atomic-red-team/atomics/Indexes/Matrices/linux-matrix.md

Linux Atomic Tests by ATT&CK Tactic & Technique

initial-access	execution	persistence	privilege-escalation	defense-evasion	credential-access	discovery	lateral-movement	collection	exfiltration	command-and-control	impact
External Remote Services CONTRIBUTE A TEST	JavaScript CONTRIBUTE A TEST	Malicious Shell Modification CONTRIBUTE A TEST	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Indicator Removal from Tools CONTRIBUTE A TEST	Adversary-in-the-Middle CONTRIBUTE A TEST	System Owner/User Discovery	VNC CONTRIBUTE A TEST	Archive via Utility	Exfiltration Over Web Service CONTRIBUTE A TEST	Standard Encoding	Disk Structure Wipe CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST	Container Orchestration Job	Bootkit CONTRIBUTE A TEST	File System Permissions Weakness CONTRIBUTE A TEST	Pluggable Authentication Modules	Pluggable Authentication Modules	Container and Resource Discovery CONTRIBUTE A TEST	Taint Shared Content CONTRIBUTE A TEST	Screen Capture	Scheduled Transfer CONTRIBUTE A TEST	Domain Generation Algorithms CONTRIBUTE A TEST	Direct Network Flood CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	Malicious File CONTRIBUTE A TEST	Boot or Logon Initialization Scripts CONTRIBUTE A TEST	Create or Modify System Process CONTRIBUTE A TEST	Revert Cloud Instance CONTRIBUTE A TEST	Keylogging	Internet Connection Discovery CONTRIBUTE A TEST	Application Access Token CONTRIBUTE A TEST	Adversary-in-the-Middle CONTRIBUTE A TEST	Exfiltration Over Other Network Medium CONTRIBUTE A TEST	DNS CONTRIBUTE A TEST	Stored Data Manipulation CONTRIBUTE A TEST
Spearphishing Link CONTRIBUTE A TEST	Cron	Pluggable Authentication Modules	Container Orchestration Job	HISTCONTROL CONTRIBUTE A TEST	Password Guessing	Permission Groups Discovery CONTRIBUTE A TEST	SSH CONTRIBUTE A TEST	Keylogging	Exfiltration Over Bluetooth CONTRIBUTE A TEST	Domain Fronting CONTRIBUTE A TEST	External Defacement CONTRIBUTE A TEST
Spearphishing Attachment CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	File System Permissions Weakness CONTRIBUTE A TEST	Sudo and Sudo Caching	Linux and Mac File and Directory Permissions Modification	OS Credential Dumping CONTRIBUTE A TEST	Cloud Groups CONTRIBUTE A TEST	Application Deployment Software CONTRIBUTE A TEST	Data from Configuration Repository CONTRIBUTE A TEST	Automated Exfiltration CONTRIBUTE A TEST	Symmetric Cryptography CONTRIBUTE A TEST	OS Exhaustion Flood CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST	Native API CONTRIBUTE A TEST	Systemd Service CONTRIBUTE A TEST	Boot or Logon Autostart Execution CONTRIBUTE A TEST	Email Hiding Rules CONTRIBUTE A TEST	Steal Web Session Cookie CONTRIBUTE A TEST	Domain Account CONTRIBUTE A TEST	SSH Hijacking CONTRIBUTE A TEST	Sharepoint CONTRIBUTE A TEST	Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST	Fast Flux DNS CONTRIBUTE A TEST	Application Exhaustion Flood CONTRIBUTE A TEST
