Linux Forensics Inspection and Incident Response at scale

Course Description

Attackers constantly find new ways to attack and infect Linux boxes using more and more sophisticated techniques and tools. As defenders, we need to stay up to date with
adversaries, understand their TTPs and be able to respond quickly. The combination of low-level network and endpoint visibility is crucial to achieving that goal. For DFIR needs
we could go even further with proactive forensics inspections. This training will guide you through different attack-detection-inspection-response use-cases and teach critical
aspects of how to handle Linux incidents properly.

Through the hands-on labs, you will gain a perfect understanding of important DFIR Linux/Network internals and investigation steps needed to get the full picture of post-exploitation activities and artifacts left behind. At scale. 

Key Learning Objectives:

  • Get to know the newest Linux attack paths and hiding techniques vs proactive detection
  • Learn current trends, techniques, and offensive tools for Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution, Credential Access against Linux machines ← Linux Matrix ATT&CK Framework
  • Learn ways to improve detection and sharpen your event correlation skills across many different Linux/network data sources
  • Get to know visibility/detection methods and capabilities of well-recognized Hunting and Detection tools including Velociraptor, HELK+Linux Sigma, Splunk, Elastiflow, Moloch/Arkime, Kolide Fleet, Wazuh, Graylog, theHive, Sandfly
  • Find the malicious Linux activities and identify threat details on the network
  • Prepare your SOC team to quickly filter out Linux network noise and allow for better incident response handling
  • Find out how Detection / DFIR Open Source Software can support your SOC infrastructure
  • Understand the value of proactive Linux forensics scans vs manual and automated approaches to simulate attackers and generate anomalies
  • Identify Linux blind spots in your network security posture

Course contents

  • Introduction to PurpleLabs Hunting and Detection tools including Velociraptor, Wazuh, HELK+Sigma, Splunk, Elastiflow, Moloch/Arkime, Kolide Fleet, Graylog,
    theHive, Sandfly, and more
  • Linux profile baselining
  • How to run DFIR tasks at scale across many Linux endpoints
  • Recent Linux APT analysis
  • RE&CT Enterprise Matrix
  • The importance of timeline analysis and NTP synchronization
  • Triage / collecting artifacts
  • Privileged user and group enumeration
  • Identification of logged accounts
  • Searching for files at scale
  • Establishing a baseline for different OS components (cron, at, rc.local, ACLs, sts, resolv.conf, SELinux, filesystem hashing, packages and checksums)
  • Process call chains / pstree / process arguments
  • Collecting and analyzing important process data (/proc)
  • Finding hidden processes, network connections, and kernel modules
  • Detecting capabilities in ELF, shellcode files
  • Detecting loaded shared libraries per process
  • Dropping web shells vs File Integrity Monitoring
  • Hunting for packers, extracting binary versions and exports
  • Searching for exploitation attempts in logs
  • Hunting for Linux rootkits (user space / kernel space)
  • Hunting for artifacts of process injection techniques
  • Sysmon Events + Linux Sigma detection rules
  • Runtime Security Analysis (Falco, Tracee) for host and docker containers
  • Syscall filtering
  • Open source ways for memory acquisition and memory forensics
  • Creating Volatility profiles
  • Filesystem and Linux process memory Yara scans
  • Linux Endpoint data correlation and hunting for suspicious network events
  • Network visibility with/without signature rules
  • Searching for different persistence methods in use
  • Data correlation and hunting for suspicious network events + RITA
  • Direct interaction with the endpoint: command execution on demand, system modification, and active quarantine examples
  • Hunts enrichment
  • Using theHive for IR management

Why should you take this course?

This course takes an “attack vs detection” approach in a condensed format. This allows a gradual escalation of the level of knowledge in the scope of Linux internals and red/blue/purple teaming for both experienced specialists and beginners, while keeping the tasks attractive and enjoyable to perform:

  • Realistic 100% pure lab-oriented offensive and defensive security use cases.
  • Minimum theory, maximum hands-on with a high level of expertise
  • A lot of accumulated knowledge in one place with a focus on high priority elements
  • Direct use of the acquired knowledge in real environments

This class is intended for students who have a basic understanding of Linux and have to deal with advanced threats. Furthermore, the course is also interesting for experienced
DFIR/SOC/CERT players who aim to dig deeper into the understanding of Linux internals and corresponding network attack analysis techniques, detection and response.

What students say about this training

“The content of in and out was great. Lots of gained knowledge and hands-on!”

“Great course! A truly huge number of topics and tools covered”

“Leszek was a really good trainer, he covered a lot of material, and had a very good personality.”

“Leszek Miś is very knowledgeable in the topics covered in the course. He also shares real-life scenarios which were useful for participants to better understand the application of the material presented. The Content was very good, it covers many leading open-source projects which I find useful. I would recommend this course to my colleagues.”

Prerequisite Knowledge

  • An intermediate level of command-line syntax experience using Linux
  • Fundamental knowledge of TCP/IP network protocols
  • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required
  • Basic programming skills are a plus, but not essential

Hardware / Software Requirements

This training is based on dedicated PurpleLABS virtual infrastructure, so there are no special student desktop requirements. No more initial setup issues, just a pure training experience. Every student will gain full access to the PurpleLabs environment for 30 days after the training.

  • VPN client installed according to VPN Setup instructions or just a browser
  • Slack account, as an invite to a dedicated training channel will be sent
  • Stable internet connection

Trainer Biography

Leszek Miś is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 16 years of experience in the Cyber Security and Open Source Security Solutions market. He went through the full path of infosec career positions: from OSS researcher, Linux administrator, system developer and DevOps, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European and global market, to finally become an IT Security Architect / SOC Security Analyst with a deep non-vendor focus on Network Security attack and detection. He has deep knowledge about finding blind spots and security gaps in corporate environments. He understands the technology and business value of delivering a structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON 2017/2018, Black Hat USA 2019, OWASP Appsec US 2018, FloCon USA 2018, Hack In The Box Dubai / Amsterdam / Singapore / Abu Dhabi 2018/2019/2020, 44CON UK 2019, Confidence PL, PLNOG, Open Source Day PL, Secure PL, Advanced Threat Summit PL

Member of OWASP Poland Chapter.

Author of many IT Security trainings:

  • Open Source Defensive Security → The Trinity of Tactics for Defenders
  • In & Out → Network Exfiltration and Post-Exploitation Techniques [RED EDITION]
  • In & Out → Detection of Network Exfiltration and Post-Exploitation Techniques [BLUE EDITION]
  • System Internals – Network, OS and Memory Forensics
  • SELinux → Development & Administration of Mandatory Access Control Policy
  • Advanced RHEL/CentOS Defensive Security & Hardening
  • ModSecurity → Development and Management of Web Application Firewall rules
  • FreeIPA → Identity Management for Linux Domain Environments & Trusts

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. He constantly tries to figure out what the AI/ML Network Security vendors try to sell. In his free time he likes to break into the “IoT world” just for fun. Still learning hard every single day.
