Samba / CIFS + SSH Honey Key
Samba / CIFS + SSH Honey Key
Linux Attack, Detection and Live Forensics v1.0 - MATERIALS ONLY - Lifetime Access
Buy now
Learn more
Course Mindmap.png
Linux Detection and Forensics Cheatsheet v0.4.pdf
00. PurpleFlows Rapid Track
PurpleFlow#1
01. PurpleLabs Cyber Range Navigation
Welcome to PurpleLABS!
PurpleLabs Detection and Hunting Dashboard
8
PurpleLabs Components - Helicopter View
PurpleLabs Components - EDRmetry Matrix
EDRmetry Matrix Generic Flow
Data sources and SIEM/DFIR components
4
Your Virtual Machines
1
Your Virtual Machines - TARGET_X
PurpleLabs Network Architecture
PurpleLabs VM Robot Tool
Troubleshooting
Rules and policies
Technical Support Service
Open Source Community
Changelog
Threat Detection and Hunting with PurpleLabs #1
Threat Detection and Hunting with PurpleLabs #2
02. Introduction to the course
About the course
Best strategy for taking the course
Why Linux as a target?
Current Linux threat landscape (2022/2023/2024/2025)
Linux Appliances Exploitation Cases
Active Defense
Purple teaming approach
Threat Hunting vs Incident Response
Linux MITRE ATT&CK
Linux EDR/Security Products
Recommended books
03. Blue/DFIR Components: SIEM
SIEM/Elastic Security
SIEM/Splunk
SIEM/Wazuh
Sigma Rules Hands-on Introduction
2
Protections Artifacts from Elastic
3
SIEM/Graylog [RETIRED]
2
SIEM/HELK introduction [RETIRED]
2
04. Blue/DFIR Components: HOST
Host/Syslog
2
Host/Journal
3
Host/Auditd
4
Host/Falco Runtime Security
2
Host/Tracee Syscall Tracing
5
Host/Kunai Runtime Security
1
Host/Kunai Hunting Queries
Host/Sysdig Syscall tracing
4
Host/Tetragon Runtime Security
Host/Jibril Runtime Security
2
Host/Sysmon4Linux
4
Host/Velociraptor
Host/FleetDM OSquery
Host/Sandfly Security
Host/Wazuh
Host/Sunlight
Host/Sunlight IR_Executor
Host/ghostscan
Host/CatScale
1
Host/UAC
1
Host/varc
1
Host/rkhunter & chkrootkit
Host/Yara Scanning
2
Host/Capa
6
Host/LKRG
Host/SELinux
Host/Clamav
Host/Entropyscan vs ELFCrypt
Host/BPFMon
Host/bpftrace
Host/Argus Runtime Security [RETIRED]
2
05. Blue/DFIR Components: NETWORK
Network/Zeek
Network/Zeek JA4
Network/Suricata
Network/Arkime Full Packet Capture
Network/Forward Proxy Squid SSL Decryption
Network/WAF Modsecurity
Network/RITA
Network/Elastiflow [RETIRED]
06. Establishing baseline vs Attack Vectors
Basic Linux Investigation tools
Process names
Process arguments
Parent-child process relationship
2
/proc exploration
/sys exploration
1
sysctl
Linker / LD_PRELOAD
Linux Kernel Modules
LKM Off
4
Dmesg
eBPF programs
1
DNS Settings
Network profiling
1
Open Ports
iptables
1
At / cron / systemd timers
2
Users
Shell Configuration
2
Initialization scripts / systemd
4
Special File Attributes
DNF / yum
File Hashing / checksums
2
OS / application logging behavior
SSH keys
Linux namespaces
2
Linux Capabilities
07. Linux Memory Forensics
Linux Report Sections
