Comprehensive workshop refresh: infra, content, and tooling update

README.md

@@ -1,26 +1,40 @@
 # Malicious Containers Workshop
 
-This repository contains the slides and accompanying lab materials for the workshops delivered at DefCon and other conferences. The most recent being [CactusCon](CactusCon_24/README.md). Each conferences materials will be located in their respective sub-folders.
+A hands-on workshop covering Kubernetes and container security — from offensive techniques to detection and response. Learn to build, deploy, and detect malicious containers in a safe lab environment.
 
+## Repository Structure
 
-## Past Workshops
+- **`current/`** — The latest version of the workshop materials, labs, and infrastructure setup. Start here.
+- **`archived/`** — Previous conference-specific versions (DEF CON 30, DEF CON 31, BSides Charleston, CactusCon, ISSA Triad). Preserved for reference.
 
-The repository also contains past versions of the course, such as the original [Workshop delivered at DEFCON 30 - Creating and Uncovering Malicious Containers](https://forum.defcon.org/node/241774), [DEFCON 31 - Creating and uncovering malicious containers: Redux](https://forum.defcon.org/node/246020) and iterations delivered at [BSides Charleston 22](https://bsideschs.ticketbud.com/ws-creating), [BSides Charleston 23](https://bsideschs.ticketbud.com/ws-malkub), [CactusCon](https://www.cactuscon.com/cc12-schedule) and [ISSA Triad 2023 Security Summit](https://triadnc.issa.org/). As well as any versions to be delivered in the future as we continue to update and improve it or offer it at other events. 
+## Getting Started
 
+See [`current/README.md`](current/README.md) for an overview and [`current/lab-setup.md`](current/lab-setup.md) for environment setup instructions.
+
+## Workshop Modules
+
+1. **Docker Fundamentals** — Images, containers, layers, process hierarchy
+2. **Exploring Containers** — Image history, reverse engineering, extracting artifacts
+3. **Offensive Docker Techniques** — Data exfiltration, socket hijacking, privilege escalation
+4. **Container IR** — Image forensics CTF, cleanup
+5. **Kubernetes 101** — Architecture, components, networking
+6. **Kubernetes Security** — RBAC abuse, privilege escalation, golden ticket attacks, evil pods
+7. **Supply Chain Security** — Image signing (cosign/Sigstore), SBOMs (syft), vulnerability scanning (grype), provenance
+8. **Modern Runtime Security** — Tracee, Falco, Tetragon — eBPF-based detection and comparison
+9. **Cloud-Native Attacks** — IMDS exploitation, workload identity abuse, network policy bypass
 
 ## Presenters
 
 ### Instructor: David Mitchell
-![lego-profile](https://github.com/lockfale/Malicious_Containers_Workshop/assets/913856/f3e64df8-215f-466a-b9cb-a3933e807b60)
-> <a target="_blank" href="https://twitter.com/digish0"><img src="https://img.shields.io/twitter/follow/digish0"></a>\
-> https://github.com/digital-shokunin/digital-shokunin/README.md
-
-### Instructor: Adrian Wood 
-![threlfall](https://github.com/lockfale/Malicious_Containers_Workshop/assets/913856/901c59ef-9e83-49d1-b0df-d89c6002338d)
-> <a target="_blank" href="https://twitter.com/WHITEHACKSEC"><img src="https://img.shields.io/twitter/follow/WhiteHackSec"></a>\
-> https://keybase.io/threlfall 
+> [@digish0](https://twitter.com/digish0) | https://digital-shokunin.net
 
+### Instructor: Adrian Wood
+> [@whitehacksec](https://twitter.com/WHITEHACKSEC) | https://5stars217.github.io
 
 ## Our lockpick/hacker(space) group
 
-[![falelogo](https://github.com/lockfale/Malicious_Containers_Workshop/assets/913856/4a836cf4-cc97-49ec-a4c8-ed739c83820e)](https://github.com/lockFALE/)
+[![FALE logo](https://github.com/lockfale/Malicious_Containers_Workshop/assets/913856/4a836cf4-cc97-49ec-a4c8-ed739c83820e)](https://github.com/lockFALE/)
+
+## License
+
+See [LICENSE](LICENSE).

