Skip to content

Latest commit

 

History

History
86 lines (86 loc) · 30.7 KB

linux-matrix.md

File metadata and controls

86 lines (86 loc) · 30.7 KB

Linux Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
Cloud Accounts CONTRIBUTE A TEST At (Linux) .bash_profile and .bashrc .bash_profile and .bashrc Abuse Elevation Control Mechanism CONTRIBUTE A TEST /etc/passwd and /etc/shadow Account Discovery CONTRIBUTE A TEST Application Access Token CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Automated Exfiltration CONTRIBUTE A TEST Application Layer Protocol CONTRIBUTE A TEST Account Access Removal CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST Command and Scripting Interpreter CONTRIBUTE A TEST Account Manipulation CONTRIBUTE A TEST Abuse Elevation Control Mechanism CONTRIBUTE A TEST Application Access Token CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Browser Bookmark Discovery Exploitation of Remote Services CONTRIBUTE A TEST Archive Collected Data CONTRIBUTE A TEST Data Transfer Size Limits Asymmetric Cryptography CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST Cron Add Office 365 Global Administrator Role CONTRIBUTE A TEST At (Linux) Binary Padding Bash History Cloud Account CONTRIBUTE A TEST Internal Spearphishing CONTRIBUTE A TEST Archive via Custom Method CONTRIBUTE A TEST Exfiltration Over Alternative Protocol Bidirectional Communication CONTRIBUTE A TEST Application or System Exploitation CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST Exploitation for Client Execution CONTRIBUTE A TEST Add-ins CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Brute Force CONTRIBUTE A TEST Cloud Groups CONTRIBUTE A TEST Lateral Tool Transfer CONTRIBUTE A TEST Archive via Library CONTRIBUTE A TEST Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Commonly Used Port CONTRIBUTE A TEST Data Destruction
Default Accounts CONTRIBUTE A TEST Graphical User Interface CONTRIBUTE A TEST Additional Cloud Credentials CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Clear Command History Cloud Instance Metadata API CONTRIBUTE A TEST Cloud Infrastructure Discovery CONTRIBUTE A TEST Remote Service Session Hijacking CONTRIBUTE A TEST Archive via Utility Exfiltration Over Bluetooth CONTRIBUTE A TEST Communication Through Removable Media CONTRIBUTE A TEST Data Encrypted for Impact CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST JavaScript/JScript CONTRIBUTE A TEST At (Linux) Cloud Accounts CONTRIBUTE A TEST Clear Linux or Mac System Logs Credential Stuffing CONTRIBUTE A TEST Cloud Service Dashboard CONTRIBUTE A TEST Remote Services CONTRIBUTE A TEST Audio Capture CONTRIBUTE A TEST Exfiltration Over C2 Channel CONTRIBUTE A TEST DNS CONTRIBUTE A TEST Data Manipulation CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST Malicious File CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Cloud Accounts CONTRIBUTE A TEST Credentials In Files Cloud Service Discovery CONTRIBUTE A TEST SSH CONTRIBUTE A TEST Automated Collection CONTRIBUTE A TEST Exfiltration Over Other Network Medium CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Malicious Link CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Cron Compile After Delivery CONTRIBUTE A TEST Credentials from Password Stores CONTRIBUTE A TEST Domain Account CONTRIBUTE A TEST SSH Hijacking CONTRIBUTE A TEST Clipboard Data CONTRIBUTE A TEST Exfiltration Over Physical Medium CONTRIBUTE A TEST Data Encoding CONTRIBUTE A TEST Direct Network Flood CONTRIBUTE A TEST
External Remote Services CONTRIBUTE A TEST Native API CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Default Accounts CONTRIBUTE A TEST Create Cloud Instance CONTRIBUTE A TEST Credentials from Web Browsers CONTRIBUTE A TEST Domain Groups CONTRIBUTE A TEST Software Deployment Tools CONTRIBUTE A TEST Confluence CONTRIBUTE A TEST Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Data Obfuscation CONTRIBUTE A TEST Disk Content Wipe CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST Network Device CLI CONTRIBUTE A TEST Browser Extensions Domain Accounts CONTRIBUTE A TEST Create Snapshot CONTRIBUTE A TEST Exploitation for Credential Access CONTRIBUTE A TEST Email Account CONTRIBUTE A TEST Use Alternate Authentication Material CONTRIBUTE A TEST Data Staged CONTRIBUTE A TEST Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Dead Drop Resolver CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST Python CONTRIBUTE A TEST Cloud