EDRmetry Generic Flow

To use the EDRmetry Matrix efficiently, we propose a generic flow consisting of the following simple steps:

1. Provision your TARGET_X, KALI_X, or C2_X VMs.

2. Install EDR/Runtime Security/DFIR engine on TARGET_X:

  • Choose and install the Linux EDR/Runtime Security/DFIR engine you want to evaluate. Among Open Source projects, we recommend taking a look at:

    • Falco Runtime Security

    • Kunai Runtime Security

    • Jibril Runtime Security

    • Tetragon Runtime Security

    • Elastic Security

    • Wazuh

    • OSquery + osquery-defense-kit

    • Velociraptor IR

    • Zeek NIDS

    • Suricata NIDS

3. Search Technique:

  • Identify the relevant techniques in the EDRmetry database.

4. Choose offensive commands:

  • Extract the necessary commands or code snippets and follow step-by-step instructions.

5. Execute attack emulations:

  • Prepare attack chains or manually execute single offensive tests on a vulnerable-by-design TARGET_X Linux system.

6. Verify detections and alerts:

  • Check detections, telemetry, and alerts generated within the chosen EDR/Runtime/SIEM platform.

7. Dig deeper:

  • Make configuration changes to your EDR/Runtime/DFIR or ask the EDR/SIEM vendor questions.

  • Create complex attack paths.

  • Do additional research.
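Step 6 in practice, as an added example that is not part of EDRmetry or of any engine listed above: a small Python helper that correlates a log of emulation runs with an EDR's JSON-lines alert feed by ATT&CK technique tag and time window, reporting which techniques fired a rule and which were missed. It assumes Falco-style `json_output` records (`time`, `rule`, `priority`, `tags`, with technique IDs among the tags); the run records and alert lines are constructed.

```python
# Added example (not EDRmetry/Falco code): correlate emulation runs with EDR alerts
# by ATT&CK technique tag and time window. Assumes Falco-style json_output records.
import json
import re
from datetime import datetime, timedelta

TECH_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # ATT&CK technique / sub-technique id

# Constructed emulation log: one record per offensive test executed on TARGET_X.
EMULATION_RUNS = [
    {"technique": "T1059.004", "started": "2024-05-01T10:00:00Z", "ended": "2024-05-01T10:00:05Z"},
    {"technique": "T1053.003", "started": "2024-05-01T10:02:00Z", "ended": "2024-05-01T10:02:03Z"},
    {"technique": "T1070.004", "started": "2024-05-01T10:05:00Z", "ended": "2024-05-01T10:05:02Z"},
]

# Constructed Falco-style JSON-lines alert feed captured from TARGET_X (one bad line).
ALERT_LINES = """
{"time":"2024-05-01T10:00:02.118305112+0000","priority":"Warning","rule":"Run shell untrusted","tags":["T1059.004","mitre_execution"]}
{"time":"2024-05-01T10:02:01.004Z","priority":"Notice","rule":"Schedule Cron Jobs","tags":["T1053.003","mitre_persistence"]}
{"time":"2024-05-01T10:09:00.000Z","priority":"Notice","rule":"Clear Log Activities","tags":["T1070.004","mitre_defense_evasion"]}
not json at all
"""

def parse_ts(s):
    """Normalise RFC3339-style stamps: 'Z' or '+0000' offsets, up to 9 fractional digits."""
    s = re.sub(r"(\.\d{6})\d+", r"\1", s)
    s = re.sub(r"Z$", "+00:00", s)
    s = re.sub(r"([+-]\d{2})(\d{2})$", r"\1:\2", s)
    return datetime.fromisoformat(s)

def parse_alerts(text):
    """Yield (time, rule, {technique ids}) per JSON line; skip lines that are not JSON."""
    for line in text.splitlines():
        try:
            a = json.loads(line)
        except ValueError:
            continue
        techs = {t for t in a.get("tags", []) if TECH_RE.match(t)}
        yield parse_ts(a["time"]), a["rule"], techs

def verify(runs, alert_text, grace=timedelta(seconds=30)):
    """Per run technique, the rule names alerting between start and end+grace ([] = missed)."""
    alerts = list(parse_alerts(alert_text))
    report = {}
    for r in runs:
        start, end = parse_ts(r["started"]), parse_ts(r["ended"]) + grace
        hits = {rule for t, rule, techs in alerts if r["technique"] in techs and start <= t <= end}
        report[r["technique"]] = sorted(hits)
    return report
```

An empty list in the report means the technique ran without any alert tagged with its ID inside the window, which is the case to take into step 7 (tune the engine, or ask the vendor why).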
