Unhooking Linux EDRs
by matheuz
https://github.com/MatheuZSecurity/UnhookingLinuxEdr
| Notes |
|---|
| insmod |
| dmesg |
| EDR |
| Linux |
| LKM |
| Trend Micro |
| Trend Micro Deep Security |
| CrowdStrike Falcon |
| CrowdStrike |
| eBPF |
| machine learning |
| hooks |
| module_init(), module_exit() |
| printk |
| /proc/modules |
| /sys/module directory |
| cleanup_module alias |
| /proc/kallsyms |
| EDR agents and rootkits prevent module unloading with rmmod |
| linked list |
| tmhook module |
| bmsensor module |