3-day hands-on technical Workshop in HITB SecConf 2024 Bangkok

Practical Linux Attack Paths and Hunting for Red and Blue Team







beginner / intermediate



ATTEND IN-PERSON: Onsite in Bangkok, Thailand

DATE: 26-28 August 2024

TIME: 09:00 to 17:00 ICT/GMT+7

Date     Day         Time                      Duration
26 Aug   Monday      09:00-17:00 ICT/GMT+7     8 Hours
27 Aug   Tuesday     09:00-17:00 ICT/GMT+7     8 Hours
28 Aug   Wednesday   09:00-17:00 ICT/GMT+7     8 Hours

Full access to the PurpleLabs environment for 30 days post-training and lifetime material access (180+ labs) with updates included!

Dive into the world of Linux attack paths, local and remote exploitation, process injection, process hiding, tunneling, network pivoting, and syscall hooking techniques. See hands-on how Linux malware and userspace and kernel space rootkits work in the well-prepared Detection PurpleLabs Cyber Range, analyze and modify the source code, find interesting behavior patterns in binaries and logs, learn what telemetry is needed to catch modern Linux threat actors, and find out how to proactively validate and improve detection coverage with step-by-step Linux adversary emulations. On top of that, run RAM acquisition of your VMs ‘on click’ and analyze memory images with Volatility Framework 2/3 at any stage of the course.

This training is a walkthrough of the Open Source Linux offensive and defensive techniques and tooling in 2023/2024. It allows you to chain these TTPs together and better understand the threat ecosystems in Linux. I trust this training compilation and hands-on experience will change the way you look at hardening and low-level monitoring of your critical Linux-based ecosystems.

This course takes an “Attack vs. Detection” approach in a condensed format. This class is intended for students who have a basic understanding of Linux and have to deal with advanced threats. Furthermore, the course is also interesting for experienced DFIR/SOC/CERT players who aim to dig deeper into understanding Linux internals and the corresponding network attack analysis, detection, and response techniques.


Learn Linux Internals with PurpleLabs

The “Practical Linux Attack Paths and Hunting for Red and Blue Team” training has been created with a focus on realistic hands-on experience in analyzing user space and kernel space Linux rootkits, including recent Linux APT campaigns, and C2 frameworks for Linux, with a focus on Sliver/Metasploit overview/behavior vs hunting/DFIR tooling in the Linux ecosystem. This training helps you create and understand low-level Linux attack paths, improve your Linux detection coverage, see many Open Source DFIR/defensive projects in action, and understand the need for Linux telemetry, especially including Docker/Kubernetes clusters where Runtime Security solutions are a must these days. The techniques and attack paths covered in this training include many different implementations of loading LKM remotely, eBPF, XDP, FTRACE, KPROBE, UPROBE, NETFILTER, SYSTEMTAP, PAM, SSHD, HTTPD/NGINX, LD_PRELOAD-based code samples and PoCs. Detection and forensics layers include LKRG, BPFTOOL, VELOCIRAPTOR IR, OSQUERY, Elastic Security, CLI-based /proc/ and /sys/ analysis, memory forensics with VOLATILITY FRAMEWORK with semi-automated RAM acquisition, SYSMON4Linux, FALCO, TRACEE, SYSDIG, TETRAGON, SANDFLY SECURITY, ZEEK, SURICATA, MOLOCH/ARKIME, YARA and more.

During the training, we are going to make a custom combo of both red and blue parts, and we will achieve that by utilizing an Attack Flow Builder, Defender, Workbench, and Navigator for a structured format of training suitable for production use immediately after the course.

We will actively discuss and play with a set of real Linux offensive use cases vs detection/forensics view. The hands-on content has been divided into user-space and kernel-space sub-sections. When you are done, dig deeper and create your own custom attack paths, then improve your detection coverage. Purple teaming for life!

If you want to enhance your understanding of Linux x86/x64 internals and stay prepared for Linux threats, this training is a must-attend! #LinuxSecurity #LiveForensics #CybersecurityTraining



Agenda / Topics Covered / Lab Index


1. Current Linux threat landscape
2. Linux Appliances Exploitation Cases
3. Purple teaming approach
4. Threat Hunting vs Incident Response
6. Linux EDR/Security Products
7. Basic Linux Investigation tools
8. General rootkits behavior
9. Hands-on Blue/DFIR components:


    • Host/Syslog
    • Host/Auditd
    • Host/Falco Runtime Security
    • Host/Tracee Syscall Tracing
    • Host/Sysdig Syscall tracing
    • Host/Sysmon4Linux
    • Host/Velociraptor
    • Host/OSQuery FleetDM + osquery-defence-kit
    • Host/Sandfly Security
    • Host/Wazuh
    • Host/CatScale
    • Host/UAC
    • Host/pspy
    • Host/varc
    • Host/rkhunter
    • Host/Yara FS/memory Scanning
    • Host/LKRG
    • Host/SELinux
    • Host/Clamav
    • Host/Entropyscan



