
You need to know more than just a little about Linux #1 - Red Team perspective

- By Leszek Miś

"You need to know more than just a little about Linux" is a series of three short posts that frame the need for Linux security skills as a set of questions, asked from the perspective of three main specializations: Red Team, Blue Team, and SecOps. Together they give a full picture of the hands-on skills and experience you can gain with PurpleLabs.

Every red teamer/pentester needs to know more than just a little about Linux, so if you have always wanted to know, for example:

  • why and how to use /dev/shm or memfd_create() offensively, e.g. for fileless execution? 
  • how to hook libc functions?
  • what is the kernel symbol table?
  • how to offensively use Ftrace, Kprobes, and other modern kernel tracing features?
  • how to inject a shared object into a running process? 
  • what is the syscall table and how to hook it?
  • how to run an SSH keylogger?
  • how to create and install a hidden LKM (loadable kernel module)?
  • how to install persistence stealthily?
  • how to hide or modify data?
  • why chaining language runtimes on the target, e.g. bash -> python -> lua -> implant, can help with defense evasion and bypassing EDR?
  • how to trigger a userspace exec from kernel space with eBPF when a magic packet that the firewall allows arrives?
  • how to use Sliver/MSF Linux implants, mTLS, WireGuard, and DNS tunneling?
  • how to emulate security events that trigger Linux Sigma rules, detection rules, or protection artifacts (and how to perform the same actions without triggering them)?

then you've come to the right place. Level up your skills with PurpleLabs!

Join the PurpleLabs Linux Attack and Live Forensic course for real purple-teaming experience that will greatly expand your general Linux knowledge and hands-on cyber security skills.