Linux Atomic Tests by ATT&CK Tactic & Technique

| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |—–|—–|—–|—–|—–|—–|—–|—–|—–|—–|—–|—–| | External Remote Services CONTRIBUTE A TEST | Server Software Component CONTRIBUTE A TEST | Socket Filters CONTRIBUTE A TEST | Boot or Logon Initialization Scripts CONTRIBUTE A TEST | Socket Filters CONTRIBUTE A TEST | Adversary-in-the-Middle CONTRIBUTE A TEST | System Owner/User Discovery | Remote Services:VNC CONTRIBUTE A TEST | Archive Collected Data: Archive via Utility | Exfiltration Over Web Service CONTRIBUTE A TEST | Socket Filters CONTRIBUTE A TEST | Disk Structure Wipe CONTRIBUTE A TEST | | Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST | Command and Scripting Interpreter: JavaScript CONTRIBUTE A TEST | Boot or Logon Initialization Scripts CONTRIBUTE A TEST | Path Interception by PATH Environment Variable CONTRIBUTE A TEST | Embedded Payloads CONTRIBUTE A TEST | Modify Authentication Process: Pluggable Authentication Modules | Internet Connection Discovery CONTRIBUTE A TEST | Taint Shared Content CONTRIBUTE A TEST | Screen Capture | Exfiltration Over Webhook CONTRIBUTE A TEST | Data Encoding: Standard Encoding | Direct Network Flood CONTRIBUTE A TEST | | Spearphishing Link CONTRIBUTE A TEST | User Execution: Malicious File CONTRIBUTE A TEST | Modify Authentication Process: Pluggable Authentication Modules | Create or Modify System Process CONTRIBUTE A TEST | Modify Authentication Process: Pluggable Authentication Modules | Input Capture: Keylogging | Permission Groups Discovery CONTRIBUTE A TEST | Remote Services: SSH | Adversary-in-the-Middle CONTRIBUTE A TEST | Scheduled Transfer CONTRIBUTE A TEST | Domain Generation Algorithms CONTRIBUTE A TEST | External Defacement CONTRIBUTE A TEST | | Phishing: Spearphishing Attachment CONTRIBUTE A TEST | Scheduled Task/Job: Cron | Path Interception by PATH Environment Variable CONTRIBUTE A TEST | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | File/Path Exclusions CONTRIBUTE A TEST | Brute Force: Password Guessing | Device Driver Discovery CONTRIBUTE A TEST | SSH Hijacking CONTRIBUTE A TEST | Input Capture: Keylogging | Exfiltration Over Other Network Medium CONTRIBUTE A TEST | Application Layer Protocol: DNS CONTRIBUTE A TEST | OS Exhaustion Flood CONTRIBUTE A TEST | | Compromise Hardware Supply Chain CONTRIBUTE A TEST | Scheduled Task/Job CONTRIBUTE A TEST | Create or Modify System Process CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | OS Credential Dumping CONTRIBUTE A TEST | Account Discovery: Domain Account | Remote Services CONTRIBUTE A TEST | Audio Capture CONTRIBUTE A TEST | Exfiltration Over Bluetooth CONTRIBUTE A TEST | Symmetric Cryptography CONTRIBUTE A TEST | Application Exhaustion Flood CONTRIBUTE A TEST | | Supply Chain Compromise CONTRIBUTE A TEST | Native API CONTRIBUTE A TEST | External Remote Services CONTRIBUTE A TEST | Scheduled Task/Job: Cron | Path Interception by PATH Environment Variable CONTRIBUTE A TEST | Steal Web Session Cookie CONTRIBUTE A TEST | Account Discovery: Local Account | Remote Service Session Hijacking CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Automated Exfiltration CONTRIBUTE A TEST | Fast Flux DNS CONTRIBUTE A TEST | Disk Wipe CONTRIBUTE A TEST | | Exploit Public-Facing Application CONTRIBUTE A TEST | Command and Scripting Interpreter CONTRIBUTE A TEST | Bootkit CONTRIBUTE A TEST | Scheduled Task/Job CONTRIBUTE A TEST | Email Hiding Rules CONTRIBUTE A TEST | Securityd Memory CONTRIBUTE A TEST | Virtualization/Sandbox Evasion: System Checks | Software Deployment Tools