Credential Access - TA0006
Objective:
Steal account credentials or authentication tokens to expand access. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
ID: TA0006
Linux Context:
Credential theft on Linux targets SSH private keys (~/.ssh/id_rsa), password hashes (/etc/shadow) and memory-resident secrets. Attackers copy private keys, combine /etc/passwd and /etc/shadow with unshadow and crack the hashes with john or hashcat, or use mimipenguin to dump plaintext credentials from process memory. Keyloggers hook the shell or PTY, or hook PAM (for example the pam_get_authtok() call that handles the password prompt), while misconfigured services (e.g., Redis with no auth) leak credentials. In cloud setups, attackers query the instance metadata service for temporary AWS credentials.
Key Techniques:
Unsecured Credentials (T1552): Harvesting SSH keys or config files.
Input Capture (T1056): Logging keystrokes via a modified PAM module.
OS Credential Dumping (T1003): Extracting /etc/shadow.
Flow Example:
Running cat /home/user/.ssh/id_rsa to steal a key, or injecting a keylogger by loading a malicious PAM module through /etc/pam.d/sshd.
Defender Strategies:
Passphrase-protect SSH private keys, restrict access to /etc/shadow (chmod 600), and monitor for syscall and library-function tracers (strace, eBPF probes) attached to sshd or PAM. Use MFA wherever possible.
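As an added example that is not part of this page or of the EDRmetry test suite, the following Python script turns the Linux context and the defender strategies above into a local audit. It parses SSH private keys (both the legacy PEM form and the openssh-key-v1 container) to tell passphrase-protected keys from plaintext ones, checks /etc/shadow permissions, and scans shell history and config files for the artefacts an attacker hunts for (AWS access key IDs, password assignments, private key blocks, instance-metadata queries). All function names, the regex patterns, and the sample history and key fixtures are this example's own assumptions.

```python
"""Linux credential-access audit. Added example, not code from this page or from
EDRmetry: it checks the defender controls above (passphrase-protected SSH keys, a
locked-down /etc/shadow) and hunts for secrets in shell history and config files
the way an attacker would. Names, patterns and fixtures are this example's own."""
import base64, re, stat, struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # header of the new-format OpenSSH key container

def ssh_key_is_encrypted(key_text: str) -> bool:
    """True when the private key needs a passphrase: legacy PEM keys carry a
    'Proc-Type: 4,ENCRYPTED' header, new-format keys store the cipher name as a
    length-prefixed string right after the magic ('none' means plaintext)."""
    if "Proc-Type: 4,ENCRYPTED" in key_text:
        return True
    if "BEGIN OPENSSH PRIVATE KEY" not in key_text:
        return False  # legacy PEM without the header is stored in the clear
    body = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
    raw = base64.b64decode(body)
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (cipher_len,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + cipher_len] != b"none"

def shadow_mode_ok(mode: int, allow_group_read: bool = False) -> bool:
    """/etc/shadow permission check: no access for 'other'; group access only when
    the caller accepts the 0640 root:shadow layout many distros ship (page says 0600)."""
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IRWXO:
        return False
    if perm & stat.S_IRWXG:
        return allow_group_read and (perm & stat.S_IRWXG) == stat.S_IRGRP
    return True

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # fixed prefix/length
    # password=..., --password=..., API_TOKEN: ..., aws_secret_access_key = ...
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)[a-z0-9_]*\s*[=:]\s*\S+"),
    "private_key_block": re.compile(r"-----BEGIN (?:\w+ )?PRIVATE KEY-----"),
    # the instance metadata service hands out temporary cloud credentials
    "imds_query": re.compile(r"\b169\.254\.169\.254\b"),
}

def scan_text_for_secrets(text: str) -> list:
    """Return (line number, pattern name, stripped line) for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                hits.append((lineno, name, line.strip()))
    return hits

def audit_home(home) -> list:
    """Walk one home directory the way a credential hunter would."""
    home, issues = Path(home), []
    for key in (home / ".ssh").glob("id_*"):
        if key.suffix == ".pub" or not key.is_file():
            continue
        try:
            if not ssh_key_is_encrypted(key.read_text()):
                issues.append(f"{key}: private key has no passphrase")
        except (ValueError, UnicodeDecodeError):
            issues.append(f"{key}: unrecognised private key format")
    for rel in (".bash_history", ".zsh_history", ".aws/credentials", ".env"):
        path = home / rel
        if path.is_file():
            for lineno, name, line in scan_text_for_secrets(path.read_text(errors="replace")):
                issues.append(f"{path}:{lineno}: {name}: {line}")
    return issues

# Constructed fixtures, not captured from a real host. The openssh blobs hold only
# the header (magic, cipher, kdf, empty kdf options, key count), no key material.
def _openssh_key_header(cipher: bytes, kdf: bytes) -> str:
    raw = (OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
           + struct.pack(">I", len(kdf)) + kdf + struct.pack(">II", 0, 1))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

SAMPLE_PLAINTEXT_OPENSSH_KEY = _openssh_key_header(b"none", b"none")
SAMPLE_ENCRYPTED_OPENSSH_KEY = _openssh_key_header(b"aes256-ctr", b"bcrypt")
SAMPLE_ENCRYPTED_PEM_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                            "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                            "(ciphertext omitted)\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_HISTORY = """\
ls -la /opt/app
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
mysql -u root --password=hunter2 prod
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
git status
"""

if __name__ == "__main__":
    for issue in audit_home(Path.home()):
        print(issue)
    shadow = Path("/etc/shadow")
    if shadow.exists() and not shadow_mode_ok(shadow.stat().st_mode, allow_group_read=True):
        print("/etc/shadow: mode is too permissive")
```

Run it as the user whose home you want to audit; the /etc/shadow check is only meaningful as root. The key parser reads just the cipher-name field of the openssh-key-v1 container, which is enough to distinguish a passphrase-protected key from a plaintext one without touching the key material; the history scan is deliberately the same logic an attacker's "find local passwords" step runs, so anything it reports is something an intruder would find too.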
The current list of corresponding EDRmetry test definitions includes:
EDR-T6201 - Dump credentials via unshadow
EDR-T6319 - Dump heap memory from Java
EDR-T6352 - Dump Passwords From Proc Memory with mimipenguin
EDR-T6242 - eBPF bcc Sniffs pam_get_authtok() with python3
EDR-T6288 - eBPF Capture TLS/SSL functions with Qtap
EDR-T6199 - eBPF pamspy
EDR-T6006 - eBPF Sniff pam_get_authtok() with bpftrace
EDR-T6269 - eBPF Sniff SSL/TLS Traffic
EDR-T6176 - eBPF Sniff PTY with bpftrace
EDR-T6299 - K8S - Dump etcd database
EDR-T6298 - K8S - Steal Pod Service Account Token
EDR-T6313 - Find local passwords/secrets
EDR-T6060 - Read /etc/shadow
EDR-T6012 - Sniff sshd with strace
EDR-T6314 - Scan bash_history to find pass/API keys
EDR-T6377 - K8S - Access Credentials in Environment Variables
EDR-T6378 - K8S - Access Credentials from ConfigMaps