Privilege Escalation - TA0004
Objective:
Gain higher-level permissions to expand control over the system. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.
ID: TA0004
Linux Context:
Privilege escalation on Linux targets its user/root dichotomy. Misconfigured sudo rights (e.g., a sudoers entry such as user ALL=(ALL) NOPASSWD:ALL) allow instant root access, while setuid binaries (e.g., /usr/bin/find with chmod u+s applied) are abused to run commands as root. Kernel exploits such as Dirty COW (CVE-2016-5195) grant root through memory-safety bugs in the kernel, and flaws in setuid helpers such as pkexec (CVE-2021-4034, "PwnKit") do the same from user space. Attackers also abuse LD_PRELOAD or PATH hijacking to escalate via trusted processes: the dynamic loader ignores LD_PRELOAD for setuid programs, so that vector usually relies on sudo preserving the variable through env_keep, while PATH hijacking relies on a privileged script or cron job calling a command by its bare name from a directory the attacker can write to. In cloud setups, misconfigured IAM roles or Kubernetes RBAC provide escalated privileges.
Key Techniques:
Abuse Elevation Control Mechanism (T1548): exploiting setuid/setgid binaries (T1548.001 Setuid and Setgid) or reusing cached sudo credentials and permissive sudoers rules (T1548.003 Sudo and Sudo Caching).
Exploitation for Privilege Escalation (T1068): running a kernel exploit, or exploiting a vulnerable privileged binary such as pkexec.
Access Token Manipulation (T1134): the Windows-side counterpart (stealing or impersonating process access tokens); the Linux equivalent of "stealing a sudo session", i.e. riding a still-valid sudo timestamp, is classified under T1548.003 rather than T1134.
Flow Example:
Running sudo -l reveals an exploitable command (e.g., sudo vi, from which a root shell can be spawned with an editor escape), or an attacker uses a local exploit such as CVE-2021-3156 (the sudo "Baron Samedit" heap overflow) to gain root from a low-privilege account.
Defender Strategies:
Minimize sudo privileges (no NOPASSWD: ALL, no env_keep of LD_PRELOAD or LD_LIBRARY_PATH, no sudo rules for editors or interpreters that can spawn a shell), audit setuid binaries (find / -perm -4000 -type f 2>/dev/null) against a known baseline, and apply kernel patches promptly. Use a hardened kernel if possible. Use tools like checksec to know your binaries better (PIE, RELRO, stack canaries, NX), and keep world-writable or relative directories out of the PATH of privileged scripts and cron jobs.
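The following POSIX shell script is an added example, not code from the original page or from the EDRmetry project. It turns the Linux context and defender strategies above into three concrete checks: flagging risky sudo rules (NOPASSWD, unrestricted ALL, env_keep of LD_PRELOAD, and rules for known shell-escape binaries such as vi), diffing setuid binaries against a baseline, and classifying PATH entries that enable PATH hijacking. The sudo -l output, the setuid listing and the baseline are constructed sample data; the user name alice, the host name, and the list of shell-escape binaries are assumptions and the list is deliberately non-exhaustive.

```shell
#!/bin/sh
# Added example (not from the original page or EDRmetry): a dependency-free
# audit for the Linux privilege-escalation conditions discussed above.
# All sample data below is constructed for illustration.

# Constructed sample of `sudo -l` output for a user named alice (assumed).
SAMPLE_SUDO_L='Matching Defaults entries for alice on host:
    env_reset, env_keep+=LD_PRELOAD
User alice may run the following commands on host:
    (ALL : ALL) NOPASSWD: ALL
    (root) /usr/bin/vi
    (root) /usr/bin/systemctl status sshd'

# Constructed setuid listing (as `find / -perm -4000 -type f` would print it)
# and a constructed baseline of setuid binaries expected on the host.
SAMPLE_SETUID_FOUND='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/find
/tmp/.cache/bash'
SETUID_BASELINE='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/mount'

# Non-exhaustive, assumed list of binaries that can spawn a shell under sudo.
SHELL_ESCAPE_BINS='vi vim nano less more man find awk perl python python3 env bash sh'

# Print sudo -l lines that grant passwordless or unrestricted commands, or
# that let the caller smuggle LD_PRELOAD into a root process via env_keep.
risky_sudo_rules() {
    printf '%s\n' "$1" | grep -E 'NOPASSWD|\) *ALL *$|env_keep.*LD_PRELOAD' || true
}

# Print sudo rules whose command is a known shell-escape binary (e.g. sudo vi).
shell_escape_rules() {
    printf '%s\n' "$1" | grep -E '^ *\(' | while IFS= read -r rule; do
        # Strip the "(user : group)" prefix and an optional NOPASSWD: tag,
        # then keep only the command path (drop its arguments).
        cmd=$(printf '%s\n' "$rule" | sed -E 's/^ *\([^)]*\) *(NOPASSWD: *)?//; s/ .*//')
        base=${cmd##*/}
        for b in $SHELL_ESCAPE_BINS; do
            if [ "$base" = "$b" ]; then printf '%s\n' "$rule"; break; fi
        done
    done
    return 0
}

# Print setuid binaries from the listing ($1) that are absent from the
# baseline ($2); both are newline-separated path lists.
unexpected_setuid() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$2" | grep -qxF -e "$path" || printf '%s\n' "$path"
    done
    return 0
}

# Classify each entry of a PATH string: empty or relative entries resolve
# against the caller's current directory, missing directories may be
# creatable by an attacker, and world-writable directories let anyone drop
# a look-alike binary ahead of the real one.
hijackable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -z "$dir" ] || [ "${dir#/}" = "$dir" ]; then
            printf 'relative:%s\n' "$dir"
        elif [ ! -d "$dir" ]; then
            printf 'missing:%s\n' "$dir"
        elif [ -n "$(find "$dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
            printf 'world-writable:%s\n' "$dir"
        fi
    done
    return 0
}

# Report against the sample data; on a real host feed in `sudo -l` output,
# the live `find / -perm -4000 -type f` listing, and a privileged script's PATH.
echo '== risky sudo rules ==';        risky_sudo_rules "$SAMPLE_SUDO_L"
echo '== shell-escape sudo rules =='; shell_escape_rules "$SAMPLE_SUDO_L"
echo '== unexpected setuid =='; unexpected_setuid "$SAMPLE_SETUID_FOUND" "$SETUID_BASELINE"
echo '== hijackable PATH entries ==';  hijackable_path_dirs "$PATH"
```

Against the constructed data the script flags the env_keep+=LD_PRELOAD default and the NOPASSWD: ALL rule, flags (root) /usr/bin/vi as a shell escape, and reports /usr/bin/find and /tmp/.cache/bash as setuid binaries outside the baseline. The PATH check deliberately tests mode bits (find -perm -0002) rather than -w, so it gives the same answer whether run as root or as an unprivileged user.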
The current list of corresponding EDRmetry test definitions includes:
EDR-T6315 - Add SSH key via iptables-save
EDR-T6360 - Dirty Pagetable Attack via huge pages Kernel UAF LPE
EDR-T6359 - Dirty Pipe Kernel UAF LPE
EDR-T6231 - DirtyPipe CVE-2022-0847 LPE
EDR-T6216 - Docker BOTB Break out the Box
EDR-T6215 - Docker Host Escape with Proc injection
EDR-T6147 - Docker Host Escape with socket
EDR-T6073 - Execute Trap signals
EDR-T6049 - Exploit local suid binary
EDR-T6232 - Linux Kernel CVE-2022-2588 LPE
EDR-T6300 - K8S - Run a privileged pod
EDR-T6301 - K8S - Writable hostPath mount
EDR-T6183 - MySQL wsrep_provider CVE-2021-27928
EDR-T6346 - Modify nftables via unprivileged namespace
EDR-T6229 - Namespace manipulation with unshare
EDR-T6187 - NFS SUID Escalation
EDR-T6290 - Overwrite modprobe_path
EDR-T6184 - PATH Hijacking
EDR-T6230 - pkexec CVE-2021-4034 Exploitation
EDR-T6100 - Register LKM Char Device + LPE
EDR-T6109 - Socket Command Injection
EDR-T6233 - XZ / liblzma backdoor CVE-2024-3094