Linux Attack, Detection and Forensics v2.0 - Hands-on Purple Teaming Playbook
Introduction
Welcome to the v2.0 party!
Goals / What to expect
Active Defense, Purple Teaming & DE
Linux DFIR Introduction
PurpleLabs Detection and Hunting Dashboard
General Course Flow Design
Private Virtual Machines
Shared Virtual Machines
PurpleLabs VM Robot Tool
EDRmetry Matrix
EDRmetry Matrix + HexStrike AI Integration
Why Linux as a target?
Linux Threat Landscape
Open Source Community
Recommended books
[ Changelog / Updates ]
Golden Rules - Before You Start Hands-on
Explore widely, think broadly
Enable Runtime Security/DFIR Agents
SOCKS Proxy or SSH Tunneling is required
KALI_X or C2_X?
TARGET_X - Kernel upgrade/downgrade
Multi-tab terminal
What is O- ?
"Don't" Policies
Troubleshooting
Defensive/DFIR Tooling
Host/Exploration of CLI tools
Host/Exploration of /proc
Host/Exploration of /sys
Host/Splunk Forwarder
Host/Falco Runtime Security
Host/Kunai Runtime Security
Host/Tetragon Runtime Security
Host/Tracee Runtime Security
Host/Jibril Runtime Security
Host/Elastic Security Agent
Host/Wazuh Agent
Host/Velociraptor Agent
Host/FleetDM OSquery Agent
Host/Sandfly Security
Host/Sysmon4Linux
Host/Syslog
Host/auditd
Host/Linux IR Scripts - SecureProbes
Host/UAC
Host/Ghostscan
Host/bpftrace
Host/LKRG
Host/SELinux
Host/Capa
Host/Yara / Yara-x Scanning
Network/Zeek NIDS
Network/Suricata NIDS
Network/WAF Modsecurity
Memory/Volatility3 Framework
Memory/Volatility2 Framework
Commercial Linux EDR/Security Products
Linux EDR Architecture
Introduction
What is Linux EDR engine?
How does Linux EDR work?
Core functionalities and key features
Visibility Events / Indexes / Data sources
Syscalls, Kernel Functions and Tracing Visibility
Detection logic / rulesets
Support for Sigma Rules
Engine Modes
Dashboards, Analytics & Query language
Response, Triage and Forensics
Deployment and Operations
Alerts / Incidents / Detections
Query Language
Linux EDR Telemetry Project
Linux MITRE ATT&CK Matrix
Introduction
Initial Access - TA0001
TA0001 - Introduction
EDR-T6261 - Remote UAF Exploitation - user
EDR-T6119 - Remote UAF Exploitation - root
EDR-T6354 - Remote UAF+Heap Overflow
EDR-T6062 - Kafka CVE-2023-25194
EDR-T6355 - Langflow API CVE-2025-3248
EDR-T6114 - ActiveMQ CVE-2023-46604
EDR-T6105 - Apache HTTP CVE-2021-41773
O-EDR-T6116 - Tomcat Upload Manager
EDR-T6110 - Solr Log4J JNDI CVE-2021-44228
EDR-T6233 - XZ Backdoor CVE-2024-3094
EDR-T6113 - Spring CVE-2022-22963
EDR-T6416 - React2shell - CVE-2025-55182
Execution - TA0002
TA0002 - Introduction
EDR-T6277 - Built-in System Tools Execution
EDR-T6041 - Execute binary listening from a hidden directory
Persistence - TA0003
TA0003 - Introduction
