This training is a walkthrough of the Open Source Linux offensive and defensive techniques and tooling in 2023/2024 that allows for chaining these TTPs together and understanding better the threat ecosystems in Linux. I trust this training compilation and hands-on experience will change the way you look at hardening and low-level monitoring of your critical Linux-based ecosystems.
This course takes on An “Attack vs. Detection” approach in a condensed format. This class is intended for students who have a basic understanding of Linux and have to deal with advanced threats. Furthermore, the course is also interesting for experienced DFIR/SOC/CERT Players who aim to dig deeper into understanding Linux internals and corresponding network attack analysis techniques, detection, and response.
“Practical Linux Attack Paths and Hunting for Red and Blue Team” training has been created with a focus on realistic hands-on experience in analyzing user space and kernel space Linux rootkits, including recent Linux APT campaigns, C2 frameworks for Linux with a focus on Sliver/Metasploit overview/behavior vs hunting/DFIR tooling in Linux ecosystem. This training helps create and understand low-level Linux attack paths, improve your Linux detection coverage, see in action many Open Source DFIR/defensive projects, and understand the need for Linux telemetry, especially including Docker/Kubernetes clusters where Runtime Security solutions are a must these days. The techniques and attack paths covered in this training include many different implementations of loading LKM remotely, eBPF, XDP, FTRACE, KPROBE, UPROBE, NETFILTER, SYSTEMTAP, PAM, SSHD, HTTPD/NGINX, LD_PRELOAD-based code samples and PoCs. Detection and forensics layers include LKRG, BPFTOOL, VELOCIRAPTOR IR, OSQUERY, Elastic Security, cli-based /proc/ and /sys/ analysis, memory forensics with VOLATILITY FRAMEWORK with the semi-automated RAM acquisition, SYSMON4Linux, FALCO, TRACEE, SYSDIG, TETRAGON, SANDFLY SECURITY, ZEEK, SURICATA, MOLOCH/ARKIME, YARA and more.
During the training, we are going to make a custom combo of both red and blue parts and we will achieve that by utilizing an Attack Flow Builder, Defender, Workbench, and Navigator for a structured format of training suitable for production uses immediately after the course.
We will actively discuss and play with a set of real Linux offensive use cases vs detection/forensics view. The hands-on content has been divided into user-space and kernel-space sub-sections. When you are done, dig deeper and create your own custom attack paths, then improve your detection coverage. Purple teaming for life!
If you want to enhance your understanding of Linux x86/x64 internals and stay prepared for Linux threats, this training is a must-attend! #LinuxSecurity #LiveForensics #CybersecurityTraining
The training content focuses on the complete material of the “Linux Attack and Live Forensics At Scale” course:
Leszek Miś is a highly experienced Security Researcher with over 20 years of experience in the industry. He is the Founder of Defensive Security (https://www.defensive-security.com/), a company that provides Open Source Security Services including Red Team adversary emulations, Blue Team detection coverage testing, DFIR/Live Forensics, and high-quality knowledge transfer and training.
He has worked in various positions within the infosec field, including as a Linux Administrator, System Developer, DevOps Engineer, Penetration Tester, Security Consultant and VP Of Cyber Security as well.
He has extensive knowledge of Linux internals and got deep experience in Linux malware hands-on analysis from the perspective of red and blue team. Leszek is a recognized speaker and trainer, having spoken at various industry events such as Black Hat USA, Hack In The Box, and OWASP Appsec US.
Leszek holds many certifications, including OSCP, RHCA, RHCSS, and Splunk Certified Architect. His areas of interest include development of multi-stage attack paths with mappings to MITRE ATT&CK Framework, multi-layer defensive paths with mappings to MITRE D3FEND Framework, Linux/network ML feature extraction, Linux OS internals including eBPF, detection engineering, log behavior analysis, memory forensics, andexploration of new Linux offensive ttps vs DFIR/detection/protection techniques.