Skip to content

Latest commit

 

History

History
89 lines (89 loc) · 39.9 KB

linux-matrix.md

File metadata and controls

89 lines (89 loc) · 39.9 KB

Linux Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
External Remote Services CONTRIBUTE A TEST Server Software Component CONTRIBUTE A TEST Socket Filters CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Socket Filters CONTRIBUTE A TEST Adversary-in-the-Middle CONTRIBUTE A TEST System Owner/User Discovery Remote Services:VNC CONTRIBUTE A TEST Archive Collected Data: Archive via Utility Exfiltration Over Web Service CONTRIBUTE A TEST Socket Filters CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST Command and Scripting Interpreter: JavaScript CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Path Interception by PATH Environment Variable CONTRIBUTE A TEST Embedded Payloads CONTRIBUTE A TEST Modify Authentication Process: Pluggable Authentication Modules System Network Configuration Discovery: Internet Connection Discovery Taint Shared Content CONTRIBUTE A TEST Screen Capture Exfiltration Over Webhook CONTRIBUTE A TEST Data Encoding: Standard Encoding Direct Network Flood CONTRIBUTE A TEST
Phishing: Spearphishing Link CONTRIBUTE A TEST User Execution: Malicious File CONTRIBUTE A TEST Modify Authentication Process: Pluggable Authentication Modules Create or Modify System Process CONTRIBUTE A TEST Modify Authentication Process: Pluggable Authentication Modules Input Capture: Keylogging Permission Groups Discovery CONTRIBUTE A TEST Remote Services: SSH Adversary-in-the-Middle CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST External Defacement CONTRIBUTE A TEST
Phishing: Spearphishing Attachment CONTRIBUTE A TEST Scheduled Task/Job: Cron Path Interception by PATH Environment Variable CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Sudo and Sudo Caching File/Path Exclusions CONTRIBUTE A TEST Brute Force: Password Guessing Device Driver Discovery CONTRIBUTE A TEST SSH Hijacking CONTRIBUTE A TEST Input Capture: Keylogging Exfiltration Over Other Network Medium CONTRIBUTE A TEST Application Layer Protocol: DNS CONTRIBUTE A TEST OS Exhaustion Flood CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification OS Credential Dumping CONTRIBUTE A TEST Account Discovery: Domain Account Remote Services CONTRIBUTE A TEST Audio Capture CONTRIBUTE A TEST Exfiltration Over Bluetooth CONTRIBUTE A TEST Symmetric Cryptography CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Supply Chain Compromise CONTRIBUTE A TEST Native API CONTRIBUTE A TEST External Remote Services CONTRIBUTE A TEST Scheduled Task/Job: Cron Path Interception by PATH Environment Variable CONTRIBUTE A TEST Steal Web Session Cookie CONTRIBUTE A TEST Account Discovery: Local Account Remote Service Session Hijacking CONTRIBUTE A TEST Archive via Custom Method CONTRIBUTE A TEST Automated Exfiltration CONTRIBUTE A TEST Fast Flux DNS CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Command and Scripting Interpreter CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Hide Artifacts: Email Hiding Rules CONTRIBUTE A TEST Securityd Memory CONTRIBUTE A TEST Virtualization/Sandbox Evasion: System Checks Software Deployment Tools CONTRIBUTE A TEST Email Collection CONTRIBUTE A TEST Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Application Layer Protocol CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Content Injection CONTRIBUTE A TEST User Execution CONTRIBUTE A TEST Boot or Logon Autostart Execution CONTRIBUTE A TEST Process Injection CONTRIBUTE A TEST Encrypted/Encoded File CONTRIBUTE A TEST Brute Force: Password Cracking CONTRIBUTE A TEST Permission Groups Discovery: Domain Groups Exploitation of Remote Services CONTRIBUTE A TEST Data from Removable Media CONTRIBUTE A TEST Exfiltration to Code Repository CONTRIBUTE A TEST Remote Access Software CONTRIBUTE A TEST Service Stop