Account CONTRIBUTE A TEST Event Triggered Execution CONTRIBUTE A TEST Default Accounts CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST File and Directory Discovery VNC CONTRIBUTE A TEST Data from Cloud Storage Object CONTRIBUTE A TEST Exfiltration Over Web Service CONTRIBUTE A TEST Domain Fronting CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Cloud Accounts CONTRIBUTE A TEST Exploitation for Privilege Escalation CONTRIBUTE A TEST Delete Cloud Instance CONTRIBUTE A TEST Keylogging CONTRIBUTE A TEST Local Account Web Session Cookie CONTRIBUTE A TEST Data from Configuration Repository CONTRIBUTE A TEST Exfiltration over USB CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST Endpoint Denial of Service CONTRIBUTE A TEST
Spearphishing Attachment CONTRIBUTE A TEST Scripting CONTRIBUTE A TEST Compromise Client Software Binary CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST Deobfuscate/Decode Files or Information CONTRIBUTE A TEST Man-in-the-Middle CONTRIBUTE A TEST Local Groups Data from Information Repositories CONTRIBUTE A TEST Exfiltration to Cloud Storage CONTRIBUTE A TEST Dynamic Resolution CONTRIBUTE A TEST External Defacement CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST Software Deployment Tools CONTRIBUTE A TEST Create Account CONTRIBUTE A TEST Kernel Modules and Extensions Disable Cloud Logs CONTRIBUTE A TEST Modify Authentication Process CONTRIBUTE A TEST Network Service Scanning Data from Local System CONTRIBUTE A TEST Exfiltration to Code Repository CONTRIBUTE A TEST Encrypted Channel CONTRIBUTE A TEST Firmware Corruption CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST Source CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST LD_PRELOAD Disable Crypto Hardware CONTRIBUTE A TEST Network Device Authentication CONTRIBUTE A TEST Network Share Discovery Data from Network Shared Drive CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST External Proxy CONTRIBUTE A TEST Inhibit System Recovery CONTRIBUTE A TEST
Supply Chain Compromise CONTRIBUTE A TEST Systemd Timers CONTRIBUTE A TEST Cron Local Accounts CONTRIBUTE A TEST Disable or Modify Cloud Firewall CONTRIBUTE A TEST Network Sniffing Network Sniffing Data from Removable Media CONTRIBUTE A TEST Traffic Duplication CONTRIBUTE A TEST Fallback Channels CONTRIBUTE A TEST Internal Defacement CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST Unix Shell Default Accounts CONTRIBUTE A TEST Proc Memory CONTRIBUTE A TEST Disable or Modify System Firewall OS Credential Dumping CONTRIBUTE A TEST Password Policy Discovery Email Collection CONTRIBUTE A TEST Transfer Data to Cloud Account CONTRIBUTE A TEST Fast Flux DNS CONTRIBUTE A TEST Network Denial of Service CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST User Execution CONTRIBUTE A TEST Domain Account CONTRIBUTE A TEST Process Injection CONTRIBUTE A TEST Disable or Modify Tools Password Cracking CONTRIBUTE A TEST Permission Groups Discovery CONTRIBUTE A TEST Email Forwarding Rule CONTRIBUTE A TEST File Transfer Protocols CONTRIBUTE A TEST OS Exhaustion Flood CONTRIBUTE A TEST
Visual Basic CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Ptrace System Calls CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Password Guessing CONTRIBUTE A TEST Process Discovery Input Capture CONTRIBUTE A TEST Ingress Tool Transfer Reflection Amplification CONTRIBUTE A TEST
Event Triggered Execution CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Downgrade System Image CONTRIBUTE A TEST Password Spraying CONTRIBUTE A TEST Remote System Discovery Keylogging CONTRIBUTE A TEST Internal Proxy Resource Hijacking
Exchange Email Delegate Permissions CONTRIBUTE A TEST Setuid and Setgid Environmental Keying CONTRIBUTE A TEST Pluggable Authentication Modules CONTRIBUTE A TEST Security Software Discovery Local Data Staging Junk Data CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
External Remote Services CONTRIBUTE A TEST Sudo and Sudo Caching Execution Guardrails CONTRIBUTE A TEST Private Keys Software Discovery CONTRIBUTE A TEST Man-in-the-Middle CONTRIBUTE A TEST Mail Protocols CONTRIBUTE A TEST Service Exhaustion Flood CONTRIBUTE A TEST
Hijack Execution Flow CONTRIBUTE A TEST Systemd Service Exploitation for Defense Evasion CONTRIBUTE A TEST Proc Filesystem CONTRIBUTE A TEST System Checks Network Device Configuration Dump CONTRIBUTE A TEST Multi-Stage Channels CONTRIBUTE A TEST Service Stop CONTRIBUTE A TEST