current/README.md

@@ -0,0 +1,50 @@
+# Malicious Kubernetes Workshop
+
+This directory contains the current version of the Malicious Kubernetes workshop materials. The workshop is an introduction to Kubernetes and container security — covering cluster deployment, offensive container techniques, privilege escalation, supply chain security, and runtime detection with modern eBPF-based tools.
+
+![Workshop Marquee](image.png)
+
+## Quick Start
+
+1. **[Lab Setup](lab-setup.md)** — Environment setup (GCP VM, tooling, kind cluster)
+2. **[Lab Walk-Through](labs_walk_thru.md)** — Step-by-step lab instructions for all modules
+3. **[Cheat Sheet](cheatsheet.md)** — Troubleshooting and quick reference
+
+## What's Covered
+
+| Module | Topic |
+|--------|-------|
+| 1 | Docker fundamentals |
+| 2 | Exploring container images & reverse engineering |
+| 3 | Offensive Docker techniques (exfil, socket hijacking, persistence) |
+| 4 | Container incident response CTF |
+| 5 | Kubernetes 101 |
+| 6 | Kubernetes security — RBAC abuse, priv esc, golden tickets, evil pods |
+| 7 | Supply chain security — cosign, syft, grype, image provenance |
+| 8 | Modern runtime security — Tracee, Falco, Tetragon |
+| 9 | Cloud-native & managed K8s attacks — IMDS, workload identity, network policy bypass |
+
+## Tools Used
+
+- **Infrastructure**: kind, kubectl (v1.31), Helm v3, Ansible
+- **Observability**: Prometheus, Grafana, Loki, Promtail
+- **Runtime Security**: Tracee, Falco (+Falcosidekick), Tetragon
+- **Supply Chain**: cosign, crane, syft, grype
+- **Offensive**: ngrok, openssl, nmap, socat
+
+## Presenters
+
+### Instructor: David Mitchell
+<img width="242" alt="digish0" src="https://github.com/lockfale/Malicious_Containers_Workshop/assets/913856/05a0519d-e6e9-420c-8cc2-fa67b1737902">
+
+> [@digish0](https://twitter.com/digish0)\
+> https://digital-shokunin.net
+
+### Instructor: Adrian Wood
+![threlfall](https://github.com/lockfale/Malicious_Containers_Workshop/assets/913856/901c59ef-9e83-49d1-b0df-d89c6002338d)
+> [@whitehacksec](https://twitter.com/WHITEHACKSEC)\
+> https://5stars217.github.io
+
+## Our lockpick/hacker(space) group
+
+<img alt="FALE logo" width="500" src="https://github.com/lockfale/Malicious_Containers_Workshop/assets/913856/4a836cf4-cc97-49ec-a4c8-ed739c83820e">