Valid Accounts: Default Accounts CONTRIBUTE A TEST Software Deployment Tools CONTRIBUTE A TEST Scheduled Task/Job: Cron Escape to Host CONTRIBUTE A TEST Rootkit OS Credential Dumping: Proc Filesystem System Service Discovery Internal Spearphishing CONTRIBUTE A TEST Data Staged: Local Data Staging Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Content Injection CONTRIBUTE A TEST Application or System Exploitation CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST Scheduled Task/Job: Systemd Timers Server Software Component: Transport Agent CONTRIBUTE A TEST Valid Accounts: Default Accounts CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Sudo and Sudo Caching Password Managers CONTRIBUTE A TEST Network Sniffing Lateral Tool Transfer CONTRIBUTE A TEST Automated Collection CONTRIBUTE A TEST Exfiltration Over C2 Channel CONTRIBUTE A TEST Traffic Signaling CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST Command and Scripting Interpreter: Bash Scheduled Task/Job CONTRIBUTE A TEST Event Triggered Execution: Trap Bootkit CONTRIBUTE A TEST Network Sniffing Network Share Discovery Clipboard Data Exfiltration Over Alternative Protocol Protocol Tunneling CONTRIBUTE A TEST Reflection Amplification CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Inter-Process Communication CONTRIBUTE A TEST Browser Extensions Hijack Execution Flow: LD_PRELOAD Masquerading: Match Legitimate Name or Location Steal or Forge Kerberos Tickets CONTRIBUTE A TEST Peripheral Device Discovery CONTRIBUTE A TEST Remote Data Staging CONTRIBUTE A TEST Exfiltration over USB CONTRIBUTE A TEST Mail Protocols CONTRIBUTE A TEST Service Exhaustion Flood CONTRIBUTE A TEST
Spearphishing Voice CONTRIBUTE A TEST Exploitation for Client Execution CONTRIBUTE A TEST Traffic Signaling CONTRIBUTE A TEST Abuse Elevation Control Mechanism CONTRIBUTE A TEST Masquerade File Type CONTRIBUTE A TEST Credentials from Password Stores CONTRIBUTE A TEST System Information Discovery Data from Local System Exfiltration Over Web Service: Exfiltration to Text Storage Sites CONTRIBUTE A TEST Communication Through Removable Media CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST Command and Scripting Interpreter: Python Server Software Component: Web Shell CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Setuid and Setgid Hide Artifacts CONTRIBUTE A TEST Unsecured Credentials System Network Configuration Discovery: Wi-Fi Discovery CONTRIBUTE A TEST Archive Collected Data: Archive via Library Exfiltration Over Web Service: Exfiltration to Cloud Storage CONTRIBUTE A TEST External Proxy CONTRIBUTE A TEST Financial Theft CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST System Services CONTRIBUTE A TEST Valid Accounts: Default Accounts CONTRIBUTE A TEST SSH Authorized Keys Virtualization/Sandbox Evasion: System Checks Credentials from Password Stores: Credentials from Web Browsers Application Window Discovery CONTRIBUTE A TEST Archive Collected Data CONTRIBUTE A TEST Data Transfer Size Limits Proxy CONTRIBUTE A TEST Defacement: Internal Defacement CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST Command and Scripting Interpreter: Visual Basic CONTRIBUTE A TEST Event Triggered Execution: Trap VDSO Hijacking CONTRIBUTE A TEST Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs DHCP Spoofing CONTRIBUTE A TEST Time Based Evasion DHCP Spoofing CONTRIBUTE A TEST Exfiltration Over Physical Medium CONTRIBUTE A TEST Dynamic Resolution CONTRIBUTE A TEST Data Manipulation CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST Malicious Link CONTRIBUTE A TEST Hijack Execution Flow: LD_PRELOAD Account Manipulation CONTRIBUTE A TEST Stripped Payloads CONTRIBUTE A TEST Unsecured Credentials: Private Keys Browser Bookmark Discovery Web Portal Capture CONTRIBUTE A TEST Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Web Service CONTRIBUTE A TEST Account Access Removal
