Defensive-Security Store/PurpleLabs Cyber Range 30-days Extended Access

  • €199

PurpleLabs Cyber Range 30-days Extended Access

  • Closed
  • Course
  • 58 Lessons

PurpleLABS is a dedicated Cyber Range infrastructure for running detection and analysis of attackers' behaviors in terms of used techniques, tactics, procedures, and offensive tools. The environment has been created to constantly improve competencies in the field of Linux/Windows/Network threat hunting and learning about current trends of offensive actions vs direct detection and live forensics.

Cyber Range Playground with Hands-On Labs

Use PurpleLABS as Cyber Range advanced R&D environment for your own red/blue security research needs or as a part of training courses where you will study hands-on labs that we have carefully prepared. 

PurpleLabs Cyber Range Key Values

By providing high-quality Cyber Range environment we want to enable businesses to improve the detection capacity of their SOC teams and achieve better visibility and resistance to attacks.

Full Host/Network Visibility

Deep network and host visibility in hunting friendly environment allows you to easily get on the right track to find even the most sophisticated symptoms of chained tactics, techniques, and procedures of modern attackers.

Real Security Events

Generate real symptoms of different attack phases including C2 channels, persistence, defense evasion, data exfiltration, tunneling, and pivoting between critical network segments and run host/network detections.

Dedicated Installations

Cost-effective virtual infrastructure hosted on the pre-configured dedicated servers eliminates the need to deploy and maintain Cyber Range internal components.

Continuous Knowledge Transfer

Deliver periodic knowledge transfer and systematic expansion of team competencies in the field of Red + Blue = Purple teaming.

Hunting Dashboard

PurpleLabs Introduction

PurpleLABS Cyber Range Network Architecture

0x02. Blue/DFIR Components: SIEM

In this chapter, you are going to get familiar with different SIEM stacks running in PurpleLabs including Splunk, Hunting ELK (HELK), Graylog, and Wazuh. Through different security analysis tools, you will get access to real and live data sources including network and host telemetry coming from different nodes in the Cyber Range network.

  • SIEM/HELK introduction
  • SIEM/HELK Data sources
  • SIEM/Splunk introduction
  • SIEM/Splunk Data sources
  • SIEM/Graylog intro
  • SIEM/Graylog Data sources
  • SIEM/Wazuh Data Sources

0x01. PurpleLabs User Setup Overview

  • PurpleLabs User Setup Overview
  • Welcome to PurpleLABS!
  • PurpleLabs Hunting Dashboard
  • Open Source Community
  • Network Addressing
  • Your Virtual Machines
  • Data sources and SIEM/DFIR components
  • Troubleshooting
  • Rules and policies
  • Threat Detection and Hunting with PurpleLabs #1
  • Threat Detection and Hunting with PurpleLabs #2

0x03. Blue/DFIR Components: HOST

This chapter is fully dedicated to Linux endpoint/server security monitoring and live forensics at scale. A set of low-level visibility tools like Tracee, Falco, Sysdig, or Sysmon4Linux has been used to enhance host visibility. You will work through short use-case scenarios that show not only the value of each tool but, above all, let you "see" and better understand the true behavior of attacks and the corresponding TTPs at scale through the visibility/DFIR layers available in PurpleLabs.

  • Host/Syslog
  • Host/Auditd
  • Host/Falco Runtime Security
  • Host/Tracee Syscall Tracing
  • Host/Sysdig Syscall tracing
  • Host/Sysmon4Linux
  • Host/Velociraptor
  • Host/OSQuery
  • Host/Sandfly
  • Host/Wazuh
  • Host/CatScale
  • Host/rkhunter
  • Host/Yara Scanning
  • Host/LKRG
  • Host/SELinux

0x04. Blue/DFIR Components: NETWORK

In this chapter, you will learn about the different network data sources available in PurpleLabs: from NetFlow to the signature-less Zeek IDS and the signature-based Suricata IDS, up to full packet capture based on Moloch/Arkime. It is a true hands-on experience on a real network with excellent network visibility. Connect to your PurpleLabs VMs and generate the first network activities. Even the simple network behavior of your hosts (HASSH, JA3, DNS, NTP, ICMP, SMB, etc.) is a great way to learn more about network protocols and the specific behavior of Linux boxes in the context of the applications running during an attack.

  • Network/Zeek
  • Network/Suricata
  • Network/Elastiflow
  • Network/Arkime Full Packet Capture
  • Network/Forward Proxy Squid SSL Decryption
  • Network/WAF Modsecurity

0x05. Linux Memory forensics

  • Linux Memory forensics
  • Memory Acquisition
  • Volatility Framework

Attack/Defense

5 Labs from the Linux Attack and Live Forensic course:

  • Attack/Defense: Backdooring Apache HTTP Server
  • Attack/Defense: DNS/AXFR Payload Delivery
  • Attack/Defense: Yara scanning
  • Attack/Defense: Zombie Ant Farm Pypreloader #1
  • Attack/Defense: Netfilter hooking #1

0x06. PurpleLabs Default Targets

  • Lab Targets
  • Apache Tomcat
  • Apache HTTP CVE-2021-41773
  • NFS no_root_squash
  • Dirty Pipe CVE-2022-0847
  • pkexec CVE-2021-4034
  • Solr Log4j
  • Samba / CIFS
  • Weblogic SSRF
  • SSH Brute force
  • Docker escape
  • Exiftool
  • Attack emulation: Red Canary Atomics against your VMs

