diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
index 7feb79d2..bda25f43 100644
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -69,8 +69,9 @@ atomic_tests:
 type: path
 default: /tmp/T1003.008.txt
 executor:
- command: |
- echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
+ command: |
+ unamestr=$(uname)
+ if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > ${output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > ${output_file}; fi
 cleanup_command: |
 rm -f #{output_file}
 name: sh
@@ -89,8 +90,8 @@ atomic_tests:
 executor:
 command: |
 testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }
+ [ "$(uname)" = 'FreeBSD' ] && testcat /etc/master.passwd
 testcat /etc/passwd
- testcat /etc/master.passwd
 testcat /etc/shadow
 cleanup_command: |
 rm -f #{output_file}
diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml
index 373a48aa..95bac71b 100644
--- a/atomics/T1007/T1007.yaml
+++ b/atomics/T1007/T1007.yaml
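Review bot: Both new `ed` branches redirect into `${output_file}`, but Atomic Red Team substitutes input arguments written as `#{output_file}` (the removed line and the untouched `cleanup_command` in this hunk both use that form), so `$output_file` is an unset shell variable and `ed > ` aborts on a missing redirect target; change both occurrences to `| ed > #{output_file}`. The `if`/`elif` also has no `else`, so on any other `uname` value nothing runs and no output file is produced while the test still appears to succeed — an `else echo "unsupported platform: $unamestr"; exit 1` branch would make that visible. `echo -e` under a `sh` executor is dash-sensitive as well, but that predates this change.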
@@ -35,23 +35,13 @@ atomic_tests:
 cleanup_command: |
 del /f /q /s #{output_file} >nul 2>&1
 name: command_prompt
-- name: System Service Discovery - systemctl
+- name: System Service Discovery - systemctl/service
 auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
 description: |
- Enumerates system service using systemctl
+ Enumerates system service using systemctl/service
 supported_platforms:
 - linux
 executor:
 command: |
- systemctl --type=service
- name: bash
-- name: System Service Discovery - service
- auto_generated_guid: b2e1c734-7336-40f9-b970-b04731cbaf8a
- description: |
- Enumerates system service using service
- supported_platforms:
- - linux
- executor:
- command: |
- service -e
- name: sh
+ if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
+ name: bash
\ No newline at end of file
diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml
index 6c9da311..e4483fd4 100644
--- a/atomics/T1016/T1016.yaml
+++ b/atomics/T1016/T1016.yaml
@@ -33,7 +33,6 @@ atomic_tests:
 auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17
 description: |
 Identify network configuration information.
- Upon successful execution, sh will spawn multiple commands and output will be via stdout.
 supported_platforms:
 - macos
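Review bot: The `else` arm of `if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;` assumes systemd on every non-FreeBSD host, so on a non-systemd Linux the test fails with command-not-found instead of enumerating services; `elif command -v systemctl >/dev/null 2>&1; then systemctl --type=service; else service --status-all; fi` keeps a working path on all three. The merged test is also executed under `name: bash`, whereas the deleted FreeBSD variant used `sh` — bash is not in the FreeBSD base system, so the FreeBSD branch only runs where `shells/bash` has been installed; the one-liner is POSIX, so `name: sh` would serve every platform. The file also lost its trailing newline (`\ No newline at end of file`), which most linters will flag.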
@@ -48,24 +47,11 @@ atomic_tests:
 (which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)
 executor:
 command: |
+ if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
 if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
 if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
 if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
- if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
- name: sh
-- name: System Network Configuration Discovery (freebsd)
- auto_generated_guid: 7625b978-4efd-47de-8744-add270374bee
- description: |
- Identify network configuration information.
-
- Upon successful execution, sh will spawn multiple commands and output will be via stdout.
- supported_platforms:
- - linux
- executor:
- command: |
- if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
- if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
- if [ -x "$(command -v netstat)" ]; then netstat -Sp tcp | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
+ if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
 name: sh
 - name: System Network Configuration Discovery (TrickBot Style)
 auto_generated_guid: dafaf052-5508-402d-bf77-51e0700c02e2
diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml
index 51be5ebb..25f8fa6c 100644
--- a/atomics/T1027/T1027.yaml
+++ b/atomics/T1027/T1027.yaml
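Review bot: The two branches do not collect the same data: the Linux/macOS command keeps `-a` (`netstat -ant`, all sockets including listeners) while the FreeBSD one is `netstat -Sp tcp`, and FreeBSD's netstat without `-a` omits server/listening sockets, so the socket-state histogram this test produces is missing exactly the entries a discovery technique cares about; `cmd="netstat -aSp tcp"` appears to be the intended equivalent — worth confirming on a FreeBSD host. `$cmd` is expanded unquoted on purpose so it word-splits into a command plus flags, which works for these fixed strings but reads like an oversight; a comment such as `# $cmd is deliberately unquoted: it carries the command and its flags` would stop a later "fix" from quoting it. The `[a-z]` to `[[:lower:]]` change in the grep is behaviour-neutral in the C locale but not guaranteed to be in others, so it is worth a mention in the commit message.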
@@ -23,41 +23,12 @@ atomic_tests:
 prereq_command: |
 if [ -e "/tmp/encoded.dat" ]; then exit 0; else exit 1; fi
 get_prereq_command: |
- echo "#{shell_command}" | base64 > /tmp/encoded.dat
+ if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64encode -r -"; else cmd="base64"; fi;
+ echo "#{shell_command}" | $cmd > /tmp/encoded.dat
 executor:
 command: |
- cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
- chmod +x /tmp/art.sh
- /tmp/art.sh
- cleanup_command: |
- rm /tmp/encoded.dat
- rm /tmp/art.sh
- name: sh
-- name: Decode base64 Data into Script
- auto_generated_guid: 197ed693-08e6-4958-bfd8-5974e291be6c
- description: |
- Creates a base64-encoded data file and decodes it into an executable shell script
-
- Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team`
- and uname -v
- supported_platforms:
- - linux
- input_arguments:
- shell_command:
- description: command to encode
- type: string
- default: "echo Hello from the Atomic Red Team && uname -v"
- dependency_executor_name: sh
- dependencies:
- - description: |
- encode the command into base64 file
- prereq_command: |
- exit 1
- get_prereq_command: |
- echo "#{shell_command}" | b64encode -r - > /tmp/encoded.dat
- executor:
- command: |
- cat /tmp/encoded.dat | b64decode -r > /tmp/art.sh
+ if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
+ cat /tmp/encoded.dat | $cmd > /tmp/art.sh
 chmod +x /tmp/art.sh
 /tmp/art.sh
 cleanup_command: |
diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml
index 535d2af8..4b92249b 100644
--- a/atomics/T1036.006/T1036.006.yaml
+++ b/atomics/T1036.006/T1036.006.yaml
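Review bot: The rewritten decode line `cat /tmp/encoded.dat | $cmd > /tmp/art.sh` still decodes and executes whatever sits at a fixed, world-writable path, and the prerequisite just above it only tests that `/tmp/encoded.dat` exists, so a stale file from an earlier run or one planted by another local user is run as the test user without the `get_prereq_command` ever writing the intended payload; creating both files under `mktemp -d` (or at minimum `rm -f /tmp/encoded.dat` before encoding) closes that hole, which predates this commit but is now the only code path. The new `uname` branches also pick `base64`/`b64decode` without checking that the binary exists, so a host missing it dies with a bare command-not-found rather than the "missing ... skipping" message the T1016 executor in this same commit uses; `command -v "${cmd%% *}" >/dev/null || { echo "$cmd missing"; exit 1; }` would keep the behaviour consistent.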
@@ -22,30 +22,13 @@ atomic_tests:
 supported_platforms:
 - macos
 - linux
- executor:
- name: bash
- command: |
- mkdir -p /tmp/atomic-test-T1036.006
- cd /tmp/atomic-test-T1036.006
- mkdir -p 'testdirwithspaceend '
- /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
- chmod +x 'testdirwithspaceend /init '
- './testdirwithspaceend /init '
- cleanup_command:
- rm -rf /tmp/atomic-test-T1036.006
-- name: Space After Filename (FreeBSD)
- auto_generated_guid: cfc1fbb5-caae-4f4c-bfa8-1b7c8b5cc4e8
- description: |
- Space after filename.
- supported_platforms:
- - linux
 executor:
 name: sh
 command: |
 mkdir -p /tmp/atomic-test-T1036.006
 cd /tmp/atomic-test-T1036.006
 mkdir -p 'testdirwithspaceend '
- /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init "
+ [ "$(uname)" = 'FreeBSD' ] && /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init " || /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
 chmod +x 'testdirwithspaceend /init '
 './testdirwithspaceend /init '
 cleanup_command:
diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml
index c171f991..06eaece2 100644
--- a/atomics/T1037.004/T1037.004.yaml
+++ b/atomics/T1037.004/T1037.004.yaml
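Review bot: The merged one-liner is `[ FreeBSD ] && A && B && C || D`, so if any of the three FreeBSD writes fails the shell falls through to `D` and runs the Linux perl/`ed` path on FreeBSD, appending to a half-written `init ` file; this needs an explicit `if [ "$(uname)" = 'FreeBSD' ]; then …; else …; fi` so each platform gets exactly one branch. Inside the FreeBSD branch, `/bin/echo "#\!/bin/sh"` under `sh` keeps the backslash (double quotes only remove it before `$`, backquote, `"` and `\`), so the file begins with `#\!/bin/sh` and is not a valid shebang — it presumably only runs because the shell re-executes an ENOEXEC file as a script; `printf '%s\n' '#!/bin/sh'` writes the intended line. `python3.9` is also hard-coded, so the branch silently prints nothing on a FreeBSD host with a different python version.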
@@ -40,24 +40,6 @@ atomic_tests:
 description: |
 Modify rc.local
- supported_platforms:
- - linux
- executor:
- name: bash
- elevation_required: true
- command: |
- filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
- printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
- echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
- printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
- sudo chmod +x /etc/rc.local
- cleanup_command: |
- origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
-- name: rc.local (FreeBSD)
- auto_generated_guid: 2015fb48-8ab6-4fbf-928b-0b62de5c9476
- description: |
- Modify rc.local
-
 supported_platforms:
 - linux
 executor:
@@ -65,9 +47,9 @@ atomic_tests:
 elevation_required: true
 command: |
 filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
- printf '%s\n' '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local
- echo 'python3.9 -c "import os, base64;exec(base64.b64decode(\"aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo=\"))"' | sudo tee -a /etc/rc.local
- printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+ [ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9 && printf '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local || printf '#!/bin/bash' | sudo tee /etc/rc.local
+ echo "\npython3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+ printf 'exit 0' | sudo tee -a /etc/rc.local
 sudo chmod +x /etc/rc.local
 cleanup_command: |
 origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml
index e7ff37cb..321f9c27 100644
--- a/atomics/T1046/T1046.yaml
+++ b/atomics/T1046/T1046.yaml
@@ -23,7 +23,6 @@ atomic_tests:
 auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
 description: |
 Scan ports to check for listening ports with Nmap.
- Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
 supported_platforms:
 - linux
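Review bot: The new FreeBSD branch does not yield a working rc.local: `alias python3=python3.9` only affects the shell running the test, not the script executed at boot, which still invokes `python3` (absent on a stock FreeBSD install), and `printf '#\!/usr/local/bin/bash'` hands `\!` to printf as an unrecognised escape in the format string, so the shebang is most likely written literally as `#\!/usr/local/bin/bash`. The `&& … || …` chain additionally writes the Linux `#!/bin/bash` shebang whenever the FreeBSD `sudo tee` fails, and `echo "\npython3 …"` depends on echo interpreting `\n`, which FreeBSD sh and dash do but bash does not — on a distribution whose `sh` is bash the shebang and the python line end up on one line and rc.local never runs the payload. The executor's `name:` line sits between the two hunks, so which shell applies is not visible here. Choosing the interpreter into a variable and emitting every line with `printf '%s\n'` removes all four problems:
```sh
if [ "$(uname)" = 'FreeBSD' ]; then shebang='#!/usr/local/bin/bash'; py='python3.9'; else shebang='#!/bin/bash'; py='python3'; fi
printf '%s\n' "$shebang" | sudo tee /etc/rc.local
printf '%s\n' "$py -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
# … unchanged: sudo chmod +x /etc/rc.local and cleanup_command …
```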
@@ -48,13 +47,13 @@ atomic_tests:
 prereq_command: |
 if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
 get_prereq_command: |
- (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
+ (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)
 - description: |
 Check if nc command exists on the machine
 prereq_command: |
 if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
 get_prereq_command: |
- (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)
+ (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)||(which pkg && pkg install -y netcat)
 - description: |
 Check if telnet command exists on the machine
 prereq_command: |
@@ -68,42 +67,6 @@ atomic_tests:
 nc -nv #{host} #{port}
 name: sh
 elevation_required: true
-- name: Port Scan Nmap for FreeBSD
- auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048
- description: |
- Scan ports to check for listening ports with Nmap.
-
- Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
- supported_platforms:
- - linux
- input_arguments:
- host:
- description: Host to scan.
- type: string
- default: 192.168.1.1
- port:
- description: Ports to scan.
- type: string
- default: "80"
- network_range:
- description: Network Range to Scan.
- type: string
- default: 192.168.1.0/24
- dependency_executor_name: sh
- dependencies:
- - description: |
- Check if nmap command exists on the machine
- prereq_command: |
- if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
- get_prereq_command: |
- (which pkg && pkg install -y nmap)
- executor:
- command: |
- nmap -sS #{network_range} -p #{port}
- telnet #{host} #{port}
- nc -nv #{host} #{port}
- name: sh
- elevation_required: true
 - name: Port Scan NMap for Windows
 auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
 description: Scan ports to check for listening ports for the local host 127.0.0.1
diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml
index 1a371771..2ba6b5ed 100644
--- a/atomics/T1048.003/T1048.003.yaml
+++ b/atomics/T1048.003/T1048.003.yaml
@@ -215,15 +215,5 @@ atomic_tests:
 name: sh
 elevation_required: false
 command: |
+ [ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9
 if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
-- name: Python3 http.server (freebsd)
- auto_generated_guid: 57a303a2-0bc6-400d-b144-4f3292920a0b
- description: |
- An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.
- supported_platforms:
- - linux
- executor:
- name: sh
- elevation_required: false
- command: |
- if [ $(which python3.9) ]; then cd /tmp; python3.9 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
diff --git a/atomics/T1053.002/T1053.002.yaml b/atomics/T1053.002/T1053.002.yaml
index 016dcd9a..c2bbc343 100644
--- a/atomics/T1053.002/T1053.002.yaml
+++ b/atomics/T1053.002/T1053.002.yaml
@@ -39,13 +39,13 @@ atomic_tests:
 - description: |
 The `at` and `atd` executables must exist in the PATH
 prereq_command: |
- which at && which atd
+ if [ "$(uname)" = 'FreeBSD' ]; then which at; else which at && which atd; fi;
 get_prereq_command: |
 echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
 - description: |
 The `atd` daemon must be running
 prereq_command: |
- systemctl status atd || service atd status
+ if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi;
 get_prereq_command: |
 echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'
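Review bot: `[ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9` does not make the following line work on FreeBSD: the guard `if [ $(which python3) ]` passes `python3` as an argument to `which`, where alias expansion never applies, so on a host that only has `python3.9` the check fails and the test silently does nothing (and under bash, non-interactive scripts do not expand aliases at all unless `expand_aliases` is set). Use a variable instead: `if [ "$(uname)" = 'FreeBSD' ]; then py=python3.9; else py=python3; fi` followed by `if command -v "$py" >/dev/null 2>&1; then cd /tmp; "$py" -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi`. Since `http.server` binds all interfaces by default, the description (outside this hunk) should also say that `/tmp` is served to the network for those ten seconds so operators can pick a sandboxed host.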
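Review bot: `if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi;` leaves `$(uname)` unquoted, unlike the quoted form in the prerequisite just above and in every other file of this commit; `"$(uname)"` keeps the prerequisites uniform and safe to copy. More substantively, on FreeBSD this "daemon must be running" prerequisite now checks nothing, so if the cron-driven `atrun` that executes `at` jobs there is disabled the job is queued but never runs while the test reports success; a FreeBSD arm such as `elif [ "$(uname)" = 'FreeBSD' ]; then grep -q atrun /etc/crontab; fi` (path to be confirmed on a FreeBSD host) would restore the check. The `get_prereq_command` message below still mentions only `service`/`systemctl`, so a FreeBSD operator gets no hint either way.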
@@ -54,35 +54,3 @@ atomic_tests:
 elevation_required: false
 command: |-
 echo "#{at_command}" | at #{time_spec}
-- name: At - Schedule a job freebsd
- auto_generated_guid: 549863fb-1c91-467e-97fc-1fa32b9f356b
- description: |
- This test submits a command to be run in the future by the `at` daemon.
-
- supported_platforms:
- - linux
-
- input_arguments:
- time_spec:
- description: Time specification of when the command should run
- type: string
- default: now + 1 minute
- at_command:
- description: The command to be run
- type: string
- default: echo Hello from Atomic Red Team
-
- dependency_executor_name: sh
- dependencies:
- - description: |
- The `at` executable must exist in the PATH
- prereq_command: |
- which at
- get_prereq_command: |
- echo 'Please install `at` ; they were not found in the PATH (Package name: `at`)'
-
- executor:
- name: sh
- elevation_required: false
- command: |-
- echo "#{at_command}" | at #{time_spec}
diff --git a/bin/generate_labels.py b/bin/generate_labels.py
index 82e9b81d..8545ac8b 100644
--- a/bin/generate_labels.py
+++ b/bin/generate_labels.py
@@ -36,7 +36,6 @@ class GithubAPI:
 labels = {
 "windows": "windows",
 "macos": "macOS",
- "freebsd": "freebsd",
 "linux": "linux",
 "azure-ad": "ADFS",
 "containers": "containers",
@@ -51,7 +50,6 @@ class GithubAPI:
 "windows": ["clr2of8", "MHaggis"],
 "linux": ["josehelps", "cyberbuff"],
 "macos": ["josehelps", "cyberbuff"],
- "freebsd": ["josehelps", "cyberbuff"],
 "containers": ["patel-bhavin"],
 "iaas:gcp": ["patel-bhavin"],
 "iaas:aws": ["patel-bhavin"],