Practical Linux Rootkits for Red and Blue Team with PurpleLabs

3-day hands-on technical training in Phuket

Practical Linux Rootkits for Red and Blue Team with PurpleLabs

Dive into the world of Linux syscall hooking techniques, see hands-on how rootkits work in well-prepared Detection PurpleLabs Cyber Range, analyze and modify the source codes, find interesting behavior patterns in binaries and logs, learn what telemetry is needed to catch modern Linux threat actors, and find how to proactively validate and improve detection coverage with step-by-step Linux adversary emulations.

On top of that, run your VMs RAM acquisition ‘on click’ and analyze memory images with Volatility Framework at any stage of the course.

Categories 3-Day Training, HITB2023HKT, In-person

Attend Virtually$3,299.00

Duration

3-day

Delivery Method

In-Person

Level

intermediate

Seats Available

20

ATTEND IN-PERSON: Onsite in Phuket

DATE: 21-23 August 2023

TIME: 09:00 to 17:00 ICT/GMT+7

Date	Day	Time	Duration
21 Aug	Monday	0900-17:00 ICT/GMT+7	8 Hours
22 Aug	Tuesday	0900-17:00 ICT/GMT+7	8 Hours
23 Aug	Wednesday	0900-17:00 ICT/GMT+7	8 Hours

Full access to the PurpleLabs environment for 30 days post-training and lifetime material access with updates included!

This training is a walkthrough of the Open Source Linux offensive and defensive techniques and tooling in 2023 that allows for chaining these TTPs together and understanding better the threat ecosystems in Linux. I trust this project’s compilation and hands-on experience will change the way you look at hardening and low-level monitoring of your critical Linux-based ecosystems.

Practical Linux Rootkits for Red and Blue Team with PurpleLabs.

This training has been created with a focus on realistic hands-on experience in analyzing user space andkernel space Linux rootkits, including recent Linux APT campaigns, C2 frameworksfor Linux with a focus on Sliver overview/behavior, and offensive vs DFIR tooling in Linux ecosystem.

This training helps create and understand low-level Linux attack paths, improve your Linux detection coverage, see in action many Open Source DFIR/defensive projects, and understand the need for Linux telemetry, especially including Kubernetes clusters where Runtime Security solutions are a must these days. The techniques and attack paths covered in this training include many different implementations of eBPF, XDP, FTRACE, KPROBE, UPROBE, NETFILTER, SYSTEMTAP, PAM, SSHD, HTTPD/NGINX, LD_PRELOAD-based code samples and PoCs. Detection and forensics layers include LKRG, BPFTOOL, VELOCIRAPTOR, OSQUERY, cli-based /proc/ and /sys/ analysis, memory forensics with VOLATILITY FRAMEWORK with the semi-automated RAM acquisition, SYSMON, FALCO, TRACEE, SYSDIG, TETRAGON, SANDFLY SECURITY, ZEEK, SURICATA, MOLOCH/ARKIME, YARA and more.

During the training, we are going to make a custom combo of both red and blue parts and we will achieve that by utilizing an Attack Flow Builder, Defender, Workbench,and Navigator for a structured format of training suitable for production uses immediately after the course.

We will actively discuss and play with a set of real Linux offensive use cases vs detection/forensics view. The hands-on content has been divided into user-space and kernel-space sub-sections. When you are done, dig deeper and create your own custom attack paths, then improve your detection coverage. Purple teaming for life!

If you want to enhance your understanding of Linux x86/x64 internals and stay prepared for Linux threats, this training is a must-attend! #LinuxSecurity #LiveForensics #CybersecurityTraining.

