Changelog / Updates
-
01.10.2025:
EDR-T6382 - LKM Hiding taint message from dmesg
EDR-T6378 - K8S - Access Credentials from ConfigMaps
EDR-T6377 - K8S - Access Credentials in Environment Variables
EDR-T6375 - K8S - Pod Name Similarity
EDR-T6372 - K8S - List RBAC permissions
EDR-T6380 - K8S - Create service account
EDR-T6374 - K8S - Enumerate nodes
EDR-T6373 - K8S - Enumerate pods
EDR-T6376 - K8S - Enumerate cluster secrets
-
18.09.2025:
EDR-T6360 - Dirty Pagetable Attack via huge pages Kernel UAF LPE
EDR-T6359 - Dirty Pipe Kernel UAF LPE
-
15.09.2025:
EDR-T6123.023 - cURL-based HTTPS RevShell in Go
EDR-T6363 - Base64 Payload as a filename inside ZIP
EDR-T6123.022 - Oneshell - Encrypted Reverse Shell using echo and chmod
EDR-T6354 - UAF+Heap Overflow Remote Exploitation
EDR-T6353 - Hide logs with mount overlay
EDR-T6362 - Systemd --user Backdoor service
-
Initial version 05.09.2025:
EDR-T6114 - ActiveMQ CVE-2023-46604 Exploitation
EDR-T6105 - Apache HTTP CVE-2021-41773 Exploitation
EDR-T6185 - Apache Tomcat Manager Brute Force
EDR-T6116 - Apache Tomcat Manager Exploitation
EDR-T6077 - Code Execution via SSH XZBackdoor
EDR-T6210 - HTTPD CVE-2014-6271 Shellshock RCE
EDR-T6228 - JetBrains TeamCity CVE-2023-42793
EDR-T6062 - Kafka CVE-2023-25194 Exploitation
EDR-T6178 - MySQL Brute Force
EDR-T6262 - Ofbiz CVE-2024-45507 SSRF+RCE
EDR-T6243 - OpenSMTPD CVE-2020-7247 RCE
EDR-T6118 - Oracle WebLogic SSRF Exploitation
EDR-T6119 - Remote UAF Exploitation - root
EDR-T6261 - Remote UAF Exploitation - user
EDR-T6110 - Solr Log4J JNDI Exploitation
EDR-T6113 - Spring CVE-2022-22963 Exploitation
EDR-T6019 - SSH Brute Force / Spraying
EDR-T6304 - K8S - Kubeconfig file
EDR-T6355 - Langflow API Pre-Auth CVE-2025-3248 Exploitation
EDR-T6065 - /proc/PID enumeration
EDR-T6036 - C2 randomized hostname lookups
EDR-T6050 - Check ASLR configuration
EDR-T6055 - Check bpf settings from /proc
EDR-T6265 - Dismap Asset Discovery
EDR-T6097 - Download and launch LinEnum
EDR-T6084 - Enumerate kernel modules
EDR-T6225 - Execute "What Server" Enumeration
EDR-T6040 - Execute LinPEAS from /dev/tcp
EDR-T6069 - Execute nping
EDR-T6259 - Find all suid/sgid files
EDR-T6260 - Find all writeable dirs
EDR-T6263 - Find SSH keys
EDR-T6223 - Get Kernel Text Region Address
EDR-T6047 - Kcore Memory File Read
EDR-T6218 - Linux VM Check via Hardware
EDR-T6217 - Linux VM Check via Kernel Modules
EDR-T6124 - Local Network Discovery Scan
EDR-T6251 - Process Snooping with pspy
EDR-T6338 - Process Snooping with rspy
EDR-T6204 - Read local file using curl
EDR-T6068 - Sudo Enumeration
EDR-T6343 - DNS TXT request
EDR-T6276 - List capabilities of binaries
EDR-T6341 - Scan SSH services with SSHamble
EDR-T6138 - Bash HTTP GET data with /dev/tcp
EDR-T6122 - Dump process memory via GDB
EDR-T6009 - eBPF system("whoami") Execution with bpftrace
EDR-T6025 - Encrypted ELF implant
EDR-T6094 - Establish Unix Socket connection
EDR-T6041 - Execute binary listening from a hidden directory as root
