ATT&CK Framework mapping
By default, all lab scenarios have been categorized by Tactic:
- Initial Access (TA0001)
- Execution (TA0002)
- Persistence (TA0003)
- Privilege Escalation (TA0004)
- Defense Evasion (TA0005)
- Credential Access (TA0006)
- Discovery (TA0007)
- Lateral Movement (TA0008)
- Collection (TA0009)
- Command and Control (TA0011)
- Exfiltration (TA0010)
- Impact (TA0040)
- Breach and Attack Simulations
- Forensics
Linux Red vs Blue Hands-On Labs Index
v4.6.2024
The always-updated LABS index is available here: https://edu.defensive-security.com/linux-attack-live-forensics-at-scale
- LOLBins / one-liners for bind & reverse shells, download/upload, file compression tricks
- [US] Rootkits: Shared Library Injection
- [US] Rootkits: Oh my Father!
- [US] Rootkits: Sneaky Bedevil
- [US] Rootkits: Socket Command Injection
- [US] ELF injection with ptrace()
- [US] ELF injection without ptrace()
- [US] Proxy execution with DDexec
- [US] In-memory execution with memrun
- [US] memfd_vs_no_exec
- [US] Fileless Scripting Execution
- [US] Rootkits: Dynamic Linker Preloading
- [US] Rootkits: Zombie Ant Farm Pypreloader #1
- [US] MSF Shellcode from bash
- [US] Rootkits: sshd injection
- [US] Rootkits: sshd dummy cipher suite
- [US] PAM-based Rootkits #1
- [US] PAM-based Rootkits #2
- [US] PAM-based Rootkits #3
- [US] Yum/RPM Persistence
- [US] Rootkits: Apache mod_authg
- [US] Rootkits: HTTPD mod_backdoor
- [US] Webshells: SOCKS from JSP
- [US] Webshells: meterphp
- [US] Linux Process Snooping
- [KS] Rootkits: Usermode Helper on ICMP
- [KS] Rootkits: In-Memory LKM Loading
- [KS] Rootkits: Diamorphine
- [KS] Rootkits: Reptile Analysis
- [KS] Rootkits: Suterusu Analysis
- [KS] Rootkits: Reveng_rtkit Analysis
- [KS] Rootkits: Registering Char Device
- [KS] Rootkits: iptables evil bit
- [KS] Rootkits: systemtap creds() upgrade
- [KS] Rootkits: Netfilter hooking #1
- [KS] Rootkits: xt_conntrack.ko Infection
- [KS] Rootkits: Ftrace Hooking #1
- [KS] Rootkits: bad-bpf trip
- [KS] Rootkits: eBPF hooking / TripleCross
- [KS] Rootkits: eBPF SSL/TLS text capturing
- [KS] Rootkits: eBPF Raw Tracepoint Interception
- [KS] Rootkits: eBPF PAM creds stealing
- [KS] Rootkits: eBPF KoviD Analysis
- [KS] Rootkits: eBPF Boopkit Analysis
- [KS] Rootkits: eBPF Hiding with nysm
- [KS] Rootkits: eBPF bpfdoor
- [KS] Rootkits: ebpfkit Analysis
- [KS/US] Backdooring Initramfs
- [ELF] Kiteshield Anti Forensics
- [KS] Randomized Faulter
- [KS] Rootkits: XDP-UDP-Backdoor
- Host/Syslog
- Host/Auditd
- Host/Falco Runtime Security
- Host/Tracee Syscall Tracing
- Host/Sysdig Syscall Tracing
- Host/Sysmon4Linux
- Host/Velociraptor
- Host/Kolide osquery
- Host/FleetDM osquery
- Host/Sandfly
- Host/Wazuh
- Host/Sunlight
- Host/Sunlight IR_Executor
- Host/CatScale
- Host/UAC
- Host/varc
- Host/rkhunter & chkrootkit
- Host/YARA Scanning
- Host/Capa
- Host/LKRG
- Host/SELinux
- Host/ClamAV
- Host/Entropyscan vs ELFCrypt
- Host/BPFMon
- Host/Kunai
- Network/Zeek
- Network/Suricata
- Network/Arkime Full Packet Capture
- Network/Forward Proxy Squid SSL Decryption
- Network/WAF ModSecurity
- Network/RITA
- Network/Elastiflow
- SIEM/Elastic Security
- SIEM/Splunk
- SIEM/Graylog
- SIEM/Wazuh