Practical Linux Rootkits for Red and Blue Team with PurpleLabs



3 days

Delivery Method




Seats Available



3 days

Delivery Method




ATTEND IN-PERSON: Onsite in Phuket

DATE: 21-23 August 2023

TIME: 09:00 to 17:00 ICT/GMT+7

Date Day Time Duration
21 Aug Monday 0900-17:00 ICT/GMT+7 8 Hours
22 Aug Tuesday 0900-17:00 ICT/GMT+7 8 Hours
23 Aug Wednesday 0900-17:00 ICT/GMT+7 8 Hours

Full access to the PurpleLabs environment for 30 days post-training and lifetime material access with updates included!


This training is a walkthrough of the Open Source Linux offensive and defensive techniques and tooling in 2023 that allows for chaining these TTPs together and understanding better the threat ecosystems in Linux. I trust this project’s compilation and hands-on experience will change the way you look at hardening and low-level monitoring of your critical Linux-based ecosystems.

Practical Linux Rootkits for Red and Blue Team with PurpleLabs.

This training has been created with a focus on realistic hands-on experience in analyzing user space andkernel space Linux rootkits, including recent Linux APT campaigns, C2 frameworksfor Linux with a focus on Sliver overview/behavior, and offensive vs DFIR tooling in Linux ecosystem.
This training helps create and understand low-level Linux attack paths, improve your Linux detection coverage, see in action many Open Source DFIR/defensive projects, and understand the need for Linux telemetry, especially including Kubernetes clusters where Runtime Security solutions are a must these days. The techniques and attack paths covered in this training include many different implementations of eBPF, XDP, FTRACE, KPROBE, UPROBE, NETFILTER, SYSTEMTAP, PAM, SSHD, HTTPD/NGINX, LD_PRELOAD-based code samples and PoCs. Detection and forensics layers include LKRG, BPFTOOL, VELOCIRAPTOR, OSQUERY, cli-based /proc/ and /sys/ analysis, memory forensics with VOLATILITY FRAMEWORK with the semi-automated RAM acquisition, SYSMON, FALCO, TRACEE, SYSDIG, TETRAGON, SANDFLY SECURITY, ZEEK, SURICATA, MOLOCH/ARKIME, YARA and more.
During the training, we are going to make a custom combo of both red and blue parts and we will achieve that by utilizing an Attack Flow Builder, Defender, Workbench,and Navigator for a structured format of training suitable for production uses immediately after the course.
We will actively discuss and play with a set of real Linux offensive use cases vs detection/forensics view. The hands-on content has been divided into user-space and kernel-space sub-sections. When you are done, dig deeper and create your own custom attack paths, then improve your detection coverage. Purple teaming for life!
If you want to enhance your understanding of Linux x86/x64 internals and stay prepared for Linux threats, this training is a must-attend! #LinuxSecurity #LiveForensics #CybersecurityTraining.
Topics Covered

  • Current Linux threat landscape and APT analysis (2022/2023)
  • General Linux rootkit types and behaviors
  • PurpleLabs Hunting/Detection/DFIR components Fast Track:
Sandfly Security
Volatility Framework + semi+automated memory acquisition
Yara rules

User Space Rootkits Attack/Detection Hands-On:
Shared Library Injection
Socket Command Injection
ELF injection with ptrace()
ELF injection without ptrace()
In-memory exec with DDExec
In-memory execution with memrun
Dynamic Linker Preloading
Zombie Ant Pypreloader
Linux ELF Loader/Crypter
MSF Shellcode from bash
SSHD injection
PAM-based Rootkits #1
PAM-based Rootkits #2
PAM-based Rootkits #3
Yum/RPM Persistence
Malicious RPM/DEB
HTTPD Rootkits #1
HTTPD Rootkits #2
Webshells: SOCKS from JSP
Kernel Space rootkits Attack/Detection Hands-On:

Fileless LKM loading
Reptile Analysis
Suterusu Analysis
Reveng_rtkit Analysis
iptables evil bit
systemtap creds() upgrade
Netfilter hooking #1
xt_conntrack.ko Infection
Ftrace Hooking #1
eBPF bad-bpf trip
XDP UDP Magic Packet
eBPF hooking / TripleCross Analysis
eBPF SSL/TLS capturing
eBPF Raw Tracepoint Interception
eBPF PAM creds stealing
eBPF bpfdoor Analysis
eBPF Boopkit Analysis
ebpfkit Analysis
Randomized Faulter
The training content focuses on Linux Rootkits vs Detection/DFIR and is a special ‘Rootkit Oriented-only’ training session based on the full material of the ‘Linux Attack and Live Forensics At Scale’ course:


Benefits for Red Teams
  • Understand the advantages and values of the purple teaming approach in the Linux red/blue ecosystem
  • Learn about the full scope of Linux offensive techniques, tools, and the newest community research 2023
  • Learn about different detection/response tools and techniques vs attacks
  • Learn how to hide effectively in the Linux OS and how to exfiltrate data in stealthy ways
  • Learn how to deploy and use C2, low-level rootkits and see this reflected in the detection/DFIR tooling
  • Get code and command snippets ready to use during your red team and adversary operations/emulations
  • Get experience with Sigma Rules/Protections Artifacts for staying stealthier and improving your defense evasion skills at scale


Benefits for Blue Teams/DFIR
  • Understand the advantages and values of the purple teaming approach in the Linux ecosystem
  • Learn about the full scope of Linux Detection/Forensics techniques, tools, and the newest community research
  • Understand the structures of advanced Linux attack paths, how they really work, and how to protect
  • Learn about different offensive tools that you can use against hackers
  • See the effectiveness of Detection tooling vs attacks emulations
  • Get experience with Sigma Rules for a better understanding of the logic behind attacks and needed telemetry


Benefits for DevOps/SecOps/Admins
  • This knowledge will change the way you look at hardening and monitoring your Linux ecosystems
  • Recognize security-related enhancements in the modern Linux kernel
  • Understand current kernel components and programming interfaces used to compromise a system
  • Discover recommended Open Source Security solutions against actual hands-on attacks
  • Learn about the full scope of Linux Detection/DFIR techniques, tools, and the newest community research
  • Understand the advantages and values of the purple teaming approach in the Linux red/blue scope
  • Gain experience in managing many different detection and visibility layers


What students say about this training:

“The content of in and out was great. Lots of gained knowledge and hands on!”

“Great course! A truly huge number of topics and tools covered”

“Leszek was a really good trainer, he covered a lot of material, and had a very good personality.”

“Leszek Miś is very knowledgeable in the topics covered in the course. He also shares real life scenarios which were useful for participants to better understand application of material presented. The content was very good, it covers many leading open source projects which I find useful. I would recommend this course to my colleagues”


PurpleLabs Values:

This training is based on the PurpleLabs Cyber Range Playground. It’s a dedicated, virtual infrastructure for detecting and analyzing the behavior of attackers in terms of the techniques, tactics, procedures, and used offensive tools. The environment is to serve the continuous improvement of competences in the field of threat hunting and learning about current trends from offensive scope (red-teaming) vs direct detection perspective (blue-teaming) and DFIR. By providing high-quality training materials with the lab environment in a scalable online format, we want to enable businesses to improve the detection capacity of their SOC teams and achieve better visibility and resistance to attacks. Having hands dirty with PurpleLabs will allow you to:

  • Develop the team’s analytical skills required to work in the Security Operation Center environment
  • Increase awareness of the complexity and dependencies between the elements of the APT campaigns, malware and the areas of detection
  • Deliver a periodic knowledge transfer and systematic expansion of team competences in the field of Red + Blue = Purple teaming
  • Acquire Attack Paths / Attack Lifecycles and Security Event Chains skills by combining attacker’s single techniques, tactics and procedures (Chain Attack Scenarios)
  • Understand the value of the Assume Breach approach and simulation of threats after early access (C2, post-exploitation, Lateral Movement, Persistence, Evasion)
  • Understand what threat hunting is and why it is important
  • Understand proactive DFIR and why it is important
  • Acquire skills related to generating suspicious events on the layer of network and Windows and Linux operating systems and methods of their detection
  • Understand the potential of Sigma rules and their values for SIEM solutions.
  • Run a validation of the current security status of the organization’s network and the risks involved
  • Obtain knowledge on supplying/creating a complete SOC environment using Open Source software.


About Defensive Security

Defensive Security delivers high-quality cyber security services including Linux / Windows digital forensics, incident response, latest threat analysis, and hunting, penetration testing, and infrastructure hardening. We successfully deliver a combination of Threat/Adversary Emulations vs network/endpoint investigations and log analysis at scale which is known as Purple Teaming.

Defensive Security offers advanced, hands-on cyber security training programs backed by PurpleLabs – a fully customized Cyber Range Environment enriched by step-by-step offensive/defensive lab instructions. Want to sharpen your Purple team skills? Try PurpleLabs where you will be playing with chained attack paths, emulating attacker’s TTPs, and running detection/response at the same time by using Sysmon and EVTX, Auditd, Wazuh, Graylog, HELK, ElastAlert, Falco, OSQuery, Velociraptor, Zeek, Suricata, Moloch FPC, Volatility Framework, theHive, MISP, and Sigma Rules.