Supply Chain Compromise CONTRIBUTE A TEST	Source CONTRIBUTE A TEST	Create or Modify System Process CONTRIBUTE A TEST	Sudo Caching CONTRIBUTE A TEST	Rootkit	Cloud Instance Metadata API	Local Account	Use Alternate Authentication Material CONTRIBUTE A TEST	Audio Capture CONTRIBUTE A TEST	Traffic Duplication CONTRIBUTE A TEST	Application Layer Protocol CONTRIBUTE A TEST	Disk Wipe CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST	Deploy Container CONTRIBUTE A TEST	External Remote Services CONTRIBUTE A TEST	Domain Trust Modification	Timestomp CONTRIBUTE A TEST	Securityd Memory CONTRIBUTE A TEST	System Checks	Remote Services CONTRIBUTE A TEST	Archive via Custom Method CONTRIBUTE A TEST	Exfiltration to Code Repository CONTRIBUTE A TEST	Custom Cryptographic Protocol CONTRIBUTE A TEST	Stored Data Manipulation CONTRIBUTE A TEST
Default Accounts CONTRIBUTE A TEST	At (Linux) CONTRIBUTE A TEST	Container Orchestration Job	Cron	Sudo and Sudo Caching	Cloud Instance Metadata API CONTRIBUTE A TEST	Domain Groups CONTRIBUTE A TEST	Remote Service Session Hijacking CONTRIBUTE A TEST	Email Collection CONTRIBUTE A TEST	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Remote Access Software CONTRIBUTE A TEST	Service Stop CONTRIBUTE A TEST
Spearphishing Attachment CONTRIBUTE A TEST	Command and Scripting Interpreter CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	Scheduled Task/Job CONTRIBUTE A TEST	Modify Cloud Compute Infrastructure CONTRIBUTE A TEST	Password Cracking CONTRIBUTE A TEST	System Service Discovery	Software Deployment Tools CONTRIBUTE A TEST	Data from Removable Media CONTRIBUTE A TEST	Exfiltration Over C2 Channel CONTRIBUTE A TEST	Multilayer Encryption CONTRIBUTE A TEST	Application or System Exploitation CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST	Container Administration Command	Boot or Logon Autostart Execution CONTRIBUTE A TEST	Process Injection CONTRIBUTE A TEST	Bootkit CONTRIBUTE A TEST	SAML Tokens	Network Sniffing	Exploitation of Remote Services CONTRIBUTE A TEST	Local Data Staging	Exfiltration Over Alternative Protocol	Traffic Signaling CONTRIBUTE A TEST	Disk Structure Wipe CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST	Scripting CONTRIBUTE A TEST	TFTP Boot CONTRIBUTE A TEST	Escape to Host	Match Legitimate Name or Location	Proc Filesystem	Network Share Discovery	Internal Spearphishing CONTRIBUTE A TEST	Automated Collection CONTRIBUTE A TEST	Exfiltration over USB CONTRIBUTE A TEST	Standard Cryptographic Protocol CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST	Network Device CLI CONTRIBUTE A TEST	Cron	Default Accounts CONTRIBUTE A TEST	Weaken Encryption CONTRIBUTE A TEST	Password Managers CONTRIBUTE A TEST	Peripheral Device Discovery CONTRIBUTE A TEST	Lateral Tool Transfer CONTRIBUTE A TEST	Clipboard Data CONTRIBUTE A TEST	Data Compressed CONTRIBUTE A TEST	Protocol Tunneling CONTRIBUTE A TEST	Reflection Amplification CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST	User Execution CONTRIBUTE A TEST	Office Application Startup CONTRIBUTE A TEST	Trap	Hide Artifacts CONTRIBUTE