Linux Attack, Detection and Live Forensics + 90 Days PurpleLabs Access
Buy now
Learn more
Course Mindmap.png
Linux Detection and Forensics Cheatsheet v0.4.pdf
00. PurpleFlows Rapid Track
PurpleFlow#1
01. PurpleLabs Cyber Range Navigation
Welcome to PurpleLABS!
PurpleLabs Detection and Hunting Dashboard
PurpleLabs Components - Helicopter View
Data sources and SIEM/DFIR components
Your Virtual Machines
PurpleLabs Network Architecture
PurpleLabs VM Robot Tool
Troubleshooting
Rules and policies
Technical Support Service
Open Source Community
Changelog
Threat Detection and Hunting with PurpleLabs #1
Threat Detection and Hunting with PurpleLabs #2
02. Introduction to the course
About the course
Best strategy for taking the course
Why Linux as a target?
Current Linux threat landscape (2022/2023/2024/2025)
Linux Appliances Exploitation Cases
Active Defense
Purple teaming approach
Threat Hunting vs Incident Response
Linux MITRE ATT&CK
Linux EDR/Security Products
Recommended books
03. Blue/DFIR Components: SIEM
SIEM/Elastic Security
SIEM/Splunk
SIEM/Graylog
SIEM/Wazuh
Sigma Rules Hands-on Introduction
Protections Artifacts from Elastic
SIEM/HELK introduction [RETIRED]
04. Blue/DFIR Components: HOST
Host/Syslog
Host/Journal
Host/Auditd
Host/Falco Runtime Security
Host/Tracee Syscall Tracing
Host/Argus Runtime Security
Host/Kunai Runtime Security
Host/Sysdig Syscall tracing
Host/Sysmon4Linux
Host/Velociraptor
Host/Kolide OSQuery
Host/FleetDM OSquery
Host/Sandfly
Host/Wazuh
Host/Sunlight
Host/Sunlight IR_Executor
Host/CatScale
Host/UAC
Host/varc
Host/rkhunter & chkrootkit
Host/Yara Scanning
Host/Capa
Host/LKRG
Host/SELinux
Host/Clamav
Host/Entropyscan vs ELFCrypt
Host/BPFMon
Host/bpftrace
05. Blue/DFIR Components: NETWORK
Network/Zeek
Network/Zeek JA4
Network/Suricata
Network/Arkime Full Packet Capture
Network/Forward Proxy Squid SSL Decryption
Network/WAF Modsecurity
Network/RITA
Network/Elastiflow [RETIRED]
06. Establishing baseline vs Attack Vectors
Basic Linux Investigation tools
Process names
Process arguments
Parent-child process relationship
/proc exploration
/sys exploration
sysctl
Linker / LD_PRELOAD
Linux Kernel Modules
LKM Off
Dmesg
eBPF programs
DNS Settings
Network profiling
Open Ports
iptables
At / cron / systemd timers
Users
Shell Configuration
Initialization scripts / systemd
Special File Attributes
File Hashing / checksums
OS / application logging behavior
SSH keys
Linux namespaces
Linux Capabilities
07. Linux Memory Forensics
Linux Report Sections
Building Volatility 2 Linux Profiles
Building Volatility 3 ISF JSON
Memory Acquisition
Forensics with Volatility2
Forensics with Volatility 3
Fileless plugin
BPF plugins
08. Linux Shells / C2 Implants
Python TLS/SSL Reverse Shell
Sliver C2 Setup
Sliver Transports and Pivoting
Sliver in details
Meterpreter Setup
Sliver to Meterpreter Sideload
Meterpreter shell_to_meterpreter
TLS/sniCAT
Merlin Setup
Merlin Transports
Merlin libprocesshider
DNS/AXFR Payload Delivery
DNS/dnscat2
ICMP-based C2 and Exfiltration
Port knocking
Hidden NTP Exfiltration
FreeIPA LDAP as Hidden Storage
DNS/Weasel AAAA [RETIRED]
09. Tunnels / pivots / redirectors
SSH Socks Proxy
SSH Tunneling
Reverse SSH
Shootback Protocol Tunneling
SSHimpanzee
FRP Fast Reverse Proxy
Global Socket
socat
Chisel
ngrok
10. Incident Response
DFIR basics
DFIR Preparation
Linux IR Investigation
IR Playbooks
IRIS Introduction
11. Default Targets Exploitation & Detection
Reverse Shell / Backdoor payloads
File transfers
Apache Tomcat
Apache HTTP CVE-2021-41773
NFS no_root_squash
Dirty Pipe CVE-2022-0847
pkexec CVE-2021-4034
CVE-2022-2588
GameOver(lay) CVE-2023-2640/CVE-2023-32629
Spring Cloud Function CVE-2022-22963
Solr Log4j CVE-2021-44228
Kafka CVE 2023-25194
ActiveMQ CVE-2023-46604
XZ / liblzma backdoor CVE-2024-3094
Samba / CIFS + SSH Honey Key
Weblogic SSRF
Wordpress RCE
OWASP Juice Shop
SSH Brute force
Docker escape
Exiftool CVE-2021-22204
Remote Heap Exploitation
Attack Emulation: Atomic Operator
Attack Emulation: Panix
12. Linux Rootkits for Red and Blue Teams
Evaluation of Linux Rootkits and Detection INTRO SLIDES - Practical Linux Rootkits for Red and Blue .pdf
eBPF SLIDES - Practical Linux Rootkits for Red and Blue .pdf
Linux System calls
General Linux rootkits behavior
[US] Rootkits: Shared Library Injection
[US] Rootkits: Hide SSH key with ld.so.preload
[US] Rootkits: Oh my Father!
