Persistence - TA0003
Objective:
Maintain long-term access despite reboots, updates, or defensive actions. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
ID: TA0003
Linux Context:
Persistence on Linux abuses its startup and scheduling mechanisms. Attackers modify /etc/crontab, /etc/cron.d, or per-user crontabs (under /var/spool/cron) to run malicious scripts periodically or at boot (@reboot). Systemd services (e.g., creating /etc/systemd/system/malicious.service, or a --user unit that needs no root) offer robust persistence, surviving reboots and blending with legitimate processes. Shell profiles like .bashrc, .bash_profile, or /etc/profile are altered to execute code on login. Advanced techniques include shared library hijacking (exporting LD_PRELOAD, or writing the path to /etc/ld.so.preload so the library is loaded into every dynamically linked process system-wide) or kernel module insertion (e.g., rootkits like Reptile). In cloud setups, attackers may backdoor Docker containers or Kubernetes CronJobs.
Key Techniques:
Create or Modify System Process: Systemd Service (T1543.002): Installing a rogue systemd service.
Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006): Preloading a malicious library via LD_PRELOAD or /etc/ld.so.preload.
Event Triggered Execution: Unix Shell Configuration Modification (T1546.004): Editing .bashrc or /etc/profile. Boot or Logon Initialization Scripts (T1037) covers rc.local-style RC scripts (T1037.004).
Flow Example:
An attacker creates /etc/systemd/system/backdoor.service with ExecStart=/bin/sh /tmp/backdoor, or injects export LD_PRELOAD=/tmp/mal.so into /etc/profile.
Defender Strategies:
Audit systemd units via systemctl list-unit-files (and --user for per-user units), monitor cron jobs (crontab -l shows only the invoking user's crontab, so use crontab -l -u USER per account and inspect /etc/crontab and /etc/cron.d directly), and use integrity checks to detect file changes in these locations. Restrict LD_PRELOAD with SELinux policies, and alert on any non-empty /etc/ld.so.preload, which should not exist on a clean host.
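The artifacts from the Flow Example beside the checks from Defender Strategies, as one added example that is not part of the EDRmetry page or product. Rather than calling systemctl or crontab, the script audits a filesystem root offline, so it can be pointed at / on a live host or at a mounted disk image; the staging-directory pattern, the fixture contents, and the function names are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not EDRmetry code): offline audit of the Linux persistence
# locations described in the text, run against a filesystem root.
set -u

# Directories attackers commonly stage payloads in (assumption; tune per fleet).
SUSPICIOUS_EXEC='(/tmp/|/dev/shm/|/var/tmp/)'

# audit_persistence ROOT
# Prints one "kind<TAB>file<TAB>evidence" line per finding and returns 0.
audit_persistence() {
    root="${1:-/}"; root="${root%/}"

    # 1. systemd units (system-wide and --user) whose Exec* line runs a
    #    payload from a staging directory, e.g. ExecStart=/bin/sh /tmp/backdoor
    for f in "$root"/etc/systemd/system/*.service "$root"/etc/systemd/system/*.timer \
             "$root"/home/*/.config/systemd/user/*.service \
             "$root"/root/.config/systemd/user/*.service; do
        [ -f "$f" ] || continue
        grep -E "^Exec(Start|StartPre|StartPost)=.*$SUSPICIOUS_EXEC" "$f" 2>/dev/null |
            while IFS= read -r line; do printf 'systemd\t%s\t%s\n' "$f" "$line"; done
    done

    # 2. cron: @reboot entries and jobs launched from staging directories,
    #    in the system crontab, /etc/cron.d and per-user spool files.
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -E "^[^#]*(@reboot|$SUSPICIOUS_EXEC)" "$f" 2>/dev/null |
            while IFS= read -r line; do printf 'cron\t%s\t%s\n' "$f" "$line"; done
    done

    # 3. dynamic-linker hijacking: any non-comment line in /etc/ld.so.preload
    #    is abnormal on a clean host; LD_PRELOAD exported from a login script
    #    is injected into every shell that sources it.
    if [ -f "$root/etc/ld.so.preload" ]; then
        grep -Ev '^[[:space:]]*(#|$)' "$root/etc/ld.so.preload" 2>/dev/null |
            while IFS= read -r line; do printf 'ld.so.preload\t%s\t%s\n' "$root/etc/ld.so.preload" "$line"; done
    fi
    for f in "$root"/etc/profile "$root"/etc/profile.d/*.sh "$root"/etc/bash.bashrc \
             "$root"/home/*/.bashrc "$root"/home/*/.bash_profile "$root"/home/*/.profile \
             "$root"/root/.bashrc "$root"/root/.profile; do
        [ -f "$f" ] || continue
        grep -E '^[^#]*LD_PRELOAD=' "$f" 2>/dev/null |
            while IFS= read -r line; do printf 'profile\t%s\t%s\n' "$f" "$line"; done
    done
    return 0
}

# make_fixture DIR: constructed sample host tree mirroring the Flow Example
# (backdoor.service, LD_PRELOAD in /etc/profile) plus benign entries that
# must not fire. Lab data only; nothing here touches the real system.
make_fixture() {
    root="$1"
    mkdir -p "$root/etc/systemd/system" "$root/etc/cron.d" "$root/home/alice"
    printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$root/etc/systemd/system/ssh.service"
    printf '[Unit]\nDescription=backdoor\n[Service]\nExecStart=/bin/sh /tmp/backdoor\nRestart=always\n[Install]\nWantedBy=multi-user.target\n' \
        > "$root/etc/systemd/system/backdoor.service"
    printf '# system-wide profile\nexport PATH=/usr/local/bin:$PATH\nexport LD_PRELOAD=/tmp/mal.so\n' > "$root/etc/profile"
    printf '@reboot root /tmp/backdoor\n# 0 3 * * * root /tmp/old\n' > "$root/etc/cron.d/backdoor"
    printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$root/etc/crontab"
    printf '/tmp/mal.so\n' > "$root/etc/ld.so.preload"
    printf 'alias ll="ls -l"\n' > "$root/home/alice/.bashrc"
}

# Demo: `sh audit.sh --demo` builds the fixture in a temp dir and audits it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_fixture "$tmp"; audit_persistence "$tmp"; rm -rf "$tmp"
fi
```

On a real host, source the file and run `audit_persistence /` (as root, so per-user crontabs and /root are readable). The path-based heuristic is deliberately narrow: a unit that runs from /usr/local/bin still deserves review, so treat the output as a triage list and pair it with file-integrity monitoring on the same directories rather than as a complete detector.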
The current list of corresponding EDRmetry test definitions includes:
EDR-T6270 - /etc/modules-load.d Persistence
EDR-T6048 - /etc/sudoers Modification
EDR-T6209 - Add Backdoor User - /etc/passwd modification
EDR-T6031 - Add backdoor user with uid=0
EDR-T6095 - Add new group
EDR-T6091 - Add User to Privileged Group
EDR-T6145 - At job persistence
EDR-T6250 - Backdooring Initramfs
EDR-T6161 - BDS Ftrace Hooking Rootkit
EDR-T6170 - Cap_setuid over LD linker
EDR-T6093 - Crontab root Backdoor
EDR-T6213 - Deploy a malicious RPM package
EDR-T6144 - DNF Package Manager
EDR-T6152 - eBPF Boopkit Rootkit
EDR-T6007 - eBPF Magic SRC Port Tracepoint Exe with bpftrace
EDR-T6158 - eBPF mount bpffs
EDR-T6157 - eBPF sudo Rootkit
EDR-T6151 - eBPF TripleCross Rootkit
EDR-T6325 - eBPF BPFDoor Backdoor
EDR-T6117 - Execute UPX Reverse SSH server
EDR-T6161 - Ftrace Hooking Rootkit
EDR-T6272 - Ftrace Kill Hooking
EDR-T6274 - Ftrace tcp4_seq_show Hiding
EDR-T6146 - Git hook persistence
EDR-T6235 - Hiding SSH key with /etc/ld.so.preload
EDR-T6011.017 - Hidden PHP webshell with carriage return (\r)
EDR-T6208 - HTTPD mod_authg Backdoor
EDR-T6017 - HTTPD mod_backdoor module
EDR-T6303 - K8S - CronJob
EDR-T6305 - K8S - Malicious Admission Controller
EDR-T6306 - K8S - Static pods
EDR-T6380 - K8S - Create service account
EDR-T6273 - Kprobe sys_setuid Hooking
EDR-T6046 - Libc readdir() function hooking with /etc/ld.so.preload
EDR-T6101 - LKM ENOTTY Netfilter Hooking
EDR-T6155 - LKM KoviD Rootkit
EDR-T6153 - LKM Reptile Rootkit
EDR-T6163 - LKM Reveng Rootkit
EDR-T6289 - LKM Ftrace Rootkit - Rebellion
EDR-T6023 - LKM rootkit - Diamorphine
EDR-T6154 - LKM Suterusu Rootkit
EDR-T6327 - LD_PRELOAD Father
EDR-T6029 - Modify crontab with @reboot
EDR-T6347 - Nginx Shell Module
EDR-T6164 - PAM Sneaky Backdoor
EDR-T6309 - PAM SSHdoor
EDR-T6011.004 - PHP base64 system Backdoor
EDR-T6011.009 - PHP filter chain generator
EDR-T6011.001 - PHP GET method
EDR-T6011.007 - PHP Weevly
EDR-T6139 - Python .pth Extensions
EDR-T6128 - Revshell ~/.profile background
EDR-T6271 - rc.local Persistence
EDR-T6066 - SSH Authorized keys
EDR-T6104 - SSHD Dummy Cipher Suite BYOT
EDR-T6316 - SSH PubKey Command Backdoor
EDR-T6130 - SUID backdoor
EDR-T6015 - Systemd Backdoor service
EDR-T6024 - Systemd Backdoor Timer Service
EDR-T6165 - Systemd-run Backdoor Timer Service
EDR-T6362 - Systemd --user Backdoor service
EDR-T6102 - Systemtap LPE creds() upgrade
EDR-T6179 - Udev+atd C2 persistence
EDR-T6011.014 - Webshell base64 PHP Eval
EDR-T6011.013 - Webshell PHP Array_join Obfuscation
EDR-T6011.003 - Webshell PHP Char Obfuscated
EDR-T6011.010 - Webshell PHP Eval
EDR-T6011.005 - Webshell PHP p0wny-shell
EDR-T6011.006 - Webshell PHP Proc Open
EDR-T6011.008 - Webshell PHP Simple popen()
EDR-T6011.012 - Webshell Tinyshell
EDR-T6011.015 - Webshell PHP Sudo
EDR-T6162 - xt_conntrack.ko Rootkit