current/cheatsheet.md

@@ -0,0 +1,213 @@
+# Cheatsheet
+**This is an accompanying file with the lab instructions and commands to help those especially new to linux/docker/kubernetes.**
+
+**If viewing on GitHub, you can navigate using the table of contents button in the top left next to the line count.**
+
+## Using Vi - useful shortcuts for the lab.
+
+Arrow keys to navigate cursor
+
+`i` to enter insert mode and edit contents.
+When you're in insert mode, you'll see in the bottom left hand corner that this is happening:
+
+![using_vi](https://user-images.githubusercontent.com/32903188/182468365-5841a2aa-3819-4089-920f-16db197679e9.png)
+
+
+`[esc]` to exit insert mode once changes are made.
+
+`u` outside insert mode to undo a change.
+
+`dd` to remove a line outside of insert mode.
+
+`:` to bring up the vi command line outside of insert mode.
+
+`:wq` to save and quit.
+
+`:q!` to exit without changes.
+
+## Troubleshooting - list of error messages and what to do:
+
+**none of the commands work without sudo**
+
+```
+sudo usermod -aG docker $USER
+```
+
+```
+chmod +x kubectl
+sudo mv ./kubectl /usr/local/bin/kubectl
+```
+
+**i'm stuck in my container and i can't control+c exit**
+
+- Open a new terminal window
+- `docker container ls`
+- Find the stuck container
+- `docker stop $containerID` # just the first couple of characters will do, ie `docker stop ac29`
+
+**kubectl commands don't work**
+
+Running a command with kubectl, and you see this:
+"the connection to the server localhost:8080 was refused - did you specify the right host or port?"
+
+Your kubeconfig has been blown away.
+
+```
+kind get kubeconfig --name lab > .kube/config
+```
+
+or
+
+```
+kubectl config use-context kind-lab
+```
+
+**HTTP endpoint (Pipedream) isn't receiving requests**
+
+- Make sure you copied the correct endpoint URL from Pipedream (not the dashboard URL)
+- The URL should look like `https://eo*.m.pipedream.net`
+- Verify the URL is set correctly in your Dockerfile's `ENV URL` line
+
+**`ESC` Keymapping to escape vim in the google console web browser is not working**
+
+Map the escape key to another key combination
+i.e
+`:imap jj <ESC`
+
+**Ngrok OAuth issues**
+
+Use Basic Authentication instead of OAuth
+```
+#Example of basic auth
+ngrok http $WORKER1:31000 --basic-auth="frank:password123"
+```
+
+Specify your own username and password with a colon between in the `<user>:<password>` format in the basic-auth flag above.
+
+## Supply Chain Tools Quick Reference
+
+**cosign** - Image signing and verification
+```
+# Generate key pair
+cosign generate-key-pair
+
+# Sign an image (requires push access to registry)
+cosign sign --key cosign.key <image>
+
+# Verify an image signature
+cosign verify --key cosign.pub <image>
+```
+
+**crane** - Container registry interactions
+```
+# View image manifest
+crane manifest <image> | jq
+
+# List tags
+crane ls <repository>
+
+# Get image digest (immutable reference)
+crane digest <image>
+
+# Export image filesystem
+crane export <image> output.tar
+```
+
+**syft** - SBOM generation
+```
+# Generate SBOM for an image
+syft <image>
+
+# Output as SPDX JSON
+syft <image> -o spdx-json
+
+# Output as CycloneDX
+syft <image> -o cyclonedx-json
+```
+
+**grype** - Vulnerability scanning
+```
+# Scan an image
+grype <image>
+
+# Scan with SBOM input
+grype sbom:sbom.json
+
+# Fail on critical vulns (useful in CI)
+grype <image> --fail-on critical
+
+# Only show fixable vulns
+grype <image> --only-fixed
+```
+
+## Runtime Security Tools Quick Reference
+
+**Tracee**
+```
+# Check Tracee pods
+kubectl get pods -n tracee-system
+
+# View Tracee events
+kubectl logs -n tracee-system -l app.kubernetes.io/name=tracee --tail=50
+
+# Run standalone Docker Tracee
+docker run --name tracee -d --rm --pid=host --cgroupns=host --privileged \
+  -v /etc/os-release:/etc/os-release-host:ro \
+  -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
+  aquasec/tracee:latest
+```
+
+**Falco**
+```
+# Check Falco pods
+kubectl get pods -n falco-system
+
+# View Falco alerts
+kubectl logs -n falco-system -l app.kubernetes.io/name=falco --tail=50
+
+# Access Falcosidekick UI
+kubectl port-forward svc/falco-falcosidekick-ui -n falco-system 2802:2802
+```
+
+**Tetragon**
+```
+# Check Tetragon pods
+kubectl get pods -n tetragon
+
+# View Tetragon events
+kubectl logs -n tetragon -l app.kubernetes.io/name=tetragon -c export-stdout --tail=50
+
+# List TracingPolicies
+kubectl get tracingpolicies
+```
+
+## Grafana Loki Queries
+
+**Tracee events:**
+```
+{namespace="tracee-system"} |= `matchedPolicies` != `sshd` | json | line_format "{{.log}}"
+```
+
+**Falco events:**
+```
+{namespace="falco-system"} | json | line_format "{{.log}}"
+```
+
+**Tetragon events:**
+```
+{namespace="tetragon"} | json | line_format "{{.log}}"
+```
+
+## Version Reference
+
+| Component | Version |
+|-----------|---------|
+| Kubernetes | v1.31.4 |
+| kind | v0.27.0 |
+| Helm | v3.16.4 |
+| kubectl | v1.31.4 |
+| cosign | v2.4.1 |
+| crane | v0.20.2 |
+| syft | v1.18.1 |
+| grype | v0.85.0 |
+| Tracee | 0.24.0 |