CONTRIBUTE A TEST | Email Collection CONTRIBUTE A TEST | Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST | Application Layer Protocol CONTRIBUTE A TEST | Stored Data Manipulation CONTRIBUTE A TEST | | Content Injection CONTRIBUTE A TEST | User Execution CONTRIBUTE A TEST | Boot or Logon Autostart Execution CONTRIBUTE A TEST | Process Injection CONTRIBUTE A TEST | Encrypted/Encoded File CONTRIBUTE A TEST | Brute Force: Password Cracking CONTRIBUTE A TEST | Permission Groups Discovery: Domain Groups | Exploitation of Remote Services CONTRIBUTE A TEST | Data from Removable Media CONTRIBUTE A TEST | Exfiltration to Code Repository CONTRIBUTE A TEST | Remote Access Software CONTRIBUTE A TEST | Service Stop CONTRIBUTE A TEST | | Valid Accounts: Default Accounts CONTRIBUTE A TEST | Software Deployment Tools CONTRIBUTE A TEST | Scheduled Task/Job: Cron | Escape to Host CONTRIBUTE A TEST | Rootkit | OS Credential Dumping: Proc Filesystem | System Service Discovery | Internal Spearphishing CONTRIBUTE A TEST | Data Staged: Local Data Staging | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Content Injection CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST | | Trusted Relationship CONTRIBUTE A TEST | Scheduled Task/Job: Systemd Timers | Server Software Component: Transport Agent CONTRIBUTE A TEST | Valid Accounts: Default Accounts CONTRIBUTE A TEST | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Password Managers CONTRIBUTE A TEST | Network Sniffing | Lateral Tool Transfer CONTRIBUTE A TEST | Automated Collection CONTRIBUTE A TEST | Exfiltration Over C2 Channel CONTRIBUTE A TEST | Traffic Signaling CONTRIBUTE A TEST | Runtime Data Manipulation CONTRIBUTE A TEST | | Phishing CONTRIBUTE A TEST | Command and Scripting Interpreter: Bash | Scheduled Task/Job CONTRIBUTE A TEST | Event Triggered Execution: Trap | Bootkit CONTRIBUTE A TEST | Network Sniffing | Network Share Discovery | | Clipboard Data | Exfiltration Over Alternative Protocol | Protocol Tunneling CONTRIBUTE A TEST | Reflection Amplification CONTRIBUTE A TEST | | Valid Accounts CONTRIBUTE A TEST | Inter-Process Communication CONTRIBUTE A TEST | Browser Extensions | Hijack Execution Flow: LD_PRELOAD | Masquerading: Match Legitimate Name or Location | Steal or Forge Kerberos Tickets CONTRIBUTE A TEST | Peripheral Device Discovery CONTRIBUTE A TEST | | Remote Data Staging CONTRIBUTE A TEST | Exfiltration over USB CONTRIBUTE A TEST | Mail Protocols CONTRIBUTE A TEST | Service Exhaustion Flood CONTRIBUTE A TEST | | Spearphishing Voice CONTRIBUTE A TEST | Exploitation for Client Execution CONTRIBUTE A TEST | Traffic Signaling CONTRIBUTE A TEST | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | Masquerade File Type CONTRIBUTE A TEST | Credentials from Password Stores CONTRIBUTE A TEST | System Information Discovery | | Data from Local System | Exfiltration Over Web Service: Exfiltration to Text Storage Sites CONTRIBUTE A TEST | Communication Through Removable Media CONTRIBUTE A TEST | Defacement CONTRIBUTE A TEST | | Compromise Software Supply Chain CONTRIBUTE A TEST | Command and Scripting Interpreter: Python | Server Software Component: Web Shell CONTRIBUTE A TEST | Abuse Elevation Control Mechanism: Setuid and Setgid | Hide Artifacts CONTRIBUTE A TEST | Unsecured Credentials | System Network Configuration Discovery: Wi-Fi Discovery CONTRIBUTE A TEST | | Archive Collected Data: Archive via Library | Exfiltration Over Web Service: Exfiltration to Cloud Storage CONTRIBUTE A TEST | External Proxy CONTRIBUTE A TEST | Financial Theft CONTRIBUTE A TEST | | Domain Accounts