FreeBSD Cleanup

atomics/T1003.008/T1003.008.yaml

@@ -69,8 +69,9 @@ atomic_tests:
       type: path
       default: /tmp/T1003.008.txt
   executor:
-    command: |
-      echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
+    command: | 
+      unamestr=$(uname)
+      if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > ${output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > ${output_file}; fi
     cleanup_command: |
       rm -f #{output_file}
     name: sh
@@ -89,8 +90,8 @@ atomic_tests:
   executor:
     command: |
       testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }
+      [ "$(uname)" = 'FreeBSD' ] && testcat /etc/master.passwd
       testcat /etc/passwd
-      testcat /etc/master.passwd
       testcat /etc/shadow
     cleanup_command: |
       rm -f #{output_file}

atomics/T1007/T1007.yaml

@@ -35,23 +35,13 @@ atomic_tests:
     cleanup_command: |
       del /f /q /s #{output_file} >nul 2>&1
     name: command_prompt
-- name: System Service Discovery - systemctl
+- name: System Service Discovery - systemctl/service
   auto_generated_guid: f4b26bce-4c2c-46c0-bcc5-fce062d38bef
   description: |
-    Enumerates system service using systemctl
+    Enumerates system service using systemctl/service
   supported_platforms:
   - linux
   executor:
     command: |
-      systemctl --type=service
-    name: bash
-- name: System Service Discovery - service
-  auto_generated_guid: b2e1c734-7336-40f9-b970-b04731cbaf8a
-  description: |
-    Enumerates system service using service
-  supported_platforms:
-  - linux
-  executor:
-    command: |
-      service -e
-    name: sh
+      if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
+    name: bash

atomics/T1016/T1016.yaml

@@ -33,7 +33,6 @@ atomic_tests:
   auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17
   description: |
     Identify network configuration information.
-
     Upon successful execution, sh will spawn multiple commands and output will be via stdout.
   supported_platforms:
   - macos
@@ -48,24 +47,11 @@ atomic_tests:
       (which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)
   executor:
     command: |
+      if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
       if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
       if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
       if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
-      if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
-    name: sh
-- name: System Network Configuration Discovery (freebsd)
-  auto_generated_guid: 7625b978-4efd-47de-8744-add270374bee
-  description: |
-    Identify network configuration information.
-
-    Upon successful execution, sh will spawn multiple commands and output will be via stdout.
-  supported_platforms:
-  - linux
-  executor:
-    command: |
-      if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
-      if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
-      if [ -x "$(command -v netstat)" ]; then netstat -Sp tcp | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
+      if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
     name: sh
 - name: System Network Configuration Discovery (TrickBot Style)
   auto_generated_guid: dafaf052-5508-402d-bf77-51e0700c02e2

atomics/T1027/T1027.yaml

@@ -23,41 +23,12 @@ atomic_tests:
     prereq_command: |
       if [ -e "/tmp/encoded.dat" ]; then exit 0; else exit 1; fi
     get_prereq_command: |
-      echo "#{shell_command}" | base64 > /tmp/encoded.dat
+      if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64encode -r -"; else cmd="base64"; fi;
+      echo "#{shell_command}" | $cmd > /tmp/encoded.dat
   executor:
     command: |
-      cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
-      chmod +x /tmp/art.sh
-      /tmp/art.sh
-    cleanup_command: |
-      rm /tmp/encoded.dat 
-      rm /tmp/art.sh
-    name: sh
-- name: Decode base64 Data into Script
-  auto_generated_guid: 197ed693-08e6-4958-bfd8-5974e291be6c
-  description: |
-    Creates a base64-encoded data file and decodes it into an executable shell script
-
-    Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team` 
-    and uname -v
-  supported_platforms:
-  - linux
-  input_arguments:
-    shell_command:
-      description: command to encode
-      type: string
-      default: "echo Hello from the Atomic Red Team && uname -v"
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      encode the command into base64 file
-    prereq_command: |
-      exit 1
-    get_prereq_command: |
-      echo "#{shell_command}" | b64encode -r - > /tmp/encoded.dat
-  executor:
-    command: |
-      cat /tmp/encoded.dat | b64decode -r > /tmp/art.sh
+      if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
+      cat /tmp/encoded.dat | $cmd > /tmp/art.sh
       chmod +x /tmp/art.sh
       /tmp/art.sh
     cleanup_command: |

atomics/T1036.006/T1036.006.yaml

@@ -22,30 +22,13 @@ atomic_tests:
   supported_platforms:
   - macos
   - linux
-  executor:
-    name: bash
-    command: |
-      mkdir -p /tmp/atomic-test-T1036.006
-      cd /tmp/atomic-test-T1036.006
-      mkdir -p 'testdirwithspaceend '
-      /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init  '/;\nqx/'.\/init  ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
-      chmod +x 'testdirwithspaceend /init '
-      './testdirwithspaceend /init '
-    cleanup_command:
-      rm -rf /tmp/atomic-test-T1036.006
-- name: Space After Filename (FreeBSD)
-  auto_generated_guid: cfc1fbb5-caae-4f4c-bfa8-1b7c8b5cc4e8
-  description: |
-    Space after filename.
-  supported_platforms:
-  - linux
   executor:
     name: sh
     command: |
       mkdir -p /tmp/atomic-test-T1036.006
       cd /tmp/atomic-test-T1036.006
       mkdir -p 'testdirwithspaceend '
-      /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init "      
+      [ "$(uname)" = 'FreeBSD' ] && /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init " || /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init  '/;\nqx/'.\/init  ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
       chmod +x 'testdirwithspaceend /init '
       './testdirwithspaceend /init '
     cleanup_command:

atomics/T1037.004/T1037.004.yaml

@@ -40,34 +40,16 @@ atomic_tests:
   description: |
     Modify rc.local
 
-  supported_platforms:
-    - linux
-  executor:
-    name: bash
-    elevation_required: true 
-    command: | 
-      filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
-      printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
-      echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
-      printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
-      sudo chmod +x /etc/rc.local
-    cleanup_command: | 
-      origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
-- name: rc.local (FreeBSD)
-  auto_generated_guid: 2015fb48-8ab6-4fbf-928b-0b62de5c9476
-  description: |
-    Modify rc.local
-
   supported_platforms:
     - linux
   executor:
     name: sh
     elevation_required: true 
     command: | 
       filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
-      printf '%s\n' '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local
-      echo 'python3.9 -c "import os, base64;exec(base64.b64decode(\"aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo=\"))"' | sudo tee -a /etc/rc.local
-      printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+      [ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9 && printf '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local || printf '#!/bin/bash' | sudo tee /etc/rc.local
+      echo "\npython3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+      printf 'exit 0' | sudo tee -a /etc/rc.local
       sudo chmod +x /etc/rc.local
     cleanup_command: | 
       origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi

atomics/T1046/T1046.yaml

@@ -23,7 +23,6 @@ atomic_tests:
   auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
   description: |
     Scan ports to check for listening ports with Nmap.
-
     Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
   supported_platforms:
   - linux
@@ -48,13 +47,13 @@ atomic_tests:
     prereq_command: |
       if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
-      (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
+      (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)
   - description: |
       Check if nc command exists on the machine
     prereq_command: |
       if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
-      (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)
+      (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)||(which pkg && pkg install -y netcat)
   - description: |
       Check if telnet command exists on the machine
     prereq_command: |
@@ -68,42 +67,6 @@ atomic_tests:
       nc -nv #{host} #{port}
     name: sh
     elevation_required: true
-- name: Port Scan Nmap for FreeBSD
-  auto_generated_guid: f03d59dc-0e3b-428a-baeb-3499552c7048
-  description: |
-    Scan ports to check for listening ports with Nmap.
-
-    Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
-  supported_platforms:
-  - linux
-  input_arguments:
-    host:
-      description: Host to scan.
-      type: string
-      default: 192.168.1.1
-    port:
-      description: Ports to scan.
-      type: string
-      default: "80"
-    network_range:
-      description: Network Range to Scan.
-      type: string
-      default: 192.168.1.0/24
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      Check if nmap command exists on the machine
-    prereq_command: |
-      if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
-    get_prereq_command: |
-      (which pkg && pkg install -y nmap)
-  executor:
-    command: |
-      nmap -sS #{network_range} -p #{port}
-      telnet #{host} #{port}
-      nc -nv #{host} #{port}
-    name: sh
-    elevation_required: true
 - name: Port Scan NMap for Windows
   auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
   description: Scan ports to check for listening ports for the local host 127.0.0.1

atomics/T1048.003/T1048.003.yaml

@@ -215,15 +215,5 @@ atomic_tests:
     name: sh
     elevation_required: false
     command: |
+      [ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9
       if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
-- name: Python3 http.server (freebsd)
-  auto_generated_guid: 57a303a2-0bc6-400d-b144-4f3292920a0b
-  description: |
-    An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3.9 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.
-  supported_platforms:
-  - linux
-  executor:
-    name: sh
-    elevation_required: false
-    command: |
-      if [ $(which python3.9) ]; then cd /tmp; python3.9 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi

atomics/T1053.002/T1053.002.yaml

@@ -39,13 +39,13 @@ atomic_tests:
   - description: |
       The `at` and `atd` executables must exist in the PATH
     prereq_command: |
-      which at && which atd
+      if [ "$(uname)" = 'FreeBSD' ]; then which at; else which at && which atd; fi;
     get_prereq_command: |
       echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
   - description: |
       The `atd` daemon must be running
     prereq_command: |
-      systemctl status atd || service atd status
+      if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi;
     get_prereq_command: |
       echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'
 
@@ -54,35 +54,3 @@ atomic_tests:
     elevation_required: false
     command: |-
       echo "#{at_command}" | at #{time_spec}
-- name: At - Schedule a job freebsd
-  auto_generated_guid: 549863fb-1c91-467e-97fc-1fa32b9f356b
-  description: |
-    This test submits a command to be run in the future by the `at` daemon.
-
-  supported_platforms:
-  - linux
-
-  input_arguments:
-    time_spec:
-      description: Time specification of when the command should run
-      type: string
-      default: now + 1 minute
-    at_command:
-      description: The command to be run
-      type: string
-      default: echo Hello from Atomic Red Team
-
-  dependency_executor_name: sh
-  dependencies:
-  - description: |
-      The `at` executable must exist in the PATH
-    prereq_command: |
-      which at
-    get_prereq_command: |
-      echo 'Please install `at` ; they were not found in the PATH (Package name: `at`)'
-
-  executor:
-    name: sh
-    elevation_required: false
-    command: |-
-      echo "#{at_command}" | at #{time_spec}

bin/generate_labels.py

@@ -36,7 +36,6 @@ class GithubAPI:
     labels = {
         "windows": "windows",
         "macos": "macOS",
-        "freebsd": "freebsd",
         "linux": "linux",
         "azure-ad": "ADFS",
         "containers": "containers",
@@ -51,7 +50,6 @@ class GithubAPI:
         "windows": ["clr2of8", "MHaggis"],
         "linux": ["josehelps", "cyberbuff"],
         "macos": ["josehelps", "cyberbuff"],
-        "freebsd": ["josehelps", "cyberbuff"],
         "containers": ["patel-bhavin"],
         "iaas:gcp": ["patel-bhavin"],
         "iaas:aws": ["patel-bhavin"],