    • Network/Zeek
    • Network/Suricata
    • Network/Arkime Full Packet Capture
    • Network/Forward Proxy Squid SSL Decryption
    • Network/WAF Modsecurity



    • SIEM/Elastic Security introduction
    • SIEM/Elastic Security Data sources
    • SIEM/Splunk introduction
    • SIEM/Splunk Data sources
    • SIEM/Graylog intro
    • SIEM/Graylog Data sources
    • SIEM/Wazuh Introduction
    • SIEM/Wazuh Data Sources


10. Baseline vs offensive:
  • Process names
  • Process arguments
  • Parent-child process relationship
  • /proc/ and /sys/ exploration
  • sysctl
  • Linker / LD_PRELOAD
  • Linux Kernel Modules/LKM Off
  • Dmesg
  • DNS Settings
  • Network profiling
  • Open / hidden Ports
  • iptables
  • At / cron / systemd timers
  • Users
  • Shell Configuration
  • Initialization/systemd scripts
  • Special File Attributes
  • File Hashing/checksums
  • OS/application logging behavior
  • SSH keys vs backdoors
  • Linux namespaces


11. Local / Remote Exploitation
  • Reverse Shell / Backdoor payloads
  • File transfers
  • Apache Tomcat
  • Apache HTTP CVE-2021-41773
  • NFS no_root_squash
  • Dirty Pipe CVE-2022-0847
  • pkexec CVE-2021-4034
  • CVE-2022-2588
  • Spring Cloud Function CVE-2022-22963
  • Solr Log4j CVE-2021-44228
  • Kafka CVE-2023-25194
  • ActiveMQ CVE-2023-46604
  • Kubernetes KubeGoat
  • Samba / CIFS
  • Weblogic SSRF
  • SSH Brute force
  • Docker escape
  • Docker Leaky Vessels
  • Exiftool CVE-2021-22204


12. C2 Frameworks / C2 shells / implants:
  • Sliver C2 Setup
  • Sliver Transports and Pivoting
  • Sliver in detail
  • Meterpreter Setup
  • Sliver to Meterpreter Sideload
  • Meterpreter shell_to_meterpreter
  • TLS/sniCAT
  • Merlin Setup
  • Merlin Transports
  • Merlin libprocesshider
  • DNS/AXFR Payload Delivery
  • DNS/Weasel
  • DNS/dnscat2
  • ICMP-based C2 and Exfiltration
  • Port knocking
  • Hidden NTP Exfiltration


13. Tunnels / pivots / redirectors:
  • SSH Socks Proxy
  • SSH Tunneling
  • Reverse SSH
  • Shootback Protocol Tunneling
  • SSHimpanzee
  • FRP Fast Reverse Proxy
  • socat
  • Chisel
  • ngrok


14. User space rootkits:
  • General Linux Rootkits behavior
  • Linux System calls
  • [US] Rootkits: Shared Library Injection
  • [US] Rootkits: Oh my Father!
  • [US] Rootkits: Socket Command Injection
  • [US] Rootkits: Sneaky Bedevil
  • [US] ELF injection with ptrace()
  • [US] ELF injection without ptrace()
  • [US] Proxy execution with DDexec
  • [US] In-memory execution with memrun
  • [US] memfd_vs_no_exec
  • [US] Fileless Scripting Execution
  • [US] Rootkits: Dynamic Linker Preloading
  • [US] Rootkits: Zombie Ant Farm Pypreloader #1
  • [US] MSF Shellcode from bash
  • [US] Rootkits: sshd injection
  • [US] Rootkits: sshd dummy cipher suite
  • [US] PAM-based Rootkits #1
  • [US] PAM-based Rootkits #2
  • [US] PAM-based Rootkits #3
  • [US] Yum/RPM Persistence
  • [US] Rootkits: Apache mod_authg
  • [US] Rootkits: HTTPD mod_backdoor
  • [US] Webshells: SOCKS from JSP
  • [US] Webshells: meterphp
  • [US] Webshells: slopshell
  • [US] Linux Process Snooping


15. Kernel space rootkits:
  • [KS] Rootkits: User mode Helper on ICMP
  • [KS] Rootkits: In-Memory LKM Loading
  • [KS] Rootkits: Diamorphine Analysis
  • [KS] Rootkits: Reptile Analysis
  • [KS] Rootkits: Suterusu Analysis
  • [KS] Rootkits: Reveng_rtkit Analysis
  • [KS] Rootkits: iptables evil bit
  • [KS] Rootkits: systemtap creds() upgrade
  • [KS] Rootkits: Netfilter hooking #1
  • [KS] Rootkits: xt_conntrack.ko Infection
  • [KS] Rootkits: Ftrace Hooking #1
  • [KS] Rootkits: bad-bpf trip
  • [KS] Rootkits: XDP-UDP-Backdoor
  • [KS] Rootkits: eBPF hooking / TripleCross
  • [KS] Rootkits: eBPF SSL/TLS text capturing
  • [KS] Rootkits: eBPF Raw Tracepoint Interception
  • [KS] Rootkits: eBPF PAM creds stealing
  • [KS] Rootkits: eBPF KoviD Analysis
  • [KS] Rootkits: eBPF bpfdoor
  • [KS] Rootkits: eBPF Hiding with nysm
  • [KS] Rootkits: ebpfkit Analysis
  • [KS/US] Rootkits: Backdooring Initramfs
  • [ELF] Kiteshield Anti Forensics


