This course helps you build and understand low-level Linux attack paths, improve your Linux detection coverage, see many open source DFIR and defensive projects in action, and understand the need for Linux telemetry, especially in Kubernetes clusters, where runtime security solutions are a must these days. The techniques and attack paths covered in this training include many different implementations of eBPF, XDP, Ftrace, Kprobe, Uprobe, Netfilter, SystemTap, PAM, SSHD, HTTPD/Nginx and LD_PRELOAD-based code samples and PoCs. Detection and forensics layers include LKRG, bpftool, Velociraptor IR, osquery, CLI-based /proc/ and /sys/ analysis, memory forensics with the Volatility 2/3 Framework including semi-automated RAM acquisition, Sysmon for Linux, Falco, Tracee, Sysdig, Tetragon, Sandfly Security, Zeek IDS, Suricata IDS, Moloch/Arkime FPC, YARA rules and more.
Syllabus
- PurpleFlows Rapid Track
- PurpleLabs Cyber Range Navigation
- Introduction to the course
- Blue/DFIR Components: SIEM
- Blue/DFIR Components: HOST
- Blue/DFIR Components: NETWORK
- Establishing a Baseline vs. Attack Vectors
- Linux Memory Forensics
- Linux Shells / C2 Implants
- Tunnels / pivots / redirectors
- Incident Response
- Default Targets Exploitation & Detection
- Linux Rootkits for Red and Blue Teams
- Active Security Research