
Linux Persistence, Simulation and Detection

2-day in-person

This intensive two-day training is designed for security professionals looking to deepen their expertise in Linux persistence techniques, adversary simulation, and detection strategies. The training will cover setting up a secure and controlled environment to simulate and analyze Linux persistence mechanisms, using tools like PANIX for attack simulation, and leveraging the Elastic Stack for event collection and detection. Attendees will explore multiple MITRE ATT&CK techniques used by adversaries and gain hands-on experience in detecting and mitigating persistence threats.


Participants will engage in practical exercises analyzing Linux persistence methods and applying detection engineering methodologies. The training integrates basic forensic methodologies throughout to ensure participants gain a well-rounded understanding of detection and mitigation.

Course Overview


Day 1: Linux Persistence Techniques and Simulations

Morning:


  • Introduction to the course and objectives – A brief overview of the training structure, expectations, and goals, setting the stage for hands-on learning. 

  • Virtual Machine & Elastic Stack Setup – Participants will configure their Linux and Elastic environments. 

  • User Management and Backdoors – Exploring Linux user creation methods, manipulating /etc/passwd and /etc/shadow, and adding stealthy backdoor accounts. 

  • Scheduled Task Persistence (At, Cron & Systemd) – Analyzing adversarial abuse of task schedulers, configuring cron jobs, systemd timers, and at jobs. 

  • Init.d & rc.local Persistence – Understanding older persistence methods, modifying initialization scripts, and executing scripts at startup. 

  • SSH Key Persistence – Examining public key authentication, injecting SSH keys, and leveraging authorized keys. 

  • Shell Profiles and Auto-execution Mechanisms – Investigating persistence through shell configuration files and the XDG autostart mechanism.


Afternoon:


  • Introduction to PANIX with Live Demonstration – A hands-on walkthrough of PANIX, an adversary simulation tool for persistence techniques.

  • Working with PANIX – Creating users, configuring sudoers, and running cron jobs for persistence, plus an introduction to osquery for endpoint visibility.

  • Message of the Day (MOTD) Backdoors – Exploiting dynamic login scripts to execute commands upon user login. 

  • Systemd Generators & System User Persistence – Deploying Systemd generators for persistence and backdooring hidden system users. 

  • Malicious Containers, Capabilities & SUID – Leveraging container technologies for persistence, abusing capabilities, and exploiting SUID binaries. 

  • Malicious Package Deployment – Modifying package managers to introduce persistence and creating rogue DEB/RPM packages. 

  • Git Persistence – Hiding payloads in Git hooks/pagers and utilizing repositories as an unexpected persistence vector. 

  • Web Shell Exploitation & Bind/Reverse Shells – Exploiting web-facing applications to maintain access, setting up bind and reverse shells. 



Day 2: Advanced Linux Persistence Techniques and Simulations

Morning:


  • Dynamic Linker Hijacking through LD_PRELOAD (userspace rootkits) – Manipulating shared library loading mechanisms for persistence, and simulating attack behavior and detection strategies. 

  • Loadable Kernel Modules (LKMs) (kernel space rootkits) – Understanding the fundamentals of kernel-level persistence and its forensic implications, and simulating attack behavior and detection strategies.


Afternoon:


  • PAM Module Backdoors – Injecting custom PAM modules for authentication-based persistence. 

  • GRUB Bootloader Manipulation – Modifying boot parameters to introduce persistence.

  • InitramFS Persistence – Deploying persistence within early bootloader stages using Dracut and manual configurations. 

  • D-Bus Persistence – Leveraging interprocess communication mechanisms for persistence. 

  • Polkit Persistence – Manipulating Polkit policies to maintain root user access.

  • NetworkManager Dispatcher Scripts – Gaining persistence through dispatcher configurations and abusing network settings. 

  • Final Q&A and Takeaways – Reviewing key topics, discussing detection best practices, providing additional learning resources, and finishing off with Q&A.


What Makes This Training Unique? 

This isn't just another Linux security course—it’s a hands-on deep dive into real-world Linux persistence, taught by security researchers who don’t just study threats but actively build tools to detect and understand them. 

  • Led by Experts in the Field – This training is conducted by two Linux security research engineers, both with published work on Linux persistence and real-world experience in adversary simulation and detection engineering. 

  • Built on Real-World Research – One of the instructors is the author of PANIX, a dedicated Linux persistence framework used to study and simulate advanced persistence techniques. 

  • Comprehensive Skill Development – You’ll gain expertise in persistence analysis, forensic investigation, and SIEM-based detection, equipping you with both offensive and defensive perspectives. 

  • Hands-On Adversary Simulation & Threat Hunting – Learn practical detection engineering using Elastic Stack, ensuring you can apply these techniques in real-world security operations. 



Target Audience


This course is essential for security analysts, researchers, SOC teams, and incident responders aiming to enhance their ability to detect, analyze, and mitigate advanced Linux threats.

Pre-requisites


Laptop Requirements:


  • Must support running two (2) virtual machines simultaneously.

  • Each VM should be allocated 2 CPU cores and 2GB of RAM.

  • Minimum of 75GB free storage available.

  • Administrative privileges required for virtualization setup.


Virtualization Software:


  • Windows: VMware Workstation

  • macOS (Intel & ARM): VMware Fusion


Knowledge Requirements:

  • Linux command line basics

  • Linux OS fundamentals (useful, but not strictly necessary)

Trainer Bio


Remco Sprooten is a Principal Security Researcher at Elastic's Security Labs, specializing in reversing and analyzing malware, particularly in the Linux domain. With a rich background as a forensic investigator for the Dutch Police, he brings a unique blend of law enforcement and cybersecurity expertise. At Elastic, Remco focuses on dissecting malware families, contributing to the development of innovative security strategies. His work is integral in understanding and mitigating emerging cyber threats, leveraging his extensive experience in digital forensics and threat analysis.

Twitter (X): @rsprooten

LinkedIn: linkedin.com/in/remco-sprooten/

Ruben Groenewoud is a Senior Security Research Engineer at Elastic Security Labs, specializing in Linux threat detection, SIEM, malware analysis, and YARA rule development. With a background in SOC operations, penetration testing, and machine learning for cybersecurity, he has published research across malware analysis, detection engineering, and Linux security. He is also the creator of PANIX, a framework dedicated to simulating and understanding Linux persistence techniques.

Twitter (X): @RFGroenewoud

LinkedIn: linkedin.com/in/ruben-groenewoud/

Blog: rgrosec.com
