2-Day Training | 21-22 Nov

In & Out – Linux Attack, Detection & Hunting with PurpleLabs [HITB+ CYBERWEEK 2021]

Duration 2 days
Seats Available 15
Difficulty intermediate


Register Now


ATTEND IN-PERSON: Onsite in Abu Dhabi

ATTEND ONLINE: Virtual via Zoom and Discord

DATE: 21-22 November 2021

TIME: 09:00 to 17:00 GST/GMT+4

Date Day Time Duration
21 Nov Sunday 0900-17:00 GST/GMT+4 8 Hours
22 Nov Monday 0900-17:00 GST/GMT+4 8 Hours


Full access to the PurpleLabs environment for 30 days post-training!

Make sure you’re choosing the right course. This is the Linux version. The Windows version is HERE. Or do both as a COMBO 4-day HERE!

The primary goal of this training is to show and teach you how to generate offensive attack events/symptoms against Linux boxes that you will detect in parallel by using PurpleLABS SOC stack powered by Sigma Rules – the open standard event description ruleset – and the rest of the dedicated, Open Source security solutions in use.

Participants will thoroughly familiarize themselves with the content of the available Sigma detection rules and their structure, better understand the essence of offensive actions in Linux subsystems, learn the low-level relationships between data sources, and thus achieve knowledge in creating their own detection rules (and eventually bypassing them).

This course takes on an “Adversary Simulations vs Hunting” approach in a condensed format. This will allow a gradual escalation of the level of knowledge in the scope of red / blue / purple teaming to both experienced specialists and beginners while maintaining the attractiveness and pleasure of performing tasks. Linux detection and hunting does not have to be boring and tedious!

● Realistic 100% pure lab-oriented Linux offensive and defensive security use cases.
● Minimum theory, maximum hands-on with high level of expertise.
● A lot of accumulated knowledge in one place with a focus on high priority elements.
● Focused on Open Source Security


Go HERE to join the Windows course version instead. Or,
Go HERE to join the Combo course for both Linux and Windows

Why should you take this course?

The “In & Out – Linux Attack, Detection & Hunting with PurpleLabs” is an intermediate hands-on PurpleLABS training focuses on Linux / Network Security and created to present:

  • The value of the Assume Breach approach and simulation of threats after getting early access to the Linux target. (Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution, Credential Access)
  • The importance of Blue and Red team cooperation and how to effectively run hunting activities and write security notes.
  • “Feel the network and systems” approach to get and understand the low-level baseline behavior of Linux devices and networks.
  • Different ways for playing with many important data sources including Syslog, auditd, Falco, Tracee, Sysdig, Yara, eBPF, Zeek IDS, Suricata IDS, OSQuery, Velociraptor IR, Memory dumps and Full Packet Captures.
  • How to run adversary simulations effectively including a development of Attack Paths and Chain Attack scenarios by combining the attacker’s techniques, tactics and procedures within Linux subsystems
  • Visibility, detection methods and capabilities of well recognized Hunting and Detection tools including HELK, Splunk, Elastiflow, Moloch, Kolide Fleet, Wazuh, Graylog, theHive and MISP.
  • The potential of Sigma rules (+ElastAlert) and their values for SIEM engines and DFIR
  • Engineering and analytical skills required to work in the Security Operation Center environment.
  • Verification methods and techniques for Cyber Security product and service providers
    → in terms of internal testing and supporting PoC / PoV programs.

Key Learning Objectives

  • Learn current trends, techniques, and offensive tools for Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution, Credential Access against Linux boxes.
  • Learn ways to improve low-level Linux detection and sharpen your event correlation skills across many different data sources.
  • Find the malicious activities and identify threat details on the network.
  • Prepare your SOC team for fast filtering out network noise and allow for better incident response handling.
  • Find out how Detection / DFIR Open Source Software can support your SOC infrastructure.
  • Understand values of manual and automated approach to simulate attackers and generate Linux subsystem anomalies.
  • Identify blind spots in your Linux network security posture.

