PurpleLabs Linux Live Training in the Netherlands

Last week I had the great privilege to deliver live, on-site 3-day 'Linux Attack, Detection and Live Forensics' training in Helmond, Netherlands. We dived deep into Linux threats focusing on user/kernel space rootkits with an Active Defense / purple teaming approach. During the training, we analyzed many interesting areas including eBPF process hiding, different syscall hooking methods, process injections, Linux persistence, C2, and many more. The hands-on session included also examples of remote and local exploitation of docker containers and network services.

The entire program simultaneously took into account the detection, hunting, and forensics part, so for each offensive part we analyzed available telemetry, alerts, network events, and memory dumps acquired on-demand ^^ We looked at /proc/kallsyms, /sys/kernel/debug/tracing/enabled_functions, /dev/shm/**, /proc/** and so many other locations for evidence of exotic behaviors.

The Blue Team stack included Elastic Security, Wazuh, Falco, Tracee, Sysmon4Linux, Velociraptor, OSquery, Sandfly Security, Zeek, Suricata, Arkime FPC, and LKRG. Not to mention about Volatility Framework 2/3 and more.

Look at these smiling faces - we've pumped in a lot of knowledge so important for fighting with Linux threats. It was a great pleasure sharing my 20+ years of experience - thank you for having me!
Special words of thanks go especially to Izak Schipper, Andy Wijnen, and Harry Beckers for organizing and hosting us.

Interested to learn more? Check out the course/training agenda here: https://edu.defensive-security.com/linux-attack-live-forensics-at-scale

You can join the self-learning program just now, or ping me, and let's organize similar private training for your team at your company office ^^

======

My next public training will have a place in Las Vegas during Black Hat USA 2024: https://lnkd.in/d3UXy7ac

and later in Bangkok, Thailand @ Hack In The Box 2024: https://lnkd.in/d62huEgU