EDR-T6085 - Execute Linux Hack Tools
EDR-T6099 - Execute LKM call_usermodehelper() on ICMP
EDR-T6205 - Export proxy_http
EDR-T6039 - File Transfer to a hidden directory
EDR-T0003 - Install suspicious RPM package
EDR-T6086 - LKM Load/unload kernel module
EDR-T6051 - Modify core_pattern file
EDR-T6177 - MySQL UDF Command Execution
EDR-T6173 - OpenSSL - hackshell download without curl
EDR-T6174 - Perl - File download without curl
EDR-T6172 - Python - File download without curl
EDR-T6247 - Python GET File over Network
EDR-T6203 - Renice or Ulimit Execution
EDR-T6123.004 - Revshell mkfifo+nc
EDR-T6171 - Simplest Proc Name Masquerading
EDR-T6278 - Execute mknod/mkfifo
EDR-T6302 - K8S - Sidecar injection
EDR-T6340 - Python HTTP POST and Exec
EDR-T6108 - ASM Injection over /proc/PID/mem
EDR-T6239 - Bash Anti-Forensic Log Wiper
EDR-T6064 - Bash Script Obfuscation
EDR-T6089 - Bashrc File Hiding with ls Alias
EDR-T6156 - Block rsyslogd logging
EDR-T6167 - BOF Loading with BOF-Stager
EDR-T6222 - Change Shell Optional Behavior
EDR-T6005 - Clear kernel ring buffer
EDR-T6221 - Clear Paging Cache
EDR-T6312 - Clear from /var/log/secure
EDR-T6088 - Copy/rename commands to exotic directory
EDR-T6043 - Disable .bash_history
EDR-T6193 - Disable ASLR
EDR-T6034 - Disable EDR/XDR sensor
EDR-T6219 - Disable SELinux
EDR-T6214 - Disable syslog
EDR-T6080 - Disable/modify iptables rules
EDR-T6268 - eBPF Attach prog to eth1 with XDP
EDR-T6008 - eBPF Hide PID with bad-bpf
EDR-T6267 - eBPF Hide PID/file with evilBPF
EDR-T6159 - eBPF Rename Loaded LKM module
EDR-T6253 - eBPF socket/proc/audit/bpftool Hider
EDR-T6336 - eBPF Caracal bpf/program Hider
EDR-T6287 - eBPF Map Attack
EDR-T6245 - Enable Unprivileged BPF
EDR-T6121 - Execute fileless ELF with fee
EDR-T6067 - Execute Invisible SSH notty session
EDR-T6078 - Execute masscan/xmrig via PRoot as BYOF
EDR-T6321 - Ezuri ELF Crypter
EDR-T6133 - File immutable with chattr
EDR-T6132 - File immutable with mount
EDR-T6188 - Fileless Execution with memexec
EDR-T6037 - Fileless memfd_create via Python3
EDR-T6361 - Fileless memfd_create via Python3 - no pts attached
EDR-T6349 - Fake Process Command Line with Perl
EDR-T6296 - GTFOArgs - Command and shell
EDR-T6295 - GTFOArgs - File read
EDR-T6297 - GTFOBINS - Library Load
EDR-T6045 - Hidden Executable File Creation in /dev/shm
EDR-T6098 - Hiding Process Name with /etc/ld.so.preload
EDR-T6351 - Hide from cat with ANSI escapes
EDR-T6344 - Hiding files within an existing mount namespace
EDR-T6330 - Hiding Payload in Extended File Attributes
EDR-T6227 - Inotify Trigger Action on File Access
EDR-T6248 - IPTables Drop outbound traffic
EDR-T6291 - Indirect File Read with FD
EDR-T6322 - io_uring Bypassing libc hooks
EDR-T6310 - io_uring Curing Rootkit
EDR-T6328 - io_uring RingReaper Agent
EDR-T6142 - LD_PRELOAD Process ENV Tampering
EDR-T6149 - LD_PRELOAD Shared Library shell_reverse_tcp
EDR-T6329 - LD_PRELOAD Toy Rootkit
EDR-T6324 - LD_PRELOAD vbackdoor
EDR-T6107 - LKM Remote Loading
