Awesome-linux-attack-forensics-purplelabs

Introduction

This page is the result of ongoing hands-on research around advanced Linux attack, detection and forensics techniques and tools.

Since I have been practicing red/blue (purple) methodology for many years, the material below will give you an idea of the sheer number of projects, techniques and tactics in the Linux/Kubernetes offense/detection/DFIR scope.

All of these offensive techniques and tools have been tested by me (including source code analysis), detected across different layers (host/network) and mapped to small hands-on lab scenarios, eventually becoming part of the PurpleLabs Playground (https://edu.defective-security.com/).

If you are looking for a complete workshop/training program, the links below are the core of the unique "Linux Attack and Live Forensics at Scale" training program (https://edu.defective-security.com/linux-attack-live-forensics-at-scale). This is the first step in creating a dynamic workshop program as a framework in which you can immediately play the role of a Linux attacker, detection engineer and forensic investigator with a full set of custom TTPs! The approach also allows creating custom attack paths, detection engineering and incident response steps, including live forensics.

Open Source SOC/IR

https://github.com/Cyb3rWard0g/HELK

https://github.com/Graylog2/graylog2-server

https://github.com/Velocidex/velociraptor

https://docs.velociraptor.app/exchange/

https://github.com/wazuh/wazuh

https://github.com/robcowart/elastiflow

https://github.com/arkime/arkime

https://github.com/osquery/osquery

https://github.com/TheHive-Project/TheHive

https://github.com/TheHive-Project/Cortex

https://github.com/Shuffle/Shuffle

https://github.com/dfir-iris/iris-web

https://github.com/MISP/MISP

https://jupyter.org/

https://github.com/OISF/suricata

https://github.com/zeek/zeek

https://github.com/SecurityRiskAdvisors/VECTR

https://github.com/archanchoudhury/SOC-OpenSource

Linux and Kubernetes Detection/Forensics

https://github.com/sandflysecurity

https://github.com/lkrg-org/lkrg

https://github.com/Sysinternals/SysmonForLinux

https://github.com/volatilityfoundation/volatility

https://github.com/volatilityfoundation/community3

https://github.com/k1nd0ne/VolWeb

https://github.com/pathtofile/bpf-hookdetect

https://github.com/Exein-io/pulsar

https://github.com/ntop/libebpfflow

https://github.com/ehids/ehids-agent

https://github.com/falcosecurity/falco

https://github.com/aquasecurity/tracee

https://github.com/draios/sysdig

https://github.com/cilium/tetragon

https://github.com/gamemann/XDP-Firewall

https://github.com/linuxthor/rkbreaker

https://github.com/therealdreg/lsrootkit

https://github.com/linuxthor/rkspotter

https://github.com/kkamagui/shadow-box-for-x86

http://www.chkrootkit.org/

https://github.com/octarinesec/kube-scan

Linux Kernel-Space Rootkits

https://github.com/lukasbalazik123/1337kit

https://github.com/f0rb1dd3n/Reptile

https://github.com/carloslack/KoviD

https://github.com/vkobel/linux-syscall-hook-rootkit

https://github.com/h3xduck/TripleCross

https://github.com/amir9339/ebpf_maps_hooking

https://github.com/milabs/kopycat

https://github.com/m0nad/Diamorphine

https://github.com/stdhu/kernel-inline-hook

https://github.com/ilammy/ftrace-hook

https://github.com/WeiJiLab/kernel-hook-framework

https://github.com/C24IO/Netfilter-Hooks-Simple.git

https://github.com/shubham0d/Immutable-file-linux

https://github.com/therealdreg/enyelkm

https://github.com/elfmaster/kprobe_rootkit

https://github.com/En14c/LilyOfTheValley

https://github.com/QuokkaLight/rkduck

https://github.com/a7vinx/liinux

