Defensive-Security Store/Linux Attack and Live Forensics At Scale MATERIALS-ONLY
Buy now

  • €99

Linux Attack and Live Forensics - MATERIALS ONLY

  • Course
  • 184 Lessons

Learn Linux attack, detection, and live forensics based on hands-on analyses of user space and kernel space Linux rootkits, C2 frameworks, and tools. Create low-level Linux attack paths, know better Linux internals, improve your Linux detection, understand the need for Linux telemetry, and stay prepared for Linux threats. 
Buy now

Recommendations

"Great content, very informative, Super training!, Learned new ways to detect attacks and defend on Linux, Good overview of offensive/defensive tools, I mostly like the level of content of this course, Good overview of different attacks and their traces in multiple monitoring systems, Content: Excellent."

BruCON 2022

From official training feedback

"We utilized PurpleLabs to further develop our SOC team skills. We have found that Defensive Security's hands-on content enabled them to better understand Linux internals and threats landscape in a unique hands-on format. Many step-by-step offsec lab modules ready to chain into low-level Linux attack paths, different detection layers, live telemetry streams and forensics tooling allow for a unique and challenging hands-on experience. Highly recommended!"

Przemysław Dęba

Head of Cybersecurity @ Orange

"Content and labs are interesting, Hands-on, Purple lab focus on the ability to simulate offensive so that we can deal with the defensive. I love all the additional things shared by the instructor. Deploying and using C2, rootkits, etc, and seeing this reflected in the detection tooling."

Hack In The Box Singapore 2022

From official training feedback

"It is funny, out of all courses and labs, PurpleLabs was the best lab in terms of knowledge that I use today."

Stefan Waldvogel

SIEM Engineer @ Graylog

I've been having fun doing the Defensive Security Linux Attack and Live Forensics course.

Craig Rowland

Founder @ SandflySecurity, Agentless Linux security and EDR

About the course

Attackers constantly find new ways to attack and infect Linux boxes using more and more sophisticated techniques and tools. As defenders, we need to stay up to date with adversaries, understand their TTPs and be able to respond quickly. The combination of low-level network and endpoint visibility is crucial to achieving that goal. For DFIR needs
we could go even further with proactive forensics inspections. This training will guide you through different attack-detection-inspection-response use cases and teach critical aspects of how to handle Linux incidents properly.

This course helps create and understand low-level Linux attack paths, improve your Linux detection coverage, see in action many Open Source DFIR/defensive projects, and understand the need for Linux telemetry, especially including Kubernetes clusters where Runtime Security solutions are a must these days. The techniques and attack paths covered in this training include many different implementations of eBPF, XDP, Ftrace, Kprobe, Uprobe, Netfilter, Systemtap, PAM, SSHD, HTTPD/Nginx, LD_PRELOAD-based code samples, and PoCs. Detection and forensics layers include LKRG, bpftool, Velociraptor IR, OSQuery, CLI-based /proc/ and /sys/ analysis, memory forensics with Volatility  2/3 Framework with the semi-automated RAM acquisition, Sysmon4Linux, Falco, Tracee, Sysdig, Tetragon, Sandfly Security, Zeek IDS, Suricata IDS, Moloch/Arkime FPC, Yara rules and more.

The hands-on content has been divided into user-space and kernel-space sub-sections. When you are done, dig deeper and create your own custom attack paths, then improve your detection coverage. Purple teaming for life!
 
If you want to enhance your understanding of Linux x86/x64 internals and stay prepared for Linux threats, this course is a must have!

 


Through the hands-on labs, you will gain a perfect understanding of important DFIR Linux/Network internals and investigation steps needed to get the full picture of Linux attack paths including post-exploitation activities and artifacts left behind.

Dive into the world of Linux syscall hooking techniques, see hands-on how rootkits work in well-prepared Detection PurpleLabs Cyber Range, analyze and modify the source codes, find interesting behavior patterns in binaries and logs, learn what telemetry is needed to catch modern Linux threat actors, and find how to proactively validate and improve detection coverage with step-by-step Linux adversary emulations.

