atomic-red-team/atomics/Indexes/Matrices/linux-matrix.md

Linux Atomic Tests by ATT&CK Tactic & Technique

initial-access	execution	persistence	privilege-escalation	defense-evasion	credential-access	discovery	lateral-movement	collection	exfiltration	command-and-control	impact
External Remote Services CONTRIBUTE A TEST	Shared Modules CONTRIBUTE A TEST	Socket Filters CONTRIBUTE A TEST	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Socket Filters CONTRIBUTE A TEST	Adversary-in-the-Middle CONTRIBUTE A TEST	System Owner/User Discovery	Remote Services:VNC CONTRIBUTE A TEST	Archive Collected Data: Archive via Utility	Exfiltration Over Web Service CONTRIBUTE A TEST	Socket Filters CONTRIBUTE A TEST	Disk Structure Wipe CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST	Command and Scripting Interpreter: JavaScript CONTRIBUTE A TEST	Malicious Shell Modification CONTRIBUTE A TEST	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Indicator Removal from Tools CONTRIBUTE A TEST	Modify Authentication Process: Pluggable Authentication Modules	Internet Connection Discovery CONTRIBUTE A TEST	Taint Shared Content CONTRIBUTE A TEST	Screen Capture	Exfiltration Over Webhook CONTRIBUTE A TEST	Data Encoding: Standard Encoding	Direct Network Flood CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	User Execution: Malicious File CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	File System Permissions Weakness CONTRIBUTE A TEST	Embedded Payloads CONTRIBUTE A TEST	Input Capture: Keylogging	Permission Groups Discovery CONTRIBUTE A TEST	SSH CONTRIBUTE A TEST	Adversary-in-the-Middle CONTRIBUTE A TEST	Scheduled Transfer CONTRIBUTE A TEST	Domain Generation Algorithms CONTRIBUTE A TEST	Stored Data Manipulation CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	Scheduled Task/Job: Cron	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Create or Modify System Process CONTRIBUTE A TEST	Modify Authentication Process: Pluggable Authentication Modules	Brute Force: Password Guessing	Device Driver Discovery CONTRIBUTE A TEST	Application Deployment Software CONTRIBUTE A TEST	Input Capture: Keylogging	Exfiltration Over Other Network Medium CONTRIBUTE A TEST	Application Layer Protocol: DNS CONTRIBUTE A TEST	External Defacement CONTRIBUTE A TEST
Phishing: Spearphishing Attachment CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	Modify Authentication Process: Pluggable Authentication Modules	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	HISTCONTROL CONTRIBUTE A TEST	OS Credential Dumping CONTRIBUTE A TEST	Account Discovery: Domain Account	SSH Hijacking CONTRIBUTE A TEST	Audio Capture CONTRIBUTE A TEST	Exfiltration Over Bluetooth CONTRIBUTE A TEST	Domain Fronting CONTRIBUTE A TEST	OS Exhaustion Flood CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST	Native API CONTRIBUTE A TEST	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Boot or Logon Autostart Execution CONTRIBUTE A TEST	File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification	Steal Web Session Cookie CONTRIBUTE A TEST	Account Discovery: Local Account	Remote Services CONTRIBUTE A TEST	Archive via Custom Method CONTRIBUTE A TEST	Automated Exfiltration CONTRIBUTE A TEST	Symmetric Cryptography CONTRIBUTE A TEST	Application Exhaustion Flood CONTRIBUTE A TEST