EDR-T6166 - Load ELF object in memory via ELFLoader
EDR-T6286 - Libc Hooking with Auto-Color Malware
EDR-T6081 - Modify /etc/hosts
EDR-T6053 - mount --bind process hiding
EDR-T6249 - mount -o remount
EDR-T6320 - Obfuscate Go binaries
EDR-T6237 - Parent-child Obfuscated Process Hierarchy
EDR-T6241 - Patch Dynamic Linker
EDR-T6127 - Process Injection over dd+/proc/PID/mem
EDR-T6141 - Process Name Masquerading with argv[0] overwrite
EDR-T6038 - Process Name Masquerading with exec
EDR-T6140 - Process Name Masquerading with prctl()
EDR-T6345 - Process Name Masquerading with mount namespace
EDR-T6032 - Proxy Execution with DDexec
EDR-T6111 - Ptrace Process Masq with Zapper
EDR-T6256 - Ptrace-less Process Injection with dlinject
EDR-T6238 - ptrace() based Anti-Analysis
EDR-T6028 - Ptrace() Shared Object Process Injection in C
EDR-T6348 - Ptrace() Shared Object Process Injection in Rust
EDR-T6244 - Python Userland Exec
EDR-T6356 - Rust elf_loader
EDR-T6220 - Reboot via Kernel System Request
EDR-T6337 - Sickle - Payload Development Framework
EDR-T6092 - Space before command
EDR-T6182 - Suspicious File/Directory Location
EDR-T6333 - Sleep Obfuscation with SilentPulse
EDR-T6096 - Terminate/stop syslog/EDR Agent
EDR-T6207 - Timestomping - Modifying the system date
EDR-T6054 - Timestomping - touch
EDR-T6072 - Wipe Filesystem with shred
EDR-T6106 - Zombieant Preloading a decoy binary
EDR-T6292 - Avoid Filename and Filepath Matching
EDR-T6279 - Binary Runtime Crypter in Bash
EDR-T6275 - Create file with Unicode zero-width space
EDR-T6294 - Disable EDR with LKM cleanup_module
EDR-T6025 - Encrypted ELF implant
EDR-T6331 - zpoline System Call Hook
EDR-T6270 - /etc/modules-load.d Persistence
EDR-T6048 - /etc/sudoers Modification
EDR-T6209 - Add Backdoor User - /etc/passwd modification
EDR-T6031 - Add backdoor user with uid=0
EDR-T6095 - Add new group
EDR-T6091 - Add User to Privileged Group
EDR-T6145 - At job persistence
EDR-T6250 - Backdooring Initramfs
EDR-T6161 - BDS Ftrace Hooking Rootkit
EDR-T6170 - Cap_setuid over LD linker
EDR-T6093 - Crontab root Backdoor
EDR-T6213 - Deploy a malicious RPM package
EDR-T6144 - DNF Package Manager
EDR-T6152 - eBPF Boopkit Rootkit
EDR-T6007 - eBPF Magic SRC Port Tracepoint Exe with bpftrace
EDR-T6158 - eBPF mount bpffs
EDR-T6157 - eBPF sudo Rootkit
EDR-T6151 - eBPF TripleCross Rootkit
EDR-T6325 - eBPF BPFDoor Backdoor
EDR-T6117 - Execute UPX Reverse SSH server
EDR-T6161 - Ftrace Hooking Rootkit
EDR-T6272 - Ftrace Kill Hooking
EDR-T6274 - Ftrace tcp4_seq_show Hiding
EDR-T6146 - Git hook persistence
EDR-T6235 - Hiding SSH key with /etc/ld.so.preload
EDR-T6011.017 - Hidden PHP webshell with carriage return (\r)
EDR-T6208 - HTTPD mod_authg Backdoor
EDR-T6017 - HTTPD mod_backdoor module
EDR-T6303 - K8S - CronJob
EDR-T6305 - K8S - Malicious Admission Controller
EDR-T6306 - K8S - Static pods
EDR-T6273 - Kprobe sys_setuid Hooking
EDR-T6046 - Libc readdir() function hooking with /etc/ld.so.preload
EDR-T6101 - LKM ENOTTY Netfilter Hooking
