- description: |
@@ -121,7 +121,6 @@ atomic_tests:
To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
-1
View File
@@ -8,7 +8,6 @@ atomic_tests:
Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
+4 -10
View File
@@ -6,7 +6,6 @@ atomic_tests:
description: |
Creates and executes a simple sh script.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -30,7 +29,6 @@ atomic_tests:
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
supported_platforms:
- freebsd
- linux
- macos
executor:
@@ -105,7 +103,6 @@ atomic_tests:
description: |
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed.
supported_platforms:
- freebsd
- linux
executor:
name: sh
@@ -122,7 +119,6 @@ atomic_tests:
description: |
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
supported_platforms:
- freebsd
- linux
executor:
name: sh
@@ -136,7 +132,6 @@ atomic_tests:
description: |
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
supported_platforms:
- freebsd
- linux
executor:
name: sh
@@ -148,7 +143,6 @@ atomic_tests:
description: |
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
supported_platforms:
- freebsd
- linux
executor:
name: sh
@@ -173,7 +167,7 @@ atomic_tests:
description: |
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: false
@@ -210,7 +204,7 @@ atomic_tests:
description: |
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/sh shell, changes the users shell to sh, then deletes the art user.
supported_platforms:
- freebsd
- linux
dependencies:
- description: |
chsh - change login shell, must be installed
@@ -247,7 +241,7 @@ atomic_tests:
description: |
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/sh
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: false
@@ -293,7 +287,7 @@ atomic_tests:
description: |
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command.
supported_platforms:
- freebsd
- linux
input_arguments:
remote_url:
description: url of remote payload
+1 -5
View File
@@ -5,7 +5,6 @@ atomic_tests:
auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
description: Download and execute shell script and write to file then execute locally using Python -c (command mode)
supported_platforms:
- freebsd
- linux
input_arguments:
script_url:
@@ -43,7 +42,6 @@ atomic_tests:
auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
description: Create Python file (.py) that downloads and executes shell script via executor arguments
supported_platforms:
- freebsd
- linux
input_arguments:
python_script_name:
@@ -97,7 +95,6 @@ atomic_tests:
description: |
Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
supported_platforms:
- freebsd
- linux
input_arguments:
python_script_name:
@@ -156,9 +153,8 @@ atomic_tests:
description: |
Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
supported_platforms:
- freebsd
- linux
dependencies:
dependencies:
- description: |
Verify if python is in the environment variable path and attempt to import requests library.
prereq_command: |
+1 -2
View File
@@ -6,9 +6,8 @@ atomic_tests:
description: |
Permission Groups Discovery
supported_platforms:
- freebsd
- macos
- linux
- macos
executor:
command: |
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
+5 -5
View File
@@ -37,7 +37,7 @@ atomic_tests:
description: |
Delete messages and security logs
supported_platforms:
- freebsd
- linux
executor:
command: |
rm -rf /var/log/messages
@@ -86,7 +86,7 @@ atomic_tests:
description: |
This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
supported_platforms:
- freebsd
- linux
executor:
command: |
truncate -s 0 /var/log/messages #size parameter shorthand
@@ -124,7 +124,7 @@ atomic_tests:
description: |
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
supported_platforms:
- freebsd
- linux
executor:
command: |
cat /dev/null > /var/log/messages #truncating the file to zero bytes
@@ -187,7 +187,7 @@ atomic_tests:
description: |
This test overwrites the contents of system log file with an empty string using echo utility
supported_platforms:
- freebsd
- linux
executor:
command: |
echo '' > /var/log/messages
@@ -234,7 +234,7 @@ atomic_tests:
description: |
This test deletes the messages log file using unlink utility
supported_platforms:
- freebsd
- linux
executor:
command: |
unlink /var/log/messages
+7 -7
View File
@@ -17,7 +17,7 @@ atomic_tests:
description: |
Clears sh history via rm
supported_platforms:
- freebsd
- linux
executor:
command: |
rm ~/.sh_history
@@ -38,7 +38,7 @@ atomic_tests:
description: |
Clears sh history via echo
supported_platforms:
- freebsd
- linux
executor:
command: |
echo "" > ~/.sh_history
@@ -59,7 +59,7 @@ atomic_tests:
description: |
Clears sh history via cat /dev/null
supported_platforms:
- freebsd
- linux
executor:
command: |
cat /dev/null > ~/.sh_history
@@ -81,7 +81,7 @@ atomic_tests:
description: |
Clears sh history via a symlink to /dev/null
supported_platforms:
- freebsd
- linux
executor:
command: |
ln -sf /dev/null ~/.sh_history
@@ -101,7 +101,7 @@ atomic_tests:
description: |
Clears sh history via truncate
supported_platforms:
- freebsd
- linux
executor:
command: |
truncate -s0 ~/.sh_history
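Review bot: all five `~/.sh_history` hunks in this file (rm, echo, cat /dev/null, symlink, truncate) now list only `linux`, but `~/.sh_history` is the history file of the FreeBSD Bourne shell (and of ksh); on a typical Linux host the login shell is bash, whose history lives in `~/.bash_history`, so `rm` will error on a missing file and `echo`, `truncate` and `ln -sf` will create an empty file without touching any real history. Keep the FreeBSD tag for these tests or parameterize the history file path.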
@@ -124,7 +124,7 @@ atomic_tests:
description: |
Clears the history of a bunch of different shell types by setting the history size to zero
supported_platforms:
- freebsd
- linux
executor:
command: |
unset HISTFILE
@@ -192,7 +192,7 @@ atomic_tests:
description: |
Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
supported_platforms:
- freebsd
- linux
dependencies:
- description: |
Install sshpass and create user account used for excuting
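Review bot: typo in the dependency description at the end of this hunk, "used for excuting" should read "used for executing"; the test description "Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client ..." also runs two sentences together and needs a period before "ssh -T".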
+1 -3
View File
@@ -6,7 +6,6 @@ atomic_tests:
description: |
Delete a single file from the temporary directory
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -37,7 +36,6 @@ atomic_tests:
description: |
Recursively delete the temporary directory and all files contained within it
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -182,7 +180,7 @@ atomic_tests:
description: |
This test deletes the entire root filesystem of a FreeBSD system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
supported_platforms:
- freebsd
- linux
executor:
command: |
chflags -R 0 /
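Review bot: this hunk retags a test whose description says it "deletes the entire root filesystem of a FreeBSD system" and whose executor runs `chflags -R 0 /` as `linux` only; `chflags` is a BSD utility with no Linux counterpart under that name (Linux uses `chattr`), so the command fails on Linux before doing anything, and the description is now wrong about the platform. Since the test is explicitly marked destructive, keep it tagged for FreeBSD rather than mislabel it.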
-4
View File
@@ -6,7 +6,6 @@ atomic_tests:
description: |
Stomps on the access timestamp of a file
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -33,7 +32,6 @@ atomic_tests:
description: |
Stomps on the modification timestamp of a file
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -62,7 +60,6 @@ atomic_tests:
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change date. Use with caution.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -88,7 +85,6 @@ atomic_tests:
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
-1
View File
@@ -66,7 +66,6 @@ atomic_tests:
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
+1 -1
View File
@@ -40,7 +40,7 @@ atomic_tests:
description: |
Utilize curl to download discovery.sh and execute a basic information gathering shell script
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
description: Location to save downloaded discovery.bat file
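Review bot: the `output_file` argument description in this hunk still says "downloaded discovery.bat file" while the test description names the payload discovery.sh; align the argument text with the actual script name.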
+3 -3
View File
@@ -123,7 +123,7 @@ atomic_tests:
description: |
An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: true
@@ -164,7 +164,7 @@ atomic_tests:
In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: true
@@ -206,7 +206,7 @@ atomic_tests:
description: |
An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: true
+3 -6
View File
@@ -28,7 +28,6 @@ atomic_tests:
description: |
Identify System Info
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -85,7 +84,7 @@ atomic_tests:
description: |
Identify virtual machine host kernel modules.
supported_platforms:
- freebsd
- linux
executor:
command: |
kldstat | grep -i "vmm"
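Review bot: `kldstat` in the executor command of this hunk is the FreeBSD kernel-module lister and does not exist on Linux, where the equivalent is `lsmod` (or reading /proc/modules); retagging the test from `freebsd` to `linux` leaves it with an executor that cannot run on its only platform. The same applies to the `kldstat` hunk at -369 in this file. Either restore the FreeBSD tag or branch on `uname -s` and call `lsmod` on Linux.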
@@ -106,7 +105,6 @@ atomic_tests:
description: |
Identify system hostname for FreeBSD, Linux and macOS systems.
supported_platforms:
- freebsd
- linux
- macos
executor:
@@ -165,9 +163,8 @@ atomic_tests:
description: |
Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
supported_platforms:
- freebsd
- macos
- linux
- macos
executor:
command: |
env
@@ -369,7 +366,7 @@ atomic_tests:
description: |
Enumerate kernel modules loaded. Upon successful execution stdout will display kernel modules loaded, followed by list of modules matching 'vmm' if present.
supported_platforms:
- freebsd
- linux
executor:
command: |
kldstat
+2 -4
View File
@@ -47,9 +47,8 @@ atomic_tests:
https://perishablepress.com/list-files-folders-recursively-terminal/
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
output_file:
description: Output file used to store the results.
@@ -73,9 +72,8 @@ atomic_tests:
description: |
Find or discover files on the file system
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
output_file:
description: Output file used to store the results.
+1 -6
View File
@@ -6,7 +6,6 @@ atomic_tests:
description: |
Enumerate all accounts by copying /etc/passwd to another file
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
@@ -25,7 +24,6 @@ atomic_tests:
description: |
(requires root)
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -47,7 +45,6 @@ atomic_tests:
description: |
View accounts with UID 0
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -68,7 +65,6 @@ atomic_tests:
description: |
List opened files by user
supported_platforms:
- freebsd
- linux
- macos
executor:
@@ -114,7 +110,7 @@ atomic_tests:
description: |
Show if a user account has ever logged in remotely
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
@@ -133,7 +129,6 @@ atomic_tests:
description: |
Utilize groups and id to enumerate users and groups
supported_platforms:
- freebsd
- linux
- macos
executor:
+1 -2
View File
@@ -8,9 +8,8 @@ atomic_tests:
Note that this test may conflict with pre-existing system configuration.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
proxy_server:
description: Proxy server URL (host:port)
+1 -1
View File
@@ -124,7 +124,7 @@ atomic_tests:
This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
Upon successful execution, the tor proxy service will be launched.
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
- description: |
+1 -2
View File
@@ -9,9 +9,8 @@ atomic_tests:
Modify contents of <user-home>/.ssh/authorized_keys to maintain persistence on victim host.
If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.
supported_platforms:
- freebsd
- macos
- linux
- macos
executor:
name: sh
elevation_required: false
-7
View File
@@ -6,7 +6,6 @@ atomic_tests:
description: |
Utilize rsync to perform a remote file copy (push)
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -44,7 +43,6 @@ atomic_tests:
description: |
Utilize rsync to perform a remote file copy (pull)
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -81,7 +79,6 @@ atomic_tests:
description: |
Utilize scp to perform a remote file copy (push)
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -110,7 +107,6 @@ atomic_tests:
description: |
Utilize scp to perform a remote file copy (pull)
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -139,7 +135,6 @@ atomic_tests:
description: |
Utilize sftp to perform a remote file copy (push)
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -168,7 +163,6 @@ atomic_tests:
description: |
Utilize sftp to perform a remote file copy (pull)
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -359,7 +353,6 @@ atomic_tests:
description: |
Download a remote file using the whois utility
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
+1 -1
View File
@@ -234,7 +234,7 @@ atomic_tests:
This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
supported_platforms:
- freebsd
- linux
input_arguments:
remote_url:
description: url of remote payload
+1 -1
View File
@@ -69,7 +69,7 @@ atomic_tests:
Using username,password combination from a password dump to login over SSH.
supported_platforms:
- freebsd
- linux
input_arguments:
target_host:
+2 -2
View File
@@ -74,7 +74,7 @@ atomic_tests:
description: |
Use xwd command to collect a full desktop screenshot and review file with xwud
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
description: Output file path
@@ -126,7 +126,7 @@ atomic_tests:
description: |
Use import command from ImageMagick to collect a full desktop screenshot
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
description: Output file path
+1 -1
View File
@@ -32,7 +32,7 @@ atomic_tests:
description: |
Identify system time. Upon execution, the local computer system time and timezone will be displayed.
supported_platforms:
- freebsd
- linux
- macos
executor:
command: |
+1 -1
View File
@@ -27,7 +27,7 @@ atomic_tests:
description: |
Utilizing a common technique for posting base64 encoded data.
supported_platforms:
- freebsd
- linux
input_arguments:
destination_url:
description: Destination URL to post encoded data.
+1 -1
View File
@@ -51,7 +51,7 @@ atomic_tests:
description: |
Network Share Discovery using smbstatus
supported_platforms:
- freebsd
- linux
input_arguments:
package_checker:
description: Package checking command. pkg info -x samba
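Review bot: the `package_checker` argument in this hunk defaults to `pkg info -x samba`, which is FreeBSD pkg(8) query syntax; on a Linux host, now the only platform listed, `pkg` is absent or a different tool, so the prerequisite check fails and the smbstatus test never runs. Keep the FreeBSD tag or give the checker a Linux default such as `command -v smbstatus`.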
+2 -2
View File
@@ -24,7 +24,7 @@ atomic_tests:
description: |
Create a user via pw
supported_platforms:
- freebsd
- linux
input_arguments:
username:
description: Username of the user to create
@@ -134,7 +134,7 @@ atomic_tests:
description: |
Creates a new user in FreeBSD and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.
supported_platforms:
- freebsd
- linux
input_arguments:
username:
description: Username of the user to create
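Review bot: both hunks in this file (-24 "Create a user via pw" and -134 "Creates a new user in FreeBSD ...") are FreeBSD-specific by name and description yet now carry only `linux`; `pw` is the FreeBSD user management utility and is not present on Linux, where account creation goes through `useradd`. The platform tag and the test name/description should agree; if these tests are meant for FreeBSD hosts, keep the `freebsd` entry.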
+3 -6
View File
@@ -47,8 +47,7 @@ atomic_tests:
description: |
Use Python to decode a base64-encoded text string and echo it to the console
supported_platforms:
- freebsd
- linux
- linux
- macos
input_arguments:
message:
@@ -82,7 +81,6 @@ atomic_tests:
description: |
Use Perl to decode a base64-encoded text string and echo it to the console
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -143,7 +141,7 @@ atomic_tests:
description: |
Use common shell utilities to decode a base64-encoded text string and echo it to the console
supported_platforms:
- freebsd
- linux
input_arguments:
message:
description: Message to print to the screen
@@ -170,7 +168,7 @@ atomic_tests:
description: |
Using b64decode shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it.
supported_platforms:
- freebsd
- linux
input_arguments:
bash_encoded:
description: Encoded #!/bin/bash script
@@ -208,7 +206,6 @@ atomic_tests:
description: |
Use common shell utilities to decode a hex-encoded text string and echo it to the console
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
-3
View File
@@ -5,7 +5,6 @@ atomic_tests:
auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1
description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory
supported_platforms:
- freebsd
- linux
- windows
- macos
@@ -23,7 +22,6 @@ atomic_tests:
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- freebsd
- linux
- windows
- macos
@@ -39,7 +37,6 @@ atomic_tests:
description: |
Create a file called test.wma, with the duration of 30 seconds
supported_platforms:
- freebsd
- linux
- windows
- macos
+1 -1
View File
@@ -16,7 +16,7 @@ atomic_tests:
description: |
Lists the password complexity policy to console on FreeBSD.
supported_platforms:
- freebsd
- linux
executor:
command: |
cat /etc/pam.d/passwd
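Review bot: the description "Lists the password complexity policy to console on FreeBSD" is left unchanged while the platform becomes `linux`. `cat /etc/pam.d/passwd` works on both systems, so only the wording needs fixing, but as written the Linux test list now advertises a FreeBSD-specific test; reword the description or keep the FreeBSD platform value.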
+1 -2
View File
@@ -6,7 +6,6 @@ atomic_tests:
description: |
Searches for Mozilla Firefox's places.sqlite file (on FreeBSD or Linux distributions) that contains bookmarks and lists any found instances to a text file.
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
@@ -61,7 +60,7 @@ atomic_tests:
description: |
Searches for Google Chromium's Bookmark file (on FreeBSD) that contains bookmarks in JSON format and lists any found instances to a text file.
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
description: Path where captured results will be placed.
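Review bot: "Searches for Google Chromium's Bookmark file (on FreeBSD)" still names FreeBSD in the description after the platform list changes to `linux`. The Firefox test in the previous hunk already reads "on FreeBSD or Linux distributions"; mirror that wording here so description and platform agree.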
+8 -13
View File
@@ -6,9 +6,8 @@ atomic_tests:
description: |
Changes a file or folder's permissions using chmod and a specified numeric mode.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
numeric_mode:
description: Specified numeric mode value
@@ -27,9 +26,8 @@ atomic_tests:
description: |
Changes a file or folder's permissions using chmod and a specified symbolic mode.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
symbolic_mode:
description: Specified symbolic mode value
@@ -48,9 +46,8 @@ atomic_tests:
description: |
Changes a file or folder's permissions recursively using chmod and a specified numeric mode.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
numeric_mode:
description: Specified numeric mode value
@@ -69,9 +66,8 @@ atomic_tests:
description: |
Changes a file or folder's permissions recursively using chmod and a specified symbolic mode.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
symbolic_mode:
description: Specified symbolic mode value
@@ -138,9 +134,8 @@ atomic_tests:
description: |
Changes a file or folder's ownership only using chown.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
owner:
description: Username of desired owner
@@ -197,7 +192,7 @@ atomic_tests:
Remove's a file's `immutable` attribute using `chflags`.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- freebsd
- linux
input_arguments:
file_to_modify:
description: Path of the file
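Review bot: `chflags` is a BSD/macOS command that Linux does not ship (the Linux counterpart for the immutable attribute is `chattr`), so switching this test's platform from `freebsd` to `linux` leaves it unrunnable on every host it now matches. The "Linux web servers" in the description refers to the Rocke campaign, not to the tool being exercised; keep a FreeBSD platform value for this test, or replace the command with `chattr -i` and document that change.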
@@ -242,7 +237,7 @@ atomic_tests:
description: |
chmods a file using a c script
supported_platforms:
- freebsd
- linux
input_arguments:
source_file:
description: Path of c source file
@@ -299,7 +294,7 @@ atomic_tests:
description: |
chowns a file to root using a c script
supported_platforms:
- freebsd
- linux
input_arguments:
source_file:
description: Path of c source file
-1
View File
@@ -39,7 +39,6 @@ atomic_tests:
Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
-4
View File
@@ -6,7 +6,6 @@ atomic_tests:
description: |
Uses gpg to encrypt a file
supported_platforms:
- freebsd
- linux
input_arguments:
pwd_for_encrypted_file:
@@ -46,7 +45,6 @@ atomic_tests:
description: |
Uses 7z to encrypt a file
supported_platforms:
- freebsd
- linux
input_arguments:
pwd_for_encrypted_file:
@@ -83,7 +81,6 @@ atomic_tests:
description: |
Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory.
supported_platforms:
- freebsd
- linux
input_arguments:
cped_file_path:
@@ -126,7 +123,6 @@ atomic_tests:
description: |
Uses openssl to encrypt a file
supported_platforms:
- freebsd
- linux
input_arguments:
private_key_path:
+1 -2
View File
@@ -7,9 +7,8 @@ atomic_tests:
This test simulates a high CPU load as you might observe during cryptojacking attacks.
End the test by using CTRL/CMD+C to break.
supported_platforms:
- freebsd
- macos
- linux
- macos
executor:
command: |
yes > /dev/null
+1 -1
View File
@@ -21,7 +21,7 @@ atomic_tests:
Detects execution in a virtualized environment.
At boot, dmesg stores a log if a hypervisor is detected.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: true
+1 -1
View File
@@ -79,7 +79,7 @@ atomic_tests:
Methods to identify Security Software on an endpoint
when sucessfully executed, command shell is going to display AV/Security software it is running.
supported_platforms:
- freebsd
- linux
executor:
command: |
pgrep -l 'bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd'
+5 -10
View File
@@ -38,9 +38,8 @@ atomic_tests:
description: |
This test restarts a FreeBSD/macOS/Linux system.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
timeout:
description: Time to restart (can be minutes or specific time)
@@ -56,9 +55,8 @@ atomic_tests:
description: |
This test shuts down a FreeBSD/macOS/Linux system using a halt.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
timeout:
description: Time to shutdown (can be minutes or specific time)
@@ -74,9 +72,8 @@ atomic_tests:
description: |
This test restarts a FreeBSD/macOS/Linux system via `reboot`.
supported_platforms:
- freebsd
- macos
- linux
- macos
executor:
command: |
reboot
@@ -87,7 +84,6 @@ atomic_tests:
description: |
This test shuts down a FreeBSD/Linux system using `halt`.
supported_platforms:
- freebsd
- linux
executor:
command: |
@@ -99,7 +95,7 @@ atomic_tests:
description: |
This test restarts a FreeBSD system using `halt`.
supported_platforms:
- freebsd
- linux
executor:
command: |
halt -r
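Review bot: the description "This test restarts a FreeBSD system using `halt`" and the `halt -r` command are FreeBSD-specific, and the hunk directly above already carries a `halt` shutdown test tagged `linux`, so this retag yields two `halt` tests for the same platform with one of them still described as FreeBSD. Keep a FreeBSD platform value on this test or fold it into the Linux test and drop the FreeBSD wording.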
@@ -121,7 +117,6 @@ atomic_tests:
description: |
This test shuts down a FreeBSD/Linux system using `poweroff`.
supported_platforms:
- freebsd
- linux
executor:
command: |
@@ -133,7 +128,7 @@ atomic_tests:
description: |
This test restarts a FreeBSD system using `poweroff`.
supported_platforms:
- freebsd
- linux
executor:
command: |
poweroff -r 3
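Review bot: same problem as the `halt -r` test: "This test restarts a FreeBSD system using `poweroff`" with `poweroff -r 3` is the FreeBSD form, and the previous hunk already has a `poweroff` test tagged `linux`, so the Linux list now carries a duplicate whose description names another operating system. Keep a FreeBSD platform value here or merge the two and make the description platform-neutral.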
+1 -1
View File
@@ -70,7 +70,7 @@ atomic_tests:
description: |
This test creates a SysV service unit file and enables it as a service.
supported_platforms:
- freebsd
- linux
input_arguments:
rc_service_path:
description: Path to rc service file
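Review bot: the input argument is documented as "Path to rc service file" while the description says "SysV service unit file" and the platform becomes `linux`; rc.d scripts are the FreeBSD service mechanism and "unit file" is systemd vocabulary, so the test now mixes three init systems in its metadata. Settle on one per test: keep this one tagged for FreeBSD with the rc wording, or rewrite it for init.d/systemd and fix both the description and the argument text.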
+1 -3
View File
@@ -44,7 +44,7 @@ atomic_tests:
description: |
Adds a command to the .shrc file of the current user
supported_platforms:
- freebsd
- linux
input_arguments:
command_to_add:
description: Command to add to the .shrc file
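Review bot: `~/.shrc` is read because FreeBSD's stock user skeleton points `ENV` at it; on Linux a shell only sources it when `ENV` is set the same way, so the persistence described in "Adds a command to the .shrc file of the current user" will generally not trigger on the `linux` hosts this test is now tagged for. Either keep a FreeBSD platform value or target a file Linux shells read by default (`~/.bashrc`, `~/.profile`), which the following two hunks in this file already cover for profile files.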
@@ -62,7 +62,6 @@ atomic_tests:
description: |
An adversary may wish to establish persistence by executing malicious commands from the systems /etc/profile every time "any" user logs in.
supported_platforms:
- freebsd
- linux
input_arguments:
text_to_append:
@@ -81,7 +80,6 @@ atomic_tests:
description: |
An adversary may wish to establish persistence by executing malicious commands from the users ~/.profile every time the "user" logs in.
supported_platforms:
- freebsd
- linux
input_arguments:
text_to_append:
+2 -2
View File
@@ -21,7 +21,7 @@ atomic_tests:
Launch bash shell with command arg to create TRAP on EXIT.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
- description: |
@@ -56,7 +56,7 @@ atomic_tests:
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
- description: |
+3 -5
View File
@@ -31,7 +31,7 @@ atomic_tests:
description: |
Make, change owner, and change file attributes on a C source code file
supported_platforms:
- freebsd
- linux
input_arguments:
payload:
description: hello.c payload
@@ -76,7 +76,7 @@ atomic_tests:
description: |
This test sets the SetUID flag on a file in FreeBSD.
supported_platforms:
- freebsd
- linux
input_arguments:
file_to_setuid:
description: Path of file to set SetUID flag
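Review bot: the description "This test sets the SetUID flag on a file in FreeBSD" is unchanged while the platform becomes `linux`; the setuid bit behaves the same on both systems, so only the wording needs correcting, but as written the Linux test list advertises a FreeBSD test. Reword the description to match the new platform.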
@@ -117,7 +117,7 @@ atomic_tests:
description: |
This test sets the SetGID flag on a file in FreeBSD.
supported_platforms:
- freebsd
- linux
input_arguments:
file_to_setuid:
description: Path of file to set SetGID flag
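Review bot: same description/platform mismatch as the SetUID test above: "This test sets the SetGID flag on a file in FreeBSD" now sits under `supported_platforms: linux`. While touching this block, note that the input argument for a SetGID test is named `file_to_setuid` (its description says "Path of file to set SetGID flag"); renaming it `file_to_setgid` would avoid confusing the two tests.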
@@ -180,7 +180,6 @@ atomic_tests:
description: |
This test simulates a command that can be run to enumerate files that have the setuid bit set
supported_platforms:
- freebsd
- linux
executor:
command: |
@@ -191,7 +190,6 @@ atomic_tests:
description: |
This test simulates a command that can be run to enumerate files that have the setgid bit set
supported_platforms:
- freebsd
- linux
executor:
command: |
+3 -3
View File
@@ -26,7 +26,7 @@ atomic_tests:
Common Sudo enumeration methods.
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
@@ -68,7 +68,7 @@ atomic_tests:
Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
@@ -109,7 +109,7 @@ atomic_tests:
Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
+2 -5
View File
@@ -6,7 +6,6 @@ atomic_tests:
description: |
Find local AWS credentials from file, defaults to using / as the look path.
supported_platforms:
- freebsd
- macos
- linux
input_arguments:
@@ -34,9 +33,8 @@ atomic_tests:
description: |
Extracting credentials from files
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
file_path:
description: Path to search
@@ -78,9 +76,8 @@ atomic_tests:
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
file_path:
description: Path to search
+1 -1
View File
@@ -30,7 +30,7 @@ atomic_tests:
description: |
Search through sh history for specifice commands we want to capture
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
+4 -5
View File
@@ -18,9 +18,8 @@ atomic_tests:
description: |
Discover private SSH keys on a FreeBSD, macOS or Linux system.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
search_path:
description: Path where to start searching from.
@@ -65,7 +64,7 @@ atomic_tests:
description: |
Copy private SSH keys on a FreeBSD system to a staging folder using the `cp` command.
supported_platforms:
- freebsd
- linux
input_arguments:
search_path:
description: Path where to start searching from.
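Review bot: "Copy private SSH keys on a FreeBSD system to a staging folder using the `cp` command" keeps the FreeBSD wording after the platform list changes to `linux`. The discovery test in the previous hunk already reads "on a FreeBSD, macOS or Linux system"; bring this description in line with the platforms actually listed.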
@@ -119,7 +118,7 @@ atomic_tests:
description: |
Copy private SSH keys on a FreeBSD system to a staging folder using the `rsync` command.
supported_platforms:
- freebsd
- linux
input_arguments:
search_path:
description: Path where to start searching from.
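Review bot: the `rsync` variant has the same mismatch: "Copy private SSH keys on a FreeBSD system" under `supported_platforms: linux`. Update the description together with the platform change.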
@@ -173,7 +172,7 @@ atomic_tests:
description: |
Copy the users GnuPG (.gnupg) directory on a FreeBSD system to a staging folder using the `rsync` command.
supported_platforms:
- freebsd
- linux
input_arguments:
search_path:
description: Path where to start searching from
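Review bot: "Copy the users GnuPG (.gnupg) directory on a FreeBSD system" also retains the FreeBSD wording while the platform becomes `linux`; the `.gnupg` location is the same on both, so the description is the only thing that needs changing, but it should change in this same commit.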
+1 -1
View File
@@ -32,7 +32,7 @@ atomic_tests:
description: |
Creates a root CA with openssl
supported_platforms:
- freebsd
- linux
input_arguments:
cert_filename:
description: Path of the CA certificate we create
+1 -1
View File
@@ -36,7 +36,7 @@ atomic_tests:
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- freebsd
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
+1 -4
View File
@@ -193,7 +193,6 @@ atomic_tests:
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -217,7 +216,6 @@ atomic_tests:
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -248,9 +246,8 @@ atomic_tests:
description: |
Encrypt data for exiltration
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
test_folder:
description: Path used to store files.
-4
View File
@@ -7,7 +7,6 @@ atomic_tests:
description: |
Uses GZip from Python to compress files
supported_platforms:
- freebsd
- linux
input_arguments:
path_to_input_file:
@@ -39,7 +38,6 @@ atomic_tests:
description: |
Uses bz2 from Python to compress files
supported_platforms:
- freebsd
- linux
input_arguments:
path_to_input_file:
@@ -71,7 +69,6 @@ atomic_tests:
description: |
Uses zipfile from Python to compress files
supported_platforms:
- freebsd
- linux
input_arguments:
path_to_input_file:
@@ -103,7 +100,6 @@ atomic_tests:
description: |
Uses tarfile from Python to compress files
supported_platforms:
- freebsd
- linux
input_arguments:
path_to_input_file:
+1 -2
View File
@@ -44,7 +44,7 @@ atomic_tests:
description: |
Disables syslog collection
supported_platforms:
- freebsd
- linux
executor:
command: |
service syslogd stop
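Review bot: `service syslogd stop` is the FreeBSD rc service name; on most Linux distributions the syslog daemon is managed as `rsyslog` or `syslog-ng` (usually via systemd), so on the `linux` hosts this test is now tagged for the command will report an unknown service rather than disable logging. Keep a FreeBSD platform value, or make the service name an input argument with a per-platform default and name the expected daemons in the description.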
@@ -850,7 +850,6 @@ atomic_tests:
disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional
payload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux.
supported_platforms:
- freebsd
- linux
executor:
command: |
+3 -3
View File
@@ -23,7 +23,7 @@ atomic_tests:
description: |
Disables history collection in shells
supported_platforms:
- freebsd
- linux
input_arguments:
evil_command:
description: Command to run after shell history collection is disabled
@@ -125,7 +125,7 @@ atomic_tests:
Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: false
@@ -163,7 +163,7 @@ atomic_tests:
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: false
+2 -2
View File
@@ -117,7 +117,7 @@ atomic_tests:
description: |
Stop the Packet Filter if installed.
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
- description: |
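Review bot: the Packet Filter (PF) is the BSD firewall and has no Linux implementation, so `supported_platforms: linux` is misleading for "Stop the Packet Filter if installed" even though the dependency check will make the test skip rather than fail. Keep a FreeBSD platform value here; a Linux firewall test would be a separate atomic against iptables or nftables.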
@@ -213,7 +213,7 @@ atomic_tests:
description: |
Add and delete a rule on the Packet Filter (PF) if installed and enabled.
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
- description: |
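Review bot: as with the stop test above, "Add and delete a rule on the Packet Filter (PF)" cannot execute on Linux, so the `linux` tag only advertises a test that will always be skipped there. Keep a FreeBSD platform value for the PF rule test as well.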
+2 -2
View File
@@ -42,7 +42,7 @@ atomic_tests:
description: |
Emulates modification of auditd configuration files
supported_platforms:
- freebsd
- linux
input_arguments:
auditd_config_file_name:
description: The name of the auditd configuration file to be changed
@@ -102,7 +102,7 @@ atomic_tests:
description: |
Emulates modification of syslog configuration.
supported_platforms:
- freebsd
- linux
input_arguments:
syslog_config_file_name:
description: The name of the syslog configuration file to be changed
-1
View File
@@ -6,7 +6,6 @@ atomic_tests:
description: |
Creates a hidden file inside a hidden directory
supported_platforms:
- freebsd
- linux
- macos
executor:
-1
View File
@@ -26,7 +26,6 @@ atomic_tests:
description: |
Testing uncommonly used port utilizing telnet.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
-2
View File
@@ -33,7 +33,6 @@ atomic_tests:
Upon successful execution, the output will contain the environment variables that indicate
the 5 character locale that can be looked up to correlate the language and territory.
supported_platforms:
- freebsd
- linux
executor:
command: |
@@ -88,7 +87,6 @@ atomic_tests:
also used as a builtin command that does not generate syscall telemetry but
does provide a list of the environment variables.
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
-1
View File
@@ -46,7 +46,6 @@ $defs:
- windows
- macos
- linux
- freebsd
- office-365
- azure-ad
- google-workspace
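Review bot: dropping `freebsd` from the platform enum in `$defs` means any test file that still contains `- freebsd` will fail schema validation outright instead of merely being skipped, so this hunk should land together with a repository-wide check (for example `grep -rn -- '- freebsd' .`) confirming nothing remains. It also removes the only way to express a BSD-only test, which is why several tests in this change (`pw`, `chflags`, PF, rc services, `service syslogd`) now claim `linux` support they do not have; if the schema is the constraint, consider a qualified value rather than collapsing FreeBSD into `linux`.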