EDR-T6395 - LKM LibZeroEvil r00tme
EDR-T6394 - LKM Singularity Rootkit
EDR-T6100 - LKM Char Device + LPE
EDR-T6163 - LKM Reveng Rootkit
EDR-T6023 - LKM Diamorphine Rootkit
EDR-T6289 - LKM Ftrace Rootkit - Rebellion
EDR-T6161 - LKM BDS Ftrace Hooking Rootkit
EDR-T6154 - LKM Suterusu Rootkit
EDR-T6155 - LKM KoviD Rootkit
EDR-T6152 - eBPF Boopkit Rootkit
EDR-T6151 - eBPF TripleCross Rootkit
EDR-T6104 - SSHD Dummy Cipher Suite BYOT
EDR-T6235 - LD_PRELOAD Re-adding SSH key
O-EDR-T6327 - LD_PRELOAD Father Rootkit
EDR-T6422 - bdvl - Patch Dynamic Linker
EDR-T6423 - SSHD id_ed25519 Key Backdoor
EDR-T6170 - Cap_setuid over LD linker
EDR-T6139 - Python .pth Extensions
O-EDR-T6407 - Shadow SUID binfmt_misc
EDR-T6093 - Crontab root Backdoor
EDR-T6431 - Supervisor persistence
EDR-T6015 - Systemd Backdoor service
EDR-T6179 - Udev+atd C2 persistence
O-EDR-T6213 - Malicious RPM package
EDR-T6164 - PAM Sneaky Backdoor
EDR-T6144 - DNF Package Manager
EDR-T6051 - Modify core_pattern
EDR-T6347 - Nginx Shell Module
O-EDR-T6017 - HTTPD mod_backdoor
EDR-T6011 - PHP Webshells
Privilege Escalation - TA0004
TA0004 - Introduction
EDR-T6109 - LPE Socket Command Injection
EDR-T6360 - Huge pages Kernel UAF LPE
EDR-T6184 - PATH Hijacking
O-EDR-T6315 - Add SSH key via iptables-save
EDR-T6335 - sudo chroot CVE-2025-32463
EDR-T6147 - Docker Escape with socket+Chisel
EDR-T6417 - Docker Escape with core_pattern
EDR-T6187 - NFS SUID Escalation
EDR-T6230 - pkexec CVE-2021-4034
EDR-T6231 - DirtyPipe CVE-2022-0847 LPE
O-EDR-T6177 - MySQL UDF Command Exec
Defense Evasion - TA0005
TA0005 - Introduction
EDR-T6039 - File Transfer to a hidden directory
EDR-T6138 - Bash HTTP GET data with /dev/tcp
EDR-T6173 - Hackshell + OpenSSL download
EDR-T6340 - Python HTTP POST and Exec
O-EDR-T6363 - Base64 Payload inside ZIP
EDR-T6370 - Sneaky_remap + Ptrace() Process Injection in Rust + SSL/TLS callback
EDR-T6127 - dd+/proc/PID/mem Injection
EDR-T6256 - STOP/CONT Process Injection
EDR-T6108 - ASM Injection over /proc/PID/mem
EDR-T6037 - Python3 Fileless memfd_create
EDR-T6188 - Fileless Execution with memexec
EDR-T6171 - Easy Proc Name Masquerading
EDR-T6038 - Proc Name Masq with exec
EDR-T6140 - Proc Name Masq with prctl()
EDR-T6345 - Proc Masq with mount NS
EDR-T6046 - LD_PRELOAD Proc Hiding
EDR-T6053 - mount --bind process hiding
EDR-T6253 - eBPF Process Hider
EDR-T6107 - LKM Fileless Remote Loading
EDR-T6396 - LKM Hooking init_module
EDR-T6293 - LKM Disabling SELinux
EDR-T6282 - LKM Reset Yama ptrace_scope
EDR-T6167 - BOF Loading with BOF-Stager
EDR-T6067 - SSH notty session
EDR-T6133 - File immutable with chattr
EDR-T6089 - Bashrc File Hiding with ls Alias
O-EDR-T6078 - Execute tools via PRoot BYOF
Command and Control - TA0011
