Training
Featured Course View All Courses
Get a Free Hour of SANS Training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
NEW - AI Security Training
Can't find what you are looking for?

Let us help.

Contact us
Free Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

Customer Case Studies

Discover how organizations and individual cyber practitioners use SANS training and GIAC certifications

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Group Purchasing
Group Purchasing

You Can Run but You Cannot Hide (In Process Memory): Observing Process Injection with eBPF in Linux

Download File
You Can Run but You Cannot Hide (In Process Memory): Observing Process Injection with eBPF in Linux (PDF, 2.09MB)Published: 03 May, 2024
Created by:
Melissa Bischoping

Use of built-in capabilities for injecting malicious code as a persistence technique is used by malware and malicious actors to compromise the security of Linux operating systems and evade detection by security tooling and threat hunters.

Additional resources

Know Your Blind Spots: Better Visibility Through EDR Policy Hardening

WhitepaperDigital Forensics and Incident Response
  • 9 Jun 2026
  • Joshuah Williams

The Exposure Gap: From Vulnerability Management to AI-Driven Attack Surface Control

WhitepaperDigital Forensics and Incident Response
  • 5 Jun 2026
  • Chris Dale

The State of Detection Engineering 2026: What the Data Reveals About Accuracy, Automation, and AI Adoption

WhitepaperCloud Security, Digital Forensics and Incident Response
  • 3 Jun 2026
  • Terrence Williams

A Forensic Study of Artifact Persistence in Containerd-Based Kubernetes Workloads

WhitepaperDigital Forensics and Incident Response
  • 12 May 2026
  • Ahmed Alharbi

Applying CIS Controls to AI Workflows

WhitepaperDigital Forensics and Incident Response
  • 12 May 2026
  • Brian Ventura

In-Depth Endpoint Forensics and Response at Scale

WhitepaperCyber Defense, Digital Forensics and Incident Response
  • 30 Apr 2026
  • Matt Bromiley

Related courses

  • Slide 1 of 16

    FOR589: Cybercrime Investigations

    Intermediate
    FOR589Digital Forensics and Incident Response
    FOR589: Cybercrime Intelligence
    • 5 Days (Instructor-Led)
    • 30 CPEs / 30 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 2 of 16

    FOR585: Smartphone Forensic Analysis In-Depth

    MAJOR UPDATES
    AI SKILLS
    Essentials
    FOR585Digital Forensics and Incident Response
    FOR585: Smartphone Forensic Analysis In-Depth
    • GIAC Advanced Smartphone Forensics (GASF)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 22 Hands-On Labs

    View course detailsRegister
  • Slide 3 of 16

    FOR478: Cyber Threat Intelligence Foundations

    BETA
    Essentials
    FOR478Digital Forensics and Incident Response
    FOR498: Digital Acquisition and Rapid Triage
    • 2 Days (Instructor-Led)
    • 12 CPEs / 12 Hours
    • Labs: 8 Hands-On Labs

    View course detailsRegister
  • Slide 4 of 16

    FOR608: Enterprise-Class Incident Response & Threat Hunting

    UPDATED
    Intermediate
    FOR608Digital Forensics and Incident Response
    FOR608: Enterprise-Class Incident Response & Threat Hunting
    • GIAC Enterprise Incident Responder (GEIR)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 5 of 16

    FOR518: Mac and iOS Forensic Analysis and Incident Response

    UPDATED
    Intermediate
    FOR518Digital Forensics and Incident Response
    FOR518: Mac and iOS Forensic Analysis and Incident Response
    • GIAC iOS and macOS Examiner (GIME)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister
  • Slide 6 of 16

    FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

    MAJOR UPDATES
    Intermediate
    FOR508Digital Forensics and Incident Response
    FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
    • GIAC Certified Forensic Analyst (GCFA)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 35 Hands-On Labs

    View course detailsRegister
  • Slide 7 of 16

    FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

    Advanced
    FOR610Digital Forensics and Incident Response
    FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
    • GIAC Reverse Engineering Malware (GREM)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 48 Hands-On Labs

    View course detailsRegister
  • Slide 8 of 16

    FOR578: Cyber Threat Intelligence

    MAJOR UPDATES
    Intermediate
    FOR578Digital Forensics and Incident Response
    FOR578: Cyber Threat Intelligence
    • GIAC Cyber Threat Intelligence (GCTI)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 9 of 16

    FOR509: Enterprise Cloud Forensics and Incident Response

    MAJOR UPDATES
    Intermediate
    FOR509Digital Forensics and Incident Response
    FOR509: Enterprise Cloud Forensics and Incident Response
    • GIAC Cloud Forensics Responder (GCFR)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister
  • Slide 10 of 16

    FOR528: Ransomware and Cyber Extortion

    Intermediate
    FOR528Digital Forensics and Incident Response
    FOR528: Ransomware and Cyber Extortion
    • 4 Days (Instructor-Led)
    • 24 CPEs / 24 Hours (Self-Paced)
    • Labs: 13 Hands-On Labs

    View course detailsRegister
  • Slide 11 of 16

    FOR577: LINUX Incident Response and Threat Hunting

    AI SKILLS
    Intermediate
    FOR577Digital Forensics and Incident Response
    FOR577: LINUX Incident Response and Threat Hunting
    • GIAC Linux Incident Responder (GLIR)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister
  • Slide 12 of 16

    FOR710: Reverse-Engineering Malware: Advanced Code Analysis

    Advanced
    FOR710Digital Forensics and Incident Response
    FOR710: Reverse-Engineering Malware: Advanced Code Analysis
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 12 Hands-On Labs

    View course detailsRegister
  • Slide 13 of 16

    FOR498: Digital Acquisition and Rapid Triage

    Essentials
    FOR498Digital Forensics and Incident Response
    FOR498: Digital Acquisition and Rapid Triage
    • GIAC Battlefield Forensics and Acquisition (GBFA)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 14 of 16

    FOR563: Applied AI for Digital Forensics and Incident Response: Leveraging Local Large Language Models

    NEW
    AI-FOCUSED
    Intermediate
    FOR563Digital Forensics and Incident Response, Artificial Intelligence
    FOR509: Enterprise Cloud Forensics and Incident Response
    • 1 Day (Instructor-Led)
    • 6 CPEs / 6 Hours (Self-Paced)
    • Labs: 4 Hands-On Labs

    View course detailsRegister
  • Slide 15 of 16

    FOR500: Windows Forensic Analysis

    UPDATED
    Essentials
    FOR500Digital Forensics and Incident Response
    FOR500: Windows Forensic Analysis
    • GIAC Certified Forensic Examiner (GCFE)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 22 Hands-On Labs

    View course detailsRegister
  • Slide 16 of 16

    FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

    Advanced
    FOR572Digital Forensics and Incident Response
    FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
    • GIAC Network Forensic Analyst (GNFA)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
You Can Run but You Cannot Hide (In Process Memory): Observing Process Injection with eBPF in Linux