A TEST	Network Sniffing	System Information Discovery	SSH Hijacking CONTRIBUTE A TEST	Data from Cloud Storage Object	Exfiltration to Cloud Storage CONTRIBUTE A TEST	Domain Generation Algorithms CONTRIBUTE A TEST	Service Exhaustion Flood CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST	Software Deployment Tools CONTRIBUTE A TEST	Additional Cloud Roles CONTRIBUTE A TEST	Dynamic Linker Hijacking	Domain Trust Modification	Steal or Forge Kerberos Tickets CONTRIBUTE A TEST	Application Window Discovery CONTRIBUTE A TEST	Web Session Cookie CONTRIBUTE A TEST	Remote Data Staging CONTRIBUTE A TEST	Data Transfer Size Limits	Mail Protocols CONTRIBUTE A TEST	Defacement CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST	Systemd Timers	Add-ins CONTRIBUTE A TEST	At (Linux) CONTRIBUTE A TEST	Application Access Token CONTRIBUTE A TEST	Credentials from Password Stores CONTRIBUTE A TEST	Email Account CONTRIBUTE A TEST	Web Session Cookie CONTRIBUTE A TEST	Data from Local System CONTRIBUTE A TEST	Transfer Data to Cloud Account CONTRIBUTE A TEST	Communication Through Removable Media CONTRIBUTE A TEST	Internal Defacement CONTRIBUTE A TEST
Hardware Additions CONTRIBUTE A TEST	Graphical User Interface CONTRIBUTE A TEST	Transport Agent CONTRIBUTE A TEST	Abuse Elevation Control Mechanism CONTRIBUTE A TEST	TFTP Boot CONTRIBUTE A TEST	Unsecured Credentials CONTRIBUTE A TEST	Time Based Evasion CONTRIBUTE A TEST	Application Access Token CONTRIBUTE A TEST	Archive via Library	Data Encrypted CONTRIBUTE A TEST	External Proxy CONTRIBUTE A TEST	Data Manipulation CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST	Unix Shell	Scheduled Task/Job CONTRIBUTE A TEST	Setuid and Setgid	System Checks	Bash History CONTRIBUTE A TEST	Cloud Infrastructure Discovery CONTRIBUTE A TEST		Network Device Configuration Dump CONTRIBUTE A TEST	Exfiltration Over Physical Medium CONTRIBUTE A TEST	Proxy CONTRIBUTE A TEST	Account Access Removal CONTRIBUTE A TEST
Cloud Accounts	Inter-Process Communication CONTRIBUTE A TEST	Browser Extensions	VDSO Hijacking CONTRIBUTE A TEST	Clear Linux or Mac System Logs	Credentials from Web Browsers CONTRIBUTE A TEST	Browser Bookmark Discovery		Archive Collected Data CONTRIBUTE A TEST	Exfiltration Over Unencrypted Non-C2 Protocol	Dynamic Resolution CONTRIBUTE A TEST	Data Encrypted for Impact
Spearphishing via Service CONTRIBUTE A TEST	Malicious Image CONTRIBUTE A TEST	Outlook Rules CONTRIBUTE A TEST	Sudo CONTRIBUTE A TEST	Disabling Security Tools CONTRIBUTE A TEST	Private Keys CONTRIBUTE A TEST	System Network Configuration Discovery		DHCP Spoofing CONTRIBUTE A TEST		Multi-hop Proxy CONTRIBUTE A TEST	Disk Content Wipe CONTRIBUTE A TEST
Local Accounts CONTRIBUTE A TEST	Trap CONTRIBUTE A TEST	Traffic Signaling CONTRIBUTE A TEST	Kernel Modules and Extensions	Reduce Key Space CONTRIBUTE A TEST	Credentials from Web Browsers	Account Discovery CONTRIBUTE A TEST		Web Portal Capture CONTRIBUTE A TEST		Web Service CONTRIBUTE A TEST	Endpoint Denial of Service CONTRIBUTE A TEST
