cr0nx/awesome-linux-attack-forensics-purplelabs

This page is a result of the ongoing hands-on research around advanced Linux attacks, detection and forensics techniques and tools.

Because I have been practicing the red vs. blue approach for years, the material below will show you the scale of the number of projects, techniques and tactics in scope for Linux/Kubernetes offense, detection and DFIR.

All of these offensive techniques and tools have been tested by myself (including source code analysis), detected at different layers (host/network) and mapped to small hands-on lab scenarios, finally becoming part of the PurpleLabs Playground (https://edu.defensive-security.com/).

If you are looking for a complete workshop/training program, the links below are the core of the unique "Linux Attack and Live Forensics At Scale" (https://edu.defensive-security.com/linux-attack-live-forensics-at-scale) training program. This is the first step toward creating a dynamic workshop program as a framework, where you can play as Linux attacker, detection engineer and Forensicator at once using a full set of custom TTPs! The approach also allows for the creation of custom attack paths, detection engineering and incident response steps, including live forensics.

Purple teaming for life!

Open Source SOC / IR

https://github.com/Cyb3rWard0g/HELK

https://github.com/Graylog2/graylog2-server

https://github.com/Velocidex/velociraptor

https://docs.velociraptor.app/exchange/

https://github.com/wazuh/wazuh

https://github.com/robcowart/elastiflow

https://github.com/arkime/arkime

https://github.com/osquery/osquery

https://github.com/TheHive-Project/TheHive

https://github.com/TheHive-Project/Cortex

https://github.com/Shuffle/Shuffle

https://github.com/dfir-iris/iris-web

https://github.com/MISP/MISP

https://jupyter.org/

https://github.com/OISF/suricata

https://github.com/zeek/zeek

https://github.com/SecurityRiskAdvisors/VECTR

https://github.com/archanchoudhury/SOC-OpenSource

Linux & Kubernetes Detection / Forensics

https://github.com/sandflysecurity

https://github.com/lkrg-org/lkrg

https://github.com/Sysinternals/SysmonForLinux

https://github.com/volatilityfoundation/volatility

https://github.com/volatilityfoundation/community3

https://github.com/k1nd0ne/VolWeb

https://github.com/pathtofile/bpf-hookdetect

https://github.com/Exein-io/pulsar

https://github.com/ntop/libebpfflow

https://github.com/ehids/ehids-agent

https://github.com/falcosecurity/falco

https://github.com/aquasecurity/tracee

https://github.com/draios/sysdig

https://github.com/cilium/tetragon

https://github.com/gamemann/XDP-Firewall

https://github.com/linuxthor/rkbreaker

https://github.com/therealdreg/lsrootkit

https://github.com/linuxthor/rkspotter

https://github.com/kkamagui/shadow-box-for-x86

http://www.chkrootkit.org/

https://github.com/octarinesec/kube-scan

Linux Kernel Space rootkits

https://github.com/lukasbalazik123/1337kit

https://github.com/f0rb1dd3n/Reptile

https://github.com/carloslack/KoviD

https://github.com/vkobel/linux-syscall-hook-rootkit

https://github.com/h3xduck/TripleCross

https://github.com/amir9339/ebpf_maps_hooking

https://github.com/milabs/kopycat

https://github.com/m0nad/Diamorphine

https://github.com/stdhu/kernel-inline-hook

https://github.com/ilammy/ftrace-hook

https://github.com/WeiJiLab/kernel-hook-framework

https://github.com/C24IO/Netfilter-Hooks-Simple.git

https://github.com/shubham0d/Immutable-file-linux

https://github.com/therealdreg/enyelkm

https://github.com/elfmaster/kprobe_rootkit

https://github.com/En14c/LilyOfTheValley

https://github.com/QuokkaLight/rkduck

https://github.com/a7vinx/liinux

https://github.com/mgrube/DragonKing

https://github.com/aidielse/Rootkits-Playground

https://github.com/cccssw/JynKbeast

https://github.com/hanj4096/wukong

https://github.com/mponcet/subversive

https://github.com/h3xduck/Umbra

https://github.com/ruckuus/kernel-abuse/tree/master/kbeast

https://github.com/CDuPlooy/Rootkit

https://github.com/jussihi/SMM-Rootkit

https://github.com/nnedkov/swiss_army_rootkit

https://github.com/spiderpig1297/kprochide

https://github.com/pathtofile/bad-bpf

https://github.com/cloudflare/ebpf_exporter

https://github.com/DavadDi/bpf_study

https://github.com/Esonhugh/sshd_backdoor

https://github.com/vrasneur/randkit

https://github.com/ricardomaraschini/ebpf-signals

https://github.com/bones-codes/the_colonel

https://github.com/PinkP4nther/Sutekh

https://github.com/spiderpig1297/kfile-over-icmp