16. Linux Memory Forensics:
  • Linux Report Sections
  • Building Volatility 2 Linux Profiles
  • Building Volatility 3 ISF JSON
  • Memory Acquisition
  • Forensics with Volatility 2
  • Forensics with Volatility 3
  • Fileless plugin


17. Linux Incident Response Playbook
18. Create your own custom Linux attack path and hunting/IR procedure.


The training content focuses on the complete material of the “Linux Attack and Live Forensics At Scale” course:




Benefits for Red Teams
  • Understand the advantages and values of the purple teaming approach in the Linux red/blue ecosystem
  • Learn about the full scope of Linux offensive techniques, tools, and the newest community research 2023/2024
  • Learn about different detection/response tools and techniques vs attacks
  • Learn how to hide effectively in the Linux OS and how to exfiltrate data in
    stealthy ways
  • Learn how to deploy and use C2, low-level rootkits and see this reflected in the
    detection/DFIR tooling
  • Get code and command snippets ready to use during your red team and
    adversary operations/emulations
  • Get experience with Sigma Rules/Protections Artifacts for staying stealthier
    and improving your defense evasion skills at scale


Benefits for Blue Teams/DFIR
  • Understand the advantages and values of the purple teaming approach in the Linux ecosystem
  • Learn about the full scope of Linux Detection/Forensics techniques, tools, and the newest community research
  • Understand the structures of advanced Linux attack paths, how they really work, and how to protect
  • Learn about different offensive tools that you can use against hackers
  • See the effectiveness of Detection tooling vs attack emulations
  • Get experience with Yara/Sigma Rules for a better understanding of the logic
    behind attacks and needed telemetry


Benefits for DevOps/SecOps/Admins
  • This knowledge will change the way you look at hardening and monitoring your Linux ecosystems
  • Recognize security-related enhancements in the modern Linux kernel
  • Understand current kernel components and programming interfaces used to
    compromise a system
  • Discover recommended Open Source Security solutions against actual
    hands-on attacks
  • Learn about the full scope of Linux Detection/DFIR techniques, tools, and the
    newest community research
  • Understand the advantages and values of the purple teaming approach in the
    Linux red/blue scope
  • Gain experience in managing many different detection and visibility layers


Founder / Security Researcher

Defensive Security

Leszek Miś is a highly experienced Security Researcher with over 20 years of experience in the industry. He is the Founder of Defensive Security (https://www.defensive-security.com/), a company that provides Open Source Security Services including Red Team adversary emulations, Blue Team detection coverage testing, DFIR/Live Forensics, and high-quality knowledge transfer and training.

He has worked in various positions within the infosec field, including as a Linux Administrator, System Developer, DevOps Engineer, Penetration Tester, Security Consultant, and VP of Cyber Security.

He has extensive knowledge of Linux internals and deep experience in hands-on Linux malware analysis from the perspective of both red and blue teams. Leszek is a recognized speaker and trainer, having spoken at various industry events such as Black Hat USA, Hack In The Box, and OWASP Appsec US.

Leszek holds many certifications, including OSCP, RHCA, RHCSS, and Splunk Certified Architect. His areas of interest include development of multi-stage attack paths with mappings to the MITRE ATT&CK Framework, multi-layer defensive paths with mappings to the MITRE D3FEND Framework, Linux/network ML feature extraction, Linux OS internals including eBPF, detection engineering, log behavior analysis, memory forensics, and exploration of new Linux offensive TTPs vs DFIR/detection/protection techniques.


Prerequisite Knowledge

  • An understanding of the fundamentals of Linux architecture is required
  • An intermediate level of Linux command-line syntax experience
  • Basic knowledge of TCP/IP network protocols
  • Offensive Security/Penetration testing experience is definitely beneficial, but not required
  • Basic programming skills are a plus and are essential

Hardware / Software Requirements

  • This training is based on dedicated PurpleLabs virtual infrastructure, so there are no special student desktop requirements. No more initial setup issues, just a pure training experience. Every student will gain full access to the PurpleLabs environment for 30 days post-training.
  • VPN client installed according to the VPN Setup instructions, or just a browser
  • Discord account, as an invite to a dedicated training channel will be delivered
  • Stable internet connection