Topics Covered

Intro:

Current Linux threat landscape and APT analysis (2022/2023)
General Linux rootkit types and behaviors
PurpleLabs Hunting/Detection/DFIR components Fast Track:

○ Falco
○ Tracee
○ Sysdig
○ Sysmon4Linux
○ syslog
○ LKRG
○ SELinux
○ bpftool
○ Velociraptor
○ OSquery
○ Sandfly Security
○ Volatility Framework + semi+automated memory acquisition
○ uac
○ auditd
○ Yara rules
○ Wazuh
○ Zeek
○ Suricata
○ Moloch/Arkime

User Space Rootkits Attack/Detection Hands-On:

○ Shared Library Injection
○ Socket Command Injection
○ ELF injection with ptrace()
○ ELF injection without ptrace()
○ In-memory exec with DDExec
○ In-memory execution with memrun
○ memfd_vs_no_exec
○ Dynamic Linker Preloading
○ Zombie Ant Pypreloader
○ Linux ELF Loader/Crypter
○ MSF Shellcode from bash
○ SSHD injection
○ PAM-based Rootkits #1
○ PAM-based Rootkits #2
○ PAM-based Rootkits #3
○ Yum/RPM Persistence
○ Malicious RPM/DEB
○ HTTPD Rootkits #1
○ HTTPD Rootkits #2
○ Webshells: SOCKS from JSP

Kernel Space rootkits Attack/Detection Hands-On:

○ Fileless LKM loading
○ call_usermodehelper()
○ Reptile Analysis
○ Suterusu Analysis
○ Reveng_rtkit Analysis
○ iptables evil bit
○ systemtap creds() upgrade
○ Netfilter hooking #1
○ xt_conntrack.ko Infection
○ Ftrace Hooking #1
○ eBPF bad-bpf trip
○ XDP UDP Magic Packet
○ eBPF hooking / TripleCross Analysis
○ eBPF SSL/TLS capturing
○ eBPF Raw Tracepoint Interception
○ eBPF PAM creds stealing
○ eBPF bpfdoor Analysis
○ eBPF Boopkit Analysis
○ ebpfkit Analysis
○ Randomized Faulter

The training content focuses on Linux Rootkits vs Detection/DFIR and is a special ‘Rootkit Oriented-only’ training session based on the full material of the ‘Linux Attack and Live Forensics At Scale’ course:

https://edu.defensive-security.com/linux-attack-live-forensics-at-scale

Benefits for Red Teams

Understand the advantages and values of the purple teaming approach in the Linux red/blue ecosystem
Learn about the full scope of Linux offensive techniques, tools, and the newest community research 2023
Learn about different detection/response tools and techniques vs attacks
Learn how to hide effectively in the Linux OS and how to exfiltrate data in stealthy ways
Learn how to deploy and use C2, low-level rootkits and see this reflected in the detection/DFIR tooling
Get code and command snippets ready to use during your red team and adversary operations/emulations
Get experience with Sigma Rules/Protections Artifacts for staying stealthier and improving your defense evasion skills at scale

Benefits for Blue Teams/DFIR

Understand the advantages and values of the purple teaming approach in the Linux ecosystem
Learn about the full scope of Linux Detection/Forensics techniques, tools, and the newest community research
Understand the structures of advanced Linux attack paths, how they really work, and how to protect
Learn about different offensive tools that you can use against hackers
See the effectiveness of Detection tooling vs attacks emulations
Get experience with Sigma Rules for a better understanding of the logic behind attacks and needed telemetry

Benefits for DevOps/SecOps/Admins

This knowledge will change the way you look at hardening and monitoring your Linux ecosystems
Recognize security-related enhancements in the modern Linux kernel
Understand current kernel components and programming interfaces used to compromise a system
Discover recommended Open Source Security solutions against actual hands-on attacks
Learn about the full scope of Linux Detection/DFIR techniques, tools, and the newest community research
Understand the advantages and values of the purple teaming approach in the Linux red/blue scope
Gain experience in managing many different detection and visibility layers

What students say about this training:

“The content of in and out was great. Lots of gained knowledge and hands on!”

“Great course! A truly huge number of topics and tools covered”

“Leszek was a really good trainer, he covered a lot of material, and had a very good personality.”