Supply Chain Compromise CONTRIBUTE A TEST	Source CONTRIBUTE A TEST	File System Permissions Weakness CONTRIBUTE A TEST	Sudo Caching CONTRIBUTE A TEST	Path Interception by PATH Environment Variable CONTRIBUTE A TEST	Securityd Memory CONTRIBUTE A TEST	Virtualization/Sandbox Evasion: System Checks	Remote Service Session Hijacking CONTRIBUTE A TEST	Email Collection CONTRIBUTE A TEST	Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST	Fast Flux DNS CONTRIBUTE A TEST	Disk Wipe CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST	At (Linux) CONTRIBUTE A TEST	Systemd Service CONTRIBUTE A TEST	Scheduled Task/Job: Cron	Email Hiding Rules CONTRIBUTE A TEST	Brute Force: Password Cracking CONTRIBUTE A TEST	Permission Groups Discovery: Domain Groups	Software Deployment Tools CONTRIBUTE A TEST	Data from Removable Media CONTRIBUTE A TEST	Exfiltration to Code Repository CONTRIBUTE A TEST	Application Layer Protocol CONTRIBUTE A TEST	Stored Data Manipulation CONTRIBUTE A TEST
Content Injection CONTRIBUTE A TEST	Command and Scripting Interpreter CONTRIBUTE A TEST	Create or Modify System Process CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	Rootkit	OS Credential Dumping: Proc Filesystem	System Service Discovery	Exploitation of Remote Services CONTRIBUTE A TEST	Data Staged: Local Data Staging	Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Custom Cryptographic Protocol CONTRIBUTE A TEST	Service Stop CONTRIBUTE A TEST
Valid Accounts: Default Accounts CONTRIBUTE A TEST	Scripting CONTRIBUTE A TEST	External Remote Services CONTRIBUTE A TEST	Process Injection CONTRIBUTE A TEST	Timestomp CONTRIBUTE A TEST	Password Managers CONTRIBUTE A TEST	Network Sniffing	Internal Spearphishing CONTRIBUTE A TEST	Automated Collection CONTRIBUTE A TEST	Exfiltration Over C2 Channel CONTRIBUTE A TEST	Remote Access Software CONTRIBUTE A TEST	Application or System Exploitation CONTRIBUTE A TEST
Spearphishing Attachment CONTRIBUTE A TEST	User Execution CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Escape to Host CONTRIBUTE A TEST	Abuse Elevation Control Mechanism: Sudo and Sudo Caching	Network Sniffing	Network Share Discovery	Lateral Tool Transfer CONTRIBUTE A TEST	Clipboard Data	Exfiltration Over Alternative Protocol	Multilayer Encryption CONTRIBUTE A TEST	Disk Structure Wipe CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST	Software Deployment Tools CONTRIBUTE A TEST	Boot or Logon Autostart Execution CONTRIBUTE A TEST	Valid Accounts: Default Accounts CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Steal or Forge Kerberos Tickets CONTRIBUTE A TEST	Peripheral Device Discovery CONTRIBUTE A TEST	SSH Hijacking CONTRIBUTE A TEST	Remote Data Staging CONTRIBUTE A TEST	Exfiltration over USB CONTRIBUTE A TEST	Content Injection CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST	Scheduled Task/Job: Systemd Timers	Scheduled Task/Job: Cron	Event Triggered Execution: Trap	Masquerading: Match Legitimate Name or Location	Credentials from Password Stores CONTRIBUTE A TEST	System Information Discovery		Data from Local System	Data Compressed CONTRIBUTE A TEST	Traffic Signaling CONTRIBUTE A TEST	Reflection Amplification CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST	Graphical User Interface CONTRIBUTE A TEST	Server Software Component: Transport Agent CONTRIBUTE A TEST	Hijack Execution Flow: LD_PRELOAD	Masquerade File Type CONTRIBUTE A TEST	Unsecured Credentials	Wi-Fi Discovery CONTRIBUTE A TEST		Archive Collected Data: Archive via Library	Exfiltration Over Web Service: Exfiltration to Text Storage Sites CONTRIBUTE A TEST	Standard Cryptographic Protocol CONTRIBUTE A TEST	Service Exhaustion Flood CONTRIBUTE A TEST
