Linux Attack and Live Forensics At Scale MATERIALS-ONLY
Course Mindmap - Linux Attack and Forensics Inspection at scale (image)
PurpleLABS Cyber Range Network Architecture
0x01. PurpleLabs Hunting Components Dashboard
PurpleLabs Dashboard
PurpleLabs Components - Helicopter View
0x02. PurpleLabs User Setup Overview
Welcome to PurpleLABS!
Open Source Community
Network Addressing
Your Virtual Machines
Data sources and SIEM/DFIR components
Troubleshooting
Rules and policies
Threat Detection and Hunting with PurpleLabs #1
Threat Detection and Hunting with PurpleLabs #2
0x03. PurpleLabs Default Targets
Reverse Shell / Backdoor payloads
File transfers
Apache Tomcat
Apache HTTP CVE-2021-41773
NFS no_root_squash
Dirty Pipe CVE-2022-0847
pkexec CVE-2021-4034
CVE-2022-2588
CVE-2022-22963: Spring Cloud Function RCE
Solr Log4j
Samba / CIFS
Weblogic SSRF
SSH Brute force
Docker escape
Exiftool CVE-2021-22204
Remote Heap Exploitation
Attack emulation: Red Canary Atomics against your VMs
0x04. Blue/DFIR Components: SIEM
SIEM/HELK introduction
SIEM/HELK Data sources
SIEM/Splunk introduction
SIEM/Splunk Data sources
SIEM/Graylog introduction
SIEM/Graylog Data sources
SIEM/Wazuh Data Sources
0x05. Blue/DFIR Components: HOST
Host/Syslog
Host/Auditd
Host/Falco Runtime Security
Host/Tracee Syscall Tracing
Host/Sysdig Syscall Tracing
Host/Sysmon4Linux
Host/Velociraptor
Host/osquery
Host/Sandfly
Host/Wazuh
Host/CatScale
Host/UAC
Host/varc
Host/rkhunter
Host/Yara Scanning
Host/LKRG
Host/SELinux
Host/ClamAV
0x06. Blue/DFIR Components: NETWORK
Network/Zeek
Network/Suricata
Network/Arkime Full Packet Capture
Network/Forward Proxy Squid SSL Decryption
Network/WAF ModSecurity
0x07. Introduction to the course
About the course
Why Linux as a target?
Current Linux threat landscape (2022/2023)
Linux Appliances Exploitation Cases
Purple teaming approach
Threat Hunting vs Incident Response
Linux MITRE ATT&CK
Linux EDR/Security Products
DFIR basics
DFIR Preparation
Basic TCP/IP stack
Basic Linux Investigation tools
General rootkits behavior
Recommended books
0x08. Establishing baseline vs Attack Vectors
Process names
Process arguments
Parent-child process relationship
/proc/ exploration
sysctl
Linker / LD_PRELOAD
Linux Kernel Modules
LKM Off
DNS Settings
Network profiling
Open Ports
iptables
At / cron / systemd timers
Users
Shell Configuration
Initialization scripts
Special File Attributes
File Hashing / checksums
OS / application logging behavior
SSH keys
Linux namespaces
0x09. Rule-based Linux Log Analysis
Sigma Rules Hands-on Introduction
Protections Artifacts from Elastic
Detection Rules from Elastic
0x0a. Linux Memory forensics
Linux Report Sections
Building Volatility 2 Linux Profiles
Building Volatility 3 ISF JSON
Memory Acquisition
Forensics with Volatility 2
Forensics with Volatility 3
Fileless plugin
0x0b. Linux Shells / C2 Implants
Sliver C2 Setup
Sliver Transports and Pivoting
Sliver in detail
Meterpreter Setup
Sliver to Meterpreter Sideload
Meterpreter shell_to_meterpreter
TLS/sniCAT
Merlin Setup
Merlin Transports
Merlin libprocesshider
DNS/AXFR Payload Delivery
DNS/Weasel
DNS/dnscat2
ICMP-based C2 and Exfiltration
Port knocking
0x0c. Tunnels / pivots / redirectors
SSH Socks Proxy
SSH Tunneling
Reverse SSH
Shootback Protocol Tunneling
SSHimpanzee
socat
Chisel
ngrok
0x0d. Incident response
IRIS Introduction
IR Playbooks
0x0e. Linux ATTACK/Detection Analysis
Evaluation of Linux Rootkits and Detection - INTRO SLIDES (Practical Linux Rootkits for Red and Blue, PDF)
eBPF SLIDES (Practical Linux Rootkits for Red and Blue, PDF)
[US] Rootkits: Shared Library Injection
[US] Rootkits: Oh my Father!
[US] Rootkits: Socket Command Injection
[US] ELF injection with ptrace()
[US] ELF injection without ptrace()
[US] Proxy execution with DDexec
[US] In-memory execution with memrun
[US] memfd_vs_no_exec
[US] Fileless Scripting Execution
[US] Rootkits: Dynamic Linker Preloading
[US] Rootkits: Zombie Ant Farm Pypreloader #1
[US] MSF Shellcode from bash
[US] Rootkits: sshd injection
[US] Rootkits: sshd dummy cipher suite
[US] PAM-based Rootkits #1
[US] PAM-based Rootkits #2
[US] PAM-based Rootkits #3
[US] Yum/RPM Persistence
[US] Rootkits: Apache mod_authg
[US] Rootkits: HTTPD mod_backdoor
[US] Webshells: SOCKS from JSP
[US] Webshells: meterphp
[US] Webshells: slopshell
[KS] Rootkits: Usermode Helper on ICMP
[KS] Rootkits: In-Memory LKM Loading
[KS] Rootkits: Reptile Analysis
[KS] Rootkits: Suterusu Analysis
[KS] Rootkits: Reveng_rtkit Analysis
[KS] Rootkits: iptables evil bit
[KS] Rootkits: systemtap creds() upgrade
[KS] Rootkits: Netfilter hooking #1
[KS] Rootkits: xt_conntrack.ko Infection
[KS] Rootkits: Ftrace Hooking #1
[KS] Rootkits: bad-bpf trip
[KS] Rootkits: XDP-UDP-Backdoor
[KS] Rootkits: eBPF hooking / TripleCross
[KS] Rootkits: eBPF SSL/TLS text capturing
[KS] Rootkits: eBPF Raw Tracepoint Interception
[KS] Rootkits: eBPF PAM creds stealing
[KS] Rootkits: eBPF KoviD Analysis
[KS] Rootkits: eBPF bpfdoor
[KS] Rootkits: ebpfkit Analysis
[KS] Randomized Faulter [RETIRED]
0x0f. Changelog
Changelog
0x10. Active Security Research
Active Research
Rootkits: Syscall hooking
Linux Incident Response
In-memory Execution
Evasion / Bypassing techniques
Exploitation
Memory Forensics
Linux Internals
[US] PAM-based Rootkits #3