Practical Linux Attack Paths and Hunting for Red and Blue Team

This training is a walkthrough of the Open Source Linux offensive and defensive techniques and tooling in 2023/2024 that allows for chaining these TTPs together and understanding better the threat ecosystems in Linux. I trust this training compilation and hands-on experience will change the way you look at hardening and low-level monitoring of your critical Linux-based ecosystems.

This course takes on An “Attack vs. Detection” approach in a condensed format. This class is intended for students who have a basic understanding of Linux and have to deal with advanced threats. Furthermore, the course is also interesting for experienced DFIR/SOC/CERT Players who aim to dig deeper into understanding Linux internals and corresponding network attack analysis techniques, detection, and response.

Learn Linux Internals with PurpleLabs

“Practical Linux Attack Paths and Hunting for Red and Blue Team” training has been created with a focus on realistic hands-on experience in analyzing user space and kernel space Linux rootkits, including recent Linux APT campaigns, C2 frameworks for Linux with a focus on Sliver/Metasploit overview/behavior vs hunting/DFIR tooling in Linux ecosystem. This training helps create and understand low-level Linux attack paths, improve your Linux detection coverage, see in action many Open Source DFIR/defensive projects, and understand the need for Linux telemetry, especially including Docker/Kubernetes clusters where Runtime Security solutions are a must these days. The techniques and attack paths covered in this training include many different implementations of loading LKM remotely, eBPF, XDP, FTRACE, KPROBE, UPROBE, NETFILTER, SYSTEMTAP, PAM, SSHD, HTTPD/NGINX, LD_PRELOAD-based code samples and PoCs. Detection and forensics layers include LKRG, BPFTOOL, VELOCIRAPTOR IR, OSQUERY, Elastic Security, cli-based /proc/ and /sys/ analysis, memory forensics with VOLATILITY FRAMEWORK with the semi-automated RAM acquisition, SYSMON4Linux, FALCO, TRACEE, SYSDIG, TETRAGON, SANDFLY SECURITY, ZEEK, SURICATA, MOLOCH/ARKIME, YARA and more.

During the training, we are going to make a custom combo of both red and blue parts and we will achieve that by utilizing an Attack Flow Builder, Defender, Workbench, and Navigator for a structured format of training suitable for production uses immediately after the course.

We will actively discuss and play with a set of real Linux offensive use cases vs detection/forensics view. The hands-on content has been divided into user-space and kernel-space sub-sections. When you are done, dig deeper and create your own custom attack paths, then improve your detection coverage. Purple teaming for life!

If you want to enhance your understanding of Linux x86/x64 internals and stay prepared for Linux threats, this training is a must-attend! #LinuxSecurity #LiveForensics #CybersecurityTraining

Agenda / Topics Covered / Lab Index

1. Current Linux threat landscape

2. Linux Appliances Exploitation Cases

3. Purple teaming approach

4. Threat Hunting vs Incident Response

5. Linux MITRE ATT&CK

6. Linux EDR/Security  Products

7. Basic Linux Investigation tools

8. General root kits behavior

9. Hands-on Blue/DFIR  components:

A. HOST:

• • Host/Syslog
  • Host/Auditd
  • Host/Falco Runtime Security
  • Host/Tracee Syscall Tracing
  • Host/Sysdig Syscall tracing
  • Host/Sysmon4Linux
  • Host/Velociraptor
  • Host/OSQuery FleetDM + osquery-defence-kit
  • Host/Sandfly Security
  • Host/Wazuh
  • Host/CatScale
  • Host/UAC
  • Host/pspy
  • Host/varc
  • Host/rkhunter
  • Host/Yara FS/memory Scanning
  • Host/LKRG
  • Host/SELinux
  • Host/Clamav
  • Host/Entropyscan

B. NETWORK:

• • Network/Zeek
  • Network/Suricata
  • Network/Arkime Full Packet Capture
  • Network/Forward Proxy Squid SSL Decryption
  • Network/WAF Modsecurity

C. SIEM:

• • SIEM/Elastic Security introduction
  • SIEM/Elastic Security Data sources
  • SIEM/Splunk introduction
  • SIEM/Splunk Data sources
  • SIEM/Graylog intro
  • SIEM/Graylog Data sources
  • SIEM/Wazuh Introduction
  • SIEM/Wazuh Data Sources