	Exploitation for Client Execution CONTRIBUTE A TEST	Implant Internal Image CONTRIBUTE A TEST	Systemd Timers	Clear Command History	DHCP Spoofing CONTRIBUTE A TEST	File and Directory Discovery		Video Capture CONTRIBUTE A TEST		DNS Calculation CONTRIBUTE A TEST	Runtime Data Manipulation CONTRIBUTE A TEST
	Local Job Scheduling CONTRIBUTE A TEST	Web Shell CONTRIBUTE A TEST	Hijack Execution Flow CONTRIBUTE A TEST	Revert Cloud Instance CONTRIBUTE A TEST	Private Keys	System Network Connections Discovery		Confluence CONTRIBUTE A TEST		Multi-Stage Channels CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
	Python	Default Accounts CONTRIBUTE A TEST	Valid Accounts CONTRIBUTE A TEST	Deobfuscate/Decode Files or Information	Password Spraying	Virtualization/Sandbox Evasion CONTRIBUTE A TEST		Email Forwarding Rule CONTRIBUTE A TEST		Port Knocking CONTRIBUTE A TEST	Resource Hijacking
	System Services CONTRIBUTE A TEST	Trap	Exploitation for Privilege Escalation CONTRIBUTE A TEST	Impair Defenses CONTRIBUTE A TEST	Web Portal Capture CONTRIBUTE A TEST	Cloud Storage Object Discovery CONTRIBUTE A TEST		Data Staged CONTRIBUTE A TEST		Multiband Communication CONTRIBUTE A TEST	Transmitted Data Manipulation CONTRIBUTE A TEST
	Visual Basic CONTRIBUTE A TEST	Dynamic Linker Hijacking	Event Triggered Execution CONTRIBUTE A TEST	Masquerading CONTRIBUTE A TEST	Bash History	Cloud Account CONTRIBUTE A TEST		GUI Input Capture CONTRIBUTE A TEST		File Transfer Protocols CONTRIBUTE A TEST	Data Destruction
	Space after Filename CONTRIBUTE A TEST	Local Account	Unix Shell Configuration Modification	Process Injection CONTRIBUTE A TEST	Credentials In Files	Process Discovery		Data from Network Shared Drive CONTRIBUTE A TEST		One-Way Communication CONTRIBUTE A TEST	Network Denial of Service CONTRIBUTE A TEST
	Malicious Link CONTRIBUTE A TEST	At (Linux) CONTRIBUTE A TEST	Setuid and Setgid CONTRIBUTE A TEST	Traffic Signaling CONTRIBUTE A TEST	Web Cookies CONTRIBUTE A TEST	User Activity Based Checks CONTRIBUTE A TEST		Remote Email Collection CONTRIBUTE A TEST		Multi-hop Proxy	Firmware Corruption CONTRIBUTE A TEST
	At	Redundant Access CONTRIBUTE A TEST	Web Shell CONTRIBUTE A TEST	System Binary Proxy Execution CONTRIBUTE A TEST	Steal Application Access Token CONTRIBUTE A TEST	Local Groups		Input Capture CONTRIBUTE A TEST		Data Obfuscation CONTRIBUTE A TEST	Inhibit System Recovery CONTRIBUTE A TEST
		SSH Authorized Keys	Domain Accounts CONTRIBUTE A TEST	Timestomp	Forge Web Credentials CONTRIBUTE A TEST	Password Policy Discovery		ARP Cache Poisoning CONTRIBUTE A TEST		Non-Standard Port	Disk Content Wipe CONTRIBUTE A TEST
		Kernel Modules and Extensions CONTRIBUTE A TEST	Proc Memory CONTRIBUTE A TEST	Reflective Code Loading CONTRIBUTE A TEST	Multi-Factor Authentication Request Generation CONTRIBUTE A TEST	System Language Discovery CONTRIBUTE A TEST		Code Repositories CONTRIBUTE A TEST		Encrypted Channel CONTRIBUTE A TEST	System Shutdown/Reboot
