Lateral Movement - TA0008
Objective:
Move across systems or networks to reach additional targets. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
ID: TA0008
Linux Context:
SSH is the linchpin of lateral movement on Linux, using stolen keys or passwords (ssh user@target -i key). Tools like scp, rsync, or sftp transfer files between hosts, while misconfigured services (e.g., Samba, NFS) offer exploitable paths. In cloud setups, attackers pivot via Kubernetes pod-to-pod communication or IAM role abuse. Advanced techniques include SSH tunneling or exploiting vulnerabilities. Ansible or Puppet misconfigurations may also enable mass execution.
Key Techniques:
Remote Services (T1021): SSH-based pivoting.
Exploitation of Remote Services (T1210): Attacking unpatched services.
Internal Spearphishing (T1534): Targeting internal Linux users.
Linux Example:
Running ssh -i stolen_key admin@dbserver to access a database host, or exploiting an NFS share to mount a remote filesystem.
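The hop in the example above leaves a trace in sshd's auth log on the destination host: an "Accepted publickey for admin from <source IP>" line. When those lines from several hosts are collected centrally, a server-to-server hop stands out because its source address belongs to another server rather than to the bastion or a user workstation. The script below is an added example written for this page (it is not code from the page or from EDRmetry); the log lines, the IP-to-hostname inventory and the set of sanctioned jump hosts are constructed and hypothetical.

```python
"""Flag SSH lateral-movement indicators in aggregated sshd auth logs.

Added example for this page, not code from the page or from EDRmetry.
It assumes syslog-style sshd lines collected from several hosts by a log
forwarder, plus a small host inventory (IP -> hostname) and a set of
sanctioned jump hosts. Inventory and log lines below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a sanctioned hop via the bastion, then a hop from
# web01 straight into dbserver (the trace an 'ssh -i stolen_key admin@dbserver'
# from web01 leaves), followed by a password login that policy forbids.
SAMPLE_LOG = """\
Mar 10 09:00:02 bastion sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50112 ssh2: ED25519 SHA256:AAAA
Mar 10 09:00:40 web01 sshd[3321]: Accepted publickey for admin from 10.0.1.2 port 40210 ssh2: RSA SHA256:BBBB
Mar 10 09:01:15 dbserver sshd[4410]: Accepted publickey for admin from 10.0.2.20 port 40344 ssh2: RSA SHA256:CCCC
Mar 10 09:05:00 dbserver sshd[4422]: Accepted password for backup from 10.0.2.20 port 40400 ssh2
Mar 10 11:00:00 web02 sshd[5120]: Accepted publickey for deploy from 10.0.1.2 port 40900 ssh2: ED25519 SHA256:DDDD
"""

# Constructed inventory (hypothetical addresses).
HOST_IPS = {"bastion": "10.0.1.2", "web01": "10.0.2.20",
            "web02": "10.0.2.21", "dbserver": "10.0.3.30"}
ALLOWED_SOURCES = {"bastion"}   # only the jump host may initiate SSH to servers

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Return one dict per accepted sshd login; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; deltas within one batch are still valid.
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def find_suspicious(events, host_ips, allowed_sources, window=timedelta(minutes=30)):
    """Return human-readable findings for policy violations and pivot chains."""
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if ev["method"] == "password":
            findings.append(f"password auth on {ev['host']} for {ev['user']} from {ev['src']}")
        src_host = ip_to_host.get(ev["src"])
        if src_host is None or src_host in allowed_sources:
            continue   # external sources are a perimeter matter; bastion hops are sanctioned
        findings.append(f"server-to-server hop {src_host} -> {ev['host']} ({ev['user']})")
        # Pivot chain: the source host itself received a login shortly before this one.
        for prev in events[:i]:
            if prev["host"] == src_host and ev["ts"] - prev["ts"] <= window:
                origin = ip_to_host.get(prev["src"], prev["src"])
                findings.append(f"pivot chain {origin} -> {src_host} -> {ev['host']} "
                                f"({prev['user']}, then {ev['user']})")
                break
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse(SAMPLE_LOG), HOST_IPS, ALLOWED_SOURCES):
        print(finding)
```

On the constructed sample this reports the web01 to dbserver hop twice (once per login), the chain bastion -> web01 -> dbserver behind each, and the password login; the bastion-originated logins produce nothing. The inventory is the weak point of this approach: hosts that are missing from it fall into the "unknown source" bucket and are silently skipped, so keep it in sync with the asset list.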
Defender Strategies:
Disable password-based SSH authentication, enforce key rotation, segment networks with iptables or a network firewall, and monitor east-west traffic with NetFlow.
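"Disable password-based SSH" is only true once the effective sshd configuration says so, and that is not the same as what the main file says: sshd keeps the first value it reads for each keyword, and distributions commonly put `Include /etc/ssh/sshd_config.d/*.conf` at the top of sshd_config, so a drop-in can re-enable password logins that the main file disables (the EDR-T6246 test below exercises exactly that manipulation). The auditor below is an added example written for this page, not code from the page or from EDRmetry; the file contents are constructed, and on a real host they would be read from disk.

```python
"""Audit the effective sshd configuration, including sshd_config.d drop-ins.

Added example for this page, not code from the page or from EDRmetry. sshd
uses the first value it reads for each keyword, and 'Include' directives are
expanded in place, so a drop-in included at the top of sshd_config wins over
a later setting in the main file. The file contents below are constructed.
"""
import fnmatch
import re

# Constructed files: the main config disables passwords, a drop-in re-enables them.
FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "Port 22\n"
        "PasswordAuthentication no\n"
        "PermitRootLogin no\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

# Upstream OpenSSH defaults for the audited keywords, and the values policy accepts.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password", "kbdinteractiveauthentication": "yes"}
REQUIRED = {"passwordauthentication": {"no"}, "pubkeyauthentication": {"yes"},
            "permitrootlogin": {"no", "prohibit-password"},
            "kbdinteractiveauthentication": {"no"}}


def directives(files, path):
    """Yield (file, keyword, value) in the order sshd would read them."""
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "include":
            for pattern in value.split():
                for included in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    yield from directives(files, included)
        elif keyword == "match":
            return   # conditional block: nothing after it in this file is global
        else:
            yield path, keyword, value


def audit(files, root="/etc/ssh/sshd_config"):
    """Return findings; the first occurrence of a keyword is the effective one."""
    seen = {}
    for src, keyword, value in directives(files, root):
        seen.setdefault(keyword, []).append((src, value))
    findings = []
    for keyword, allowed in REQUIRED.items():
        if keyword in seen:
            src, value = seen[keyword][0]
            where = f"set in {src}"
            shadowed = [f"{v!r} in {s}" for s, v in seen[keyword][1:]]
            if shadowed:
                where += " (shadows " + ", ".join(shadowed) + ")"
        else:
            value, where = DEFAULTS[keyword], "unset, using default"
        if value.lower() not in allowed:
            findings.append(f"{keyword}={value}: {where}")
    return findings


if __name__ == "__main__":
    for finding in audit(FILES):
        print(finding)
```

On the constructed files the audit reports that PasswordAuthentication is effectively yes because of the drop-in, naming the shadowed `no` in the main file, and that KbdInteractiveAuthentication is unset and therefore defaults to yes. On a live host, `sshd -T` prints the configuration sshd actually runs with and is the authoritative check; this script is for auditing collected config files offline and for explaining which file is responsible for a bad value.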
The current list of corresponding EDRmetry test definitions includes:
EDR-T6125 - Create a SOCKS proxy with ssh
EDR-T6258 - DarkFlare TCP over CDN Tunneling
EDR-T6186 - DNS Zone Transfer
EDR-T6350 - DNS Potentially Suspicious Requests
EDR-T6071 - Drop Malicious Files Remotely
EDR-T6057 - Execute Port Scanning
EDR-T6226 - Execute SSHD as a victim user
EDR-T6255 - FRP Fast Reverse Proxy
EDR-T6131 - Hijack SSH Client Session
EDR-T6192 - Ligolo-ng Reverse TCP/TLS Tunneling
EDR-T6323 - linWinPwn - Pentesting AD from Linux
EDR-T6016 - Network ping sweep
EDR-T6200 - Ngrok Tunneling
EDR-T6035 - Proxychains TOR connection
EDR-T6189 - Reverse SOCKS5 proxy
EDR-T6160 - Socks Proxy from Tomcat JSP
EDR-T6334 - SoaPy - Pentesting AD WS from Linux
EDR-T6033 - SSH Linux Tunneling
EDR-T6246 - SSHD Manipulation in sshd_config.d
EDR-T6266 - Tailscale Tunneling
EDR-T6074 - Visit malicious Threat Intel URL