Course Mindmap - Linux Attack and Forensics Inspection at scale-v3.png
PurpleLABS Cyber Range Network Architecture
Preview

0x01. PurpleLabs Hunting Components Dashboard

PurpleLABS Playground Hunting Components Dashboard and navigation that allows for the best experience during your research and material studies.
PurpleLabs Dashboard
PurpleLabs Components - Helicopter View

0x02. PurpleLabs User Setup Overview

This module is dedicated to the introduction to the PurpleLabs environment, network setup and assigned virtual machines, available tools, hunting components, datasets, and telemetry. Short and easy section to make better use of the PurpleLabs platform and hands-on materials.

Welcome to PurpleLABS!
Open Source Community
Network Addressing
Your Virtual Machines
Preview
Data sources and SIEM/DFIR components
Troubleshooting
Rules and policies
Threat Detection and Hunting with PurpleLabs #1
Threat Detection and Hunting with PurpleLabs #2

0x03. PurpleLabs Default Targets

A section dedicated to local and remote exploitation. Sample targets allow you to better understand the attack methods and corresponding offensive tools and frameworks. Detailed analysis of individual cases will allow you a better understanding of the detection engineering process and will allow obtaining the real values from the "show me the change" approach where comparing the behavior of infected systems vs the golden images is crucial.

Reverse Shell / Backdoor payloads
File transfers
Apache Tomcat
Apache HTTP CVE-2021-41773
NFS no_root_squash
Dirty Pipe CVE-2022-0847
pkexec CVE-2021-4034
CVE-2022-2588
CVE-2022-22963: Spring Cloud Function RCE
Solr Log4j
Samba / CIFS
Weblogic SSRF
SSH Brute force
Docker escape
Exiftool CVE-2021-22204
Remote Heap Exploitation
Attack emulation: Red Canary Atomics against your VMs

0x04. Blue/DFIR Components: SIEM

In this chapter, you are going to get familiar with different SIEM stacks running in PurpleLabs including Splunk, Hunting ELK (HELK), Graylog, and Wazuh. Through different security analysis tools, you will get access to real and live data sources including network and host telemetry coming from different nodes in the Cyber Range network.

SIEM/HELK introduction
SIEM/HELK Data sources
SIEM/Splunk introduction
SIEM/Splunk Data sources
SIEM/Graylog intro
SIEM/Graylog Data sources
SIEM/Wazuh Data Sources

0x05. Blue/DFIR Components: HOST

This chapter is fully dedicated to Linux endpoint/server security monitoring and live forensics at scale. A set of low-level visibility tools like Tracee, Falco, Sysdig, or Sysmon4Linux have been used to enhance host visibility. You will play with short use-case scenarios that effectively show not only the tool's values, but first of all, allow you to "see" and better understand the true behavior of attacks and corresponding TTPs at scale through the visibility/DFIR layers you can find in PurpleLabs.

Host/Syslog
Host/Auditd
Host/Falco Runtime Security
Host/Tracee Syscall Tracing
Host/Sysdig Syscall tracing
Host/Sysmon4Linux
Host/Velociraptor
Host/OSQuery
Host/Sandfly
Host/Wazuh
Host/CatScale
Host/UAC
Host/varc
Host/rkhunter
Host/Yara Scanning
Host/LKRG
Host/SELinux
Host/Clamav

0x06. Blue/DFIR Components: NETWORK

In this chapter, you will learn about different network data sources available in PurpleLabs. From Netflow to signature-less Zeek IDS and signature-based Suricata IDS to Full PCAP Capture based on Moloch/Arkime. True experience based on a real network with cool network visibility. Connect to your PurpleLabs VMS and generate the first network activities. Simple network behavior of your hosts (HASSH, JA3, DNS, NTP, ICMP, SMB, etc.) sounds like a great idea to learn more about network protocols and specific behaviors of Linux boxes in the context of running applications during an attack.

Network/Zeek
Network/Suricata
Network/Arkime Full Packet Capture
Network/Forward Proxy Squid SSL Decryption
Network/WAF Modsecurity

0x07. Introduction to the course

This chapter is a course introduction and the technical scope you can expect from the materials. By analyzing the current Linux threat landscape you will jump into the area of Linux attack paths/offensive operations vs detection engineering and live forensics inspections. This chapter is just an entry point to the broader true hands-on Linux/Network Purple Teaming journey I am going to kidnap you on during this course.