3
Introduction to Volatility Framework 3
Providing Volatility 3 ISF JSON Profiles
2
Providing Volatility 2 Profiles
Memory Acquisition
Memory Forensics with Volatility 3
Volatility 3 External Fileless plugin
2
Volatility 3 External eBPF plugins
Memory Forensics with Volatility 2
3
Building Volatility 3 ISF JSON Profiles [RETIRED]
Building Volatility 2 Linux Profiles [RETIRED]
4
08. Linux Shells / C2 Implants
Python TLS/SSL Reverse Shell
8
Sliver C2 Setup
4
Sliver Transports and Pivoting
Sliver in details
Meterpreter Setup
1
Sliver to Meterpreter Sideload
2
Meterpreter shell_to_meterpreter
Merlin Setup
Merlin Transports
Merlin libprocesshider
1
TLS/sniCAT
3
DNS/AXFR Payload Delivery
3
DNS/dnscat2
3
ICMP-based C2 and Exfiltration
2
Port knocking
Hidden NTP Exfiltration
1
FreeIPA LDAP as Hidden Storage
DNS/Weasel AAAA [RETIRED]
09. Tunnels / pivots / redirectors
SSH Socks Proxy
3
SSH Tunneling
Reverse SSH
Shootback Protocol Tunneling
SSHimpanzee
FRP Fast Reverse Proxy
Global Socket
socat
ngrok
10. Incident Response
DFIR basics
1
DFIR Preparation
Linux IR Investigation
IR Playbooks
IRIS Introduction
2
11. Default Targets Exploitation & Detection
Reverse Shell / Backdoor payloads
File transfers
Apache Tomcat
3
Apache HTTP CVE-2021-41773
NFS no_root_squash
3
Dirty Pipe CVE-2022-0847
2
pkexec CVE-2021-4034
CVE-2022-2588
2
GameOver(lay) CVE-2023-2640/CVE-2023-32629
Spring Cloud Function CVE-2022-22963
5
Solr Log4j CVE-2021-44228
Kafka CVE 2023-25194
ActiveMQ CVE-2023-46604
XZ / liblzma backdoor CVE-2024-3094
2
Samba / CIFS + SSH Honey Key
Weblogic SSRF
2
Wordpress RCE
SSH Brute force
Docker escape
2
Exiftool CVE-2021-22204
Remote Heap Exploitation
Attack Emulation: Atomic Operator
Attack Emulation: Panix
12. Linux Rootkits for Red and Blue Teams
Evaluation of Linux Rootkits and Detection INTRO SLIDES - Practical Linux Rootkits for Red and Blue .pdf
eBPF SLIDES - Practical Linux Rootkits for Red and Blue .pdf
Linux System calls
General Linux rootkits behavior
2
[US] Rootkits: Shared Library Injection
3
[US] Rootkits: Hide SSH key with ld.so.preload
[US] Rootkits: Oh my Father!
[US] Rootkits: Sneaky Bedevil
[US] Rootkits: Socket Command Injection
[US] ELF injection with ptrace()
[US] ELF injection without ptrace()
[US] Proxy execution with DDexec
[US] In-memory execution with memrun
[US] memfd_vs_no_exec
1
[US] memexec + XOR Loader
[US] Fileless Scripting Execution
[US] Rootkits: Dynamic Linker Preloading
[US] Rootkits: Zombie Ant Farm Pypreloader
1
[US] MSF Shellcode from bash
[US] Rootkits: sshd injection
[US] Rootkits: sshd dummy cipher suite
[US] PAM-based Rootkits #1
[US] PAM-based Rootkits #2
3
[US] PAM-based Rootkits #3
[US] Python .pth Extension
[US] Yum/RPM Persistence
[US] Udev persistence
[US] Rootkits: Apache mod_authg
[US] Rootkits: HTTPD mod_backdoor
[US] Webshells: SOCKS from JSP