Our mission is to help organizations have more secure infrastructures, better utilize Open Source software in Security Operations, and enable businesses to improve the detection capacity and skills of their SOC/IR teams.

We are trusted by the biggest customers from the private, oil and gas, insurance, and financial sector. It was an honor for us to conduct training workshops during the biggest conferences including Hack In The Box, BruCON, 44CON, OWASP AppSec US, and Black Hat US.

Our almost 20 years of hands-on experience with Open Source Security Solutions go directly into the full spectrum of technology solutions to support customers achieving better visibility and detections, improving offensive and defensive Red / Blue and Purple team skills, validating defensive technology stacks, and helping understand the value of the Assume Breach approach and emulation of threats after getting initial access (C2, post-exploitation, Lateral Movement, Persistence, Evasion).

Why You Should Take This Course

Dive into the world of Linux syscall hooking techniques, see hands-on how rootkits work in well-prepared Detection PurpleLabs Cyber Range, analyze and modify the source codes, find interesting behavior patterns in binaries and logs, learn what telemetry is needed to catch modern Linux threat actors, and find how to proactively validate and improve detection coverage with step-by-step Linux adversary emulations.

On top of that, run your VMs RAM acquisition ‘on click’ and analyze memory images with Volatility Framework at any stage of the course.

Who Should Attend

  • CSIRT / Incident Response Specialists
  • Red and Blue team members
  • Penetration testers
  • Threat Hunters
  • Security / Data Analytics
  • IT Security Professionals, Experts & Consultants
  • SOC Analysts and SIEM Engineers
  • AI / Machine Learning Developers
  • Open Source Security Enthusiasts

Key Learning Objectives

  • Get to know the newest Linux attack paths and hiding techniques vs proactive detection

  • Learn current trends, techniques, and offensive tools for Persistence, Evasion, Exfiltration, C2, Discovery, Lateral Movement, Execution, Credential Access against Linux machines ← Linux Matrix ATT&CK Framework

  • Learn ways to improve detection and sharpen your event correlation skills across many different Linux/network data sources

  • Get to know visibility/detection methods and capabilities of well-recognized Hunting and Detection tools including Velociraptor, HELK+Linux Sigma, Splunk, Elastiflow, Moloch/Arkime, Kolide Fleet, Wazuh, Graylog, theHive, Sandfly

  • Find the malicious Linux activities and identify threat details on the network

  • Prepare your SOC team for fast filtering out Linux network noise and allow for better incident response handling

  • Find out how Detection / DFIR Open Source Software can support your SOC infrastructure

  • Understand values of proactive Linux forensics scans vs manual and automated approaches to simulate attackers and generate anomalies

  • Identify Linux blind spots in your network security posture

  • Understand the value of the purple teaming approach where you hunt for yourself and teammates
  • Prerequisite Knowledge

    • Fundamentals of how Linux Architecture works is required
    • An intermediate level of Linux command-line syntax experience
    • Basic knowledge of TCP/IP network protocols
    • Offensive Security/Penetration testing experience will be definitely beneficial, but not required
    • Basic programming skills are a plus and are essential

    Hardware / Software Requirements

    • This training is based on dedicated PurpleLABS virtual infrastructure so there are no special student’s desktop requirements. No more initial setup issues, just a pure training experience. Every student will gain full access to the PurpleLabs environment for 30 days post-training.
    • VPN client installed according to VPN Setup instructions or just a browser
    • Discord account as an invite to dedicated training channel will be delivered
    • Stable internet connection

    Your Instructor

    Leszek Miś is a highly experienced Security Researcher with over 20 years of experience in the industry. He is the Founder of Defensive Security (, a company that provides Open Source Security Services including Red Team adversary emulations, Blue Team detection coverage testing, DFIR/Live Forensics, and high-quality knowledge transfer and training.

    He has worked in various positions within the infosec field, including as a Linux Administrator, System Developer, DevOps Engineer, Penetration Tester, Security Consultant and VP Of Cyber Security as well.

    He has extensive knowledge of Linux internals and got deep experience in Linux malware hands-on analysis from the perspective of red and blue team. Leszek is a recognized speaker and trainer, having spoken at various industry events such as Black Hat USA, Hack In The Box, and OWASP Appsec US.

    Leszek holds many certifications, including OSCP, RHCA, RHCSS, and Splunk Certified Architect. His areas of interest include development of multi-stage attack paths with mappings to MITRE ATT&CK Framework, multi-layer defensive paths with mappings to MITRE D3FEND Framework, Linux/network ML feature extraction, Linux OS internals including eBPF, detection engineering, log behavior analysis, memory forensics, andexploration of new Linux offensive ttps vs DFIR/detection/protection techniques.