10. Baseline vs offensive:

• Process names
• Process arguments
• Parent-child process relationship
• /proc/ and /sys/ exploration
• sysctl
• Linker / LD_PRELOAD
• Linux Kernel Modules/LKM Off
• Dmesg
• DNS Settings
• Network profiling
• Open / hidden Ports
• iptables
• At / cron / systemd timers
• Users
• Shell Configuration
• Initialization/systemd scripts
• Special File Attributes
• File Hashing/checksums
• OS/application logging behavior
• SSH keys vs backdoors
• Linux namespaces

11. Local/ Remote Explotation

• Reverse Shell / Backdoor payloads
• File transfers
• Apache Tomcat
• Apache HTTP CVE-2021-41773
• NFS no_root_squash
• Dirty Pipe CVE-2022-0847
• pkexec CVE-2021-4034
• CVE-2022-2588
• Spring Cloud Function CVE-2022-22963
• Solr Log4j CVE-2021-44228
• Kafka CVE 2023-25194
• ActiveMQ CVE-2023-46604
• Kubernetes KubeGoat
• Samba / CIFS
• Weblogic SSRF
• SSH Brute force
• Docker escape
• Docker Leaky Vessels
• Exiftool CVE-2021-22204

12. C2 Frameworks / C2 shells/ implants:

• Sliver C2 Setup
• Sliver Transports and Pivoting
• Sliver in details
• Meterpreter Setup
• Sliver to Meterpreter Sideload
• Meterpreter shell_to_meterpreter
• TLS/sniCAT
• MerlinSetup
• Merlin Transports
• Merlin libprocesshider
• DNS/AXFR Payload Delivery
• DNS/Weasel
• DNS/dnscat2
• ICMP-based C2 and Exfiltration
• Port knocking
• Hidden NTP Exfiltration

14. User space rootkits:

• General Linux Rootkits behavior
• Linux System calls
• [US] Rootkits: Shared Library Injection
• [US] Rootkits: Oh my Father!
• [US] Rootkits: Socket Command Injection
• [US] Rootkits: Sneaky Bedevil
• [US] ELF injection with ptrace()
• [US] ELF injection without ptrace()
• [US] Proxy execution with DDexec
• [US] In-memory execution with memrun
• [US] memfd_vs_no_exec
• [US] Fileless Scripting Execution
• [US] Rootkits: Dynamic Linker Preloading
• [US] Rootkits: Zombie Ant Farm Pypreloader #1
• [US] MSF Shellcode from bash
• [US] Rootkits: sshd injection
• [US] Rootkits: sshd dummy cipher suite
• [US] PAM-based Rootkits #1
• [US] PAM-based Rootkits #2
• [US] PAM-based Rootkits #3
• [US] Yum/RPM Persistence
• [US] Rootkits: Apache mod_authg
• [US] Rootkits: HTTPD mod_backdoor
• [US] Webshells: SOCKS fromJSP
• [US] Webshells: meterphp
• [US] Webshells: slopshell
• [US] Linux Process Snooping

15. Kernel space rootkits:

• [KS] Rootkits: User mode Helper on ICMP
• [KS] Rootkits: In-Memory LKM Loading
• [KS] Rootkits: Diamorphine Analysis
• [KS] Rootkits: Reptile Analysis
• [KS] Rootkits: Suterusu Analysis
• [KS] Rootkits: Reveng_rtkit Analysis
• [KS] Rootkits: iptables evil bit
• [KS] Rootkits: systemtap creds() upgrade
• [KS] Rootkits: Netfilter hooking #1
• [KS] Rootkits: xt_conntrack.ko Infection
• [KS] Rootkits: Ftrace Hooking #1
• [KS] Rootkits: bad-bpf trip
• [KS] Rootkits: XDP-UDP-Backdoor
• [KS] Rootkits: eBPF hooking / TripleCross
• [KS] Rootkits: eBPF SSL/TLS text capturing
• [KS] Rootkits: eBPF Raw Tracepoint Interception
• [KS] Rootkits: eBPF PAM creds stealing
• [KS] Rootkits: eBPF KoviD Analysis
• [KS] Rootkits: eBPF bpfdoor
• [KS] Rootkits: eBPF Hiding with nysm
• [KS] Rootkits: ebpfkit Analysis
• [KS/US] Rootkits: Backdooring Initramfs
• [ELF] Kiteshield Anti Forensics

16. Linux Memory Forensics:

17. Linux Incident Response Playbook

18. Create your own custom Linux attack path and hunting/IR procedure.

The training content focuses on the complete material of the “Linux Attack and Live Forensics At Scale” course:

● https://edu.defensive-security.com/linux-attack-live-forensics-at-scale