Generate docs from job=validate_atomics_generate_docs branch=oscd

atomics/Indexes/Indexes-CSV/index.csv

@@ -583,6 +583,7 @@ discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall R
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
+discovery,T1016,System Network Configuration Discovery,6,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -123,6 +123,7 @@ discovery,T1082,System Information Discovery,2,System Information Discovery,edff
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
 discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
+discovery,T1016,System Network Configuration Discovery,6,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -1016,6 +1016,7 @@
   - Atomic Test #3: System Network Configuration Discovery [macos, linux]
   - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
   - Atomic Test #5: List Open Egress Ports [windows]
+  - Atomic Test #6: List macOS Firewall Rules [macos]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
   - Atomic Test #1: System Network Connections Discovery [windows]
   - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -307,6 +307,7 @@
   - Atomic Test #7: Hostname Discovery [linux, macos]
 - [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
   - Atomic Test #3: System Network Configuration Discovery [macos, linux]
+  - Atomic Test #6: List macOS Firewall Rules [macos]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
   - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
 - [T1033 System Owner/User Discovery](../../T1033/T1033.md)

atomics/Indexes/index.yaml

@@ -41831,6 +41831,26 @@ discovery:
 
 '
         name: powershell
+    - name: List macOS Firewall Rules
+      auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88
+      description: "\"This will test if the macOS firewall is enabled and/or show
+        what rules are configured. Must be run with elevated privileges. Upon successful
+        execution, these commands will output various information about the firewall
+        configuration, including status and specific port/protocol blocks or allows.
+        \n\nUsing `defaults`, additional arguments can be added to see filtered details,
+        such as `globalstate` for global configuration (\\\"Is it on or off?\\\"),
+        `firewall` for common application allow rules, and `explicitauths` for specific
+        rules configured by the user. \n\nUsing `socketfilterfw`, flags such as --getglobalstate
+        or --listapps can be used for similar filtering. At least one flag is required
+        to send parseable output to standard out. \n"
+      supported_platforms:
+      - macos
+      executor:
+        command: |
+          sudo defaults read /Library/Preferences/com.apple.alf
+          sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
+        name: bash
+        elevation_required: true
   T1049:
     technique:
       object_marking_refs:

atomics/T1016/T1016.md

@@ -16,6 +16,8 @@ Adversaries may use the information from [System Network Configuration Discovery
 
 - [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)
 
+- [Atomic Test #6 - List macOS Firewall Rules](#atomic-test-6---list-macos-firewall-rules)
+
 
 <br/>
 
@@ -206,4 +208,33 @@ Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - List macOS Firewall Rules
+"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. 
+
+Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. 
+
+Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
+
+**Supported Platforms:** macOS
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo defaults read /Library/Preferences/com.apple.alf
+sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
+```
+
+
+
+
+
+
 <br/>

atomics/T1016/T1016.yaml

@@ -123,6 +123,7 @@ atomic_tests:
       Remove-Item -ErrorAction ignore "#{output_file}"
     name: powershell
 - name: List macOS Firewall Rules
+  auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88
   description: |
     "This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. 
     

atomics/used_guids.txt

@@ -600,3 +600,4 @@ f373b482-48c8-4ce4-85ed-d40c8b3f7310
 79d57242-bbef-41db-b301-9d01d9f6e817
 d34ef297-f178-4462-871e-9ce618d44e50
 23b91cd2-c99c-4002-9e41-317c63e024a2
+ff1d8c25-2aa4-4f18-a425-fede4a41ee88