CONTRIBUTE A TEST | System Services CONTRIBUTE A TEST | Valid Accounts: Default Accounts CONTRIBUTE A TEST | SSH Authorized Keys | Virtualization/Sandbox Evasion: System Checks | Credentials from Password Stores: Credentials from Web Browsers | Application Window Discovery CONTRIBUTE A TEST | | Archive Collected Data CONTRIBUTE A TEST | Data Transfer Size Limits | Proxy CONTRIBUTE A TEST | Defacement: Internal Defacement CONTRIBUTE A TEST | | Hardware Additions CONTRIBUTE A TEST | Command and Scripting Interpreter: Visual Basic CONTRIBUTE A TEST | Event Triggered Execution: Trap | VDSO Hijacking CONTRIBUTE A TEST | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | DHCP Spoofing CONTRIBUTE A TEST | Time Based Evasion CONTRIBUTE A TEST | | DHCP Spoofing CONTRIBUTE A TEST | Exfiltration Over Physical Medium CONTRIBUTE A TEST | Dynamic Resolution CONTRIBUTE A TEST | Data Manipulation CONTRIBUTE A TEST | | Drive-by Compromise CONTRIBUTE A TEST | Malicious Link CONTRIBUTE A TEST | Hijack Execution Flow: LD_PRELOAD | Account Manipulation CONTRIBUTE A TEST | Stripped Payloads CONTRIBUTE A TEST | Unsecured Credentials: Private Keys | Browser Bookmark Discovery | | Web Portal Capture CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Web Service CONTRIBUTE A TEST | Account Access Removal | | Spearphishing via Service CONTRIBUTE A TEST | Scheduled Task/Job: At | Create Account: Local Account | Boot or Logon Autostart Execution: Kernel Modules and Extensions | Break Process Trees CONTRIBUTE A TEST | Brute Force: Password Spraying CONTRIBUTE A TEST | System Network Configuration Discovery | | Video Capture CONTRIBUTE A TEST | | DNS Calculation CONTRIBUTE A TEST | Data Encrypted for Impact | | Valid Accounts: Local Accounts | | SSH Authorized Keys | Scheduled Task/Job: Systemd Timers | Clear Network Connection History and Configurations CONTRIBUTE A TEST | Web Portal Capture CONTRIBUTE A TEST | Account Discovery CONTRIBUTE A TEST | | Email Collection: Email Forwarding Rule CONTRIBUTE A TEST | | Multi-Stage Channels CONTRIBUTE A TEST | Endpoint Denial of Service CONTRIBUTE A TEST | | | | Create Account: Domain Account | Hijack Execution Flow CONTRIBUTE A TEST | Indicator Removal on Host: Clear Command History | OS Credential Dumping: Cached Domain Credentials CONTRIBUTE A TEST | File and Directory Discovery | | Data Staged CONTRIBUTE A TEST | | Port Knocking CONTRIBUTE A TEST | Resource Hijacking | | | | Component Firmware CONTRIBUTE A TEST | Valid Accounts CONTRIBUTE A TEST | Deobfuscate/Decode Files or Information | Steal or Forge Authentication Certificates CONTRIBUTE A TEST | System Network Connections Discovery | | Input Capture: GUI Input Capture CONTRIBUTE A TEST | | File Transfer Protocols CONTRIBUTE A TEST | Transmitted Data Manipulation CONTRIBUTE A TEST | | | | Pre-OS Boot CONTRIBUTE A TEST | Exploitation for Privilege Escalation CONTRIBUTE A TEST | Impair Defenses | Unsecured Credentials: Bash History | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | Data from Network Shared Drive CONTRIBUTE A TEST | | One-Way Communication CONTRIBUTE A TEST | Data Destruction | | | | Port Knocking CONTRIBUTE A TEST | Event Triggered Execution CONTRIBUTE A TEST | Masquerading CONTRIBUTE A TEST | Unsecured Credentials: Credentials In Files | Log Enumeration CONTRIBUTE A TEST | | Input Capture CONTRIBUTE A TEST | | Proxy: Multi-hop Proxy | Network Denial of Service CONTRIBUTE A TEST | | | | Compromise Host Software Binary CONTRIBUTE A TEST | Event Triggered Execution: .bash_profile .bashrc and .shrc | Email Collection: Mailbox Manipulation | Web Cookies CONTRIBUTE A TEST | Process Discovery | | ARP Cache Poisoning CONTRIBUTE A TEST | | Data Obfuscation CONTRIBUTE A TEST | Firmware Corruption CONTRIBUTE A TEST | | | | Account Manipulation CONTRIBUTE A TEST | Domain Accounts CONTRIBUTE A TEST | Process Injection CONTRIBUTE A TEST | Forge Web Credentials CONTRIBUTE A TEST | User Activity Based Checks CONTRIBUTE A TEST | | Data from Information Repositories CONTRIBUTE A TEST | | Non-Standard Port | Inhibit System Recovery CONTRIBUTE A TEST | | | | Boot or Logon Autostart Execution: Kernel Modules and Extensions | Proc Memory CONTRIBUTE A TEST | Traffic Signaling CONTRIBUTE A TEST | Multi-Factor Authentication Request Generation CONTRIBUTE A TEST | Permission Groups Discovery: Local Groups | | | | Encrypted Channel CONTRIBUTE A TEST | Disk Content Wipe CONTRIBUTE A TEST | | | | Scheduled Task/Job: Systemd Timers | Installer Packages CONTRIBUTE A TEST | Signed Binary Proxy Execution CONTRIBUTE A TEST | Exploitation for Credential Access CONTRIBUTE A TEST | Password Policy Discovery | | | | Bidirectional Communication CONTRIBUTE A TEST | System Shutdown/Reboot | | | | Hijack Execution Flow CONTRIBUTE A TEST | Boot or Logon Initialization Scripts: Rc.common | Indicator Removal on Host: Timestomp | Input Capture: GUI Input Capture CONTRIBUTE A TEST | System Location Discovery: System Language Discovery | | | | Asymmetric Cryptography CONTRIBUTE A TEST | | | | | Valid Accounts CONTRIBUTE A TEST | Create or Modify System Process: SysV/Systemd Service | Reflective Code Loading CONTRIBUTE A TEST | Brute Force CONTRIBUTE A TEST | System Location Discovery CONTRIBUTE A TEST | | | | Non-Application Layer Protocol CONTRIBUTE A TEST | | | | | Multi-Factor Authentication CONTRIBUTE A TEST | XDG Autostart Entries CONTRIBUTE A TEST | Ignore Process Interrupts CONTRIBUTE A TEST | Brute Force: Credential Stuffing | Software Discovery: Security Software Discovery | | | | Protocol Impersonation CONTRIBUTE A TEST | | | | | Event Triggered Execution CONTRIBUTE A TEST | Ptrace System Calls CONTRIBUTE A TEST | Time Based Evasion CONTRIBUTE A TEST | Multi-Factor Authentication CONTRIBUTE A TEST | Remote System Discovery | | | | Domain Fronting CONTRIBUTE A TEST | | | | | Event Triggered Execution: .bash_profile .bashrc and .shrc | Scheduled Task/Job: At | Impair Defenses: Disable or Modify System Firewall | Input Capture CONTRIBUTE A TEST | Network Service Discovery | | | | Data Encoding CONTRIBUTE A TEST | | | | | Domain Accounts CONTRIBUTE A TEST | Valid Accounts: Local Accounts | Electron Applications CONTRIBUTE A TEST | ARP Cache Poisoning CONTRIBUTE A TEST | Software Discovery CONTRIBUTE A TEST | | | | Non-Standard Encoding CONTRIBUTE A TEST | | | | | Server Software Component CONTRIBUTE A TEST | | Impair Defenses: Disable or Modify Linux Audit System | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | Debugger Evasion CONTRIBUTE A TEST | | | | Application Layer Protocol: Web Protocols | | | | | Installer Packages CONTRIBUTE A TEST | | Obfuscated Files or Information: Binary Padding | Multi-Factor Authentication Interception CONTRIBUTE A TEST | System Time Discovery | | | | Ingress Tool Transfer | | | | | Boot or Logon Initialization Scripts: Rc.common | | Valid Accounts: Default Accounts CONTRIBUTE A TEST | Modify Authentication Process CONTRIBUTE A TEST | | | | | Hide Infrastructure CONTRIBUTE A TEST | | | | | Create or Modify System Process: SysV/Systemd Service | | Hijack Execution Flow: LD_PRELOAD | | | | | | Data Obfuscation via Steganography | | | | | Create Account CONTRIBUTE A