Practical Linux Attack Paths and DFIR

Training Details

3-DAY TRAINING, 1-3 SEPTEMBER @ MEERVAART AMSTERDAM
TICKET PRICE: €1800 EX BTW


The “Practical Linux Attack Paths and DFIR/Hunting for Red and Blue Team” training has been created with a focus on realistic hands-on experience in analyzing user-space, kernel-space and eBPF Linux rootkits, covering recent Linux APT campaigns and C2 frameworks for Linux, with a focus on Sliver/Metasploit/Mythic overview and behavior versus hunting/DFIR tooling in the Linux ecosystem. Dive into the world of Linux attack paths, local and remote exploitation, process injection, process hiding, tunneling, network pivoting, and syscall hooking techniques. See hands-on how Linux malware and user-space/kernel-space (US/KS) rootkits work in the well-prepared PurpleLabs Cyber Range. Analyze and modify source code, find interesting behavior patterns in binaries and logs, learn what telemetry is needed to catch modern Linux threat actors, and find out how to proactively validate and improve detection coverage with step-by-step Linux adversary emulations. On top of that, run RAM acquisition of your VMs ‘on click’ and analyze the memory images with Volatility Framework 2/3 at any stage of the training. Purple teaming for life!

This training helps you create and understand low-level Linux attack paths, improve your Linux detection coverage, see many Open Source DFIR/defensive projects in action, and understand the need for Linux telemetry, especially on bare-metal hosts, VMs and Kubernetes clusters, where EDR/Runtime Security solutions are a must these days.

This course takes an “Attack vs. Detection” approach in a condensed format. This class is intended for students who have a basic understanding of Linux and have to deal with advanced threats. Furthermore, the course is also interesting for experienced DFIR/SOC/CERT players who aim to dig deeper into understanding Linux internals and the corresponding network attack analysis, detection, and response techniques.

Full access to the PurpleLabs environment for 30 days post-training and lifetime material access (240+ labs) with updates included!

Training Outline

  • Current Linux threat landscape.
  • Linux Appliances Exploitation Cases.
  • Purple teaming approach.
  • Threat Hunting vs Incident Response.
  • Linux MITRE ATT&CK Framework.
  • Linux EDR/Runtime Security products overview.
  • Basic Linux Investigation tools.
  • Hands-on Blue / DFIR components:
    • HOST:
      • Syslog, Auditd, Falco, Tracee, Sysdig, Sysmon4Linux, Velociraptor, OSQuery/Sunlight, Sandfly Security, CatScale, UAC, pspy, varc, rkhunter, Yara, LKRG, SELinux, Clamav, Jibril
    • NETWORK:
      • Zeek, Suricata, Arkime/Moloch FPC, Modsecurity
    • SIEM:
      • Elastic Security, Splunk, Graylog, Wazuh
  • Linux Baseline Profiling vs offensive look
  • Local / Remote Exploitation
  • C2 Frameworks / C2 shells / implants
  • Fileless / in-memory / BOF executions.
  • Process Injection techniques.
  • General rootkits behavior.
  • User space rootkits.
  • Kernel space rootkits.
  • eBPF rootkits.
  • Linux Memory Forensics with Volatility Framework.
  • Linux Incident Response Playbooks.
  • Create your own custom Linux attack path and hunting/IR procedure.

Key Learning Objectives

  • Get to know the newest Linux attack paths and hiding techniques vs proactive detection
  • Learn current trends, techniques, and offensive tools for Persistence, Evasion, Exfiltration, C2, Discovery, Lateral Movement, Execution, and Credential Access against Linux machines, mapped to the Linux matrix of the MITRE ATT&CK Framework
  • Learn ways to improve detection and sharpen your event correlation skills across many different Linux/network data sources
  • Get to know visibility/detection methods and capabilities of well-recognized Hunting and Detection tools including Velociraptor, Elastic Agent+Linux Sigma, Splunk, Moloch/Arkime, OSquery Fleet, Wazuh, Graylog, Sandfly Security
  • Find the malicious Linux activities and identify threat details on the network
  • Prepare your SOC team to quickly filter out Linux network noise and allow for better incident response handling
  • Find out how Detection / DFIR Open Source Software can support your SOC infrastructure
  • Understand the value of proactive Linux forensics scans versus manual and automated approaches to simulating attackers and generating anomalies
  • Identify Linux blind spots in your network security posture
  • Understand the value of the purple teaming approach where you hunt for yourself and your teammates

Benefits For Red/Blue/SecOps Teams

  • Understand the advantages and values of the purple teaming approach in the Linux red/blue ecosystem
  • Learn about the full scope of Linux offensive techniques, tools, and the newest community research 2024/2025
  • Learn about different detection/response tools and techniques vs attacks
  • Learn how to hide effectively in the Linux OS and how to exfiltrate data in stealthy ways
  • Learn how to deploy and use C2, low-level rootkits and see this reflected in the detection/DFIR tooling
  • Get code and command snippets ready to use during your red team and adversary operations/emulations
  • Get experience with Sigma Rules/Protections Artifacts for staying stealthier and improving your defense evasion skills at scale
  • See the effectiveness of Detection tooling vs attack emulations
  • Learn about the full scope of Linux Detection/Forensics techniques, tools, and the newest community research
  • This knowledge will change the way you look at hardening and monitoring your Linux ecosystems
  • Recognize security-related enhancements in the modern Linux kernel
  • Understand current kernel components and programming interfaces used to compromise a system
  • Discover recommended Open Source Security solutions against actual hands-on attacks

Prerequisites

Students should have knowledge of the following things:

  • Fundamentals of how Linux Architecture works is required
  • An intermediate level of Linux command-line syntax experience
  • Basic knowledge of TCP/IP network protocols
  • Offensive Security/Penetration testing experience will definitely be beneficial, but is not required
  • Basic programming skills are a plus and are essential

Hardware & Software requirements

  • This training is based on dedicated PurpleLABS virtual infrastructure so there are no special student desktop requirements. No more initial setup issues, just a pure training experience. Every student will gain full access to the PurpleLabs environment for 30 days post-training.
  • A VPN client installed according to the VPN Setup instructions, or just a browser
  • A Discord account, as an invite to a dedicated training channel will be delivered

LESZEK MIS


Security Researcher/CEO at Defensive-Security.com, providing Open Source cybersecurity services including Red Team adversary emulations, Blue Team detection coverage testing, EDR effectiveness validation, Incident/DFIR support, courses, advanced workshops and high-quality knowledge transfer. Over 20 years of hands-on experience in Linux Red/Blue. My areas of interest include development of multi-stage attack paths mapped to MITRE ATT&CK, multi-level detection paths known as detection engineering, Linux/network-related ML feature extraction, Linux internals with a focus on KS/eBPF rootkits, DE, log/memory analysis, threat hunting and exploration of new offensive techniques in Linux/Kubernetes in relation to DFIR/detection/protection techniques.