Practical Linux Attack Paths and Hunting for Red and Blue Team (16–18 Sept 2024)
Dive into the world of Linux attack paths, local and remote exploitation, process injection, process hiding, tunneling, network pivoting, and syscall hooking
techniques. See hands-on how Linux malware, userspace, and kernel space rootkits work in well-prepared Detection PurpleLabs Cyber Range, analyze and modify the source codes, find interesting behavior patterns in binaries and logs, learn what telemetry is needed to catch modern Linux threat actors, and find how to proactively validate and improve detection coverage with step-by-step Linux adversary emulations. On top of that, run your VMs RAM acquisition ‘on click’ and analyze memory images with Volatility Framework 2/3 at any stage of the course.
This training is a walkthrough of the Open Source Linux offensive and defensive techniques and tooling in 2023/2024 that allows for chaining these TTPs together and understanding better the threat ecosystems in Linux. I trust this training compilation and hands-on experience will change the way you look at hardening and low-level monitoring of your critical Linux-based ecosystems.
This course takes on An “Attack vs. Detection” approach in a condensed format. This class is intended for students who have a basic understanding of Linux and have to deal with advanced threats. Furthermore, the course is also interesting for experienced DFIR/SOC/CERT Players who aim to dig deeper into understanding Linux internals and corresponding network attack analysis techniques, detection, and response.If you want to enhance your understanding of Linux x86/x64 internals and stay prepared for Linux threats, this training is a must-attend!
The course will be cancelled if minimum numbers are not reached so book early to avoid disappointment.
Presented by: Leszek Miś
“Practical Linux Attack Paths and Hunting for Red and Blue Team” training has been created with a focus on realistic hands-on experience in analyzing user space and kernel space Linux rootkits, including recent Linux APT campaigns, C2 frameworks for Linux with a focus on Sliver/Metasploit overview/behavior vs hunting/DFIR tooling in Linux ecosystem. This training helps create and understand low-level Linux attack paths, improve your Linux detection coverage, see in action many Open Source DFIR/defensive projects, and understand the need for Linux telemetry, especially including Docker/Kubernetes clusters where Runtime Security solutions are a must these days. The techniques and attack paths covered in this training include many different implementations of loading LKM remotely, eBPF, XDP, FTRACE, KPROBE, UPROBE, NETFILTER, SYSTEMTAP, PAM, SSHD, HTTPD/NGINX, LD_PRELOAD-based code samples and PoCs. Detection and forensics layers include LKRG, BPFTOOL, VELOCIRAPTOR IR, OSQUERY, Elastic Security, cli-based /proc/ and /sys/ analysis, memory forensics with VOLATILITY FRAMEWORK with the semi-automated RAM acquisition, SYSMON4Linux, FALCO, TRACEE, SYSDIG, TETRAGON, SANDFLY SECURITY, ZEEK, SURICATA, MOLOCH/ARKIME, YARA and more.
During the training, we are going to make a custom combo of both red and blue parts and we will achieve that by utilizing an Attack Flow Builder, Defender, Workbench, and Navigator for a structured format of training suitable for production uses immediately after the course.
We will actively discuss and play with a set of real Linux offensive use cases vs detection/forensics view. The hands-on content has been divided into user-space and kernel-space sub-sections. When you are done, dig deeper and create your own custom attack paths, then improve your detection coverage. Purple teaming for life!
