Detecting ATT&CK techniques & tactics for Linux

defense evasion

  • T1009 - Binary Padding

  • T1146 - Clear Command History

  • T1107 - File Deletion

  • T1222 - File Permissions Modification

  • T1158 - Hidden Files and Directories

  • T1148 - HISTCONTROL

  • T1070 - Indicator Removal on Host

  • T1055 - Process Injection

discovery

  • T1040 - Network Sniffing

  • T1087 - Account Discovery

privilege escalation

  • T1169 - Sudo

  • T1206 - Sudo Caching

  • T1166 - Setuid and Setgid

  • T1055 - Process Injection

credential access

  • T1139 - Bash History

  • T1081 - Credentials in Files

  • T1145 - Private Keys

  • T1110 - Brute Force

persistence

  • T1156 - .bash_profile and .bashrc

  • T1158 - Hidden Files and Directories

  • T1168 - Local Job Scheduling

  • T1166 - Setuid and Setgid

  • T1154 - Trap

execution

  • T1064 - Scripting

  • T1168 - Local Job Scheduling

initial access

  • T1136 - Create Account