		Domain Account CONTRIBUTE A TEST	RC Scripts	Time Based Evasion CONTRIBUTE A TEST	Exploitation for Credential Access CONTRIBUTE A TEST	System Location Discovery CONTRIBUTE A TEST		Data from Information Repositories CONTRIBUTE A TEST		Bidirectional Communication CONTRIBUTE A TEST
		Component Firmware CONTRIBUTE A TEST	Systemd Service	Network Address Translation Traversal CONTRIBUTE A TEST	GUI Input Capture CONTRIBUTE A TEST	Security Software Discovery		SNMP (MIB Dump) CONTRIBUTE A TEST		Asymmetric Cryptography CONTRIBUTE A TEST
		Office Template Macros CONTRIBUTE A TEST	XDG Autostart Entries CONTRIBUTE A TEST	Binary Padding CONTRIBUTE A TEST	Brute Force CONTRIBUTE A TEST	Cloud Service Discovery CONTRIBUTE A TEST				Non-Application Layer Protocol CONTRIBUTE A TEST
		Device Registration CONTRIBUTE A TEST	Ptrace System Calls CONTRIBUTE A TEST	Use Alternate Authentication Material CONTRIBUTE A TEST	Credential Stuffing	Remote System Discovery				Protocol Impersonation CONTRIBUTE A TEST
		Pre-OS Boot CONTRIBUTE A TEST	Domain Policy Modification CONTRIBUTE A TEST	Disable or Modify System Firewall	Credentials in Files CONTRIBUTE A TEST	Network Service Discovery				Uncommonly Used Port CONTRIBUTE A TEST
		Port Knocking CONTRIBUTE A TEST	Cloud Accounts	Deploy Container CONTRIBUTE A TEST	Input Capture CONTRIBUTE A TEST	Software Discovery CONTRIBUTE A TEST				Domain Fronting CONTRIBUTE A TEST
		Additional Cloud Credentials	At	File Deletion CONTRIBUTE A TEST	ARP Cache Poisoning CONTRIBUTE A TEST	Cloud Service Dashboard CONTRIBUTE A TEST				Data Encoding CONTRIBUTE A TEST
		Compromise Client Software Binary CONTRIBUTE A TEST	Local Accounts CONTRIBUTE A TEST	Unused/Unsupported Cloud Regions CONTRIBUTE A TEST	/etc/passwd and /etc/shadow	Debugger Evasion CONTRIBUTE A TEST				Non-Standard Encoding CONTRIBUTE A TEST
		Cloud Account		Binary Padding	Multi-Factor Authentication Interception CONTRIBUTE A TEST					Web Protocols
		Account Manipulation		Default Accounts CONTRIBUTE A TEST	Modify Authentication Process CONTRIBUTE A TEST					Ingress Tool Transfer
		Kernel Modules and Extensions		Dynamic Linker Hijacking	Container API					Steganography CONTRIBUTE A TEST
		Systemd Timers		File and Directory Permissions Modification CONTRIBUTE A TEST	Network Device Authentication CONTRIBUTE A TEST					Fallback Channels CONTRIBUTE A TEST
		ROMMONkit CONTRIBUTE A TEST		Abuse Elevation Control Mechanism CONTRIBUTE A TEST						Internal Proxy
		Outlook Forms CONTRIBUTE A TEST		Setuid and Setgid						Custom Command and Control Protocol CONTRIBUTE A TEST
		Hijack Execution Flow CONTRIBUTE A TEST		Redundant Access CONTRIBUTE A TEST						Dead Drop Resolver CONTRIBUTE A TEST
		Valid Accounts CONTRIBUTE A TEST		Delete Cloud Instance CONTRIBUTE A TEST						Junk Data CONTRIBUTE A TEST
		Trap CONTRIBUTE A TEST		Indicator Blocking						Commonly Used Port CONTRIBUTE A TEST
		Event Triggered Execution CONTRIBUTE A TEST		Disable or Modify Cloud Firewall CONTRIBUTE A TEST
		Unix Shell Configuration Modification		Right-to-Left Override CONTRIBUTE A TEST