- Current Linux threat landscape
- Linux Appliances Exploitation Cases
- Purple teaming approach
- Threat Hunting vs Incident Response
- Linux MITRE ATT&CK
- Linux EDR/Security Products
- Basic Linux Investigation tools
- General rootkits behavior
- Hands-on Blue / DFIR components:
- HOST:
- Host/Syslog
- Host/Auditd
- Host/Falco Runtime Security
- Host/Tracee Syscall Tracing
- Host/Sysdig Syscall tracing
- Host/Sysmon4Linux
- Host/Velociraptor
- Host/OSQuery FleetDM + osquery-defence-kit
- Host/Sandfly Security
- Host/Wazuh
- Host/CatScale
- Host/UAC
- Host/pspy
- Host/varc
- Host/rkhunter
- Host/Yara FS/memory Scanning
- Host/LKRG
- Host/SELinux
- Host/Clamav
- Host/Entropyscan
- NETWORK:
- Network/Zeek
- Network/Suricata
- Network/Arkime Full Packet Capture
- Network/Forward Proxy Squid SSL Decryption
- Network/WAF Modsecurity
- SIEM:
- SIEM/Elastic Security introduction
- SIEM/Elastic Security Data sources
- SIEM/Splunk introduction
- SIEM/Splunk Data sources
- SIEM/Graylog intro
- SIEM/Graylog Data sources
- SIEM/Wazuh Introduction
- SIEM/Wazuh Data Sources
- HOST:
- Baseline vs offensive
- Process names
- Process arguments
- Parent-child process relationship
- /proc/ and /sys/ exploration
- sysctl
- Linker / LD_PRELOAD
- Linux Kernel Modules / LKM Off
- Dmesg
- DNS Settings
- Network profiling
- Open / hidden Ports
- iptables
- At / cron / systemd timers
- Users
- Shell Configuration
- Initialization / systemd scripts
- Special File Attributes
- File Hashing/checksums
- OS/application logging behavior
- SSH keys vs backdoors
- Linux namespaces
- Local / Remote Exploitation
- C2 Frameworks / C2 shells/ implants
- Sliver C2 Setup
- Sliver Transports and Pivoting
- Sliver in details
- Meterpreter Setup
- Sliver to Meterpreter Sideload
- Meterpreter shell_to_meterpreter
- TLS/sniCAT
- Merlin Setup
- Merlin Transports
- Merlin libprocesshider
- DNS/AXFR Payload Delivery
- DNS/Weasel
- DNS/dnscat2
- ICMP-based C2 and Exfiltration
- Port knocking
- Hidden NTP Exfiltration
- User space rootkits:
- [US] Rootkits: Shared Library Injection
- [US] Rootkits: Oh my Father!
- [US] Rootkits: Socket Command Injection
- [US] ELF injection with ptrace()
- [US] ELF injection without ptrace()
- [US] Proxy execution with DDexec
- [US] In-memory execution with memrun
- [US] memfd_vs_no_exec
- [US] Fileless Scripting Execution
- [US] Rootkits: Dynamic Linker Preloading
- [US] Rootkits: Zombie Ant Farm Pypreloader #1
- [US] MSF Shellcode from bash
- [US] Rootkits: sshd injection
- [US] Rootkits: sshd dummy cipher suite
- [US] PAM-based Rootkits #1
- [US] PAM-based Rootkits #2
- [US] PAM-based Rootkits #3
- [US] Yum/RPM Persistence
- [US] Rootkits: Apache mod_authg
- [US] Rootkits: HTTPD mod_backdoor
- [US] Webshells: SOCKS from JSP
- [US] Webshells: meterphp
- [US] Webshells slopshell
- [US] Linux Process Snooping
- Kernel space rootkits:
- [KS] Rootkits: User mode Helper on ICMP
- [KS] Rootkits: In-Memory LKM Loading
- [KS] Rootkits: Diamorphine
- [KS] Rootkits: Reptile Analysis
- [KS] Rootkits: Suterusu Analysis
- [KS] Rootkits: Reveng_rtkit Analysis
- [KS] Rootkits: iptables evil bit
- [KS] Rootkits: systemtap creds() upgrade
- [KS] Rootkits: Netfilter hooking #1
- [KS] Rootkits: xt_conntrack.ko Infection
- [KS] Rootkits: Ftrace Hooking #1
- [KS] Rootkits: bad-bpf trip
- [KS] Rootkits: XDP-UDP-Backdoor
- [KS] Rootkits: eBPF hooking / TripleCross
- [KS] Rootkits: eBPF SSL/TLS text capturing
- [KS] Rootkits: eBPF Raw Tracepoint Interception
- [KS] Rootkits: eBPF PAM creds stealing
- [KS] Rootkits: eBPF KoviD Analysis
- [KS] Rootkits: eBPF bpfdoor
- [KS] Rootkits: ebpfkit Analysis
- [KS/US] Backdooring Initramfs
- Linux Memory Forensics:
- Linux Report Sections
- Building Volatility 2 Linux Profiles
- Building Volatility 3 ISF JSON
- Memory Acquisition
- Forensics with Volatility2
- Forensics with Volatility 3
- Fileless plugin
- Linux Incident Response Playbooks
- Create your own custom Linux attack path and hunting/IR procedure
The training content focuses on the complete material of the “Linux Attack and Live
Forensics At Scale” course: https://edu.defensive-security.com/linux-attack-live-forensics-at-scale
- Get to know the newest Linux attack paths and hiding techniques vs proactive detection
- Learn current trends, techniques, and offensive tools for Persistence, Evasion, Exfiltration, C2, Discovery, Lateral Movement, Execution, and Credential Access against Linux machines ← Linux Matrix ATT&CK Framework
- Learn ways to improve detection and sharpen your event correlation skills across many different Linux/network data sources
- Get to know visibility/detection methods and capabilities of well-recognized Hunting and Detection tools including Velociraptor, Elastic Agent+Linux Sigma, Splunk, Moloch/Arkime, OSquery Fleet, Wazuh, Graylog, Sandfly Security
- Find the malicious Linux activities and identify threat details on the network
- Prepare your SOC team for fast filtering out Linux network noise and allow for better incident response handling
