Introduction
This page is the result of ongoing hands-on research into advanced Linux attack, detection and forensics techniques and tools.
Since I have been practising red and blue team methods for years, the material below will give you a sense of the sheer number of projects, techniques and tactics that fall within the Linux/Kubernetes offensive/detection/DFIR scope.
All of these offensive techniques and tools have been tested by me (including source-code analysis), detected across different layers (host/network) and mapped to small hands-on lab scenarios, eventually becoming part of the PurpleLabs Playground (https://edu.defective-security.com/).
If you are looking for a complete workshop/training program, the links below form the core of the unique "Linux Attack and Live Forensics at Scale" (https://edu.defective-security.com/linux-attack-live-forensics-at-scale) training program. This is the first step toward creating a dynamic workshop program as a framework, in which you can immediately play the Linux attacker, detection engineer and forensic analyst using a full set of custom TTPs! The method also allows you to build custom attack paths, detection engineering and incident response steps, including live forensics.
Open-source SOC/IR
https://github.com/Cyb3rWard0g/HELK
https://github.com/Graylog2/graylog2-server
https://github.com/Velocidex/velociraptor
https://docs.velociraptor.app/exchange/
https://github.com/wazuh/wazuh
https://github.com/robcowart/elastiflow
https://github.com/arkime/arkime
https://github.com/osquery/osquery
https://github.com/TheHive-Project/TheHive
https://github.com/TheHive-Project/Cortex
https://github.com/Shuffle/Shuffle
https://github.com/dfir-iris/iris-web
https://github.com/OISF/suricata
https://github.com/SecurityRiskAdvisors/VECTR
https://github.com/archanchoudhury/SOC-OpenSource
Linux and Kubernetes detection/forensics
https://github.com/sandflysecurity
https://github.com/lkrg-org/lkrg
https://github.com/Sysinternals/SysmonForLinux
https://github.com/volatilityfoundation/volatility
https://github.com/volatilityfoundation/community3
https://github.com/k1nd0ne/VolWeb
https://github.com/pathtofile/bpf-hookdetect
https://github.com/Exein-io/pulsar
https://github.com/ntop/libebpfflow
https://github.com/ehids/ehids-agent
https://github.com/falcosecurity/falco
https://github.com/aquasecurity/tracee
https://github.com/draios/sysdig
https://github.com/cilium/tetragon
https://github.com/gamemann/XDP-Firewall
https://github.com/linuxthor/rkbreaker
https://github.com/therealdreg/lsrootkit
https://github.com/linuxthor/rkspotter
https://github.com/kkamagui/shadow-box-for-x86
https://github.com/octarinesec/kube-scan
Linux kernel-space rootkits
https://github.com/lukasbalazik123/1337kit
https://github.com/f0rb1dd3n/Reptile
https://github.com/carloslack/KoviD
https://github.com/vkobel/linux-syscall-hook-rootkit
https://github.com/h3xduck/TripleCross
https://github.com/amir9339/ebpf_maps_hooking
https://github.com/milabs/kopycat
https://github.com/stdhu/kernel-inline-hook
https://github.com/ilammy/ftrace-hook
https://github.com/WeiJiLab/kernel-hook-framework
https://github.com/C24IO/Netfilter-Hooks-Simple.git
https://github.com/shubham0d/Immutable-file-linux
https://github.com/therealdreg/enyelkm
https://github.com/elfmaster/kprobe_rootkit
https://github.com/En14c/LilyOfTheValley
https://github.com/QuokkaLight/rkduck
https://github.com/a7vinx/liinux
https://github.com/mgrube/DragonKing
https://github.com/aidielse/Rootkits-Playground
https://github.com/cccssw/JynKbeast
https://github.com/hanj4096/wukong
https://github.com/mponcet/subversive
https://github.com/h3xduck/Umbra
https://github.com/ruckuus/kernel-abuse/tree/master/kbeast
https://github.com/CDuPlooy/Rootkit
https://github.com/jussihi/SMM-Rootkit
https://github.com/nnedkov/swiss_army_rootkit
https://github.com/spiderpig1297/kprochide
https://github.com/pathtofile/bad-bpf