“Leszek Miś is very knowledgeable in the topics covered in the course. He also shares real life scenarios which were useful for participants to better understand application of material presented. The content was very good, it covers many leading open source projects which I find useful. I would recommend this course to my colleagues”

PurpleLabs Values:

This training is based on the PurpleLabs Cyber Range Playground. It’s a dedicated, virtual infrastructure for detecting and analyzing the behavior of attackers in terms of the techniques, tactics, procedures, and used offensive tools. The environment is to serve the continuous improvement of competences in the field of threat hunting and learning about current trends from offensive scope (red-teaming) vs direct detection perspective (blue-teaming) and DFIR. By providing high-quality training materials with the lab environment in a scalable online format, we want to enable businesses to improve the detection capacity of their SOC teams and achieve better visibility and resistance to attacks. Having hands dirty with PurpleLabs will allow you to:

Develop the team’s analytical skills required to work in the Security Operation Center environment
Increase awareness of the complexity and dependencies between the elements of the APT campaigns, malware and the areas of detection
Deliver a periodic knowledge transfer and systematic expansion of team competences in the field of Red + Blue = Purple teaming
Acquire Attack Paths / Attack Lifecycles and Security Event Chains skills by combining attacker’s single techniques, tactics and procedures (Chain Attack Scenarios)
Understand the value of the Assume Breach approach and simulation of threats after early access (C2, post-exploitation, Lateral Movement, Persistence, Evasion)
Understand what threat hunting is and why it is important
Understand proactive DFIR and why it is important
Acquire skills related to generating suspicious events on the layer of network and Windows and Linux operating systems and methods of their detection
Understand the potential of Sigma rules and their values for SIEM solutions.
Run a validation of the current security status of the organization’s network and the risks involved
Obtain knowledge on supplying/creating a complete SOC environment using Open Source software.

About Defensive Security

Defensive Security delivers high-quality cyber security services including Linux / Windows digital forensics, incident response, latest threat analysis, and hunting, penetration testing, and infrastructure hardening. We successfully deliver a combination of Threat/Adversary Emulations vs network/endpoint investigations and log analysis at scale which is known as Purple Teaming.

Defensive Security offers advanced, hands-on cyber security training programs backed by PurpleLabs – a fully customized Cyber Range Environment enriched by step-by-step offensive/defensive lab instructions. Want to sharpen your Purple team skills? Try PurpleLabs where you will be playing with chained attack paths, emulating attacker’s TTPs, and running detection/response at the same time by using Sysmon and EVTX, Auditd, Wazuh, Graylog, HELK, ElastAlert, Falco, OSQuery, Velociraptor, Zeek, Suricata, Moloch FPC, Volatility Framework, theHive, MISP, and Sigma Rules.

Our mission is to help organizations have more secure infrastructures, better utilize Open Source software in Security Operations, and enable businesses to improve the detection capacity and skills of their SOC/IR teams.

We are trusted by the biggest customers from the private, oil and gas, insurance, and financial sector. It was an honor for us to conduct training workshops during the biggest conferences including Hack In The Box, BruCON, 44CON, OWASP AppSec US, and Black Hat US.

Our almost 20 years of hands-on experience with Open Source Security Solutions go directly into the full spectrum of technology solutions to support customers achieving better visibility and detections, improving offensive and defensive Red / Blue and Purple team skills, validating defensive technology stacks, and helping understand the value of the Assume Breach approach and emulation of threats after getting initial access (C2, post-exploitation, Lateral Movement, Persistence, Evasion).

Why You Should Take This Course

Dive into the world of Linux syscall hooking techniques, see hands-on how rootkits work in well-prepared Detection PurpleLabs Cyber Range, analyze and modify the source codes, find interesting behavior patterns in binaries and logs, learn what telemetry is needed to catch modern Linux threat actors, and find how to proactively validate and improve detection coverage with step-by-step Linux adversary emulations.

On top of that, run your VMs RAM acquisition ‘on click’ and analyze memory images with Volatility Framework at any stage of the course.