About the course
Preview
Why Linux as a target?
Current Linux threat landscape (2022/2023)
Linux Appliances Exploitation Cases
Purple teaming approach
Threat Hunting vs Incident Response
Linux MITRE ATT&CK
Linux EDR/Security Products
DFIR basics
DFIR Preparation
Basic TCP/IP stack
Basic Linux Investigation tools
General rootkits behavior
Recommended books

0x08. Establishing baseline vs Attack Vectors

Baseline profiling is the key to getting a better and faster incident handling process. While analyzing different Linux components, core system services, filesystem paths, and other subsystem configurations, you are going to better understand where exactly attackers can leave backdoors as a persistence method. In this chapter, you will learn about various OS  locations and persistence methods including one-liners and obfuscation vs Live Forensics at scale using OSquery, Sandfly, Velociraptor, and more.

Process names
Process arguments
Parent-child process relationship
/proc/ exploration
sysctl
Linker / LD_PRELOAD
Linux Kernel Modules
LKM Off
DNS Settings
Network profiling
Open Ports
iptables
At / cron / systemd timers
Users
Shell Configuration
Initialization scripts
Special File Attributes
File Hashing / checksums
OS / application logging behavior
SSH keys
Linux namespaces

0x09. Rule-based Linux Log Analysis

A chapter dedicated to different open-source detection rule sets, their formats, use cases, and detection logic. During Sigma rules analysis I always think also from the red team perspective asking myself: "What's the goal of a technique? How to generate a similar behavior? How to avoid generating this behavior?" Then after hands-on offsec research, new questions appear: "How to detect it? On what layers? What telemetry would be helpful, Is there any relation between available data sources? What about missing data sources? etc.?" Take your time and carefully analyze Sigma rules - a generic Signature Format for SIEM Systems and Protections Artifacts from Elastic and get a true hands-on purple teaming experience.

Sigma Rules Hands-on Introduction
Protections Artifacts from Elastic
Detection Rules from Elastic

0x0a. Linux Memory forensics

This section is about dynamic memory acquisition and live memory forensics of Linux boxes. Improve your memory forensics skills by playing with Volatility Framework 2/3 against a huge set of Linux attack use cases. The idea is simple. You make an offensive operation and in the next step, you download the RAM image and use Volatility Framework to find artifacts. The entire process has been automated, which allows you to focus on the merits. Memory forensics is also a cool approach for baselining low levels of your OS and apps!

Linux Report Sections
Building Volatility 2 Linux Profiles
Building Volatility 3 ISF JSON
Memory Acquisition
Forensics with Volatility2
Forensics with Volatility 3
Fileless plugin

0x0b. Linux Shells / C2 Implants

This chapter is all about playing with different C2 frameworks you could use as an attacker against your Linux targets. You will focus on different types of payloads and listeners, and various types of execution methods including sideloading, process injection/hiding, and C2 armoring to execute malicious code even in a more stealthy manner. The detection part comes in next as you will use PurpleLabs host and network visibility to learn more about different C2 behaviors, their TTPs, implant process structures, and configurations.
Sliver C2 Setup
Sliver Transports and Pivoting
Sliver in details
Meterpreter Setup
Sliver to Meterpreter Sideload
Meterpreter shell_to_meterpreter
TLS/sniCAT
Merlin Setup
Merlin Transports
Merlin libprocesshider
DNS/AXFR Payload Delivery
Preview
DNS/Weasel
DNS/dnscat2
ICMP-based C2 and Exfiltration
Port knocking

0x0c. Tunnels / pivots / redirectors

A section about different kinds of network tunneling and pivoting techniques. Thanks to PurpleLabs you can easily jump through different subnets and hosts using protocols of your choice, then analyze your network flows and prepare IoC in IRIS.
SSH Socks Proxy
SSH Tunneling
Reverse SSH
Shootback Protocol Tunneling
SSHimpanzee
socat
Chisel
ngrok

0x0d. Incident response

Live forensics is an important part of Incident Response. During a course, use IRIS - an Incident Response Investigation System that helps incident responders share technical details. Create and simulate your own Attack Paths and use IRIS for custom hands-on investigation needs. In this section, you will also get introduced to the extensive IR playbooks.
IRIS Introduction
IR Playbooks

0x0e. Linux ATTACK/Detection Analysis

This is the main and the largest part of the course where you will play with a set of real Linux offensive use cases vs detection/forensics. The hands-on content has been divided into user-space and kernel-space subsections. When you are done, dig deeper and create your own custom attack paths, then build your detection against them. Purple teaming for life!