TEST | | File and Directory Permissions Modification CONTRIBUTE A TEST | | | | | | Fallback Channels CONTRIBUTE A TEST | | | | | XDG Autostart Entries CONTRIBUTE A TEST | | Abuse Elevation Control Mechanism CONTRIBUTE A TEST | | | | | | Proxy: Internal Proxy | | | | | Power Settings CONTRIBUTE A TEST | | Abuse Elevation Control Mechanism: Setuid and Setgid | | | | | | Dead Drop Resolver CONTRIBUTE A TEST | | | | | Scheduled Task/Job: At | | Impair Defenses: Indicator Blocking | | | | | | Junk Data CONTRIBUTE A TEST | | | | | Modify Authentication Process CONTRIBUTE A TEST | | Right-to-Left Override CONTRIBUTE A TEST | | | | | | | | | | | SQL Stored Procedures CONTRIBUTE A TEST | | Component Firmware CONTRIBUTE A TEST | | | | | | | | | | | Valid Accounts: Local Accounts | | Indicator Removal on Host CONTRIBUTE A TEST | | | | | | | | | | | | | Masquerading: Masquerade Task or Service | | | | | | | | | | | | | Pre-OS Boot CONTRIBUTE A TEST | | | | | | | | | | | | | Impair Defenses: Downgrade Attack | | | | | | | | | | | | | Virtualization/Sandbox Evasion CONTRIBUTE A TEST | | | | | | | | | | | | | Execution Guardrails CONTRIBUTE A TEST | | | | | | | | | | | | | Port Knocking CONTRIBUTE A TEST | | | | | | | | | | | | | Hide Artifacts: Hidden Users CONTRIBUTE A TEST | | | | | | | | | | | | | Impair Defenses: Impair Command History Logging | | | | | | | | | | | | | User Activity Based Checks CONTRIBUTE A TEST | | | | | | | | | | | | | VDSO Hijacking CONTRIBUTE A TEST | | | | | | | | | | | | | Impair Defenses: Disable or Modify Tools | | | | | | | | | | | | | Hijack Execution Flow CONTRIBUTE A TEST | | | | | | | | | | | | | Indicator Removal from Tools CONTRIBUTE A TEST | | | | | | | | | | | | | Valid Accounts CONTRIBUTE A TEST | | | | | | | | | | | | | Obfuscated Files or Information | | | | | | | | | | | | | Multi-Factor Authentication CONTRIBUTE A TEST | | | | | | | | | | | | | Run Virtual Instance CONTRIBUTE A TEST | | | | | | | | | | | | | Subvert Trust Controls CONTRIBUTE A TEST | | | | | | | | | | | | | Masquerading: Rename System Utilities | | | | | | | | | | | | | Spoof Security Alerting CONTRIBUTE A TEST | | | | | | | | | | | | | Steganography CONTRIBUTE A TEST | | | | | | | | | | | | | Domain Accounts CONTRIBUTE A TEST | | | | | | | | | | | | | Subvert Trust Controls: Install Root Certificate | | | | | | | | | | | | | Obfuscated Files or Information: Compile After Delivery | | | | | | | | | | | | | VBA Stomping CONTRIBUTE A TEST | | | | | | | | | | | | | Impersonation CONTRIBUTE A TEST | | | | | | | | | | | | | Hide Artifacts: Hidden Window CONTRIBUTE A TEST | | | | | | | | | | | | | Proc Memory CONTRIBUTE A TEST | | | | | | | | | | | | | Clear Persistence CONTRIBUTE A TEST | | | | | | | | | | | | | HTML Smuggling CONTRIBUTE A TEST | | | | | | | | | | | | | Command Obfuscation CONTRIBUTE A TEST | | | | | | | | | | | | | Indicator Removal on Host: File Deletion | | | | | | | | | | | | | Obfuscated Files or Information: Software Packing | | | | | | | | | | | | | Hidden File System CONTRIBUTE A TEST | | | | | | | | | | | | | Debugger Evasion CONTRIBUTE A TEST | | | | | | | | | | | | | Masquerading: Space after Filename | | | | | | | | | | | | | Ptrace System Calls CONTRIBUTE A TEST | | | | | | | | | | | | | Hide Artifacts: Hidden Files and Directories | | | | | | | | | | | | | Environmental Keying CONTRIBUTE A TEST | | | | | | | | | | | | | Modify Authentication Process CONTRIBUTE A TEST | | | | | | | | | | | | | Valid Accounts: Local Accounts | | | | | | | | | | | | | Exploitation for Defense Evasion CONTRIBUTE A TEST | | | | | | | |