- Find out how Detection / DFIR Open Source Software can support your SOC infrastructure
- Understand the values of proactive Linux forensics scans vs manual and automated approaches to simulate attackers and generate anomalies
- Identify Linux blind spots in your network security posture
- Understand the value of the purple teaming approach where you hunt for yourself and your teammates
- Understand the advantages and values of the purple teaming approach in the Linux red/blue ecosystem
- Learn about the full scope of Linux offensive techniques, tools, and the newest community research 2023/2024
- Learn about different detection/response tools and techniques vs attacks
- Learn how to hide effectively in the Linux OS and how to exfiltrate data in stealthy ways
- Learn how to deploy and use C2, low-level rootkits and see this reflected in the detection/DFIR tooling
- Get code and command snippets ready to use during your red team and adversary operations/emulations
- Get experience with Sigma Rules/Protections Artifacts for staying stealthier and improving your defense evasion skills at scale
- Understand the advantages and values of the purple teaming approach in the Linux ecosystem
- Learn about the full scope of Linux Detection/Forensics techniques, tools, and the newest community research
- Understand the structures of advanced Linux attack paths, how they really work, and how to protect
- Learn about different offensive tools that you can use against hackers
- See the effectiveness of Detection tooling vs attack emulations
- Get experience with Yara/Sigma Rules for a better understanding of the logic behind attacks and needed telemetry
- This knowledge will change the way you look at hardening and monitoring your Linux ecosystems
- Recognize security-related enhancements in the modern Linux kernel
- Understand current kernel components and programming interfaces used to compromise a system
- Discover recommended Open Source Security solutions against actual hands-on attacks
- Learn about the full scope of Linux Detection/DFIR techniques, tools, and the newest community research
- Understand the advantages and values of the purple teaming approach in the Linux red/blue scope
- Gain experience in managing many different detection and visibility layers
- Fundamentals of how Linux Architecture works is required
- An intermediate level of Linux command-line syntax experience
- Basic knowledge of TCP/IP network protocols
- Offensive Security/Penetration testing experience will be definitely beneficial,
but not required - Basic programming skills are a plus and are essential
- This training is based on dedicated PurpleLABS virtual infrastructure so there are no special student desktop requirements. No more initial setup issues, just a pure training experience. Every student will gain full access to the PurpleLabs environment for 30 days post-training.
- VPN client installed according to VPN Setup instructions or just a browser
- Discord account as an invite to a dedicated training channel will be delivered
- Stable internet connection
Leszek Miś is a highly experienced Security Researcher with over 20 years of experience in the industry. He is the Founder of Defensive Security, a company that provides Open Source Security Services including Red Team adversary emulations, Blue Team detection coverage testing, DFIR/Live Forensics, and high-quality knowledge transfer and training.
He has worked in various positions within the infosec field, including as a Linux Administrator, System Developer, DevOps Engineer, Penetration Tester, Security Consultant, and VP Of Cyber Security. He has extensive knowledge of Linux internals and has deep experience in Linux malware hands-on analysis from the perspective of the red and blue team.
Leszek is a recognized speaker and trainer, having spoken at various industry events such as Black Hat USA, Hack In The Box, and OWASP Appsec US.
Leszek holds many certifications, including OSCP, RHCA, RHCSS, and Splunk Certified Architect. His areas of interest include the development of multi-stage attack paths with mappings to MITRE ATT&CK Framework, multi-layer defensive paths with mappings to MITRE D3FEND Framework, Linux/network ML feature extraction, Linux OS internals including eBPF, detection engineering, log behavior analysis, memory forensics, and exploration of new Linux offensive ttps vs DFIR/detection/protection techniques.
The three-day course will take place on 16 to 18 September 2024 at the Novotel London West.
The price is £3,000 (inc VAT/£2,500 ex VAT).
Conference and training tickets are non-refundable as per our Terms of Service.
This ticket is NOT transferable (i.e. you cannot use it one day and pass it to someone the other — you can however change the name on it if circumstances change and you can’t attend).
The course has been cancelled.
If you purchase a training course you get discounted rates for future training courses for one year and for the following 44CON conference.