[US] = user space
[KS] = kernel space

Evaluation of Linux Rootkits and Detection INTRO SLIDES - Practical Linux Rootkits for Red and Blue .pdf
eBPF SLIDES - Practical Linux Rootkits for Red and Blue .pdf
[US] Rootkits: Shared Library Injection
[US] Rootkits: Oh my Father!
[US] Rootkits: Socket Command Injection
[US] ELF injection with ptrace()
[US] ELF injection without ptrace()
[US] Proxy execution with DDexec
[US] In-memory execution with memrun
[US] memfd_vs_no_exec
[US] Fileless Scripting Execution
[US] Rootkits: Dynamic Linker Preloading
[US] Rootkits: Zombie Ant Farm Pypreloader #1
[US] MSF Shellcode from bash
[US] Rootkits: sshd injection
[US] Rootkits: sshd dummy cipher suite
[US] PAM-based Rootkits #1
[US] PAM-based Rootkits #2
[US] PAM-based Rootkits #3
[US] Yum/RPM Persistence
[US] Rootkits: Apache mod_authg
[US] Rootkits: HTTPD mod_backdoor
Preview
[US] Webshells: SOCKS from JSP
[US] Webshells: meterphp
[US] Webshells slopshell
[KS] Rootkits: Usermode Helper on ICMP
[KS] Rootkits: In-Memory LKM Loading
[KS] Rootkits: Reptile Analysis
[KS] Rootkits: Suterusu Analysis
[KS] Rootkits: Reveng_rtkit Analysis
[KS] Rootkits: iptables evil bit
[KS] Rootkits: systemtap creds() upgrade
[KS] Rootkits: Netfilter hooking #1
Preview
[KS] Rootkits: xt_conntrack.ko Infection
[KS] Rootkits: Ftrace Hooking #1
[KS] Rootkits: bad-bpf trip
[KS] Rootkits: XDP-UDP-Backdoor
[KS] Rootkits: eBPF hooking / TripleCross
[KS] Rootkits: eBPF SSL/TLS text capturing
[KS] Rootkits: eBPF Raw Tracepoint Interception
[KS] Rootkits: eBPF PAM creds stealing
[KS] Rootkits: eBPF KoviD Analysis
[KS] Rootkits: eBPF bpfdoor
[KS] Rootkits: ebpfkit Analysis
[KS] Randomized Faulter [RETIRED]
Preview

0x0f. Changelog

This is the list of changes/new lab scenarios that have been made over time

Changelog
Preview

0x10. Active Security Research

Active Research
Rootkits: Syscall hooking
Linux Incident Response
In-memory Execution
Evasion / Bypassing techniques
Exploitation
Memory Forensics
Linux Internals

Certificate of Completion

Complete all labs scenarios, learn Linux attack, detection, and forensics at scale, create your own Linux attack paths while looking for DFIR artifacts, and get your PurpleLabs Certificate of Completion.

Benefits for Red Teams

  • Understand the advantages and values of the purple teaming approach in the Linux red/blue ecosystem
  • Learn about the full scope of Linux offensive techniques, tools, and newest community research
  • Learn about different detection/response tools and techniques vs attacks
  • Learn how to hide effectively in the Linux OS and how to exfiltrate data in stealthy ways
  • Learn how to deploy and use C2, low-level rootkits and see this reflected in the detection/DFIR tooling
  • Get code and command snippets ready to use during your red team and adversary operations/emulations
  • Get experience with Sigma Rules/Protections Artifacts for staying stealthier and improving your defense evasion skills

