Linux Atomic Tests by ATT&CK Tactic & Technique

persistence

T1156 .bash_profile and .bashrc
T1067 Bootkit
T1176 Browser Extensions
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
T1136 Create Account
- Atomic Test #1: Create a user account on a Linux system [linux]
T1158 Hidden Files and Directories
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
T1215 Kernel Modules and Extensions
T1168 Local Job Scheduling
T1205 Port Knocking
T1108 Redundant Access
T1154 Trap
T1078 Valid Accounts
T1100 Web Shell

discovery

T1087 Account Discovery
- Atomic Test #1: List all accounts [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logger in remotely [linux, macos]
T1217 Browser Bookmark Discovery
T1083 File and Directory Discovery
T1046 Network Service Scanning
- Atomic Test #1: Scan a bunch of ports to see if they are open [linux, macos]
T1201 Password Policy Discovery
T1069 Permission Groups Discovery
T1057 Process Discovery
T1018 Remote System Discovery
T1082 System Information Discovery
T1016 System Network Configuration Discovery
T1049 System Network Connections Discovery
T1033 System Owner/User Discovery

lateral-movement

T1017 Application Deployment Software
T1210 Exploitation of Remote Services
T1105 Remote File Copy
- Atomic Test #1: xxxx [linux, macos]
T1021 Remote Services
T1184 SSH Hijacking
T1072 Third-party Software

collection

T1123 Audio Capture
T1119 Automated Collection
T1115 Clipboard Data
T1074 Data Staged
T1213 Data from Information Repositories
T1005 Data from Local System
T1039 Data from Network Shared Drive
T1025 Data from Removable Media
T1056 Input Capture
T1113 Screen Capture
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Import [linux]

exfiltration

credential-access

T1139 Bash History
- Atomic Test #1: xxxx [linux, macos]
T1110 Brute Force
T1081 Credentials in Files
T1212 Exploitation for Credential Access
T1056 Input Capture
T1040 Network Sniffing
T1145 Private Keys
T1111 Two-Factor Authentication Interception

defense-evasion

T1009 Binary Padding
T1146 Clear Command History
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux]
T1089 Disabling Security Tools
- Atomic Test #1: Disable iptables firewall [linux]
- Atomic Test #2: Disable syslog [linux]
- Atomic Test #3: Disable Cb Response [linux]
- Atomic Test #4: Disable SELinux [linux]
T1211 Exploitation for Defense Evasion
T1107 File Deletion
- Atomic Test #1: Victim configuration [linux]
- Atomic Test #2: Delete a single file [linux]
- Atomic Test #3: Delete an entire folder [linux]
- Atomic Test #4: Overwrite and delete a file with shred [linux]
T1148 HISTCONTROL
T1158 Hidden Files and Directories
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
T1066 Indicator Removal from Tools
T1070 Indicator Removal on Host
T1130 Install Root Certificate
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
T1036 Masquerading
T1027 Obfuscated Files or Information
T1205 Port Knocking
T1055 Process Injection
T1108 Redundant Access
T1014 Rootkit
T1064 Scripting
T1151 Space after Filename
T1099 Timestomp
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
T1078 Valid Accounts
T1102 Web Service

15 KiB

Raw Blame History

Linux Atomic Tests by ATT&CK Tactic & Technique

persistence

discovery

lateral-movement

collection

exfiltration

credential-access

defense-evasion

execution

command-and-control

initial-access

privilege-escalation

15 KiB Raw Blame History

Linux Atomic Tests by ATT&CK Tactic & Technique

persistence

discovery

lateral-movement

collection

exfiltration

credential-access

defense-evasion

execution

command-and-control

initial-access

privilege-escalation

15 KiB

Raw Blame History