[US] Webshells: meterphp
[US] Linux Process Snooping
[US] Capturing SSH with strace
[US] Hiding process with bind mounts
[US] Beacon Object File (BOF) Stager
[KS] Rootkits: Usermode Helper on ICMP
1
[KS] Rootkits: In-Memory LKM Loading
[KS] Rootkits: Diamorphine
1
[KS] Rootkits: Reptile Analysis
[KS] Rootkits: Suterusu Analysis
[KS] Rootkits: Reveng_rtkit Analysis
[KS] Rootkits: Registering Char Device
[KS] Rootkits: iptables evil bit
[KS] Rootkits: systemtap creds() upgrade
3
[KS] Rootkits: Netfilter hooking #1
[KS] Rootkits: xt_conntrack.ko Infection
[KS] Rootkits: Ftrace Hooking #1
[KS] Rootkits: Ftrace Hooking #2
[KS] Rootkits: BDS Ftrace Hooking #3
[KS] Rootkits: Bad-bpf trip
[KS] Rootkits: Offensive bpftrace
[KS] Rootkits: eBPF hooking / TripleCross
5
[KS] Sniffer: eBPF SSL/TLS text capturing
1
[KS] Rootkits: eBPF Raw Tracepoint Interception
[KS] Sniffer: eBPF PAM creds stealing
[KS] Rootkits: eBPF KoviD Analysis
1
[KS] Rootkits: eBPF Boopkit Analysis
[KS] Rootkits: eBPF Hiding with nysm
[KS] Rootkits: eBPF bpfdoor
2
[KS] Rootkits: ebpfkit Analysis
[KS/US] Backdooring Initramfs
[ELF] Kiteshield Anti Forensics
[KS] Randomized Faulter [RETIRED]
[KS] Rootkits: XDP-UDP-Backdoor [RETIRED]
Linux EDR Architecture
Introduction
What is Linux EDR engine?
How does Linux EDR work?
Core functionalities and key features
Visibility Events / Indexes / Data sources
Syscalls, Kernel Functions and Tracing Visibility
1
Detection logic / rulesets
Engine Modes
Response, Triage and Forensics
Deployment and Operations
Alerts / Incidents / Detections
Query Language
Linux EDR Telemetry Project
1
13. Active Security Research
Active Research
Rootkits: Syscall hooking
Linux Incident Response
In-memory Execution
Evasion / Bypassing techniques
OS Security Stacks
Exploitation
Memory Forensics
Linux Internals
LSM/Sandboxes
eBPF
Anti-Forensics
Tunneling/Proxying
Malware
Fun
Kubernetes/Cloud
Preview unavailable
You must log in or sign up to view this lesson.
Login
Sign up
Linux Attack, Detection and Live Forensics v1.0 - MATERIALS ONLY - Lifetime Access
Buy now
Learn more
Course Mindmap.png
Linux Detection and Forensics Cheatsheet v0.4.pdf
00. PurpleFlows Rapid Track
PurpleFlow#1
01. PurpleLabs Cyber Range Navigation
Welcome to PurpleLABS!
PurpleLabs Detection and Hunting Dashboard
8
PurpleLabs Components - Helicopter View
PurpleLabs Components - EDRmetry Matrix
EDRmetry Matrix Generic Flow
Data sources and SIEM/DFIR components
4
Your Virtual Machines
1
Your Virtual Machines - TARGET_X
PurpleLabs Network Architecture
PurpleLabs VM Robot Tool
Troubleshooting
Rules and policies
Technical Support Service
Open Source Community
Changelog
Threat Detection and Hunting with PurpleLabs #1
Threat Detection and Hunting with PurpleLabs #2
02. Introduction to the course
About the course
Best strategy for taking the course
Why Linux as a target?