Spearphishing via Service CONTRIBUTE A TEST Scheduled Task/Job: At Create Account: Local Account Boot or Logon Autostart Execution: Kernel Modules and Extensions Break Process Trees CONTRIBUTE A TEST Brute Force: Password Spraying CONTRIBUTE A TEST System Network Configuration Discovery Video Capture CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Data Encrypted for Impact
Valid Accounts: Local Accounts SSH Authorized Keys Scheduled Task/Job: Systemd Timers Clear Network Connection History and Configurations CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST Account Discovery CONTRIBUTE A TEST Email Collection: Email Forwarding Rule CONTRIBUTE A TEST Multi-Stage Channels CONTRIBUTE A TEST Endpoint Denial of Service CONTRIBUTE A TEST
Create Account: Domain Account Hijack Execution Flow CONTRIBUTE A TEST Indicator Removal on Host: Clear Command History OS Credential Dumping: Cached Domain Credentials CONTRIBUTE A TEST File and Directory Discovery Data Staged CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST Resource Hijacking
Component Firmware CONTRIBUTE A TEST Valid Accounts CONTRIBUTE A TEST Deobfuscate/Decode Files or Information Steal or Forge Authentication Certificates CONTRIBUTE A TEST System Network Connections Discovery Input Capture: GUI Input Capture CONTRIBUTE A TEST File Transfer Protocols CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
Pre-OS Boot CONTRIBUTE A TEST Exploitation for Privilege Escalation CONTRIBUTE A TEST Impair Defenses Unsecured Credentials: Bash History Virtualization/Sandbox Evasion CONTRIBUTE A TEST Data from Network Shared Drive CONTRIBUTE A TEST One-Way Communication CONTRIBUTE A TEST Data Destruction
Port Knocking CONTRIBUTE A TEST Event Triggered Execution CONTRIBUTE A TEST Masquerading CONTRIBUTE A TEST Unsecured Credentials: Credentials In Files Log Enumeration CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST Proxy: Multi-hop Proxy Network Denial of Service CONTRIBUTE A TEST
Compromise Host Software Binary CONTRIBUTE A TEST Event Triggered Execution: .bash_profile .bashrc and .shrc Email Collection: Mailbox Manipulation Web Cookies CONTRIBUTE A TEST Process Discovery ARP Cache Poisoning CONTRIBUTE A TEST Data Obfuscation CONTRIBUTE A TEST Firmware Corruption CONTRIBUTE A TEST
Account Manipulation CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Process Injection CONTRIBUTE A TEST Forge Web Credentials CONTRIBUTE A TEST User Activity Based Checks CONTRIBUTE A TEST Data from Information Repositories CONTRIBUTE A TEST Non-Standard Port Inhibit System Recovery CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Kernel Modules and Extensions Proc Memory CONTRIBUTE A TEST Traffic Signaling CONTRIBUTE A TEST Multi-Factor Authentication Request Generation CONTRIBUTE A TEST Permission Groups Discovery: Local Groups Encrypted Channel CONTRIBUTE A TEST Disk Content Wipe CONTRIBUTE A TEST
Scheduled Task/Job: Systemd Timers Installer Packages CONTRIBUTE A TEST Signed Binary Proxy Execution CONTRIBUTE A TEST Exploitation for Credential Access CONTRIBUTE A TEST Password Policy Discovery Bidirectional Communication CONTRIBUTE A TEST System Shutdown/Reboot
Hijack Execution Flow CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Rc.common Indicator Removal on Host: Timestomp Input Capture: GUI Input Capture CONTRIBUTE A TEST System Location Discovery: System Language Discovery Asymmetric Cryptography CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Create or Modify System Process: SysV/Systemd Service Reflective Code Loading CONTRIBUTE A TEST Brute Force CONTRIBUTE A TEST System Location Discovery Non-Application Layer Protocol CONTRIBUTE A TEST
Multi-Factor Authentication CONTRIBUTE A TEST XDG Autostart Entries CONTRIBUTE A TEST Ignore Process Interrupts CONTRIBUTE A TEST Brute Force: Credential Stuffing Software Discovery: Security Software Discovery Protocol Impersonation CONTRIBUTE A TEST