[US] Rootkits: Sneaky Bedevil
[US] Rootkits: Socket Command Injection
[US] ELF injection with ptrace()
[US] ELF injection without ptrace()
[US] Proxy execution with DDexec
[US] In-memory execution with memrun
[US] memfd_vs_no_exec
[US] memexec + XOR Loader
[US] Fileless Scripting Execution
[US] Rootkits: Dynamic Linker Preloading
[US] Rootkits: Zombie Ant Farm Pypreloader
[US] MSF Shellcode from bash
[US] Rootkits: sshd injection
[US] Rootkits: sshd dummy cipher suite
[US] PAM-based Rootkits #1
[US] PAM-based Rootkits #2
[US] PAM-based Rootkits #3
[US] Python .pth Extension
[US] Yum/RPM Persistence
[US] Udev persistence
[US] Rootkits: Apache mod_authg
[US] Rootkits: HTTPD mod_backdoor
[US] Webshells: SOCKS from JSP
[US] Webshells: meterphp
[US] Linux Process Snooping
[US] Capturing SSH with strace
[US] Hiding process with bind mounts
[US] Beacon Object File (BOF) Stager
[KS] Rootkits: Usermode Helper on ICMP
[KS] Rootkits: In-Memory LKM Loading
[KS] Rootkits: Diamorphine
[KS] Rootkits: Reptile Analysis
[KS] Rootkits: Suterusu Analysis
[KS] Rootkits: Reveng_rtkit Analysis
[KS] Rootkits: Registering Char Device
[KS] Rootkits: iptables evil bit
[KS] Rootkits: systemtap creds() upgrade
[KS] Rootkits: Netfilter hooking #1
[KS] Rootkits: xt_conntrack.ko Infection
[KS] Rootkits: Ftrace Hooking #1
[KS] Rootkits: Ftrace Hooking #2
[KS] Rootkits: BDS Ftrace Hooking #3
[KS] Rootkits: Bad-bpf trip
[KS] Rootkits: Offensive bpftrace
[KS] Rootkits: eBPF hooking / TripleCross
[KS] Sniffer: eBPF SSL/TLS text capturing
[KS] Rootkits: eBPF Raw Tracepoint Interception
[KS] Sniffer: eBPF PAM creds stealing
[KS] Rootkits: eBPF KoviD Analysis
[KS] Rootkits: eBPF Boopkit Analysis
[KS] Rootkits: eBPF Hiding with nysm
[KS] Rootkits: eBPF bpfdoor
[KS] Rootkits: ebpfkit Analysis
[KS/US] Backdooring Initramfs
[ELF] Kiteshield Anti Forensics
[KS] Randomized Faulter [RETIRED]
[KS] Rootkits: XDP-UDP-Backdoor [RETIRED]
13. Active Security Research
Active Research
Rootkits: Syscall hooking
Linux Incident Response
In-memory Execution
Evasion / Bypassing techniques
OS Security Stacks
Exploitation
Memory Forensics
Linux Internals
LSM/Sandboxes
eBPF
Anti-Forensics
Tunneling/Proxying
Malware
Fun
Products
Course
Section
Lesson
[US] Beacon Object File (BOF) Stager
[US] Beacon Object File (BOF) Stager
Linux Attack, Detection and Live Forensics + 90 Days PurpleLabs Access
Buy now
Learn more
Course Mindmap.png
Linux Detection and Forensics Cheatsheet v0.4.pdf
00. PurpleFlows Rapid Track
PurpleFlow#1
01. PurpleLabs Cyber Range Navigation
Welcome to PurpleLABS!
