Changelog

Here you will find information about introduced modifications, new lab scenarios, and PurpleLabs components:

2025/10/22:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/10886694-host-ghostscan
2025/09/26:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/4760783-us-msf-shellcode-from-bash [UPDATED]
2025/09/22:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427384-06-establishing-baseline-vs-attack-vectors/10746275-dnf-yum
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430416-07-linux-memory-forensics [UPDATED]
2025/08/03:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10357676-introduction
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10357683-what-is-linux-edr-engine
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10357687-how-does-linux-edr-work
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10357691-core-functionalities-and-key-features
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10357694-visibility-events-indexes-data-sources
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10357718-syscalls-kernel-functions-and-tracing-visibility
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10357750-detection-logic-rulesets
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10358020-engine-modes
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10358024-dashboards-analytics-query-language
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10358069-response-triage-and-forensics
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10358072-deployment-and-operations
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10358076-alerts-incidents-detections
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10358078-query-language
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/3184420-linux-edr-architecture/10358082-linux-edr-telemetry-project
2025/08/03:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427317-02-introduction-to-the-course/4429258-current-linux-threat-landscape-2022-2023-2024-2025 [UPDATED]
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/7406361-host-fleetdm-osquery [UPDATED]
2025/05/31:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/8406955-host-journal [UPDATED]
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/4429367-host-syslog [UPDATED]
2025/05/22:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/10139592-host-jibril-runtime-security
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/10139685-host-tetragon-runtime-security
2025/04/07:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/7735289-host-sunlight-ir_executor [UPDATED]
2025/01/22:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/9365422-us-rootkits-hide-ssh-key-with-ld-so-preload
2025/01/21:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430287-05-blue-dfir-components-network/9208797-network-zeek-ja4
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427384-06-establishing-baseline-vs-attack-vectors/4443048-lkm-off [UPDATED]
2025/01/15:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/9443073-us-beacon-object-file-bof-stager
2024/12/19:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427326-08-linux-shells-c2-implants/9399121-python-tls-ssl-reverse-shell
2024/11/29:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/9287675-ks-rootkits-bds-ftrace-hooking-3
2024/11/26:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/8480655-us-capturing-ssh-with-strace [UPDATED]
2024/11/8:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/8973896-host-bpftrace
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/9171082-us-memexec-xor-loader
2024/10/29:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427384-06-establishing-baseline-vs-attack-vectors/9117127-sys-exploration
2024/10/04:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/8973833-us-udev-persistence
2024/09/13:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/8877012-ks-rootkits-ftrace-hooking-2
2024/09/03:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/8818980-ks-rootkits-offensive-bpftrace
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/6842175-ebpf-slides-practical-linux-rootkits-for-red-and-blue-pdf [UPDATED]
2024/08/02:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/8679424-attack-emulation-panix
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427384-06-establishing-baseline-vs-attack-vectors/4451036-initialization-scripts [UPDATED]
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427384-06-establishing-baseline-vs-attack-vectors/4438430-process-names [UPDATED]
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427384-06-establishing-baseline-vs-attack-vectors/4438231-proc-exploration [UPDATED]
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/8675903-host-argus-runtime-security
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/8672908-us-hiding-process-with-bind-mounts
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/7920400-host-kunai [UPDATED]
2024/07/31:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/8669268-us-python-pth-extension
2024/07/04:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/8480655-us-capturing-ssh-with-strace
2024/06/21:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/2104188-13-active-security-research/8480552-os-security-stacks
2024/06/07:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/8406955-host-journal
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427384-06-establishing-baseline-vs-attack-vectors/4429062-basic-linux-investigation-tools [UPDATED]
2024/05/06:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427385-09-tunnels-pivots-redirectors/8234306-global-socket
2024/05/06:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427384-06-establishing-baseline-vs-attack-vectors/8232965-linux-capabilities
2024/04/22:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/8106967-xz-liblzma-backdoor-cve-2024-3094
2024/04/05:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/7668545-us-rootkits-sneaky-bedevil
2024/03/11:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/7920400-host-kunai
2024/03/06:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427326-08-linux-shells-c2-implants/7892716-freeipa-ldap-as-hidden-storage
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/7891999-owasp-juice-shop
2024/02/26:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/7838238-host-bpfmon
2024/02/23:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/5949632-ks-rootkits-ebpf-boopkit-analysis
2024/02/22:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430416-07-linux-memory-forensics/7818971-bpf-plugins
2024/02/21:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/7815520-host-capa
2024/02/20:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/7806861-gameover-lay-cve-2023-2640-cve-2023-32629
2024/02/19:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/7799938-wordpress-rce
2024/02/14:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427385-09-tunnels-pivots-redirectors/7742744-frp-fast-reverse-proxy
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/4441666-samba-cifs-ssh-honey-key [UPDATED]
2024/02/08:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/7735289-host-sunlight-ir_executor
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/7674331-elf-kiteshield-anti-forensics
2024/01/19:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/7577549-activemq-cve-2023-46604
2024/01/10:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/7437937-ks-rootkits-diamorphine
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/7532320-host-sunlight
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1431567-01-purplelabs-cyber-range-navigation/7514846-technical-support-service
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1431567-01-purplelabs-cyber-range-navigation/4429419-your-virtual-machines [UPDATES]
2024/01/08:
- Reorganization of the course structure
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427384-06-establishing-baseline-vs-attack-vectors/7521552-ebpf-programs
2023/12/13:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/4429293-ks-rootkits-ebpf-hooking-triplecross [UPDATED]
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/7270555-k8s-kafka-cve-2023-25194
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430287-05-blue-dfir-components-network/7393457-network-rita
- Elastic Security + FleetDM OSquery has been added to the PurpleLabs Cyber Range
2023/11/19:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427326-08-linux-shells-c2-implants/7260121-hidden-ntp-exfiltration
2023/11/10:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/7190858-ks-us-backdooring-initramfs
2023/11/03:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/7139633-us-linux-process-snooping
2023/10/23:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/7087019-ks-rootkits-ebpf-kovid-analysis
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427385-09-tunnels-pivots-redirectors/4438471-chisel [UPDATED]
2023/09/17:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/6873861-us-rootkits-sshd-dummy-cipher-suite
2023/08/11:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427385-09-tunnels-pivots-redirectors/6660278-sshimpanzee
2023/08/10:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/4429223-reverse-shell-backdoor-payloads [UPDATED]
2023/08/09:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/6655206-spring-cloud-function-cve-2022-22963
2023/08/05:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430416-07-linux-memory-forensics/6632836-fileless-plugin
2023/08/04:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427317-02-introduction-to-the-course/6627113-linux-mitre-att-ck
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/6627098-host-clamav
2023/07/19:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/6525289-us-fileless-scripting-execution
2023/07/17:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/6524685-us-rootkits-oh-my-father
2023/07/12:
- The overall experience around semi-automated memory forensics experience has been improved greatly
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427384-06-establishing-baseline-vs-attack-vectors/4438853-linker-ld_preload [UPDATED]
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430416-07-linux-memory-forensics/6502921-forensics-with-volatility-3
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430416-07-linux-memory-forensics/4438837-forensics-with-volatility2
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430416-07-linux-memory-forensics/4438835-memory-acquisition [UPDATED]
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430416-07-linux-memory-forensics/6408099-building-volatility-2-linux-profiles
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430416-07-linux-memory-forensics/6503903-building-volatility-3-isf-json
2023/07/10:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430416-07-linux-memory-forensics/6490944-linux-report-sections
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430286-04-blue-dfir-components-host/4438402-host-tracee-syscall-tracing [UPDATED]
2023/06/22:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/5963551-ks-rootkits-bad-bpf-trip
2023/04/17:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/6018906-ks-rootkits-in-memory-lkm-loading
2023/04/07:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/5949506-ks-rootkits-xdp-udp-backdoor-retired
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/5949497-ks-rootkits-ftrace-hooking-1
2023/04/06:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/5960559-remote-heap-exploitation
2023/04/04:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427385-09-tunnels-pivots-redirectors/5947615-reverse-ssh
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1430312-11-default-targets-exploitation-detection/5947855-cve-2022-2588
2023/04/01:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427326-08-linux-shells-c2-implants/5946619-sliver-in-details
2023/03/25:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/5806299-ks-rootkits-xt_conntrack-ko-infection
2023/02/24:
- https://edu.defensive-security.com/view/courses/linux-attack-live-forensics-at-scale/1427336-12-linux-rootkits-for-red-and-blue-teams/5704325-us-rootkits-zombie-ant-farm-pypreloader-1

