awesome-linux-attack-forensics-purplelabs
This page is a result of the ongoing hands-on research around advanced Linux attacks, detection and forensics techniques and tools.
Because I have been practicing the red vs. blue approach for years, the material below gives you a sense of the number of projects, techniques and tactics in scope for Linux/Kubernetes offense, detection and DFIR.
I have tested all of these offensive techniques and tools myself (including source code analysis), detected them at different layers (host/network) and mapped them to small hands-on lab scenarios that became part of the PurpleLabs Playground (https://edu.defensive-security.com/)
If you are looking for a complete workshop/training program, the links below are the core of the unique "Linux Attack and Live Forensics At Scale" (https://edu.defensive-security.com/linux-attack-live-forensics-at-scale) training program. This is the first step toward a dynamic workshop program built as a framework, in which you can play Linux attacker, detection engineer and forensicator at once using a full set of custom TTPs. The approach also allows for the creation of custom attack paths, detection engineering and incident response steps, including live forensics.
Purple teaming for life!
Open Source SOC / IR
https://github.com/Cyb3rWard0g/HELK
https://github.com/Graylog2/graylog2-server
https://github.com/Velocidex/velociraptor
https://docs.velociraptor.app/exchange/
https://github.com/wazuh/wazuh
https://github.com/robcowart/elastiflow
https://github.com/arkime/arkime
https://github.com/osquery/osquery
https://github.com/TheHive-Project/TheHive
https://github.com/TheHive-Project/Cortex
https://github.com/Shuffle/Shuffle
https://github.com/dfir-iris/iris-web
https://github.com/OISF/suricata
https://github.com/SecurityRiskAdvisors/VECTR
https://github.com/archanchoudhury/SOC-OpenSource
Linux & Kubernetes Detection / Forensics
https://github.com/sandflysecurity
https://github.com/lkrg-org/lkrg
https://github.com/Sysinternals/SysmonForLinux
https://github.com/volatilityfoundation/volatility
https://github.com/volatilityfoundation/community3
https://github.com/k1nd0ne/VolWeb
https://github.com/pathtofile/bpf-hookdetect
https://github.com/Exein-io/pulsar
https://github.com/ntop/libebpfflow
https://github.com/ehids/ehids-agent
https://github.com/falcosecurity/falco
https://github.com/aquasecurity/tracee
https://github.com/draios/sysdig
https://github.com/cilium/tetragon
https://github.com/gamemann/XDP-Firewall
https://github.com/linuxthor/rkbreaker
https://github.com/therealdreg/lsrootkit
https://github.com/linuxthor/rkspotter
https://github.com/kkamagui/shadow-box-for-x86
https://github.com/octarinesec/kube-scan
Linux Kernel Space rootkits
https://github.com/lukasbalazik123/1337kit
https://github.com/f0rb1dd3n/Reptile
https://github.com/carloslack/KoviD
https://github.com/vkobel/linux-syscall-hook-rootkit
https://github.com/h3xduck/TripleCross
https://github.com/amir9339/ebpf_maps_hooking
https://github.com/milabs/kopycat
https://github.com/m0nad/Diamorphine
https://github.com/stdhu/kernel-inline-hook
https://github.com/ilammy/ftrace-hook
https://github.com/WeiJiLab/kernel-hook-framework
https://github.com/C24IO/Netfilter-Hooks-Simple.git
https://github.com/shubham0d/Immutable-file-linux
https://github.com/therealdreg/enyelkm
https://github.com/elfmaster/kprobe_rootkit
https://github.com/En14c/LilyOfTheValley
https://github.com/QuokkaLight/rkduck
https://github.com/a7vinx/liinux
https://github.com/mgrube/DragonKing
https://github.com/aidielse/Rootkits-Playground
https://github.com/cccssw/JynKbeast
https://github.com/hanj4096/wukong
https://github.com/mponcet/subversive
https://github.com/h3xduck/Umbra
https://github.com/ruckuus/kernel-abuse/tree/master/kbeast
https://github.com/CDuPlooy/Rootkit
https://github.com/jussihi/SMM-Rootkit
https://github.com/nnedkov/swiss_army_rootkit
https://github.com/spiderpig1297/kprochide
