Initial Access - TA0001
Objective:
Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.
ID: TA0001
Linux Context:
Linux systems, often exposed as servers or cloud endpoints, face a barrage of Initial Access techniques. Weak or default SSH credentials (e.g., root:toor) are a prime target, exploited via brute-force tools like hydra or medusa. Public-facing applications—Apache, Nginx, or PHP-based CMS—fall to exploits like remote code execution (RCE) vulnerabilities (e.g., CVE-2021-41773 in Apache). Misconfigured services, such as unauthenticated Redis instances or exposed Docker APIs, provide alternative entry points. Phishing campaigns deliver malicious shell scripts (e.g., disguised as update.sh) to Linux users, while supply chain attacks might compromise software repositories (e.g., PyPI or APT). In advanced cases, attackers exploit kernel or privilege escalation bugs directly after gaining limited access.
Key Techniques:
Exploit Public-Facing Application (T1190): Chaining an Nginx flaw with a webshell upload.
Valid Accounts (T1078): Logging in with stolen SSH keys from ~/.ssh/.
External Remote Services (T1133): Abusing exposed VPNs or RDP on Linux hybrids.
Flow Example:
An attacker uses hydra -l root -P rockyou.txt ssh://target.com to brute-force SSH, or exploits an unpatched WordPress plugin on a Linux server to drop a PHP backdoor.
Defender Strategies:
Enforce SSH key-based authentication with strong passphrases, disable root login (PermitRootLogin no in /etc/ssh/sshd_config), and deploy web application firewalls (WAFs) like ModSecurity. Patch systems religiously and scan for misconfigurations with tools like Lynis.
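Added example (not part of the original page or of the EDRmetry test definitions): a small detector that parses OpenSSH "Failed password" lines and flags the two patterns in the flow example, brute force against one account from a single source and password spraying of many accounts from a single source. The log lines are constructed, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Matches the "Failed password" line OpenSSH writes to auth.log or journald,
# in both the "for root" and the "for invalid user admin" forms.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample lines (not real data): one source hammering root, one
# source spraying across accounts, one user who mistypes once then succeeds.
SAMPLE_LOG = """\
Mar  3 10:01:01 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:02 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar  3 10:01:03 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 10:01:04 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar  3 10:02:01 web01 sshd[2340]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2
Mar  3 10:02:02 web01 sshd[2340]: Failed password for invalid user oracle from 198.51.100.9 port 41001 ssh2
Mar  3 10:02:03 web01 sshd[2340]: Failed password for ubuntu from 198.51.100.9 port 41002 ssh2
Mar  3 10:02:04 web01 sshd[2340]: Failed password for git from 198.51.100.9 port 41003 ssh2
Mar  3 10:03:00 web01 sshd[2360]: Failed password for alice from 192.0.2.44 port 52000 ssh2
Mar  3 10:03:09 web01 sshd[2360]: Accepted publickey for alice from 192.0.2.44 port 52000 ssh2
"""

# Assumed thresholds; in production evaluate them over a sliding time window.
BRUTE_FORCE_THRESHOLD = 4   # failures against one account from one source IP
SPRAY_THRESHOLD = 4         # distinct accounts tried from one source IP

def parse_failures(log_text):
    """Return {ip: {user: failure_count}} built from Failed password lines."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += 1
    return failures

def detect(log_text):
    """Return (ip, kind, detail) alerts for brute force and password spraying."""
    alerts = []
    for ip, per_user in parse_failures(log_text).items():
        for user, count in per_user.items():
            if count >= BRUTE_FORCE_THRESHOLD:
                alerts.append((ip, "brute_force", f"{count} failures for {user}"))
        if len(per_user) >= SPRAY_THRESHOLD:
            alerts.append((ip, "password_spray", f"{len(per_user)} distinct accounts"))
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```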
The current list of corresponding EDRmetry test definitions includes:
EDR-T6114 - ActiveMQ CVE-2023-46604 Exploitation
EDR-T6105 - Apache HTTP CVE-2021-41773 Exploitation
EDR-T6185 - Apache Tomcat Manager Brute Force
EDR-T6116 - Apache Tomcat Manager Exploitation
EDR-T6077 - Code Execution via SSH XZBackdoor
EDR-T6210 - HTTPD CVE-2014-6271 Shellshock RCE
EDR-T6228 - JetBrains TeamCity CVE-2023-42793
EDR-T6062 - Kafka CVE-2023-25194 Exploitation
EDR-T6178 - MySQL Brute Force
EDR-T6262 - Ofbiz CVE-2024-45507 SSRF+RCE
EDR-T6243 - OpenSMTPD CVE-2020-7247 RCE
EDR-T6118 - Oracle WebLogic SSRF Exploitation
EDR-T6119 - Remote UAF Exploitation - root
EDR-T6261 - Remote UAF Exploitation - user
EDR-T6110 - Solr Log4J JNDI Exploitation
EDR-T6113 - Spring CVE-2022-22963 Exploitation
EDR-T6019 - SSH Brute Force / Spraying
EDR-T6304 - K8S - Kubeconfig file
EDR-T6355 - Langflow API Pre-Auth CVE-2025-3248 Exploitation
EDR-T6354 - UAF+Heap Overflow Remote Exploitation