Who Should Attend

CSIRT / Incident Response Specialists
Red and Blue team members
Penetration testers
Threat Hunters
Security / Data Analytics
IT Security Professionals, Experts & Consultants
SOC Analysts and SIEM Engineers
AI / Machine Learning Developers
Open Source Security Enthusiasts

Prerequisite Knowledge

Fundamentals of how Linux Architecture works is required
An intermediate level of Linux command-line syntax experience
Basic knowledge of TCP/IP network protocols
Offensive Security/Penetration testing experience will be definitely beneficial, but not required
Basic programming skills are a plus and are essential

Hardware / Software Requirements

This training is based on dedicated PurpleLABS virtual infrastructure so there are no special student’s desktop requirements. No more initial setup issues, just a pure training experience. Every student will gain full access to the PurpleLabs environment for 30 days post-training.
VPN client installed according to VPN Setup instructions or just a browser
Discord account as an invite to dedicated training channel will be delivered
Stable internet connection

TRAINER

Leszek Miś

Founder

Defensive Security

Leszek Miś is the Founder of Defensive Security (www.defensive-security.com), Principal Trainer and Security Researcher with over 16 years of experience in Cyber Security and Open Source Security Solutions market. He went through the full path of the infosec carrier positions: from OSS researcher, Linux administrator, and system developer and DevOps, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European and global market, to become finally an IT Security Architect / SOC Security Analyst with deep non-vendor focus on Network Security attack and detection. He’s got deep knowledge about finding blind spots and security gaps in corporate environments. Perfectly understands technology and business values from delivering structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON 2017/2018, Black Hat USA 2019, OWASP Appsec US 2018, FloCon USA 2018, Hack In The Box Dubai / Amsterdam / Singapore / Abu Dhabi 2018/2019/2020, 44CON UK 2019, Confidence PL, PLNOG, Open Source Day PL, Secure PL, Advanced Threat Summit PL

Member of OWASP Poland Chapter.

Author of many IT Security trainings:

Open Source Defensive Security → The Trinity of Tactics for Defenders
In & Out → Network Exfiltration and Post-Exploitation Techniques [RED EDITION]
In & Out → Detection of Network Exfiltration and Post-Exploitation Techniques [BLUE EDITION]
System Internals – Network, OS and Memory Forensics
SELinux → Development & Administration of Mandatory Access Control Policy
Advanced RHEL/CentOS Defensive Security & Hardening
ModSecurity → Development and Management of Web Application Firewall rules
FreeIPA → Identity Management for Linux Domain Environments & Trusts
Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. Constantly tries to figure out what the AI/ML Network Security vendors try to sell. In free time he likes to break into “IoT world” just for fun. Still learning hard every single day.

What students say about this training:

“The content of in and out was great. Lots of gained knowledge and hands on!” “Great course! A truly huge number of topics and tools covered”

“Leszek was a really good trainer, he covered a lot of material, and had a very good personality.”

PurpleLabs Values:

Develop the team’s analytical skills required to work in the Security Operation Center environment
Increase awareness of the complexity and dependencies between the elements of the APT campaigns, malware and the areas of detection
Deliver a periodic knowledge transfer and systematic expansion of team competences in the field of Red + Blue = Purple teaming
Acquire Attack Paths / Attack Lifecycles and Security Event Chains skills by combining attacker’s single techniques, tactics and procedures (Chain Attack Scenarios)
Understand the value of the Assume Breach approach and simulation of threats after early access (C2, post-exploitation, Lateral Movement, Persistence, Evasion)
Understand what threat hunting is and why it is important
Understand proactive DFIR and why it is important
Acquire skills related to generating suspicious events on the layer of network and Windows and Linux operating systems and methods of their detection
Understand the potential of Sigma rules and their values for SIEM solutions.
Run a validation of the current security status of the organization’s network and the risks involved
Obtain knowledge on supplying/creating a complete SOC environment using Open Source software.

About Defensive Security
Defensive Security delivers high-quality cyber security services including Linux / Windows digital forensics, incident response, latest threat analysis, and hunting, penetration testing, and infrastructure hardening. We successfully deliver a combination of Threat/Adversary Emulations vs network/endpoint investigations and log analysis at scale which is known as Purple Teaming.