Benefits for Blue Teams/DFIR

  • Understand the advantages and values of the purple teaming approach in the Linux ecosystem
  • Learn about the full scope of Linux Detection/Forensics techniques, tools, and the newest community research
  • Understand the structures of advanced Linux attack paths, how they really work, and how to protect
  • Learn about different offensive tools that you can use against hackers
  • See the effectiveness of Detection tooling vs attacks emulations
  • Get experience with Sigma Rules for a better understanding of the logic behind attacks and needed telemetry

Benefits for DevOps/SecOps/Admins

  • This knowledge will change the way you look at hardening and monitoring your Linux ecosystems
  • Recognize security-related enhancements in the modern Linux kernel
  • Understand kernel components and programming interfaces used to compromise a system
  • Discover recommended Open Source Security solutions against actual hands-on attacks
  • Learn about the full scope of Linux Detection/DFIR techniques, tools, and the newest community research
  • Understand the advantages and values of the purple teaming approach in the Linux red/blue scope
  • Gain experience in managing many different detection and visibility layers

KEY LEARNING OBJECTIVES

  • Get to know the newest Linux attack paths and hiding techniques vs proactive detection
  • Learn current trends, techniques, and offensive tools for Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution, Credential Access against Linux machines ← Linux Matrix ATT&Ck Framework
  • Learn ways to improve detection and sharpen your event correlation skills across many different Linux/network data sources
  • Get to know visibility/detection methods and capabilities of well-recognized Hunting and Detection tools including Velociraptor, HELK+Linux Sigma, Splunk, Elastiflow, Moloch/Arkime, Kolide Fleet, Wazuh, Graylog, theHive, Sandfly
  • Find the malicious Linux activities and identify threat details on the network
  • Prepare your SOC team for fast filtering out Linux network noise and allow for better incident response handling
  • Find out how Detection / DFIR Open Source Software can support your SOC infrastructure
  • Understand values of proactive Linux forensics scans vs manual and automated approaches to simulate attackers and generate anomalies
  • Identify Linux blind spots in your network security posture
  • Understand the value of the purple teaming approach where you hunt for yourself and teammates

Who Should Attend

  • Cloud Security Engineers / Kubernetes Operators
  • SecDevOps / Linux Administrators
  • CSIRT / Incident Response Specialists
  • Red and Blue team members
  • Penetration testers
  • Threat Hunters
  • Security / Data Analytics
  • IT Security Professionals, Experts & Consultants
  • SOC Analysts and SIEM Engineers
  • AI / Machine Learning Developers
  • Open Source Security Enthusiasts

Prerequisite Knowledge

  • General skill level of the course: intermediate
  • An intermediate level of command-line syntax experience using Linux.
  • Fundament knowledge of TCP/IP network protocols.
  • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required.
  • Basic programming skills are a plus, but not essential.
  • Recommended reading material:
    • Adversarial Tradecraft in Cybersecurity
    • Privilege Escalation Techniques
    • Linux System Programming
    • Practical Threat Intelligence and Data-Driven Threat Hunting
    • Transmetropolitan ;-)

WHY SHOULD YOU TAKE THIS COURSE?


This course takes on an “attack vs detection” approach in a condensed format. This will allow a gradual escalation of the level of knowledge in the scope of Linux internals and red/blue/purple teaming to both experienced specialists and beginners while maintaining the attractiveness and pleasure of performing tasks.

This class is intended for students who have a basic understanding of Linux and have to deal with advanced threats. Furthermore, the course is also interesting for experienced DFIR/SOC/CERT players who aim to dig deeper into the understanding of Linux internals and corresponding network attack analysis techniques, detection and response.
  • 100% Real-Life, Lab-oriented scenarios focusing on the latest attacks and mitigation techniques using Open Source software. Acquire required competence sets in a short period of time.

  • Minimum theory, maximum hands-on labs only. High-tech Open Source Security workshops with the unique formula of "detection vs attack”. Feel the power of the Purple Team.

