From 2db46f3ca3485868504f3e8fd5d111eb4d6d5288 Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 05:26:38 +0200
Subject: [PATCH] split linux and macos tests for TT1518.001; update processes list

---
 atomics/T1518.001/T1518.001.yaml | 33 +++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml
index 856dfeaf..80cd1d26 100644
--- a/atomics/T1518.001/T1518.001.yaml
+++ b/atomics/T1518.001/T1518.001.yaml
@@ -34,19 +34,46 @@ atomic_tests:
 get-process | ?{$_.Description -like "*defender*"}
 get-process | ?{$_.Description -like "*cylance*"}
 name: powershell
-- name: Security Software Discovery - ps
+- name: Security Software Discovery - ps (macOS)
 auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840
 description: |
 Methods to identify Security Software on an endpoint
- when sucessfully executed, command shell is going to display AV software it is running( Little snitch or carbon black ).
+ when sucessfully executed, command shell is going to display AV/Security software it is running.
 supported_platforms:
- - linux
 - macos
 executor:
 command: |
 ps -ef | grep Little\ Snitch | grep -v grep
 ps aux | grep CbOsxSensorService
 ps aux | grep falcond
+ ps aux | grep nessusd
+ ps aux | grep santad
+ ps aux | grep CbDefense
+ ps aux | grep td-agent
+ ps aux | grep packetbeat
+ ps aux | grep filebeat
+ ps aux | grep auditbeat
+ ps aux | grep osqueryd
+ ps aux | grep BlockBlock
+ ps aux | grep LuLu
+ name: sh
+- name: Security Software Discovery - ps (Linux)
+ auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840
+ description: |
+ Methods to identify Security Software on an endpoint
+ when sucessfully executed, command shell is going to display AV/Security software it is running.
+ supported_platforms:
+ - linux
+ executor:
+ command: |
+ ps aux | grep falcond
+ ps aux | grep nessusd
+ ps aux | grep cbagentd
+ ps aux | grep td-agent
+ ps aux | grep packetbeat
+ ps aux | grep filebeat
+ ps aux | grep auditbeat
+ ps aux | grep osqueryd
 name: sh
 - name: Security Software Discovery - Sysmon Service
 auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9
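Review bot: The added `- name: Security Software Discovery - ps (Linux)` entry reuses `auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840`, the same GUID the macOS test keeps, so after the split the two tests can no longer be distinguished by the identifier that tooling and detection mappings key on; the Linux entry needs its own freshly generated GUID, e.g. `auto_generated_guid: <NEW-GUID-FOR-LINUX-TEST>`. Every added `ps aux | grep <name>` line in both the macOS and Linux command blocks omits the `| grep -v grep` that the existing Little Snitch line carries, so each command matches its own grep process and the test appears to find the product even on a host where it is absent, which makes any detection built from the test's expected output unreliable; appending `| grep -v grep` to each line, or switching the block to `pgrep -l <name>`, removes the false positive. The spelling `sucessfully` is carried into both new description lines and should read `successfully`.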