diff --git a/Linux/README.md b/Linux/README.md index 1e45c788..7064510b 100644 --- a/Linux/README.md +++ b/Linux/README.md @@ -1,22 +1,25 @@ ## MITRE ATT&CK Matrix - Linux -| Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | -|------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| -| [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Command-Line Interface](Execution/Command-Line_Interface.md) | Audio Capture | Automated Exfiltration | Commonly Used Port | -| Bootkit | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | -| [Browser Extensions](Persistence/Browser_Extensions.md)| Sudo | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | [Create Account](Credential_Access/Create_Account.md) | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | [Remote File Copy](Lateral_Movement/Remote_File_Copy.md) | Scripting | [Browser Extensions](Collection/Browser_Extensions.md) | [Data Encrypted](Exfiltration/Data_Encrypted.md) | Connection Proxy | -| [Cron Job](Persistence/Cron_Job.md) | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Clipboard Data | [Data Transfer Size Limits](Exfiltration/Data_Transfer_Size_Limits.md) | Custom Command and Control Protocol | -| [Hidden Files and Directories](Persistence/Hidden_Files_and_Directories.md) | Web Shell | [File Deletion](Defense_Evasion/File_Deletion.md) | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data Staged | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | -| Rc.common | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | -| Redundant Access | | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md) | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | -| [Trap](Persistence/Trap.md) | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Data from Removable Media | Exfiltration Over Physical Medium | Fallback Channels | -| Valid Accounts | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Input Capture | Scheduled Transfer | Multi-Stage Channels | -| Web Shell | | [Install Root Certificate](Defense_Evasion/Install_Root_Certificate.md) | | System Owner/User Discovery | | | Screen Capture | | Multiband Communication | -| | | Masquerading | | | | | | | Multilayer Encryption | -| | | Redundant Access | -| | | [Rootkits](Defense_Evasion/Rootkits.md) | | | | | | | [Remote File Copy](Command_and_Control/Remote_File_Copy.md) | -| | | Scripting | | | | | | | Standard Application Layer Protocol | -| | | Space after Filename | | | | | | | Standard Cryptographic Protocol | -| | | [Timestomp](Defense_Evasion/Timestomp.md) | | | | | | | Standard Non-Application Layer Protocol | -| | | Valid Accounts | | | | | | | Uncommonly Used Port | -| | | | | | | | | | Web Service | +| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control| +|-------------------------------------------------------|----------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| +| Drive-by Compromise | Command-Line Interface | [.bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md) | Exploitation for Privilege Escalation | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Audio Capture | Automated Exfiltration | Commonly Used Port| +| Exploit Public-Facing Application | Exploitation for Client Execution | Bootkit | Process Injection | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | Browser Bookmark Discovery | Exploitation of Remote Services | Automated Collection | Data Compressed | Communication Through Removable Media| +| Hardware Additions | Graphical User Interface | [Browser Extensions](Persistence/Browser_Extensions.md) | [Setuid and Setgid](Privilege_Escalation/Setuid_and_Setgid.md) |[Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Remote File Copy | Clipboard Data | Data Encrypted | Connection Proxy| +| Spearphishing Attachment | [Local Job Scheduling](Persistence/Local_Job_Scheduling.md)e | [Create Account](Persistence/Create_Account.md) | Sudo | Exploitation for Defense Evasion | Exploitation for Credential Access | [Network Service Scanning](Discovery/Network_Service_Scanning.md) | Remote Services | Data Staged | Data Transfer Size Limits | [Custom Command and Control Protocol](Command_and_Control/Custom_Command_and_Control_Protocol.md)l| +| Spearphishing Link | Scripting | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories) | Sudo Caching | File Deletion | Input Capture | Password Policy Discovery | SSH Hijacking | Data from Information Repositories | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol| +| Spearphishing via Service | Source | Kernel Modules and Extensions | Valid Accounts | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Network Sniffing | [Permission Groups Discovery](Discovery/Permissions_Groups_Discovery.md) | Third-party Software | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding| +| Supply Chain Compromise | [Space after Filename](Execution/Space_After_Filename.md) | [Local Job Scheduling](Persistence/Local_Job_Scheduling.md) | Web Shell | [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories) | Private Keys | [Process Discovery](Discovery/Process_Discovery.md) | | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation| +| Trusted Relationship | Third-party Software | Port Knocking | | Indicator Removal from Tools | Two-Factor Authentication Interception |[Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting| +| Valid Accounts | Trap | Redundant Access | | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_On_Host.md) | |[System Information Discovery](Discovery/System_Information_Discovery.md) | | Input Capture | Scheduled Transfer | Fallback Channels| +| | User Execution | Trap | | Install Root Certificate | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | Screen Capture | | Multi-Stage Channels| +| | | Valid Accounts | | Masquerading | | System Network Connection Discovery | | | | Multi-hop Proxy| +| | | Web Shell | | Obfuscated Files or Information | | System Owner/User Discovery | | | | Multiband Communication | +| | | | | Port Knocking | | | | | | Multilayer Encryption| +| | | | | Process Injection | | | | | | Port Knocking| +| | | | | Redundant Access | | | | | | Remote Access Tools| +| | | | | Rootkit | | | | | | Remote File Copy | +| | | | | Scripting | | | | | | Standard Application Layer Protocol| +| | | | |[Space after Filename](Execution/Space_After_Filename.md) | | | | | | Standard Cryptographic Protocol| +| | | | | Timestomp | | | | | | Standard Non-Application Layer Protocol +| | | | | Valid Account | | | | | | Uncommonly Used Port| +| | | | | Web Service | | | | | | Web Service|