Schedule/Training Details

Practical Linux Attack Paths and DFIR/Hunting v2.0

In today's Linux threat landscape, enterprises face increasingly sophisticated, targeted attacks. To combat these threats effectively, we must enhance our ability to detect malicious activity, inform threat-hunting processes, and understand attacker behavior. Dive into the world of modular Linux attack paths, local and remote exploitation, process injection, process hiding, network tunnelling/pivoting, data exfiltration, and syscall hooking techniques.

Get hands-on experience with how Linux malware and user-space/kernel-space (US/KS) rootkits work in the well-prepared PurpleLabs Cyber Range. Analyze and modify source code, find interesting behavior patterns in binaries and logs, determine which telemetry is needed to catch modern Linux threat actors, and learn how to proactively validate and improve EDR/SOAR/SIEM detection coverage with step-by-step Linux adversary emulations. On top of that, acquire the RAM of your VMs with a single click and analyze the memory images with Volatility Framework 3 at any stage of the training. 100% Purple Teaming structure and a purely hands-on delivery style.

● This training helps you create and understand low-level Linux attack paths, improve your Linux detection coverage, see many Open Source DFIR/defensive projects in action, and understand the need for Linux telemetry across bare metal, VMs, and Kubernetes clusters, where EDR/Runtime Security solutions are a must these days.

● This course takes an “Attack-Detection-Inspection-Response” approach in a condensed, modular format. The class is dedicated to students with a basic understanding of Linux who must deal with advanced threats. It is also of interest to experienced DFIR/SOC/CERT teams who aim to deepen their understanding of Linux internals and the corresponding network attack analysis, detection, and response techniques.

● As questions arise about the evolving threat landscape, the training content and approach serve as your dynamic, centralized knowledge base for navigating the offensive Linux threat ecosystem with confidence, alongside the corresponding detection opportunities and DFIR.

● Full access to the PurpleLabs VPN environment for 30 days post-training and lifetime material access with updates included!

● This intensive, fully hands-on session is built entirely on the fresh content from my just-released Linux Attack, Detection and Live Forensics v2.0 - Hands-on Purple Teaming Playbook.

Why Take This Course

  • Get to know the newest Linux attack paths and offensive techniques seen in real intrusions vs active detection, hunting, and live forensics
  • Learn current trends, techniques, and offensive approaches for Persistence, Evasion, Exfiltration, C2, Discovery, Lateral Movement, Execution, and Credential Access against Linux machines ← the MITRE ATT&CK Linux Matrix in hands-on format (400+ techniques included)
  • Learn ways to improve detection and sharpen your event correlation skills across many different Linux/network data sources
  • Get to know visibility/detection methods and capabilities of well-recognized Hunting and Detection tools, including Velociraptor, Elastic Security Agent, Splunk, OSquery Fleet, Wazuh, and Sandfly Security
  • Understand real-time telemetry, find the malicious Linux activities, and identify threat details on the network by actively playing with Falco, Kunai, Tetragon, Jibril, and Tracee Runtime Security Engines
  • Prepare your SOC team to filter out Linux network noise quickly and handle incident response better
  • Find out how Detection / DFIR Open Source Software can support your SOC infrastructure
  • Understand the values of proactive Linux forensics scans vs manual and automated approaches to simulate attackers and generate anomalies
  • Identify Linux blind spots in your network security posture
  • Understand the value of the purple teaming approach, where you hunt for yourself and your teammates

Benefits For Red/Blue/SecOps Teams

  • Understand the advantages and values of the purple teaming approach in the Linux red/blue ecosystem
  • Learn about the full scope of Linux offensive techniques, tools, and the newest community research 2024/2025/2026
  • Learn how to hide effectively in the Linux OS and how to exfiltrate data in stealthy ways
  • Learn how to deploy and use C2, low-level rootkits, and see this reflected in the detection/DFIR tooling
  • Get code and command snippets ready to use during your red team and adversary operations/emulations
  • Discover recommended Open Source Security solutions and see the effectiveness of the Detection tooling vs attack emulations
  • Learn about the full scope of Linux Detection/Forensics techniques, tools, and the newest community research
  • Get experience with Sigma Rules/Protections Artifacts for staying stealthier and improving your defense evasion skills at scale
  • Recognize security-related enhancements in the modern Linux kernel
  • Understand current kernel components and programming interfaces used to compromise a system
  • This knowledge will change the way you look at hardening and monitoring your Linux ecosystems

Who Should Attend

Red teamers, blue teamers, and purple teamers

Key Learning Objectives / Agenda

Day 1

1. Current Linux threat landscape.

2. Purple teaming approach and Active Defense.

3. Linux MITRE ATT&CK Framework.

4. Understanding Linux EDR/Runtime Security Architecture:

○ Core functionalities and key features

○ Visibility events/indexes/data sources

○ Detection logic/rulesets

○ Analytics / Query language

○ Triage and Forensics collections

○ Deployment and Integrations

5. Hands-on Blue / DFIR components:

○ HOST:

i. Syslog, Auditd, Falco, Kunai, Jibril, Tetragon, Tracee, Sysmon4Linux, Velociraptor, OSQuery/Sunlight, Sandfly Security, Linux IR Scripts, UAC, Yara, LKRG, SELinux, and more.

○ NETWORK:

i. Zeek, Suricata, Arkime/Moloch FPC, Modsecurity

○ SIEM:

i. Elastic Security, Splunk, Wazuh

○ MEMORY:

i. Volatility3 Framework, process dumping, gdb

6. Linux Baseline Profiling vs Offensive point of view.

Day 2

7. Local / Remote Exploitation vs Detection and DFIR Artifacts.

8. C2 Frameworks / C2 shells / implants / SOCKS / Tunnelling.

9. Fileless / in-memory / BOF executions.

10. Process Injection techniques.

11. Persistence and Defense Evasion techniques.

12. User space rootkits.

13. Kernel space rootkits.

14. eBPF rootkits.

15. Creating Custom Attack Paths with ATT&CK Flow Builder and EDRmetry Linux Playbook.

Prerequisites

  • Fundamentals of how Linux Architecture works are required
  • An intermediate level of Linux command-line syntax experience
  • Basic knowledge of TCP/IP network protocols
  • Offensive Security/Penetration testing experience will be beneficial, but is not required
  • Basic programming skills are a plus, but are not essential

Requirements

Laptop → This training is based on dedicated PurpleLABS virtual infrastructure, so there are no special student desktop requirements. No more initial setup issues, just a pure training experience.

Every student will gain full access to the PurpleLabs Cyber Range environment for 30 days post-training.

Session Details

Date & Time
April 27, 2026 9:00 AM
Duration
16 hours
Format
in-person
Level
intermediate
Price
...