Implant Container Image CONTRIBUTE A TEST Systemd Timers CONTRIBUTE A TEST File Deletion Securityd Memory CONTRIBUTE A TEST System Information Discovery Remote Data Staging CONTRIBUTE A TEST Multi-hop Proxy CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Kernel Modules and Extensions Trap File and Directory Permissions Modification CONTRIBUTE A TEST Steal Application Access Token CONTRIBUTE A TEST System Network Configuration Discovery Remote Email Collection CONTRIBUTE A TEST Multiband Communication CONTRIBUTE A TEST System Shutdown/Reboot
LD_PRELOAD VDSO Hijacking CONTRIBUTE A TEST Hidden File System CONTRIBUTE A TEST Steal Web Session Cookie CONTRIBUTE A TEST System Network Connections Discovery SNMP (MIB Dump) CONTRIBUTE A TEST Non-Application Layer Protocol CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
Local Account Valid Accounts CONTRIBUTE A TEST Hidden Files and Directories Two-Factor Authentication Interception CONTRIBUTE A TEST System Owner/User Discovery Screen Capture Non-Standard Encoding CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST Hide Artifacts CONTRIBUTE A TEST Unsecured Credentials CONTRIBUTE A TEST Time Based Evasion CONTRIBUTE A TEST Sharepoint CONTRIBUTE A TEST Non-Standard Port
Office Application Startup CONTRIBUTE A TEST Hijack Execution Flow CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST User Activity Based Checks CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST One-Way Communication CONTRIBUTE A TEST
Office Template Macros CONTRIBUTE A TEST Impair Command History Logging Virtualization/Sandbox Evasion CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST
Office Test CONTRIBUTE A TEST Impair Defenses CONTRIBUTE A TEST Protocol Impersonation CONTRIBUTE A TEST
Outlook Forms CONTRIBUTE A TEST Indicator Blocking Protocol Tunneling CONTRIBUTE A TEST
Outlook Home Page CONTRIBUTE A TEST Indicator Removal from Tools CONTRIBUTE A TEST Proxy CONTRIBUTE A TEST
Outlook Rules CONTRIBUTE A TEST Indicator Removal on Host CONTRIBUTE A TEST Remote Access Software CONTRIBUTE A TEST
Port Knocking CONTRIBUTE A TEST Install Root Certificate Standard Encoding
Pre-OS Boot CONTRIBUTE A TEST LD_PRELOAD Steganography CONTRIBUTE A TEST
ROMMONkit CONTRIBUTE A TEST Linux and Mac File and Directory Permissions Modification Symmetric Cryptography CONTRIBUTE A TEST
Redundant Access CONTRIBUTE A TEST Local Accounts CONTRIBUTE A TEST Traffic Signaling CONTRIBUTE A TEST
SQL Stored Procedures CONTRIBUTE A TEST Masquerade Task or Service CONTRIBUTE A TEST Web Protocols
SSH Authorized Keys Masquerading CONTRIBUTE A TEST Web Service CONTRIBUTE A TEST
Scheduled Task/Job CONTRIBUTE A TEST Match Legitimate Name or Location CONTRIBUTE A TEST
Server Software Component CONTRIBUTE A TEST Modify Authentication Process CONTRIBUTE A TEST
Systemd Service Modify Cloud Compute Infrastructure CONTRIBUTE A TEST
Systemd Timers CONTRIBUTE A TEST Modify System Image CONTRIBUTE A TEST
TFTP Boot CONTRIBUTE A TEST Network Address Translation Traversal CONTRIBUTE A TEST
Traffic Signaling CONTRIBUTE A TEST Network Boundary Bridging CONTRIBUTE A TEST
Transport Agent CONTRIBUTE A TEST Network Device Authentication CONTRIBUTE A TEST
Trap Obfuscated Files or Information
Valid Accounts CONTRIBUTE A TEST Patch System Image CONTRIBUTE A TEST
Web Shell CONTRIBUTE A TEST Pluggable Authentication Modules CONTRIBUTE A TEST
Port Knocking CONTRIBUTE A TEST
Pre-OS Boot CONTRIBUTE A TEST
Proc Memory CONTRIBUTE A TEST
Process Injection CONTRIBUTE A TEST
Ptrace System Calls CONTRIBUTE A TEST
ROMMONkit CONTRIBUTE A TEST
Reduce Key Space CONTRIBUTE A TEST
Redundant Access CONTRIBUTE A TEST
Rename System Utilities
Revert Cloud Instance CONTRIBUTE A TEST
Right-to-Left Override CONTRIBUTE A TEST
Rootkit
Run Virtual Instance CONTRIBUTE A TEST
Scripting CONTRIBUTE A TEST
Setuid and Setgid
Space after Filename CONTRIBUTE A TEST
Steganography CONTRIBUTE A TEST
Subvert Trust Controls CONTRIBUTE A TEST
Sudo and Sudo Caching
System Checks
TFTP Boot CONTRIBUTE A TEST
Time Based Evasion CONTRIBUTE A TEST
Timestomp
Traffic Signaling CONTRIBUTE A TEST
Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
Use Alternate Authentication Material CONTRIBUTE A TEST
User Activity Based Checks CONTRIBUTE A TEST
VBA Stomping CONTRIBUTE A TEST
VDSO Hijacking CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST
Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Weaken Encryption CONTRIBUTE A TEST
Web Session Cookie CONTRIBUTE A TEST