EDR-T6155 - LKM KoviD Rootkit
EDR-T6153 - LKM Reptile Rootkit
EDR-T6163 - LKM Reveng Rootkit
EDR-T6289 - LKM Ftrace Rootkit - Rebellion
EDR-T6023 - LKM rootkit - Diamorphine
EDR-T6154 - LKM Suterusu Rootkit
EDR-T6327 - LD_PRELOAD Father
EDR-T6029 - Modify crontab with @reboot
EDR-T6347 - Nginx Shell Module
EDR-T6164 - PAM Sneaky Backdoor
EDR-T6309 - PAM SSHdoor
EDR-T6011.004 - PHP base64 system Backdoor
EDR-T6011.009 - PHP filter chain generator
EDR-T6011.001 - PHP GET method
EDR-T6011.007 - PHP Weevely
EDR-T6139 - Python .pth Extensions
EDR-T6128 - Revshell ~/.profile background
EDR-T6271 - rc.local Persistence
EDR-T6066 - SSH Authorized keys
EDR-T6104 - SSHD Dummy Cipher Suite BYOT
EDR-T6316 - SSH PubKey Command Backdoor
EDR-T6130 - SUID backdoor
EDR-T6015 - Systemd Backdoor service
EDR-T6024 - Systemd Backdoor Timer Service
EDR-T6165 - Systemd-run Backdoor Timer Service
EDR-T6102 - Systemtap LPE creds() upgrade
EDR-T6179 - Udev+atd C2 persistence
EDR-T6011.014 - Webshell base64 PHP Eval
EDR-T6011.013 - Webshell PHP Array_join Obfuscation
EDR-T6011.003 - Webshell PHP Char Obfuscated
EDR-T6011.010 - Webshell PHP Eval
EDR-T6011.005 - Webshell PHP p0wny-shell
EDR-T6011.006 - Webshell PHP Proc Open
EDR-T6011.008 - Webshell PHP Simple popen()
EDR-T6011.012 - Webshell Tinyshell
EDR-T6011.015 - Webshell PHP Sudo
EDR-T6162 - xt_conntrack.ko Rootkit
EDR-T6315 - Add SSH key via iptables-save
EDR-T6231 - DirtyPipe CVE-2022-0847 LPE
EDR-T6216 - Docker BOTB Break out the Box
EDR-T6215 - Docker Host Escape with Proc injection
EDR-T6147 - Docker Host Escape with socket
EDR-T6073 - Execute Trap signals
EDR-T6049 - Exploit local suid binary
EDR-T6232 - Linux Kernel CVE-2022-2588 LPE
EDR-T6300 - K8S - Run a privileged pod
EDR-T6301 - K8S - Writable hostPath mount
EDR-T6183 - MySQL wsrep_provider CVE-2021-27928
EDR-T6346 - Modify nftables via unprivileged namespace
EDR-T6229 - Namespace manipulation with unshare
EDR-T6187 - NFS SUID Escalation
EDR-T6290 - Overwrite modprobe_path
EDR-T6184 - PATH Hijacking
EDR-T6230 - pkexec CVE-2021-4034 Exploitation
EDR-T6100 - Register LKM Char Device + LPE
EDR-T6109 - Socket Command Injection
EDR-T6233 - XZ / liblzma backdoor CVE-2024-3094
EDR-T6307 - DNS Exfiltration with dig
EDR-T6115 - DNS Tunneling/Exfiltration with dnscat2
EDR-T6169 - eBPF Magic String Tracepoint Execution with bpftrace
EDR-T6136 - Exfil data using rsync
EDR-T6137 - Exfil data using transfer.sh
EDR-T6342 - Exfil data with AWS S3
EDR-T6211 - ICMP Python Scapy Exfiltration
EDR-T6168 - ICMP_exfil + nping Exfiltration
EDR-T6112 - NTP Data Exfiltration
EDR-T6103 - PAM creds over HTTP Post
EDR-T6234 - pam_exec SSHD Exfiltration
EDR-T6120 - Python FTP Upload
EDR-T6180 - SMB Data Exfiltration with impacket
EDR-T6257 - Telegram Data Exfiltration
EDR-T6052 - Upload data over HTTP/HTTPS
EDR-T6021 - Upload data over SCP/SFTP
EDR-T6135 - Upload data over WebDAV
EDR-T6181 - Upload/download data over SSHFS
EDR-T6254 - DNS AXFR Payload Delivery