Current Linux threat landscape (2022/2023/2024/2025)
Linux Appliances Exploitation Cases
Active Defense
Purple teaming approach
Threat Hunting vs Incident Response
Linux MITRE ATT&CK
Linux EDR/Security Products
Recommended books
03. Blue/DFIR Components: SIEM
SIEM/Elastic Security
SIEM/Splunk
SIEM/Wazuh
Sigma Rules Hands-on Introduction
2
Protections Artifacts from Elastic
3
SIEM/Graylog [RETIRED]
2
SIEM/HELK introduction [RETIRED]
2
04. Blue/DFIR Components: HOST
Host/Syslog
2
Host/Journal
3
Host/Auditd
4
Host/Falco Runtime Security
2
Host/Tracee Syscall Tracing
5
Host/Kunai Runtime Security
1
Host/Kunai Hunting Queries
Host/Sysdig Syscall tracing
4
Host/Tetragon Runtime Security
Host/Jibril Runtime Security
2
Host/Sysmon4Linux
4
Host/Velociraptor
Host/FleetDM OSquery
Host/Sandfly Security
Host/Wazuh
Host/Sunlight
Host/Sunlight IR_Executor
Host/ghostscan
Host/CatScale
1
Host/UAC
1
Host/varc
1
Host/rkhunter & chkrootkit
Host/Yara Scanning
2
Host/Capa
6
Host/LKRG
Host/SELinux
Host/Clamav
Host/Entropyscan vs ELFCrypt
Host/BPFMon
Host/bpftrace
Host/Argus Runtime Security [RETIRED]
2
05. Blue/DFIR Components: NETWORK
Network/Zeek
Network/Zeek JA4
Network/Suricata
Network/Arkime Full Packet Capture
Network/Forward Proxy Squid SSL Decryption
Network/WAF Modsecurity
Network/RITA
Network/Elastiflow [RETIRED]
06. Establishing baseline vs Attack Vectors
Basic Linux Investigation tools
Process names
Process arguments
Parent-child process relationship
2
/proc exploration
/sys exploration
1
sysctl
Linker / LD_PRELOAD
Linux Kernel Modules
LKM Off
4
Dmesg
eBPF programs
1
DNS Settings
Network profiling
1
Open Ports
iptables
1
At / cron / systemd timers
2
Users
Shell Configuration
2
Initialization scripts / systemd
4
Special File Attributes
DNF / yum
File Hashing / checksums
2
OS / application logging behavior
SSH keys
Linux namespaces
2
Linux Capabilities
07. Linux Memory Forensics
Linux Report Sections
3
Introduction to Volatility Framework 3
Providing Volatility 3 ISF JSON Profiles
2
Providing Volatility 2 Profiles
Memory Acquisition
Memory Forensics with Volatility 3
Volatility 3 External Fileless plugin
2
Volatility 3 External eBPF plugins
Memory Forensics with Volatility 2
3
Building Volatility 3 ISF JSON Profiles [RETIRED]
Building Volatility 2 Linux Profiles [RETIRED]
4
08. Linux Shells / C2 Implants
Python TLS/SSL Reverse Shell
8
Sliver C2 Setup
4
Sliver Transports and Pivoting
Sliver in details
Meterpreter Setup
1
Sliver to Meterpreter Sideload
2
Meterpreter shell_to_meterpreter
Merlin Setup
Merlin Transports
Merlin libprocesshider
1
TLS/sniCAT
3
DNS/AXFR Payload Delivery
3
DNS/dnscat2
3
ICMP-based C2 and Exfiltration
2
Port knocking
Hidden NTP Exfiltration
1
FreeIPA LDAP as Hidden Storage
DNS/Weasel AAAA [RETIRED]
09. Tunnels / pivots / redirectors
SSH Socks Proxy
3
SSH Tunneling
Reverse SSH
Shootback Protocol Tunneling
SSHimpanzee
FRP Fast Reverse Proxy
Global Socket
socat
ngrok
10. Incident Response
DFIR basics
1
DFIR Preparation
Linux IR Investigation
IR Playbooks
IRIS Introduction
2
11. Default Targets Exploitation & Detection
Reverse Shell / Backdoor payloads
File transfers
Apache Tomcat
3
Apache HTTP CVE-2021-41773
NFS no_root_squash
3
Dirty Pipe CVE-2022-0847
2
pkexec CVE-2021-4034
CVE-2022-2588
2
GameOver(lay) CVE-2023-2640/CVE-2023-32629
Spring Cloud Function CVE-2022-22963
5
Solr Log4j CVE-2021-44228
Kafka CVE 2023-25194
ActiveMQ CVE-2023-46604
XZ / liblzma backdoor CVE-2024-3094
2
Samba / CIFS + SSH Honey Key
Weblogic SSRF
2
Wordpress RCE
SSH Brute force
Docker escape
2
Exiftool CVE-2021-22204
Remote Heap Exploitation
Attack Emulation: Atomic Operator
Attack Emulation: Panix
12. Linux Rootkits for Red and Blue Teams
Evaluation of Linux Rootkits and Detection INTRO SLIDES - Practical Linux Rootkits for Red and Blue .pdf
eBPF SLIDES - Practical Linux Rootkits for Red and Blue .pdf
Linux System calls
General Linux rootkits behavior
2
[US] Rootkits: Shared Library Injection
3
[US] Rootkits: Hide SSH key with ld.so.preload
[US] Rootkits: Oh my Father!