		Outlook Home Page CONTRIBUTE A TEST		Component Firmware CONTRIBUTE A TEST
		Local Job Scheduling CONTRIBUTE A TEST		Indicator Removal on Host CONTRIBUTE A TEST
		Setuid and Setgid CONTRIBUTE A TEST		Masquerade Task or Service CONTRIBUTE A TEST
		Web Shell CONTRIBUTE A TEST		Disable Crypto Hardware CONTRIBUTE A TEST
		Domain Accounts CONTRIBUTE A TEST		Pre-OS Boot CONTRIBUTE A TEST
		Server Software Component CONTRIBUTE A TEST		Scripting CONTRIBUTE A TEST
		Hidden Files and Directories CONTRIBUTE A TEST		Build Image on Host CONTRIBUTE A TEST
		RC Scripts		Downgrade Attack CONTRIBUTE A TEST
		Systemd Service		Virtualization/Sandbox Evasion CONTRIBUTE A TEST
		Create Account CONTRIBUTE A TEST		Execution Guardrails CONTRIBUTE A TEST
		XDG Autostart Entries CONTRIBUTE A TEST		Port Knocking CONTRIBUTE A TEST
		Additional Email Delegate Permissions CONTRIBUTE A TEST		Hidden Users CONTRIBUTE A TEST
		Office Test CONTRIBUTE A TEST		Impair Command History Logging
		Cloud Accounts		User Activity Based Checks CONTRIBUTE A TEST
		At		VDSO Hijacking CONTRIBUTE A TEST
		Modify Authentication Process CONTRIBUTE A TEST		ROMMONkit CONTRIBUTE A TEST
		SQL Stored Procedures CONTRIBUTE A TEST		Disable or Modify Tools
		Network Device Authentication CONTRIBUTE A TEST		Modify System Image CONTRIBUTE A TEST
		Local Accounts CONTRIBUTE A TEST		Hijack Execution Flow CONTRIBUTE A TEST
				Indicator Removal from Tools CONTRIBUTE A TEST
				Valid Accounts CONTRIBUTE A TEST
				Obfuscated Files or Information
				Run Virtual Instance CONTRIBUTE A TEST
				Network Boundary Bridging CONTRIBUTE A TEST
				Subvert Trust Controls CONTRIBUTE A TEST
				Rename System Utilities
				Steganography CONTRIBUTE A TEST
				Web Session Cookie CONTRIBUTE A TEST
				Domain Accounts CONTRIBUTE A TEST
				Web Session Cookie CONTRIBUTE A TEST
				Install Root Certificate
				Compile After Delivery
				VBA Stomping CONTRIBUTE A TEST
				Disable Cloud Logs
				Hidden Window CONTRIBUTE A TEST
				Create Cloud Instance CONTRIBUTE A TEST
				Compile After Delivery CONTRIBUTE A TEST
				Proc Memory CONTRIBUTE A TEST
				Patch System Image CONTRIBUTE A TEST
				Clear Command History CONTRIBUTE A TEST
				HTML Smuggling CONTRIBUTE A TEST
				Install Root Certificate CONTRIBUTE A TEST
				File Deletion
				Hidden Files and Directories CONTRIBUTE A TEST
				Software Packing
				Hidden File System CONTRIBUTE A TEST
				Space after Filename CONTRIBUTE A TEST
				Debugger Evasion CONTRIBUTE A TEST
				Space after Filename
				Ptrace System Calls CONTRIBUTE A TEST
				Domain Policy Modification CONTRIBUTE A TEST
				Hidden Files and Directories
				Create Snapshot CONTRIBUTE A TEST
				Application Access Token CONTRIBUTE A TEST
				Cloud Accounts
				Environmental Keying CONTRIBUTE A TEST
				Modify Authentication Process CONTRIBUTE A TEST
				Network Device Authentication CONTRIBUTE A TEST
				Downgrade System Image CONTRIBUTE A TEST
				Local Accounts CONTRIBUTE A TEST
				Exploitation for Defense Evasion CONTRIBUTE A TEST