EDR-T6264 - eBPF Keylogger + DNS RCE
EDR-T6212 - Emp3r0r C2 Shadowsocks C2
EDR-T6090 - Execute Offensive Linux Tunneling tools
EDR-T6076 - Execute process via ProxyChains
EDR-T6224 - Fileless Reverse shell with sshx
EDR-T6123.014 - Gsocket Secure Connection
EDR-T6123.013 - JSP+sh
EDR-T6075 - Make a Non-standard port HTTP/HTTPS connection
EDR-T6126.004 - Merlin HTTPX C2
EDR-T6126.001 - Meterpreter reverse_tcp/https
EDR-T6126.005 - Mythic+Poseidon Websockets C2
EDR-T6126.003 - Mythic+Thanatos HTTP C2
EDR-T6200 - Ngrok Tunneling
EDR-T6123.008 - openssl+bash+/dev/fd/3
EDR-T6123.010 - PHP+bash
EDR-T6126.006 - Platypus C2
EDR-T6123.001 - Process Masquerading as kworker+exec+/dev/tcp
EDR-T6123.003 - Revshell curl+telnet
EDR-T6123.002 - Revshell curlshell
EDR-T6123.004 - Revshell mkfifo+nc
EDR-T6123.016 - Revshell on LKM call_usermodehelper()
EDR-T6123.012 - Revshell over GDB
EDR-T6123.009 - Revshell perl+ENV keys
EDR-T6123.006 - Revshell Perl+socket
EDR-T6123.015 - Revshell Python TLS
EDR-T6123.005 - Revshell python+socket+pty
EDR-T6123.007 - Revshell socat+bash
EDR-T6191 - Shell over HTTP streams
EDR-T6190 - Shell Over Reverse SSH
EDR-T6126.002 - Sliver C2 MTLS
EDR-T6134 - Upgrade a reverse shell to a PTY shell
EDR-T6011.011 - Webshell PHP FFI
EDR-T6148 - XOR shell_reverse_tcp Loader
EDR-T6125 - Create a SOCKS proxy with ssh
EDR-T6258 - DarkFlare TCP over CDN Tunneling
EDR-T6186 - DNS Zone Transfer
EDR-T6350 - DNS Potentially Suspicious Requests
EDR-T6071 - Drop Malicious Files Remotely
EDR-T6057 - Execute Port Scanning
EDR-T6226 - Execute SSHD as a victim user
EDR-T6255 - FRP Fast Reverse Proxy
EDR-T6131 - Hijack SSH Client Session
EDR-T6192 - Ligolo-ng Reverse TCP/TLS Tunneling
EDR-T6323 - linWinPwn - Pentesting AD from Linux
EDR-T6016 - Network ping sweep
EDR-T6200 - Ngrok Tunneling
EDR-T6035 - Proxychains TOR connection
EDR-T6189 - Reverse SOCKS5 proxy
EDR-T6160 - Socks Proxy from Tomcat JSP
EDR-T6334 - SoaPy - Pentesting AD WS from Linux
EDR-T6033 - SSH Linux Tunneling
EDR-T6246 - SSHD Manipulation in sshd_config.d
EDR-T6266 - Tailscale Tunneling
EDR-T6074 - Visit malicious Threat Intel URL
EDR-T6201 - Dump credentials via unshadow
EDR-T6319 - Dump heap memory from Java
EDR-T6352 - Dump Passwords From Proc Memory with mimipenguin
EDR-T6242 - eBPF bcc Sniffs pam_get_authtok() with python3
EDR-T6288 - eBPF Capture TLS/SSL functions with Qtap
EDR-T6199 - eBPF pamspy
EDR-T6006 - eBPF Sniff pam_get_authtok() with bpftrace
EDR-T6269 - eBPF Sniff SSL/TLS Traffic
EDR-T6176 - eBPF Sniff PTY with bpftrace
EDR-T6299 - K8S - Dump etcd database
EDR-T6298 - K8S - Steal Pod Service Account Token
EDR-T6313 - Find local passwords/secrets
EDR-T6060 - Read /etc/shadow
EDR-T6012 - Sniff sshd with strace
EDR-T6314 - Scan bash_history to find pass/API keys
EDR-T6240 - Bash Fork Bomb
EDR-T6005 - Clear kernel ring buffer
EDR-T6252 - Crypto Mining CPU stress
EDR-T6018 - Ransomware bash+openssl
EDR-T6058 - Ransomware Black Basta
EDR-T6063 - Ransomware C - lokpack