https://github.com/mgrube/DragonKing

https://github.com/aidielse/Rootkits-Playground

https://github.com/cccssw/JynKbeast

https://github.com/hanj4096/wukong

https://github.com/mponcet/subversive

https://github.com/h3xduck/Umbra

https://github.com/ruckuus/kernel-abuse/tree/master/kbeast

https://github.com/CDuPlooy/Rootkit

https://github.com/jussihi/SMM-Rootkit

https://github.com/nnedkov/swiss_army_rootkit

https://github.com/spiderpig1297/kprochide

https://github.com/pathtofile/bad-bpf

https://github.com/cloudflare/ebpf_exporter

https://github.com/DavadDi/bpf_study

https://github.com/Esonhugh/sshd_backdoor

https://github.com/vrasneur/randkit

https://github.com/ricardomaraschini/ebpf-signals

https://github.com/bones-codes/the_colonel

https://github.com/PinkP4nther/Sutekh

https://github.com/spiderpig1297/kfile-over-icmp

https://github.com/dave4422/linux_rootkit

https://github.com/nurupo/rootkit

https://github.com/Nadharm/CoVirt

https://github.com/3intermute/loonix_syscall_hook

https://github.com/alfonmga/hiding-cryptominers-linux-rootkit

https://github.com/loneicewolf/linux-rootkits

https://github.com/yasindce1998/KubeDagger

https://github.com/loneicewolf/EXEC_LKM

https://github.com/deurzen/linux-rootkit

https://github.com/roggenbrot42/rkptum2013

https://github.com/DanielAvinoam/TheSubZeroProject

https://github.com/jermeyyy/rooty

https://github.com/NoviceLive/research-rootkit

https://github.com/aesophor/satan

https://github.com/Pratik32/linux_rkit

https://github.com/AlirezaChegini/kernel-based-keylogger-for-Linux

https://github.com/jordan9001/superhide

https://github.com/nccgroup/ebpf/tree/master/conjob

https://github.com/FlamingSpork/iptable_evil

https://github.com/ilee38/root-of-all-evil

https://github.com/milabs/lkrg-bypass

Linux User-Space Rootkits/Injectors

https://github.com/ldpreload/Medusa

https://github.com/arget13/DDexec

https://github.com/mav8557/Father

https://github.com/yasukata/zpoline

https://github.com/dsnezhkov/zombieant

https://github.com/ulexec/SHELF-Loading

https://github.com/chokepoint/Jynx2

https://github.com/unix-thrust/beurk

https://github.com/cloudsec/brootkit

https://github.com/trimpsyw/adore-ng

https://github.com/rvillordo/libpreload

https://github.com/r00tkillah/HORSEPILL

https://github.com/elfmaster/skeksi_virus

https://github.com/elfmaster/linker_preloading_virus

https://github.com/nopn0p/rkorova

https://github.com/amir9339/Tcpdump-evasion

https://github.com/Paradoxis/PHP-Backdoor

https://github.com/ixty/mandibule

https://github.com/DavidBuchanan314/dlinject

https://github.com/guitmz/memrun

Linux C2 / Attack Simulation

https://github.com/BishopFox/sliver

https://github.com/facebookincubator/WEASEL

https://github.com/cyberark/kubesploit

https://github.com/controlplaneio/simulator

https://github.com/iagox86/dnscat2

https://github.com/rapid7/metasploit-framework

Books/PDFs/Docs

https://dl.acm.org/doi/fullHtml/10.1145/3545948.3545980 – Katana: Robust, Automated, Binary-Only Forensic Analysis of Linux Memory Snapshots

https://www.crysys.hu/publications/files/setit/thesis_bme_Nemeth20bsc.pdf – Detection of persistent rootkit components on embedded IoT devices

https://raw.githubusercontent.com/h3xduck/TripleCross/master/docs/ebpf_offense_rootkit_tfg.pdf – Analysis of the offensive capabilities of eBPF and implementation of a rootkit

https://github.com/NinnOgTonic/Out-of-Sight-Out-of-Mind-Rootkit/blob/master/osom.pdf – Out-of-Sight-Out-of-Mind-Rootkit

https://pentera.io/blog/the-good-bad-and-compromisable-aspects-of-linux-ebpf/

https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

https://vblocalhost.com/uploads/VB2021-Mechtinger-Kennedy.pdf