PurpleLabs Detection and Hunting Dashboard
PurpleLabs Components - Helicopter View
Data sources and SIEM/DFIR components
Your Virtual Machines
PurpleLabs Network Architecture
PurpleLabs VM Robot Tool
Troubleshooting
Rules and policies
Technical Support Service
Open Source Community
Changelog
Threat Detection and Hunting with PurpleLabs #1
Threat Detection and Hunting with PurpleLabs #2
02. Introduction to the course
About the course
Best strategy for taking the course
Why Linux as a target?
Current Linux threat landscape (2022/2023/2024/2025)
Linux Appliances Exploitation Cases
Active Defense
Purple teaming approach
Threat Hunting vs Incident Response
Linux MITRE ATT&CK
Linux EDR/Security Products
Recommended books
03. Blue/DFIR Components: SIEM
SIEM/Elastic Security
SIEM/Splunk
SIEM/Graylog
SIEM/Wazuh
Sigma Rules Hands-on Introduction
Protections Artifacts from Elastic
SIEM/HELK introduction [RETIRED]
04. Blue/DFIR Components: HOST
Host/Syslog
Host/Journal
Host/Auditd
Host/Falco Runtime Security
Host/Tracee Syscall Tracing
Host/Argus Runtime Security
Host/Kunai Runtime Security
Host/Sysdig Syscall tracing
Host/Sysmon4Linux
Host/Velociraptor
Host/Kolide OSQuery
Host/FleetDM OSquery
Host/Sandfly
Host/Wazuh
Host/Sunlight
Host/Sunlight IR_Executor
Host/CatScale
Host/UAC
Host/varc
Host/rkhunter & chkrootkit
Host/Yara Scanning
Host/Capa
Host/LKRG
Host/SELinux
Host/Clamav
Host/Entropyscan vs ELFCrypt
Host/BPFMon
Host/bpftrace
05. Blue/DFIR Components: NETWORK
Network/Zeek
Network/Zeek JA4
Network/Suricata
Network/Arkime Full Packet Capture
Network/Forward Proxy Squid SSL Decryption
Network/WAF Modsecurity
Network/RITA
Network/Elastiflow [RETIRED]
06. Establishing baseline vs Attack Vectors
Basic Linux Investigation tools
Process names
Process arguments
Parent-child process relationship
/proc exploration
/sys exploration
sysctl
Linker / LD_PRELOAD
Linux Kernel Modules
LKM Off
Dmesg
eBPF programs
DNS Settings
Network profiling
Open Ports
iptables
At / cron / systemd timers
Users
Shell Configuration
Initialization scripts / systemd
Special File Attributes
File Hashing / checksums
OS / application logging behavior
SSH keys
Linux namespaces
Linux Capabilities
07. Linux Memory Forensics
Linux Report Sections
Building Volatility 2 Linux Profiles
Building Volatility 3 ISF JSON
Memory Acquisition
Forensics with Volatility2
Forensics with Volatility 3
Fileless plugin
BPF plugins
08. Linux Shells / C2 Implants
Python TLS/SSL Reverse Shell
Sliver C2 Setup
Sliver Transports and Pivoting
Sliver in details
Meterpreter Setup
Sliver to Meterpreter Sideload
Meterpreter shell_to_meterpreter
TLS/sniCAT
Merlin Setup
Merlin Transports
Merlin libprocesshider
DNS/AXFR Payload Delivery
DNS/dnscat2
ICMP-based C2 and Exfiltration
Port knocking
Hidden NTP Exfiltration
FreeIPA LDAP as Hidden Storage
DNS/Weasel AAAA [RETIRED]
09. Tunnels / pivots / redirectors
SSH Socks Proxy
SSH Tunneling
Reverse SSH
Shootback Protocol Tunneling
SSHimpanzee
FRP Fast Reverse Proxy
Global Socket
socat
Chisel
ngrok
10. Incident Response
DFIR basics
DFIR Preparation
Linux IR Investigation
IR Playbooks
IRIS Introduction
11. Default Targets Exploitation & Detection
Reverse Shell / Backdoor payloads
File transfers
Apache Tomcat
Apache HTTP CVE-2021-41773
NFS no_root_squash
Dirty Pipe CVE-2022-0847
pkexec CVE-2021-4034
CVE-2022-2588
GameOver(lay) CVE-2023-2640/CVE-2023-32629
Spring Cloud Function CVE-2022-22963
Solr Log4j CVE-2021-44228
Kafka CVE 2023-25194
ActiveMQ CVE-2023-46604
XZ / liblzma backdoor CVE-2024-3094
Samba / CIFS + SSH Honey Key
Weblogic SSRF
Wordpress RCE
OWASP Juice Shop
SSH Brute force
Docker escape
Exiftool CVE-2021-22204
Remote Heap Exploitation
Attack Emulation: Atomic Operator
Attack Emulation: Panix
12. Linux Rootkits for Red and Blue Teams
Evaluation of Linux Rootkits and Detection INTRO SLIDES - Practical Linux Rootkits for Red and Blue .pdf
eBPF SLIDES - Practical Linux Rootkits for Red and Blue .pdf
Linux System calls
General Linux rootkits behavior
[US] Rootkits: Shared Library Injection
[US] Rootkits: Hide SSH key with ld.so.preload
[US] Rootkits: Oh my Father!
