In-memory Execution

In-memory Execution

Preview unavailable

You must log in or sign up to view this lesson.

Linux Attack, Detection and Live Forensics v1.0 - MATERIALS ONLY - Lifetime Access

Buy nowLearn more

Course Mindmap.png

Linux Detection and Forensics Cheatsheet v0.4.pdf

00. PurpleFlows Rapid Track

PurpleFlow#1

01. PurpleLabs Cyber Range Navigation

Welcome to PurpleLABS!

PurpleLabs Detection and Hunting Dashboard8

PurpleLabs Components - Helicopter View

PurpleLabs Components - EDRmetry Matrix

EDRmetry Matrix Generic Flow

Data sources and SIEM/DFIR components4

Your Virtual Machines1

Your Virtual Machines - TARGET_X

PurpleLabs Network Architecture

PurpleLabs VM Robot Tool

Troubleshooting

Rules and policies

Technical Support Service

Open Source Community

Changelog

Threat Detection and Hunting with PurpleLabs #1

Threat Detection and Hunting with PurpleLabs #2

02. Introduction to the course

About the course

Best strategy for taking the course

Why Linux as a target?

Current Linux threat landscape (2022/2023/2024/2025)

Linux Appliances Exploitation Cases

Active Defense

Purple teaming approach

Threat Hunting vs Incident Response

Linux MITRE ATT&CK

Linux EDR/Security Products

Recommended books

03. Blue/DFIR Components: SIEM

SIEM/Elastic Security

SIEM/Splunk

SIEM/Wazuh

Sigma Rules Hands-on Introduction2

Protections Artifacts from Elastic3

SIEM/Graylog [RETIRED]2

SIEM/HELK introduction [RETIRED]2

04. Blue/DFIR Components: HOST

Host/Syslog2

Host/Journal3

Host/Auditd4

Host/Falco Runtime Security2

Host/Tracee Syscall Tracing5

Host/Kunai Runtime Security1

Host/Kunai Hunting Queries

Host/Sysdig Syscall tracing4

Host/Tetragon Runtime Security

Host/Jibril Runtime Security2

Host/Sysmon4Linux4

Host/Velociraptor

Host/FleetDM OSquery

Host/Sandfly Security

Host/Wazuh

Host/Sunlight

Host/Sunlight IR_Executor

Host/ghostscan

Host/CatScale1

Host/UAC1

Host/varc1

Host/rkhunter & chkrootkit

Host/Yara Scanning2

Host/Capa6

Host/LKRG

Host/SELinux

Host/Clamav

Host/Entropyscan vs ELFCrypt

Host/BPFMon

Host/bpftrace

Host/Argus Runtime Security [RETIRED]2

05. Blue/DFIR Components: NETWORK

Network/Zeek

Network/Zeek JA4

Network/Suricata

Network/Arkime Full Packet Capture

Network/Forward Proxy Squid SSL Decryption

Network/WAF Modsecurity

Network/RITA

Network/Elastiflow [RETIRED]

06. Establishing baseline vs Attack Vectors

Basic Linux Investigation tools

Process names

Process arguments

Parent-child process relationship2

/proc exploration

/sys exploration1

sysctl

Linker / LD_PRELOAD

Linux Kernel Modules

LKM Off4

Dmesg

eBPF programs1

DNS Settings

Network profiling1

Open Ports

iptables1

At / cron / systemd timers2

Users

Shell Configuration2

Initialization scripts / systemd4

Special File Attributes

DNF / yum

File Hashing / checksums2

OS / application logging behavior

SSH keys

Linux namespaces2

Linux Capabilities

07. Linux Memory Forensics

Linux Report Sections3

Introduction to Volatility Framework 3

Providing Volatility 3 ISF JSON Profiles2

Providing Volatility 2 Profiles

Memory Acquisition

Memory Forensics with Volatility 3

Volatility 3 External Fileless plugin2

Volatility 3 External eBPF plugins

Memory Forensics with Volatility 23

Building Volatility 3 ISF JSON Profiles [RETIRED]

Building Volatility 2 Linux Profiles [RETIRED]4

08. Linux Shells / C2 Implants

Python TLS/SSL Reverse Shell8

Sliver C2 Setup4

Sliver Transports and Pivoting

Sliver in details

Meterpreter Setup1

Sliver to Meterpreter Sideload2

Meterpreter shell_to_meterpreter

Merlin Setup

Merlin Transports

Merlin libprocesshider1

TLS/sniCAT3

DNS/AXFR Payload Delivery3

DNS/dnscat23

ICMP-based C2 and Exfiltration2

Port knocking

Hidden NTP Exfiltration1

FreeIPA LDAP as Hidden Storage

DNS/Weasel AAAA [RETIRED]