Who Should Attend

● Linux Engineers / Linux administrators
● Red and Blue team members
● CSIRT / Incident Response Specialists
● Cloud Operators / DevOps
● Security / Data Analytics
● IT Security Professionals, Experts & Consultants
● Network Security Engineers
● SOC members and SIEM Engineers
● AI / Machine Learning Developers
● Open Source Security Enthusiasts

What Students Say About This Training

  • “The content of in and out was great. Lots of gained knowledge and hands on!”
  • “Great course! A truly huge number of topics and tools covered”
  • “Leszek was a really good trainer, he covered a lot of material, and had a very good personality.”
  • “Leszek Miś is very knowledgeable in the topics covered in the course. He also shares real life scenarios which were useful for participants to better understand application of material presented. Contents were very good, it covers many leading open source projects which I find useful. I would recommend this course to my colleagues.”
  • It’s never too late to discover the third color in IT security. With Leszek Miś, this can be done without marketing slides and with a huge dose of positive energy. Leszek’s knowledge and ability to pass it on are unique! Just like the whole platform created by him, which simply works and causes that even the most experienced can learn something new. I encourage you to take advantage of the #PurpleLabs! -Marcin Juszko , SOC Manager, CISM, CCSO, CySA+, CCNA Cyber-OPS – via LinkedIn

Prerequisite Knowledge

  • An intermediate level of command-line syntax experience using Linux
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential

Hardware / Software Requirements

This training is based on dedicated PurpleLABS virtual infrastructure (https://www.defensive-security.com/purplelabs/), so there are no special student’s desktop requirements. No more initial setup issues, just a pure training experience. Every student will gain full access to the PurpleLabs environment for 30 days after the training.

  • VPN client installed according to VPN Setup instructions
  • Slack account as an invite to dedicated training channel will be sent
  • Stable internet connection


  • Zoom client installed
  • HD Camera to have 1:1 access to an instructor and the rest of the participants.


Expand All

Linux Red vs Blue Hands-On Labs - TACTIC SCENARIOS:

• Initial Access (TA001)
• Execution (TA002)
• Persistence (TA003)
• Privilege Escalation (TA004) • Defense Evasion (TA005)
• Credential Access (TA006) • Discovery (TA007)
• Lateral Movement (TA008) • Collection (TA009)
• Command and Control (TA0011) • Exfiltration (TA0010)
• Impact (TA0040)
• Breach and Attack Simulations
• Forensics

Linux Red vs Blue Hands-On Labs INDEX:

● Introduction to PurpleLabs
● Current state of Linux malware / APT campaigns
● Analysis of Linux C2 implants and interesting post-exploitation modules
● Linux LOLbins / one-liners for bind & reverse shells, download/upload, file compression
● Linux Network / Service / User / Local Enumeration
● /proc exploration
● Linux ELF in-memory code execution vs live process analysis
● Linux syscall faulting for C2 agent execution
● Injecting an ELF file into a remote Linux process
● Linux GDB Shared Library Injection
● Linux sshd Injection + password extraction
● Linux Apache rootkit + command execution over HTTP
● Linux kernel space rootkits and backdoors vs LKRG
● Building Linux custom payloads
● Linux Runtime Security / syscall filtering / kernel instrumentation using falco, tracee and
● Linux persistence and hunting methods
● Linux process hiding and in-memory code injection techniques
● Linux buffer overflow / privilege escalation artifacts
● Linux hardening best practices / OpenSCAP
● Chroot / nsjail / SELinux / caps / seccomp vs exploitation
● Socket command execution
● Auditd vs Falco vs Tracee vs local adversary simulations
● Invoking Linux Reverse shell from kernel space in response to ICMP
● Linux shells over hidden ICMP channel
● Data exfiltration over DNS vs detection
● Pwn remote docker host over DNS rebinding
● Escaping Docker containers
● In-memory DNS AAAA implant for Linux
● DNS AXFR Payload Delivery
● SSH tunneling, lateral movement and pivoting vs HASSH
● HTTP2 Exfiltration and DNS over HTTPS C2
● Playing with LDAP as payload delivery channel / hidden storage
● Tunneling traffic into internal networks
● Port Knocking vs Full Packet Capture Analysis
● Mutual TLS / SSL C2 communication vs JA3 / JARM
● SNI-based TLS data exfiltration
● The world of web shells vs Yara / OSquery / Velociraptor detection at scale
● Threat Hunting and Detection with Web Proxy Logs
● Linux Memory Forensics using Volatility Framework
● The importance of Linux Process trees
● HTTP exfiltration and covert channels based on UA, cookies / encrypted cookies,
WebDAV, WebSockets
● Youtube-based command delivery and execution
● Google Translator as a C2 Proxy
● Overview of Linux Security Benchmarks / Linux Hardening guides vs PurpleLabs
offensive content
● Introduction to Fapolicyd framework
● Introduction to FreeIPA – a “domain controller” for Linux clusters
● Linux Tips and Tricks for Rapid Triage
● and more

You may also like…

Sign Up For an Account

to track your favorites

Sign Up

Want a Training Not Seen Here?

Write to Us

Contact Us