  • Provided by the highest level professionals in the market. Recommended by big players to expand your Open Source Security skills and knowledge.
  • Extremely deep-dive training on Linux Attack and Detection, Open Source SOC/DFIR components in action. Based on almost 20 years of unique experience.
  • Kind of Linux ATTACK Framework in hands-on model
  • Direct use of the acquired knowledge in real production environments

Your instructor Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer, and Security Researcher with almost 20 years of experience in the Cyber Security and Open Source Security Solutions market. He went through the full path of the infosec carrier positions: from Linux Administrator, System Developer and DevOps Engineer, through penetration tester and security consultant delivering hardening services, penetration testing, and training for the biggest players in the European and global market, to become finally an IT Security Architect / SOC Security Analyst with deep non-vendor focus on Network Security attack and detection. He’s got deep knowledge about finding blind spots and security gaps in corporate environments. Perfectly understands technology and business values by delivering a structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON 2017/2018, Black Hat USA 2019, OWASP Appsec US 2018, FloCon USA 2018, Hack In The Box Dubai / Amsterdam / Singapore / Abu Dhabi 2018/2019/2020, 44CON UK 2019, Confidence PL, PLNOG, Open Source Day PL, Secure PL, Advanced Threat Summit PL,Semafor PL, ISSA Polska.

Testimonials

  • "It's been a while since I was so excited (like during #LockedShield2018). Together with a group of secfreaks we had an opportunity to bring into play intensive scenarios and step into adversaries' shoes. I don’t remember when I exfiltra… took away so much knowledge. Actually is better to simply turn off computers. But try harder."

“The content of in and out was great. Lots of gained knowledge and hands-on!


I wanted my team to experience something new, different ... I wanted SOC analysts to learn practical ways to bypass security and data exfiltration and learn to detect them and learn the techniques of attackers who could already break the security and work inside. And then Leszek appeared. We did not need a single coffee for three days! Leszek shared great knowledge with us in a very accessible way. Materials, pictures, scenarios - everything prepared and working. Thank you Leszek Miś! Highly recommend !!! 

One of the best security exfiltration training so far! Lots of fun & learning! If you want to learn how hackers think and what kind of tooling they use - this is it!"

  • "If you need to get deep and broad knowledge in the scope of Defensive Security using Open Source software then don't hesitate and just grab for it - definitely worth to attend and meet Leszek in person and his experience"

“Leszek Miś is very knowledgeable in the topics covered in the course. He also shares real-life scenarios which were useful for participants to better understand the application of the material presented. The Content was very good, it covers many leading open-source projects which I find useful. I would recommend this course to my colleagues.”

Frequently asked questions

Just a bunch of questions and answers. Hope you will find them helpful. If not, send me a DM.

CAN I GET A CERTIFICATE OF COMPLETION?

Yes, on request. Just send me an email at lm+certificate@defensive-security.com and within 7 days you should get your cert.

HOW IS ACCESS TO PURPLELABS PROVIDED?

  • We are using the simplest solution based on Wireguard VPN. All you have to do is install the VPN client and import one configuration file.
  • We are going to support soon a "PurpleLabs in the browser"  access as an alternative option.

CAN I GET AN INVOICE?

Of course.

CAN YOU DELIVER A DEDICATED TRAINING ONSITE FOR MY COMPANY?

Yes, I am always open to new collaborations, all over the world, or just online. Just send me a DM.

WHAT LANGUAGE ARE THE MATERIALS IN?

All materials and lab instructions are in English. For live/online sessions you can choose between Polish and English.

WHAT DOES THE COURSE INCLUDING?

  • The course includes two types of content. After the payment, you will get instant access to online materials, of course in the hands-on lab format.
  • Within 2-4 days after your payment, you will get also a dedicated set of dedicated VPN credentials to PurpleLabs Cyber Range.
  • For every student, we deliver a set of five exclusive Linux machines (CentOS7/8, Kali Linux, Ubuntu 21.04, Ubuntu 20.04) that at the same time are a part of the shared detection/hunting playground.

IS VIDEO CONTENT INCLUDED IN THE COURSE?

  • No, it was not a priority, only hands-on lab experience.
  • Hands-on lab instructions and the Cyber Range environment have been built in such a way that you can easily handle all instructions by yourself.

WHEN WILL I GET ACCESS TO PURPLELABS?

  • You will get PurpleLabs VPN access credentials within 2-4 days after you made a payment.