Spearphishing Voice CONTRIBUTE A TEST	Command and Scripting Interpreter: Bash	Scheduled Task/Job CONTRIBUTE A TEST	At (Linux) CONTRIBUTE A TEST	Hide Artifacts CONTRIBUTE A TEST	Bash History CONTRIBUTE A TEST	Application Window Discovery CONTRIBUTE A TEST		Archive Collected Data CONTRIBUTE A TEST	Exfiltration Over Web Service: Exfiltration to Cloud Storage CONTRIBUTE A TEST	Protocol Tunneling CONTRIBUTE A TEST	Defacement CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST	Inter-Process Communication CONTRIBUTE A TEST	Browser Extensions	Abuse Elevation Control Mechanism CONTRIBUTE A TEST	Virtualization/Sandbox Evasion: System Checks	Credentials from Web Browsers CONTRIBUTE A TEST	Time Based Evasion CONTRIBUTE A TEST		DHCP Spoofing CONTRIBUTE A TEST	Data Transfer Size Limits	Domain Generation Algorithms CONTRIBUTE A TEST	Financial Theft CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST	Trap CONTRIBUTE A TEST	Traffic Signaling CONTRIBUTE A TEST	Abuse Elevation Control Mechanism: Setuid and Setgid	Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs	Private Keys CONTRIBUTE A TEST	Browser Bookmark Discovery		Web Portal Capture CONTRIBUTE A TEST	Data Encrypted CONTRIBUTE A TEST	Mail Protocols CONTRIBUTE A TEST	Defacement: Internal Defacement CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST	Exploitation for Client Execution CONTRIBUTE A TEST	Server Software Component: Web Shell CONTRIBUTE A TEST	SSH Authorized Keys	Disabling Security Tools CONTRIBUTE A TEST	Credentials from Password Stores: Credentials from Web Browsers	System Network Configuration Discovery		Video Capture CONTRIBUTE A TEST	Exfiltration Over Physical Medium CONTRIBUTE A TEST	Communication Through Removable Media CONTRIBUTE A TEST	Data Manipulation CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST	Local Job Scheduling CONTRIBUTE A TEST	Valid Accounts: Default Accounts CONTRIBUTE A TEST	VDSO Hijacking CONTRIBUTE A TEST	Stripped Payloads CONTRIBUTE A TEST	DHCP Spoofing CONTRIBUTE A TEST	Account Discovery CONTRIBUTE A TEST		Email Collection: Email Forwarding Rule CONTRIBUTE A TEST	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	External Proxy CONTRIBUTE A TEST	Account Access Removal
Drive-by Compromise CONTRIBUTE A TEST	Command and Scripting Interpreter: Python	Event Triggered Execution: Trap	Sudo CONTRIBUTE A TEST	Break Process Trees CONTRIBUTE A TEST	Unsecured Credentials: Private Keys	File and Directory Discovery		Data Staged CONTRIBUTE A TEST		Proxy CONTRIBUTE A TEST	Data Encrypted for Impact
Spearphishing via Service CONTRIBUTE A TEST	System Services CONTRIBUTE A TEST	Hijack Execution Flow: LD_PRELOAD	Account Manipulation CONTRIBUTE A TEST	Clear Network Connection History and Configurations CONTRIBUTE A TEST	Brute Force: Password Spraying CONTRIBUTE A TEST	System Network Connections Discovery		Input Capture: GUI Input Capture CONTRIBUTE A TEST		Dynamic Resolution CONTRIBUTE A TEST	Disk Content Wipe CONTRIBUTE A TEST
Valid Accounts: Local Accounts	Command and Scripting Interpreter: Visual Basic CONTRIBUTE A TEST	Create Account: Local Account	Boot or Logon Autostart Execution: Kernel Modules and Extensions	Indicator Removal on Host: Clear Command History	Web Portal Capture CONTRIBUTE A TEST	Virtualization/Sandbox Evasion CONTRIBUTE A TEST		Data from Network Shared Drive CONTRIBUTE A TEST		Multi-hop Proxy CONTRIBUTE A TEST	Endpoint Denial of Service CONTRIBUTE A TEST
	Space after Filename CONTRIBUTE A TEST	At (Linux) CONTRIBUTE A TEST	Scheduled Task/Job: Systemd Timers	Deobfuscate/Decode Files or Information	Steal or Forge Authentication Certificates CONTRIBUTE A TEST	Log Enumeration CONTRIBUTE A TEST		Input Capture CONTRIBUTE A TEST		Web Service CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
	Malicious Link CONTRIBUTE A TEST	Redundant Access CONTRIBUTE A TEST	Hijack Execution Flow CONTRIBUTE A TEST	Impair Defenses	Unsecured Credentials: Bash History	Process Discovery		ARP Cache Poisoning CONTRIBUTE A TEST		DNS Calculation CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