https://github.com/cloudflare/ebpf_exporter
https://github.com/DavadDi/bpf_study
https://github.com/Esonhugh/sshd_backdoor
https://github.com/vrasneur/randkit
https://github.com/ricardomaraschini/ebpf-signals
https://github.com/bones-codes/the_colonel
https://github.com/PinkP4nther/Sutekh
https://github.com/spiderpig1297/kfile-over-icmp
https://github.com/dave4422/linux_rootkit
https://github.com/nurupo/rootkit
https://github.com/Nadharm/CoVirt
https://github.com/3intermute/loonix_syscall_hook
https://github.com/alfonmga/hiding-cryptominers-linux-rootkit
https://github.com/loneicewolf/linux-rootkits
https://github.com/yasindce1998/KubeDagger
https://github.com/loneicewolf/EXEC_LKM
https://github.com/deurzen/linux-rootkit
https://github.com/roggenbrot42/rkptum2013
https://github.com/DanielAvinoam/TheSubZeroProject
https://github.com/jermeyyy/rooty
https://github.com/NoviceLive/research-rootkit
https://github.com/aesophor/satan
https://github.com/Pratik32/linux_rkit
https://github.com/AlirezaChegini/kernel-based-keylogger-for-Linux
https://github.com/jordan9001/superhide
https://github.com/nccgroup/ebpf/tree/master/conjob
https://github.com/FlamingSpork/iptable_evil
https://github.com/ilee38/root-of-all-evil
https://github.com/milabs/lkrg-bypass
Linux user-space rootkits/injectors
https://github.com/ldpreload/Medusa
https://github.com/arget13/DDexec
https://github.com/yasukata/zpoline
https://github.com/dsnezhkov/zombieant
https://github.com/ulexec/SHELF-Loading
https://github.com/chokepoint/Jynx2
https://github.com/unix-thrust/beurk
https://github.com/cloudsec/brootkit
https://github.com/trimpsyw/adore-ng
https://github.com/rvillordo/libpreload
https://github.com/r00tkillah/HORSEPILL
https://github.com/elfmaster/skeksi_virus
https://github.com/elfmaster/linker_preloading_virus
https://github.com/nopn0p/rkorova
https://github.com/amir9339/Tcpdump-evasion
https://github.com/Paradoxis/PHP-Backdoor
https://github.com/ixty/mandibule
https://github.com/DavidBuchanan314/dlinject
https://github.com/guitmz/memrun
Linux C2 / attack simulation
https://github.com/BishopFox/sliver
https://github.com/facebookincubator/WEASEL
https://github.com/cyberark/kubesploit
https://github.com/controlplaneio/simulator
https://github.com/iagox86/dnscat2
https://github.com/rapid7/metasploit-framework
Books/PDFs/Docs
https://dl.acm.org/doi/fullHtml/10.1145/3545948.3545980 – Katana: Robust, Automated, Binary-Only Forensic Analysis of Linux Memory Snapshots
https://www.crysys.hu/publications/files/setit/thesis_bme_Nemeth20bsc.pdf – Detection of persistent rootkit components on embedded IoT devices
https://raw.githubusercontent.com/h3xduck/TripleCross/master/docs/ebpf_offense_rootkit_tfg.pdf – Analysis of the offensive capabilities of eBPF and implementation of a rootkit
https://github.com/NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit/blob/master/osom.pdf – Out-of-Sight-Out-of-Mind-Rootkit
https://pentera.io/blog/the-good-bad-and-compromisable-aspects-of-linux-ebpf/
https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
https://vblocalhost.com/uploads/VB2021-Mechtinger-Kennedy.pdf
https://www.vanbastelaer.com/publication/sabpf/sabpf.pdf
https://cormander.com/wp-content/uploads/2017/04/Distribution-Kernel-Security-Hardening.pdf
https://isovalent.com/data/isovalent_security_observability.pdf
https://cs.brown.edu/~vpk/papers/ret2dir.sec14.pdf
https://www.iij.ad.jp/en/dev/iir/pdf/iir_vol45_focus_EN.pdf
https://www.brendangregg.com/Slides/BSidesSF2017_BPF_security_monitoring.pdf
https://apps.dtic.mil/sti/pdfs/AD1004190.pdf
http://jultika.oulu.fi/files/nbnfioulu-202004201485.pdf
https://xgao-work.github.io/paper/dsn2021.pdf
http://www.people.vcu.edu/~iahmed3/publications/lncs-wisa-2017.pdf
https://www.crysys.hu/publications/files/setit/thesis_bme_Nagy21msc.pdf
https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container_whitepaper.pdf