https://github.com/dave4422/linux_rootkit

https://github.com/nurupo/rootkit

https://github.com/Nadharm/CoVirt

https://github.com/3intermute/loonix_syscall_hook

https://github.com/alfonmga/hiding-cryptominers-linux-rootkit

https://github.com/loneicewolf/linux-rootkits

https://github.com/yasindce1998/KubeDagger

https://github.com/loneicewolf/EXEC_LKM

https://github.com/deurzen/linux-rootkit

https://github.com/roggenbrot42/rkptum2013

https://github.com/DanielAvinoam/TheSubZeroProject

https://github.com/jermeyyy/rooty

https://github.com/NoviceLive/research-rootkit

https://github.com/aesophor/satan

https://github.com/Pratik32/linux_rkit

https://github.com/AlirezaChegini/kernel-based-keylogger-for-Linux

https://github.com/jordan9001/superhide

https://github.com/nccgroup/ebpf/tree/master/conjob

https://github.com/FlamingSpork/iptable_evil

https://github.com/ilee38/root-of-all-evil

https://github.com/milabs/lkrg-bypass

Linux User Space rootkits / injectors

https://github.com/ldpreload/Medusa

https://github.com/arget13/DDexec

https://github.com/mav8557/Father

https://github.com/yasukata/zpoline

https://github.com/dsnezhkov/zombieant

https://github.com/ulexec/SHELF-Loading

https://github.com/chokepoint/Jynx2

https://github.com/unix-thrust/beurk

https://github.com/cloudsec/brootkit

https://github.com/trimpsyw/adore-ng

https://github.com/rvillordo/libpreload

https://github.com/r00tkillah/HORSEPILL

https://github.com/elfmaster/skeksi_virus

https://github.com/elfmaster/linker_preloading_virus

https://github.com/nopn0p/rkorova

https://github.com/amir9339/Tcpdump-evasion

https://github.com/Paradoxis/PHP-Backdoor

https://github.com/ixty/mandibule

https://github.com/DavidBuchanan314/dlinject

https://github.com/guitmz/memrun

Linux C2 / Attack Emulation

https://github.com/BishopFox/sliver

https://github.com/facebookincubator/WEASEL

https://github.com/cyberark/kubesploit

https://github.com/controlplaneio/simulator

https://github.com/iagox86/dnscat2

https://github.com/rapid7/metasploit-framework

Books / PDFs / Docs

https://dl.acm.org/doi/fullHtml/10.1145/3545948.3545980 - Katana: Robust, Automated, Binary-Only Forensic Analysis of Linux Memory Snapshots

https://www.crysys.hu/publications/files/setit/thesis_bme_Nemeth20bsc.pdf - Detection of persistent rootkit components on embedded IoT devices

https://raw.githubusercontent.com/h3xduck/TripleCross/master/docs/ebpf_offensive_rootkit_tfg.pdf - An analysis of offensive capabilities of eBPF and implementation of a rootkit

https://github.com/NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit/blob/master/osom.pdf - Out-of-Sight-Out-of-Mind-Rootkit

https://pentera.io/blog/the-good-bad-and-compromisable-aspects-of-linux-ebpf/

https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

https://vblocalhost.com/uploads/VB2021-Mechtinger-Kennedy.pdf

https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Fixing-A-Memory-Forensics-Blind-Spot-Linux-Kernel-Tracing-wp.pdf

https://i.blackhat.com/USA-20/Wednesday/us-20-Livelli-Decade-Of-The-RATs-Custom-Chinese-Linux-Rootkits-For-Everyone.pdf

https://www.vanbastelaer.com/publication/sabpf/sabpf.pdf

https://cormander.com/wp-content/uploads/2017/04/Distribution-Kernel-Security-Hardening.pdf

https://bibis.ir/science-books/information-technology/security/2022/Security-Observability-with-eBPF-by-Jed-Salazar_bibis.ir.pdf

https://isovalent.com/data/isovalent_security_observability.pdf

https://cs.brown.edu/~vpk/papers/ret2dir.sec14.pdf

https://www.iij.ad.jp/en/dev/iir/pdf/iir_vol45_focus_EN.pdf

https://www.brendangregg.com/Slides/BSidesSF2017_BPF_security_monitoring.pdf

https://apps.dtic.mil/sti/pdfs/AD1004190.pdf

http://jultika.oulu.fi/files/nbnfioulu-202004201485.pdf

https://i.blackhat.com/USA-22/Wednesday/US-22-Case-New-Memory-Forensics-Techniques-to-Defeat-Device-Monitoring-Malware-wp.pdf

https://i.blackhat.com/USA-22/Wednesday/US-22-Case-New-Memory-Forensics-Techniques-to-Defeat-Device-Monitoring-Malware.pdf

https://xgao-work.github.io/paper/dsn2021.pdf

http://www.people.vcu.edu/~iahmed3/publications/lncs-wisa-2017.pdf

https://www.crysys.hu/publications/files/setit/thesis_bme_Nagy21msc.pdf

https://www.osdfcon.org/presentations/2019/Ali-Hadi_Performing-Linux-Forensic-Analysis-and-Why-You-Should-Care.pdf

https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container_whitepaper.pdf

https://i.blackhat.com/USA-19/Thursday/us-19-Snezhkov-Zombie-Ant-Farming-Practical-Tips-For-Playing-Hide-And-Seek-With-Linux-EDRs.pdf