TA0011 - Introduction
EDR-T6123.023 - curlrevshell
EDR-T6123.008 - Revshell openssl+/dev/fd/3
EDR-T6123.004 - Revshell mkfifo+nc
EDR-T6123.022 - Oneshell - echo and chmod
EDR-T6123.015 - Revshell Python TLS
O-EDR-T6126.002 - Sliver C2 MTLS
EDR-T6126.013 - Sliver C2 HTTPS
O-EDR-T6126.007 - Sliver C2 DNS
O-EDR-T6126.011 - Sliver C2 TCP Pivots
EDR-T6212 - Emp3r0r HTTP2 AES Stager C2
EDR-T6317 - SOA/ECS DNS C2 Channel
EDR-T6115 - DNS Tunneling with dnscat2
O-EDR-T6409 - Venom C2
O-EDR-T6126.006 - Platypus C2
EDR-T6126.004 - Merlin HTTP2 C2
EDR-T6126.010 - Mythic C2 Deployment
O-EDR-T6126.003 - Mythic C2 Thanatos ELF
O-EDR-T6126.009 - Mythic C2 Medusa Python
O-EDR-T6126.005 - Mythic C2 Poseidon ELF
O-EDR-T6148 - XOR shell_reverse_tcp Loader
EDR-T6117 - UPX Reverse SSH server
EDR-T6123.017 - Shell over HTTP streams
Credential Access - TA0006
TA0006 - Introduction
EDR-T6242 - eBPF Spy on PAM with python3
EDR-T6199 - eBPF pamspy
EDR-T6012 - Sniff sshd with strace
EDR-T6415 - ptrace() ssh-inject
EDR-T6319 - Dump heap memory from Java
Discovery - TA0007
TA0007 - Introduction
EDR-T6225 - Execute "What Server"
EDR-T6040 - Execute LinPEAS from /dev/tcp
EDR-T6065 - /proc/PID/ Enumeration
EDR-T6251 - Process Snooping with pspy
EDR-T6280 - Find loaded eBPF programs/maps
EDR-T6218 - Linux VM Check via Hardware
EDR-T6204 - Read local file using curl
EDR-T6010 - Check my public IP
EDR-T6412 - DNS Reconnaissance
Lateral Movement - TA0008
TA0008 - Introduction
EDR-T6189 - Reverse SOCKS5 proxy
EDR-T6357 - Chisel Reverse Socks Proxy
EDR-T6255 - KCP - FRP Fast Reverse Proxy
EDR-T6404 - mTLS Reverse SOCKS5
O-EDR-T6387 - SOCKS5 over Tailscale
EDR-T6392 - Cloudflared Tunneling
EDR-T6131 - Hijacking SSH Client Session
O-EDR-T6364 - Hijacking ssh-agent session
EDR-T6057 - Execute Port Scanning
Exfiltration - TA0010
TA0010 - Introduction
EDR-T6120 - Python FTP Upload
EDR-T6180 - SMB Data Exfiltration
EDR-T6112 - NTP Data Exfiltration
EDR-T6137 - HTTP PUT method + transfer.sh
EDR-T6181 - Upload/download data over SSHFS
O-EDR-T6135 - Upload data over WebDAV
EDR-T6234 - pam_exec SSHD Exfiltration
O-EDR-T6103 - PAM creds over HTTP Post
O-EDR-T6168 - ICMP_exfil + nping
EDR-T6418 - LDAP Data Hiding - FreeIPA
Impact - TA0040
TA0040 - Introduction
O-EDR-T6063 - Ransomware C - lokpack
O-EDR-T6252 - Crypto Mining CPU stress
O-EDR-T6018 - Ransomware bash+openssl
Attack Flows & Combos
Introduction
Combo Flows
Attack Flow #1
Attack Flow #2
Attack Flow #3
Active Security Research
Extra Research
Linux Internals
LSM Sandboxes
eBPF
Exploitation
Kubernetes
Evasion / Bypassing techniques
Rootkits
Malware
OS Security Stacks
Memory Forensics
Fun
Syscalls, Kernel Functions and Tracing Visibility