KEY VALUES

  • Get to know the newest Linux/Windows attack paths and hiding techniques vs proactive detection
  • Learn current trends, techniques, and offensive tools for Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution, and Credential Access against Windows and Linux machines (mapped to the MITRE ATT&CK Matrix)
  • Learn ways to improve detection and sharpen your event correlation skills across many different Linux/Windows/network data sources
  • Get to know the visibility/detection methods and capabilities of well-recognized hunting and detection tools including Velociraptor, HELK+Sigma, Splunk, Sysmon, Falco, Tracee, Elastiflow, Moloch/Arkime, Kolide Fleet, Wazuh, Graylog, IRIS and Sandfly
  • Find malicious Windows / Linux activities and identify threat details on the network
  • Prepare your SOC team to quickly filter out Windows/Linux network noise, which allows for better incident response handling
  • Find out how Detection / DFIR Open Source Software can support your SOC infrastructure
  • Understand the value of proactive Windows and Linux forensic scans versus manual and automated approaches to simulating attackers and generating anomalies
  • Identify Windows and Linux configuration blind spots in your network security posture
  • Understand the value of the purple teaming approach, where you hunt hands-on for yourself and your teammates

Benefits

SOC/CSIRT Skills Development

Develop the team's analytical skills required to work in a Security Operations Center environment.

Attack Paths

Learn how to create attack paths and generate chains of security events by combining attackers' techniques, tactics, and procedures (Chain Attack Scenarios).

Assume Breach

Understand the value of the Assume Breach approach and the simulation of threats after early access (C2, post-exploitation, Lateral Movement, Persistence, Evasion).

Threat Hunting

Understand what threat hunting is and why it is important. Feel the power of the data sources you have and learn how to distinguish between normal and malicious behaviors.

Detection As Code

Understand the power of Sigma rules/Protections Artifacts and their value for SIEM solutions and DFIR needs.

Security Validation

Run a validation of the current security status of the organization's network and understand the risks.

Open Source SOC

Obtain knowledge on creating a complete SOC environment using Open Source software components.

Live Forensics

Learn how to run live forensics inspections at scale for Windows and Linux, including Velociraptor, Volatility Framework, and more.

Incident Response

Create and understand incident response playbooks, default quarantine actions, and more.

Target Audience

  • CSIRT / Incident Response Specialists
  • Red and Blue team members
  • Penetration testers
  • Threat Hunters
  • Security / Data Analysts
  • IT Security Professionals, Experts & Consultants
  • SOC Analysts and SIEM Engineers
  • AI / Machine Learning Developers
  • Open Source Security Enthusiasts

Prerequisite Knowledge

  • The general initial skill level needed for a lab is intermediate - challenge yourself and grab hands-on Attack/Detection experience!
  • An intermediate level of command-line experience using Linux.
  • Fundamental knowledge of TCP/IP network protocols.
  • Penetration testing experience performing enumeration, exploitation, and lateral movement is beneficial, but not required.
  • Basic programming skills are a plus, but not essential.
  • Recommended reading material:
    • Adversarial Tradecraft in Cybersecurity
    • Privilege Escalation Techniques
    • Linux System Programming
    • Practical Threat Intelligence and Data-Driven Threat Hunting
    • Transmetropolitan ;-)

  • €399

Linux Attack, Detection and Live Forensics - MATERIALS ONLY - Lifetime Access

  • Course
  • 264 Lessons

After learning the PurpleLabs Introduction material in depth, you are ready for the next huge step in your career: dedicated hands-on material including rootkits, process injection types, C2 Frameworks, and more. Don't hesitate to ask for a discount!

Frequently Asked Questions

Just a bunch of questions and answers. Hope you will find them helpful. If not, send me a DM.

CAN I GET A CERTIFICATE OF COMPLETION?

Yes, on request. Just send me an email at lm+certificate@defensive-security.com and within 7 days you should get your cert.

HOW IS ACCESS TO PURPLELABS PROVIDED?

  • We are using the simplest solution, based on WireGuard VPN. All you have to do is install the VPN client and import one configuration file.
  • We are going to support "PurpleLabs in the browser" access soon as an alternative option.

CAN I GET AN INVOICE?

Of course.

CAN YOU DELIVER A DEDICATED TRAINING ONSITE FOR MY COMPANY?

Yes, I am always open to new collaborations, all over the world, or just online. Just send me a DM.

WHAT LANGUAGE ARE THE MATERIALS IN?

All materials and lab instructions are in English. For live/online sessions you can choose between Polish and English.

WHAT DOES THE ACCESS INCLUDE?

  • After the payment, you will get instant lifetime access to online walkthrough materials in the hands-on lab format.
  • Within 2-4 days after your payment, you will also get a dedicated set of VPN credentials for the PurpleLabs Cyber Range, valid for 30 days.
  • For every student, we deliver a set of five exclusive Linux machines (CentOS7/8, Kali Linux, Ubuntu 21.04, Ubuntu 20.04) that are at the same time part of the shared detection/hunting playground.

IS VIDEO CONTENT INCLUDED IN THE COURSE?

  • No, and it has never been a priority.
  • Hands-on lab instructions and the Cyber Range environment have been built in such a way that you can easily repeat the steps, step by step.

WHEN WILL I GET ACCESS TO PURPLELABS?

  • You will get PurpleLabs VPN access credentials within 2-4 days after you make a payment.