[US] Rootkits: Sneaky Bedevil
[US] Rootkits: Socket Command Injection
[US] ELF injection with ptrace()
[US] ELF injection without ptrace()
[US] Proxy execution with DDexec
[US] In-memory execution with memrun
[US] memfd_vs_no_exec
1
[US] memexec + XOR Loader
[US] Fileless Scripting Execution
[US] Rootkits: Dynamic Linker Preloading
[US] Rootkits: Zombie Ant Farm Pypreloader
1
[US] MSF Shellcode from bash
[US] Rootkits: sshd injection
[US] Rootkits: sshd dummy cipher suite
[US] PAM-based Rootkits #1
[US] PAM-based Rootkits #2
3
[US] PAM-based Rootkits #3
[US] Python .pth Extension
[US] Yum/RPM Persistence
[US] Udev persistence
[US] Rootkits: Apache mod_authg
[US] Rootkits: HTTPD mod_backdoor
[US] Webshells: SOCKS from JSP
[US] Webshells: meterphp
[US] Linux Process Snooping
[US] Capturing SSH with strace
[US] Hiding process with bind mounts
[US] Beacon Object File (BOF) Stager
[KS] Rootkits: Usermode Helper on ICMP
1
[KS] Rootkits: In-Memory LKM Loading
[KS] Rootkits: Diamorphine
1
[KS] Rootkits: Reptile Analysis
[KS] Rootkits: Suterusu Analysis
[KS] Rootkits: Reveng_rtkit Analysis
[KS] Rootkits: Registering Char Device
[KS] Rootkits: iptables evil bit
[KS] Rootkits: systemtap creds() upgrade
3
[KS] Rootkits: Netfilter hooking #1
[KS] Rootkits: xt_conntrack.ko Infection
[KS] Rootkits: Ftrace Hooking #1
[KS] Rootkits: Ftrace Hooking #2
[KS] Rootkits: BDS Ftrace Hooking #3
[KS] Rootkits: Bad-bpf trip
[KS] Rootkits: Offensive bpftrace
[KS] Rootkits: eBPF hooking / TripleCross
5
[KS] Sniffer: eBPF SSL/TLS text capturing
1
[KS] Rootkits: eBPF Raw Tracepoint Interception
[KS] Sniffer: eBPF PAM creds stealing
[KS] Rootkits: eBPF KoviD Analysis
1
[KS] Rootkits: eBPF Boopkit Analysis
[KS] Rootkits: eBPF Hiding with nysm
[KS] Rootkits: eBPF bpfdoor
2
[KS] Rootkits: ebpfkit Analysis
[KS/US] Backdooring Initramfs
[ELF] Kiteshield Anti Forensics
[KS] Randomized Faulter [RETIRED]
[KS] Rootkits: XDP-UDP-Backdoor [RETIRED]
Linux EDR Architecture
Introduction
What is Linux EDR engine?
How does Linux EDR work?
Core functionalities and key features
Visibility Events / Indexes / Data sources
Syscalls, Kernel Functions and Tracing Visibility
1
Detection logic / rulesets
Engine Modes
Response, Triage and Forensics
Deployment and Operations
Alerts / Incidents / Detections
Query Language
Linux EDR Telemetry Project
1
13. Active Security Research
Active Research
Rootkits: Syscall hooking
Linux Incident Response
In-memory Execution
Evasion / Bypassing techniques
OS Security Stacks
Exploitation
Memory Forensics
Linux Internals
LSM/Sandboxes
eBPF
Anti-Forensics
Tunneling/Proxying
Malware
Fun
Kubernetes/Cloud