	Scheduled Task/Job: At	SSH Authorized Keys	Valid Accounts CONTRIBUTE A TEST	Masquerading CONTRIBUTE A TEST	Unsecured Credentials: Credentials In Files	User Activity Based Checks CONTRIBUTE A TEST		Data from Information Repositories CONTRIBUTE A TEST		Multi-Stage Channels CONTRIBUTE A TEST	Resource Hijacking
		Kernel Modules and Extensions CONTRIBUTE A TEST	Exploitation for Privilege Escalation CONTRIBUTE A TEST	Email Collection: Mailbox Manipulation	Web Cookies CONTRIBUTE A TEST	Permission Groups Discovery: Local Groups				Port Knocking CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
		Create Account: Domain Account	Event Triggered Execution CONTRIBUTE A TEST	Process Injection CONTRIBUTE A TEST	Forge Web Credentials CONTRIBUTE A TEST	Password Policy Discovery				Multiband Communication CONTRIBUTE A TEST	Data Destruction
		Component Firmware CONTRIBUTE A TEST	Event Triggered Execution: .bash_profile .bashrc and .shrc	Traffic Signaling CONTRIBUTE A TEST	Multi-Factor Authentication Request Generation CONTRIBUTE A TEST	System Location Discovery: System Language Discovery				File Transfer Protocols CONTRIBUTE A TEST	Network Denial of Service CONTRIBUTE A TEST
		Pre-OS Boot CONTRIBUTE A TEST	Setuid and Setgid CONTRIBUTE A TEST	Signed Binary Proxy Execution CONTRIBUTE A TEST	Exploitation for Credential Access CONTRIBUTE A TEST	System Location Discovery CONTRIBUTE A TEST				One-Way Communication CONTRIBUTE A TEST	Firmware Corruption CONTRIBUTE A TEST
		Port Knocking CONTRIBUTE A TEST	Web Shell CONTRIBUTE A TEST	Indicator Removal on Host: Timestomp	Input Capture: GUI Input Capture CONTRIBUTE A TEST	Software Discovery: Security Software Discovery				Proxy: Multi-hop Proxy	Inhibit System Recovery CONTRIBUTE A TEST
		Compromise Client Software Binary CONTRIBUTE A TEST	Domain Accounts CONTRIBUTE A TEST	Reflective Code Loading CONTRIBUTE A TEST	Brute Force CONTRIBUTE A TEST	Remote System Discovery				Data Obfuscation CONTRIBUTE A TEST	Disk Content Wipe CONTRIBUTE A TEST
		Account Manipulation CONTRIBUTE A TEST	Proc Memory CONTRIBUTE A TEST	Ignore Process Interrupts CONTRIBUTE A TEST	Brute Force: Credential Stuffing	Network Service Discovery				Non-Standard Port	System Shutdown/Reboot
		Boot or Logon Autostart Execution: Kernel Modules and Extensions	Installer Packages CONTRIBUTE A TEST	Time Based Evasion CONTRIBUTE A TEST	Multi-Factor Authentication CONTRIBUTE A TEST	Software Discovery CONTRIBUTE A TEST				Encrypted Channel CONTRIBUTE A TEST
		Scheduled Task/Job: Systemd Timers	Boot or Logon Initialization Scripts: Rc.common	Binary Padding CONTRIBUTE A TEST	Credentials in Files CONTRIBUTE A TEST	Debugger Evasion CONTRIBUTE A TEST				Bidirectional Communication CONTRIBUTE A TEST
		Hijack Execution Flow CONTRIBUTE A TEST	Create or Modify System Process: SysV/Systemd Service	Impair Defenses: Disable or Modify System Firewall	Input Capture CONTRIBUTE A TEST					Asymmetric Cryptography CONTRIBUTE A TEST
		Valid Accounts CONTRIBUTE A TEST	XDG Autostart Entries CONTRIBUTE A TEST	Disable or Modify Linux Audit System CONTRIBUTE A TEST	ARP Cache Poisoning CONTRIBUTE A TEST					Non-Application Layer Protocol CONTRIBUTE A TEST
		Multi-Factor Authentication CONTRIBUTE A TEST	Ptrace System Calls CONTRIBUTE A TEST	File Deletion CONTRIBUTE A TEST	OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow					Protocol Impersonation CONTRIBUTE A TEST
		Trap CONTRIBUTE A TEST	Scheduled Task/Job: At	Obfuscated Files or Information: Binary Padding	Multi-Factor Authentication Interception CONTRIBUTE A TEST					Uncommonly Used Port CONTRIBUTE A TEST
		Event Triggered Execution CONTRIBUTE A TEST	Valid Accounts: Local Accounts	Valid Accounts: Default Accounts CONTRIBUTE A TEST	Modify Authentication Process CONTRIBUTE A TEST					Domain Fronting CONTRIBUTE A TEST
