From 2db46f3ca3485868504f3e8fd5d111eb4d6d5288 Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Tue, 20 Oct 2020 05:26:38 +0200
Subject: [PATCH 1/3] split linux and macos tests for TT1518.001; update processes list
---
 atomics/T1518.001/T1518.001.yaml | 33 +++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml
index 856dfeaf..80cd1d26 100644
--- a/atomics/T1518.001/T1518.001.yaml
+++ b/atomics/T1518.001/T1518.001.yaml
@@ -34,19 +34,46 @@ atomic_tests: get-process | ?{$_.Description -like "*defender*"} get-process | ?{$_.Description -like "*cylance*"} name: powershell -- name: Security Software Discovery - ps +- name: Security Software Discovery - ps (macOS) auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840 description: | Methods to identify Security Software on an endpoint - when sucessfully executed, command shell is going to display AV software it is running( Little snitch or carbon black ). + when sucessfully executed, command shell is going to display AV/Security software it is running. supported_platforms: - - linux - macos executor: command: | ps -ef | grep Little\ Snitch | grep -v grep ps aux | grep CbOsxSensorService ps aux | grep falcond + ps aux | grep nessusd + ps aux | grep santad + ps aux | grep CbDefense + ps aux | grep td-agent + ps aux | grep packetbeat + ps aux | grep filebeat + ps aux | grep auditbeat + ps aux | grep osqueryd + ps aux | grep BlockBlock + ps aux | grep LuLu + name: sh +- name: Security Software Discovery - ps (Linux) + auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840 + description: | + Methods to identify Security Software on an endpoint + when sucessfully executed, command shell is going to display AV/Security software it is running. + supported_platforms: + - linux + executor: + command: | + ps aux | grep falcond + ps aux | grep nessusd + ps aux | grep cbagentd + ps aux | grep td-agent + ps aux | grep packetbeat + ps aux | grep filebeat + ps aux | grep auditbeat + ps aux | grep osqueryd name: sh - name: Security Software Discovery - Sysmon Service auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9 From 618c150a94bc14f371ec007bcefcc156161c2300 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 20 Oct 2020 05:31:30 +0200 Subject: [PATCH 2/3] Update T1518.001.yaml --- atomics/T1518.001/T1518.001.yaml | 1 - 1 file changed, 1 deletion(-) 
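Review bot: The added `(Linux)` test reuses the macOS test's `auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840`, so two atomics in this file carry the same identifier, which breaks anything that looks tests up by guid. Patch 2/3 deletes that duplicate line but does not replace it, leaving the Linux test with no guid at all; a fresh unique value should be generated for it instead. Both added `description` blocks also carry the typo `sucessfully`; the second line should read `when successfully executed, command shell is going to display AV/Security software it is running.`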
diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml index 80cd1d26..156b7706 100644 --- a/atomics/T1518.001/T1518.001.yaml +++ b/atomics/T1518.001/T1518.001.yaml @@ -58,7 +58,6 @@ atomic_tests: ps aux | grep LuLu name: sh - name: Security Software Discovery - ps (Linux) - auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840 description: | Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. From 60d73a2780b872e8d66bcd86f652839b05c8100c Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Fri, 30 Oct 2020 06:56:20 +0100 Subject: [PATCH 3/3] Update T1518.001.yaml --- atomics/T1518.001/T1518.001.yaml | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml index 156b7706..119cf27b 100644 --- a/atomics/T1518.001/T1518.001.yaml +++ b/atomics/T1518.001/T1518.001.yaml @@ -43,19 +43,7 @@ atomic_tests: - macos executor: command: | - ps -ef | grep Little\ Snitch | grep -v grep - ps aux | grep CbOsxSensorService - ps aux | grep falcond - ps aux | grep nessusd - ps aux | grep santad - ps aux | grep CbDefense - ps aux | grep td-agent - ps aux | grep packetbeat - ps aux | grep filebeat - ps aux | grep auditbeat - ps aux | grep osqueryd - ps aux | grep BlockBlock - ps aux | grep LuLu + ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu' name: sh - name: Security Software Discovery - ps (Linux) description: | 
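Review bot: The consolidated macOS command `ps aux | egrep 'Little\ Snitch|...|LuLu'` drops the `| grep -v grep` that the removed Little Snitch line had, so the egrep process's own command line, which contains every pattern, will usually show up in `ps aux` and the test prints a hit even on a host with none of these products, which makes its output unreliable for validating detections; the Linux hunk below (`@@ -65,14 +53,7 @@`) has the same problem. `egrep` is also obsolescent (GNU grep 3.8 and later warn and recommend `grep -E`), and `\ ` inside an ERE is undefined, which the same versions flag as a stray backslash, so the literal should be written as `Little Snitch` without the escape. Suggested macOS line: `ps aux | grep -E 'Little Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu' | grep -v grep`; and for Linux: `ps aux | grep -E 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd' | grep -v grep`.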
@@ -65,14 +53,7 @@ atomic_tests: - linux executor: command: | - ps aux | grep falcond - ps aux | grep nessusd - ps aux | grep cbagentd - ps aux | grep td-agent - ps aux | grep packetbeat - ps aux | grep filebeat - ps aux | grep auditbeat - ps aux | grep osqueryd + ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd' name: sh - name: Security Software Discovery - Sysmon Service auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9