Changelog

Linux Attack, Detection and Live Forensics v1.0 - MATERIALS ONLY - Lifetime Access

00. PurpleFlows Rapid Track

01. PurpleLabs Cyber Range Navigation

02. Introduction to the course

03. Blue/DFIR Components: SIEM

04. Blue/DFIR Components: HOST

05. Blue/DFIR Components: NETWORK

06. Establishing baseline vs Attack Vectors

07. Linux Memory Forensics

08. Linux Shells / C2 Implants

09. Tunnels / pivots / redirectors

10. Incident Response

11. Default Targets Exploitation & Detection

12. Linux Rootkits for Red and Blue Teams

Linux EDR Architecture

13. Active Security Research

Linux Attack, Detection and Live Forensics v1.0 - MATERIALS ONLY - Lifetime Access

00. PurpleFlows Rapid Track

01. PurpleLabs Cyber Range Navigation

02. Introduction to the course

03. Blue/DFIR Components: SIEM

04. Blue/DFIR Components: HOST

05. Blue/DFIR Components: NETWORK

06. Establishing baseline vs Attack Vectors

07. Linux Memory Forensics

08. Linux Shells / C2 Implants

09. Tunnels / pivots / redirectors

10. Incident Response

11. Default Targets Exploitation & Detection

12. Linux Rootkits for Red and Blue Teams

Linux EDR Architecture

13. Active Security Research