		Event Triggered Execution: .bash_profile .bashrc and .shrc		Hijack Execution Flow: LD_PRELOAD						Data Encoding CONTRIBUTE A TEST
		Local Job Scheduling CONTRIBUTE A TEST		File and Directory Permissions Modification CONTRIBUTE A TEST						Non-Standard Encoding CONTRIBUTE A TEST
		Setuid and Setgid CONTRIBUTE A TEST		Abuse Elevation Control Mechanism CONTRIBUTE A TEST						Application Layer Protocol: Web Protocols
		Web Shell CONTRIBUTE A TEST		Abuse Elevation Control Mechanism: Setuid and Setgid						Ingress Tool Transfer
		Domain Accounts CONTRIBUTE A TEST		Redundant Access CONTRIBUTE A TEST						Steganography CONTRIBUTE A TEST
		Server Software Component CONTRIBUTE A TEST		Impair Defenses: Indicator Blocking						Fallback Channels CONTRIBUTE A TEST
		Installer Packages CONTRIBUTE A TEST		Right-to-Left Override CONTRIBUTE A TEST						Proxy: Internal Proxy
		Hidden Files and Directories CONTRIBUTE A TEST		Component Firmware CONTRIBUTE A TEST						Custom Command and Control Protocol CONTRIBUTE A TEST
		Boot or Logon Initialization Scripts: Rc.common		Indicator Removal on Host CONTRIBUTE A TEST						Dead Drop Resolver CONTRIBUTE A TEST
		Create or Modify System Process: SysV/Systemd Service		Masquerading: Masquerade Task or Service						Junk Data CONTRIBUTE A TEST
		Create Account CONTRIBUTE A TEST		Pre-OS Boot CONTRIBUTE A TEST						Commonly Used Port CONTRIBUTE A TEST
		XDG Autostart Entries CONTRIBUTE A TEST		Scripting CONTRIBUTE A TEST
		Power Settings CONTRIBUTE A TEST		Downgrade Attack CONTRIBUTE A TEST
		Scheduled Task/Job: At		Virtualization/Sandbox Evasion CONTRIBUTE A TEST
		Modify Authentication Process CONTRIBUTE A TEST		Execution Guardrails CONTRIBUTE A TEST
		SQL Stored Procedures CONTRIBUTE A TEST		Port Knocking CONTRIBUTE A TEST
		Valid Accounts: Local Accounts		Hide Artifacts: Hidden Users CONTRIBUTE A TEST
				Impair Defenses: HISTCONTROL
				User Activity Based Checks CONTRIBUTE A TEST
				VDSO Hijacking CONTRIBUTE A TEST
				Impair Defenses: Disable or Modify Tools
				Hijack Execution Flow CONTRIBUTE A TEST
				Indicator Removal from Tools CONTRIBUTE A TEST
				Valid Accounts CONTRIBUTE A TEST
				Obfuscated Files or Information
				Multi-Factor Authentication CONTRIBUTE A TEST
				Run Virtual Instance CONTRIBUTE A TEST
				Subvert Trust Controls CONTRIBUTE A TEST
				Masquerading: Rename System Utilities
				Spoof Security Alerting CONTRIBUTE A TEST
				Steganography CONTRIBUTE A TEST
				Domain Accounts CONTRIBUTE A TEST
				Subvert Trust Controls: Install Root Certificate
				Obfuscated Files or Information: Compile After Delivery
				VBA Stomping CONTRIBUTE A TEST
				Impersonation CONTRIBUTE A TEST
				Hide Artifacts: Hidden Window CONTRIBUTE A TEST
				Compile After Delivery CONTRIBUTE A TEST
				Proc Memory CONTRIBUTE A TEST
				Clear Persistence CONTRIBUTE A TEST
				Clear Command History CONTRIBUTE A TEST
				HTML Smuggling CONTRIBUTE A TEST
				Command Obfuscation CONTRIBUTE A TEST
				Install Root Certificate CONTRIBUTE A TEST
				Indicator Removal on Host: File Deletion
				Hidden Files and Directories CONTRIBUTE A TEST
				Obfuscated Files or Information: Software Packing
				Hidden File System CONTRIBUTE A TEST
				Space after Filename CONTRIBUTE A TEST
				Debugger Evasion CONTRIBUTE A TEST
				Masquerading: Space after Filename
				Ptrace System Calls CONTRIBUTE A TEST
				Hide Artifacts: Hidden Files and Directories
				Environmental Keying CONTRIBUTE A TEST
				Modify Authentication Process CONTRIBUTE A TEST
				Valid Accounts: Local Accounts
				Exploitation for Defense Evasion CONTRIBUTE A TEST