ATT&CK Framework mapping

By default, all lab scenarios have been categorized by Tactic:

  • Initial Access (TA0001)
  • Execution (TA0002)
  • Persistence (TA0003)
  • Privilege Escalation (TA0004)
  • Defense Evasion (TA0005)
  • Credential Access (TA0006)
  • Discovery (TA0007)
  • Lateral Movement (TA0008)
  • Collection (TA0009)
  • Command and Control (TA0011)
  • Exfiltration (TA0010)
  • Impact (TA0040)
  • Breach and Attack Simulations
  • Forensics

Linux Red vs Blue Hands-On Labs Index
v4.6.2024

The always-updated LABS index is available here: https://edu.defensive-security.com/linux-attack-live-forensics-at-scale

  • LOLbins / one-liners for bind & reverse shells, download/upload, file compression tricks
  • [US] Rootkits: Shared Library Injection
  • [US] Rootkits: Oh my Father!
  • [US] Rootkits: Sneaky Bedevil
  • [US] Rootkits: Socket Command Injection
  • [US] ELF injection with ptrace()
  • [US] ELF injection without ptrace()
  • [US] Proxy execution with DDexec
  • [US] In-memory execution with memrun
  • [US] memfd_vs_no_exec
  • [US] Fileless Scripting Execution
  • [US] Rootkits: Dynamic Linker Preloading
  • [US] Rootkits: Zombie Ant Farm Pypreloader #1
  • [US] MSF Shellcode from bash
  • [US] Rootkits: sshd injection
  • [US] Rootkits: sshd dummy cipher suite
  • [US] PAM-based Rootkits #1
  • [US] PAM-based Rootkits #2
  • [US] PAM-based Rootkits #3
  • [US] Yum/RPM Persistence
  • [US] Rootkits: Apache mod_authg
  • [US] Rootkits: HTTPD mod_backdoor
  • [US] Webshells: SOCKS from JSP
  • [US] Webshells: meterphp
  • [US] Linux Process Snooping
  • [KS] Rootkits: Usermode Helper on ICMP
  • [KS] Rootkits: In-Memory LKM Loading
  • [KS] Rootkits: Diamorphine
  • [KS] Rootkits: Reptile Analysis
  • [KS] Rootkits: Suterusu Analysis
  • [KS] Rootkits: Reveng_rtkit Analysis
  • [KS] Rootkits: Registering Char Device
  • [KS] Rootkits: iptables evil bit
  • [KS] Rootkits: systemtap creds() upgrade
  • [KS] Rootkits: Netfilter hooking #1
  • [KS] Rootkits: xt_conntrack.ko Infection
  • [KS] Rootkits: Ftrace Hooking #1
  • [KS] Rootkits: bad-bpf trip
  • [KS] Rootkits: eBPF hooking / TripleCross
  • [KS] Rootkits: eBPF SSL/TLS text capturing
  • [KS] Rootkits: eBPF Raw Tracepoint Interception
  • [KS] Rootkits: eBPF PAM creds stealing
  • [KS] Rootkits: eBPF KoviD Analysis
  • [KS] Rootkits: eBPF Boopkit Analysis
  • [KS] Rootkits: eBPF Hiding with nysm
  • [KS] Rootkits: eBPF bpfdoor
  • [KS] Rootkits: ebpfkit Analysis
  • [KS/US] Backdooring Initramfs
  • [ELF] Kiteshield Anti Forensics
  • [KS] Randomized Faulter
  • [KS] Rootkits: XDP-UDP-Backdoor
  • Host/Syslog
  • Host/Auditd
  • Host/Falco Runtime Security
  • Host/Tracee Syscall Tracing
  • Host/Sysdig Syscall tracing
  • Host/Sysmon4Linux
  • Host/Velociraptor
  • Host/Kolide OSQuery
  • Host/FleetDM OSquery
  • Host/Sandfly
  • Host/Wazuh
  • Host/Sunlight
  • Host/Sunlight IR_Executor
  • Host/CatScale
  • Host/UAC
  • Host/varc
  • Host/rkhunter & chkrootkit
  • Host/Yara Scanning
  • Host/Capa
  • Host/LKRG
  • Host/SELinux
  • Host/Clamav
  • Host/Entropyscan vs ELFCrypt
  • Host/BPFMon
  • Host/Kunai
  • Network/Zeek
  • Network/Suricata
  • Network/Arkime Full Packet Capture
  • Network/Forward Proxy Squid SSL Decryption
  • Network/WAF Modsecurity
  • Network/RITA
  • Network/Elastiflow
  • SIEM/Elastic Security
  • SIEM/Splunk
  • SIEM/Graylog
  • SIEM/Wazuh