09. Tunnels / pivots / redirectors

SSH Socks Proxy3

SSH Tunneling

Reverse SSH

Shootback Protocol Tunneling

SSHimpanzee

FRP Fast Reverse Proxy

Global Socket

socat

ngrok

10. Incident Response

DFIR basics1

DFIR Preparation

Linux IR Investigation

IR Playbooks

IRIS Introduction2

11. Default Targets Exploitation & Detection

Reverse Shell / Backdoor payloads

File transfers

Apache Tomcat3

Apache HTTP CVE-2021-41773

NFS no_root_squash3

Dirty Pipe CVE-2022-08472

pkexec CVE-2021-4034

CVE-2022-25882

GameOver(lay) CVE-2023-2640/CVE-2023-32629

Spring Cloud Function CVE-2022-229635

Solr Log4j CVE-2021-44228

Kafka CVE 2023-25194

ActiveMQ CVE-2023-46604

XZ / liblzma backdoor CVE-2024-30942

Samba / CIFS + SSH Honey Key

Weblogic SSRF2

Wordpress RCE

SSH Brute force

Docker escape2

Exiftool CVE-2021-22204

Remote Heap Exploitation

Attack Emulation: Atomic Operator

Attack Emulation: Panix

12. Linux Rootkits for Red and Blue Teams

Evaluation of Linux Rootkits and Detection INTRO SLIDES - Practical Linux Rootkits for Red and Blue .pdf

eBPF SLIDES - Practical Linux Rootkits for Red and Blue .pdf

Linux System calls

General Linux rootkits behavior2

[US] Rootkits: Shared Library Injection3

[US] Rootkits: Hide SSH key with ld.so.preload

[US] Rootkits: Oh my Father!

[US] Rootkits: Sneaky Bedevil

[US] Rootkits: Socket Command Injection

[US] ELF injection with ptrace()

[US] ELF injection without ptrace()

[US] Proxy execution with DDexec

[US] In-memory execution with memrun

[US] memfd_vs_no_exec1

[US] memexec + XOR Loader

[US] Fileless Scripting Execution

[US] Rootkits: Dynamic Linker Preloading

[US] Rootkits: Zombie Ant Farm Pypreloader1

[US] MSF Shellcode from bash

[US] Rootkits: sshd injection

[US] Rootkits: sshd dummy cipher suite

[US] PAM-based Rootkits #1

[US] PAM-based Rootkits #23

[US] PAM-based Rootkits #3

[US] Python .pth Extension

[US] Yum/RPM Persistence

[US] Udev persistence

[US] Rootkits: Apache mod_authg

[US] Rootkits: HTTPD mod_backdoor

[US] Webshells: SOCKS from JSP

[US] Webshells: meterphp

[US] Linux Process Snooping

[US] Capturing SSH with strace

[US] Hiding process with bind mounts

[US] Beacon Object File (BOF) Stager

[KS] Rootkits: Usermode Helper on ICMP1

[KS] Rootkits: In-Memory LKM Loading

[KS] Rootkits: Diamorphine1

[KS] Rootkits: Reptile Analysis

[KS] Rootkits: Suterusu Analysis

[KS] Rootkits: Reveng_rtkit Analysis

[KS] Rootkits: Registering Char Device

[KS] Rootkits: iptables evil bit

[KS] Rootkits: systemtap creds() upgrade3

[KS] Rootkits: Netfilter hooking #1

[KS] Rootkits: xt_conntrack.ko Infection

[KS] Rootkits: Ftrace Hooking #1

[KS] Rootkits: Ftrace Hooking #2

[KS] Rootkits: BDS Ftrace Hooking #3

[KS] Rootkits: Bad-bpf trip

[KS] Rootkits: Offensive bpftrace

[KS] Rootkits: eBPF hooking / TripleCross5

[KS] Sniffer: eBPF SSL/TLS text capturing1

[KS] Rootkits: eBPF Raw Tracepoint Interception

[KS] Sniffer: eBPF PAM creds stealing

[KS] Rootkits: eBPF KoviD Analysis1

[KS] Rootkits: eBPF Boopkit Analysis

[KS] Rootkits: eBPF Hiding with nysm

[KS] Rootkits: eBPF bpfdoor2

[KS] Rootkits: ebpfkit Analysis

[KS/US] Backdooring Initramfs

[ELF] Kiteshield Anti Forensics

[KS] Randomized Faulter [RETIRED]

[KS] Rootkits: XDP-UDP-Backdoor [RETIRED]

Linux EDR Architecture

Introduction

What is Linux EDR engine?

How does Linux EDR work?

Core functionalities and key features

Visibility Events / Indexes / Data sources

Syscalls, Kernel Functions and Tracing Visibility1

Detection logic / rulesets

Engine Modes

Response, Triage and Forensics

Deployment and Operations

Alerts / Incidents / Detections

Query Language

Linux EDR Telemetry Project1

13. Active Security Research

Active Research

Rootkits: Syscall hooking

Linux Incident Response

In-memory Execution

Evasion / Bypassing techniques

OS Security Stacks

Exploitation

Memory Forensics

Linux Internals

LSM/Sandboxes

eBPF

Anti-Forensics

Tunneling/Proxying

Malware

Fun

Kubernetes/Cloud