https://github.com/pathtofile/bad-bpf
https://github.com/cloudflare/ebpf_exporter
https://github.com/DavadDi/bpf_study
https://github.com/Esonhugh/sshd_backdoor
https://github.com/vrasneur/randkit
https://github.com/ricardomaraschini/ebpf-signals
https://github.com/bones-codes/the_colonel
https://github.com/PinkP4nther/Sutekh
https://github.com/spiderpig1297/kfile-over-icmp
https://github.com/dave4422/linux_rootkit
https://github.com/nurupo/rootkit
https://github.com/Nadharm/CoVirt
https://github.com/3intermute/loonix_syscall_hook
https://github.com/alfonmga/hiding-cryptominers-linux-rootkit
https://github.com/loneicewolf/linux-rootkits
https://github.com/yasindce1998/KubeDagger
https://github.com/loneicewolf/EXEC_LKM
https://github.com/deurzen/linux-rootkit
https://github.com/roggenbrot42/rkptum2013
https://github.com/DanielAvinoam/TheSubZeroProject
https://github.com/jermeyyy/rooty
https://github.com/NoviceLive/research-rootkit
https://github.com/aesophor/satan
https://github.com/Pratik32/linux_rkit
https://github.com/AlirezaChegini/kernel-based-keylogger-for-Linux
https://github.com/jordan9001/superhide
https://github.com/nccgroup/ebpf/tree/master/conjob
https://github.com/FlamingSpork/iptable_evil
https://github.com/ilee38/root-of-all-evil
https://github.com/milabs/lkrg-bypass
Linux User Space rootkits / injectors
https://github.com/ldpreload/Medusa
https://github.com/arget13/DDexec
https://github.com/mav8557/Father
https://github.com/yasukata/zpoline
https://github.com/dsnezhkov/zombieant
https://github.com/ulexec/SHELF-Loading
https://github.com/chokepoint/Jynx2
https://github.com/unix-thrust/beurk
https://github.com/cloudsec/brootkit
https://github.com/trimpsyw/adore-ng
https://github.com/rvillordo/libpreload
https://github.com/r00tkillah/HORSEPILL
https://github.com/elfmaster/skeksi_virus
https://github.com/elfmaster/linker_preloading_virus
https://github.com/nopn0p/rkorova
https://github.com/amir9339/Tcpdump-evasion
https://github.com/Paradoxis/PHP-Backdoor
https://github.com/ixty/mandibule
https://github.com/DavidBuchanan314/dlinject
https://github.com/guitmz/memrun
Linux C2 / Attack Emulation
https://github.com/BishopFox/sliver
https://github.com/facebookincubator/WEASEL
https://github.com/cyberark/kubesploit
https://github.com/controlplaneio/simulator
https://github.com/iagox86/dnscat2
https://github.com/rapid7/metasploit-framework
Books / PDFS / DOCS
https://dl.acm.org/doi/fullHtml/10.1145/3545948.3545980 - Katana: Robust, Automated, Binary-Only Forensic Analysis of Linux Memory Snapshots
https://www.crysys.hu/publications/files/setit/thesis_bme_Nemeth20bsc.pdf - Detection of persistent rootkit components on embedded IoT devices
https://raw.githubusercontent.com/h3xduck/TripleCross/master/docs/ebpf_offensive_rootkit_tfg.pdf - An analysis of offensive capabilities of eBPF and implementation of a rootkit
https://github.com/NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit/blob/master/osom.pdf - Out-of-Sight-Out-of-Mind-Rootkit
https://pentera.io/blog/the-good-bad-and-compromisable-aspects-of-linux-ebpf/
https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
https://vblocalhost.com/uploads/VB2021-Mechtinger-Kennedy.pdf
https://www.vanbastelaer.com/publication/sabpf/sabpf.pdf
https://cormander.com/wp-content/uploads/2017/04/Distribution-Kernel-Security-Hardening.pdf
https://isovalent.com/data/isovalent_security_observability.pdf
https://cs.brown.edu/~vpk/papers/ret2dir.sec14.pdf
https://www.iij.ad.jp/en/dev/iir/pdf/iir_vol45_focus_EN.pdf
https://www.brendangregg.com/Slides/BSidesSF2017_BPF_security_monitoring.pdf
https://apps.dtic.mil/sti/pdfs/AD1004190.pdf
http://jultika.oulu.fi/files/nbnfioulu-202004201485.pdf
https://xgao-work.github.io/paper/dsn2021.pdf
http://www.people.vcu.edu/~iahmed3/publications/lncs-wisa-2017.pdf
https://www.crysys.hu/publications/files/setit/thesis_bme_Nagy21msc.pdf
https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container_whitepaper.pdf