Event Triggered Execution CONTRIBUTE A TEST Ptrace System Calls CONTRIBUTE A TEST Time Based Evasion Multi-Factor Authentication CONTRIBUTE A TEST Remote System Discovery Domain Fronting CONTRIBUTE A TEST
Event Triggered Execution: .bash_profile .bashrc and .shrc Scheduled Task/Job: At Impair Defenses: Disable or Modify System Firewall Input Capture CONTRIBUTE A TEST Network Service Discovery Data Encoding CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST Valid Accounts: Local Accounts Electron Applications CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Software Discovery CONTRIBUTE A TEST Non-Standard Encoding CONTRIBUTE A TEST
Server Software Component CONTRIBUTE A TEST Impair Defenses: Disable or Modify Linux Audit System OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow Debugger Evasion CONTRIBUTE A TEST Application Layer Protocol: Web Protocols
Installer Packages CONTRIBUTE A TEST Obfuscated Files or Information: Binary Padding Multi-Factor Authentication Interception CONTRIBUTE A TEST System Time Discovery Ingress Tool Transfer
Boot or Logon Initialization Scripts: Rc.common Valid Accounts: Default Accounts CONTRIBUTE A TEST Modify Authentication Process CONTRIBUTE A TEST Hide Infrastructure CONTRIBUTE A TEST
Create or Modify System Process: SysV/Systemd Service Hijack Execution Flow: LD_PRELOAD Data Obfuscation via Steganography
Create Account CONTRIBUTE A TEST File and Directory Permissions Modification CONTRIBUTE A TEST Fallback Channels CONTRIBUTE A TEST
XDG Autostart Entries CONTRIBUTE A TEST Abuse Elevation Control Mechanism CONTRIBUTE A TEST Proxy: Internal Proxy
Power Settings CONTRIBUTE A TEST Abuse Elevation Control Mechanism: Setuid and Setgid Dead Drop Resolver CONTRIBUTE A TEST
Scheduled Task/Job: At Impair Defenses: Indicator Blocking Junk Data CONTRIBUTE A TEST
Modify Authentication Process CONTRIBUTE A TEST Right-to-Left Override CONTRIBUTE A TEST
SQL Stored Procedures CONTRIBUTE A TEST Component Firmware CONTRIBUTE A TEST
Valid Accounts: Local Accounts Indicator Removal on Host CONTRIBUTE A TEST
Masquerading: Masquerade Task or Service
Pre-OS Boot CONTRIBUTE A TEST
Impair Defenses: Downgrade Attack
Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Execution Guardrails CONTRIBUTE A TEST
Port Knocking CONTRIBUTE A TEST
Hide Artifacts: Hidden Users CONTRIBUTE A TEST
Impair Defenses: Impair Command History Logging
User Activity Based Checks CONTRIBUTE A TEST
VDSO Hijacking CONTRIBUTE A TEST
Impair Defenses: Disable or Modify Tools
Hijack Execution Flow CONTRIBUTE A TEST
Indicator Removal from Tools CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST
Obfuscated Files or Information
Multi-Factor Authentication CONTRIBUTE A TEST
Run Virtual Instance CONTRIBUTE A TEST
Subvert Trust Controls CONTRIBUTE A TEST
Masquerading: Rename System Utilities
Spoof Security Alerting CONTRIBUTE A TEST
Steganography CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST
Subvert Trust Controls: Install Root Certificate
Obfuscated Files or Information: Compile After Delivery
VBA Stomping CONTRIBUTE A TEST
Impersonation CONTRIBUTE A TEST
Hide Artifacts: Hidden Window CONTRIBUTE A TEST
Proc Memory CONTRIBUTE A TEST
Clear Persistence CONTRIBUTE A TEST
HTML Smuggling CONTRIBUTE A TEST
Command Obfuscation CONTRIBUTE A TEST
Indicator Removal on Host: File Deletion
Obfuscated Files or Information: Software Packing
Hidden File System CONTRIBUTE A TEST
Debugger Evasion CONTRIBUTE A TEST
Masquerading: Space after Filename
Ptrace System Calls CONTRIBUTE A TEST
Hide Artifacts: Hidden Files and Directories
Environmental Keying CONTRIBUTE A TEST
Modify Authentication Process CONTRIBUTE A TEST
Valid Accounts: Local Accounts
Exploitation for Defense Evasion CONTRIBUTE A TEST