[US] Rootkits: Sneaky Bedevil
[US] Rootkits: Socket Command Injection
[US] ELF injection with ptrace()
[US] ELF injection without ptrace()
[US] Proxy execution with DDexec
[US] In-memory execution with memrun
[US] memfd_vs_no_exec
[US] memexec + XOR Loader
[US] Fileless Scripting Execution
[US] Rootkits: Dynamic Linker Preloading
[US] Rootkits: Zombie Ant Farm Pypreloader
[US] MSF Shellcode from bash
[US] Rootkits: sshd injection
[US] Rootkits: sshd dummy cipher suite
[US] PAM-based Rootkits #1
[US] PAM-based Rootkits #2
[US] PAM-based Rootkits #3
[US] Python .pth Extension
[US] Yum/RPM Persistence
[US] Udev persistence
[US] Rootkits: Apache mod_authg
[US] Rootkits: HTTPD mod_backdoor
[US] Webshells: SOCKS from JSP
[US] Webshells: meterphp
[US] Linux Process Snooping
[US] Capturing SSH with strace
[US] Hiding process with bind mounts
[US] Beacon Object File (BOF) Stager
[KS] Rootkits: Usermode Helper on ICMP
[KS] Rootkits: In-Memory LKM Loading
[KS] Rootkits: Diamorphine
[KS] Rootkits: Reptile Analysis
[KS] Rootkits: Suterusu Analysis
[KS] Rootkits: Reveng_rtkit Analysis
[KS] Rootkits: Registering Char Device
[KS] Rootkits: iptables evil bit
[KS] Rootkits: systemtap creds() upgrade
[KS] Rootkits: Netfilter hooking #1
[KS] Rootkits: xt_conntrack.ko Infection
[KS] Rootkits: Ftrace Hooking #1
[KS] Rootkits: Ftrace Hooking #2
[KS] Rootkits: BDS Ftrace Hooking #3
[KS] Rootkits: Bad-bpf trip
[KS] Rootkits: Offensive bpftrace
[KS] Rootkits: eBPF hooking / TripleCross
[KS] Sniffer: eBPF SSL/TLS text capturing
[KS] Rootkits: eBPF Raw Tracepoint Interception
[KS] Sniffer: eBPF PAM creds stealing
[KS] Rootkits: eBPF KoviD Analysis
[KS] Rootkits: eBPF Boopkit Analysis
[KS] Rootkits: eBPF Hiding with nysm
[KS] Rootkits: eBPF bpfdoor
[KS] Rootkits: ebpfkit Analysis
[KS/US] Backdooring Initramfs
[ELF] Kiteshield Anti Forensics
[KS] Randomized Faulter [RETIRED]
[KS] Rootkits: XDP-UDP-Backdoor [RETIRED]
13. Active Security Research
Active Research
Rootkits: Syscall hooking
Linux Incident Response
In-memory Execution
Evasion / Bypassing techniques
OS Security Stacks
Exploitation
Memory Forensics
Linux Internals
LSM/Sandboxes
eBPF
Anti-Forensics
Tunneling/Proxying
Malware
Fun
Lesson unavailable
Please
login to your account
or
buy the course
.