Training Details
3-DAY TRAINING, 1-3 JUNE @ MEERVAART AMSTERDAM
TICKET PRICE: €1900 EX BTW
This course is about the full scope of Linux offensive techniques in the format of search-copy-paste-run blocks of code vs active detection, hunting, and DFIR tooling in the Linux ecosystem. 100% Linux Purple Teaming for life!
The "Practical Linux Attack Paths and DFIR/Hunting for Red and Blue Team v2.0" training, often called "Modern Linux Purple Teaming Exercises", has been created with a focus on realistic hands-on experience in analyzing user space, kernel space and eBPF Linux rootkits, covering recent persistence and defense evasion techniques and C2 behaviors vs active detection, hunting and DFIR tooling in the Linux ecosystem. The entire material is based on a custom EDRmetry Linux Matrix (400+ offensive techniques), a central hands-on Linux knowledge base in the friendly search-copy-paste-run format. The hunting, detection, and forensics layers are modular and stackable, allowing you to build your own detection paths as required in detection engineering and incident handling procedures.
In today's Linux threat landscape, enterprises face increasingly sophisticated, targeted attacks. To effectively combat these threats, we must enhance our ability to detect malicious activity, inform threat-hunting processes, and understand attacker behavior.
Dive into the world of modular Linux attack paths, local and remote exploitation, process injection, process hiding, network tunnelling/pivoting, data exfiltration, and syscall hooking techniques. Get hands-on experience of how Linux malware and user space/kernel space (US/KS) rootkits work in the well-prepared PurpleLabs Cyber Range. Analyze and modify source code, find interesting behavior patterns in binaries and logs, determine which telemetry is needed to catch modern Linux threat actors, and find out how to proactively validate and improve EDR/SOAR/SIEM detection coverage with step-by-step Linux adversary emulations. On top of that, run RAM acquisition of your VMs 'on click' and analyze the memory images with Volatility Framework 3 at any stage of the training. 100% Purple Teaming structure and an exclusively hands-on delivery style.
This training helps you create and understand low-level Linux attack paths, improve your Linux detection coverage, see many Open Source DFIR/defensive projects in action, and understand the need for Linux telemetry across bare-metal hosts, VMs, and Kubernetes clusters, where EDR/Runtime Security solutions are a must these days.
This course takes an "Attack-Detection-Inspection-Response" approach in a condensed, modular format. The class is dedicated to students with a basic understanding of Linux who must deal with advanced threats. It is also interesting for experienced DFIR/SOC/CERT practitioners who aim to deepen their understanding of Linux internals and the corresponding network attack analysis, detection, and response techniques.
As new questions about the evolving threat landscape arise, the training content and approach serve as your dynamic, centralized knowledge base for navigating the offensive Linux threat ecosystem with confidence, set against the corresponding detection opportunities and DFIR.
Full access to the PurpleLabs environment for 30 days post-training and lifetime material access with updates included!
Training Outline
- 1. Current Linux threat landscape.
- 2. Purple teaming approach and Active Defense.
- 3. Linux MITRE ATT&CK Framework.
- 4. Understanding Linux EDR/Runtime Security Architecture:
  - Core functionalities and key features
  - Visibility events/indexes/data sources
  - Detection logic/rulesets
  - Analytics / Query language
  - Triage and Forensics collections
  - Deployment and Integrations
- 5. Basic Linux Investigation tools.
- 6. Hands-on Blue / DFIR components:
  - HOST: Syslog, Auditd, Falco, Kunai, Jibril, Tetragon, Tracee, Sysmon4Linux, Velociraptor, OSQuery/Sunlight, Sandfly Security, Linux IR Scripts, UAC, Yara, LKRG, SELinux, and more.
  - NETWORK: Zeek, Suricata, Arkime/Moloch FPC, Modsecurity
  - SIEM: Elastic Security, Splunk, Wazuh
  - MEMORY: Volatility3 Framework, process dumping, gdb
- 7. Linux Baseline Profiling vs Offensive point of view.
- 8. Local / Remote Exploitation.
- 9. C2 Frameworks / C2 shells / implants / SOCKS / Tunnelling.
- 10. Fileless / in-memory / BOF executions.
- 11. Process Injection techniques.
- 12. Persistence and Defense Evasion techniques.
- 13. Linux rootkits' features and general behavior.
- 14. User space rootkits.
- 15. Kernel space rootkits.
- 16. eBPF rootkits.
- 17. Creating Custom Attack Paths with ATT&CK Flow Builder and EDRmetry Linux Playbook.
By the end of this training, you'll know how to make informed decisions about Linux security coverage and have a methodology for evaluating your own cybersecurity readiness. This practical approach will equip you with the skills to enhance your organization's defense against Linux advanced persistent threats. The course also includes techniques and ideas for bypassing individual Runtime/EDR engines or specific components, news, research notes, tons of external links, and important updates.
Prerequisites
Students should have the following knowledge:
- Fundamentals of Linux architecture (required)
- An intermediate level of experience with Linux command-line syntax
- Basic knowledge of TCP/IP network protocols
- Offensive Security/Penetration testing experience is beneficial, but not required
- Basic programming skills are a plus and are strongly recommended
Hardware & Software requirements
- This training is based on dedicated PurpleLabs virtual infrastructure, so there are no special student desktop requirements. No more initial setup issues, just a pure training experience. Every student will gain full access to the PurpleLabs environment for 30 days post-training.
- A VPN client installed according to the VPN Setup instructions, or just a browser.
- A Discord account, as an invite to a dedicated training channel will be delivered.
LESZEK MIS
Security Researcher/CEO at Defensive-Security.com, providing Open Source cybersecurity services including Red Team adversary emulations, Blue Team detection coverage testing, EDR effectiveness validation, Incident/DFIR support, advanced workshops, and high-quality knowledge transfer. Over 20 years of hands-on experience in Linux Red/Blue. My areas of interest include the development of multi-stage attack paths mapped to MITRE ATT&CK, multi-level detection paths known as detection engineering, Linux/network-related ML feature extraction, Linux internals with a focus on KS/eBPF rootkits, DE, log/memory analysis, threat hunting, and the exploration of new offensive techniques in Linux/Kubernetes in relation to DFIR/detection/protection techniques.