0xMatheuZ / red team notes / offensive security research / pentest

0xMatheuZ

Red Team Operator, Offensive Security Researcher, and Pentester

Linux-focused offensive security research, evasion notes, pentest experiments, and post-exploitation write-ups.

Discord Join Rootkit Researchers

Recent posts

Research notes

Technical write-ups on red team operations, offensive security research, Linux internals, persistence, and detection-aware offense.

BPF Map Poisoning: Attacking the EDR from the Inside

Most evasion techniques work by flying under the radar. You use an anonymous mmap instead of a file, you call syscalls directly to skip libc hooks, you execute from a memfd so fanotify never sees a path. All of that works by avoiding the EDR’s detection surface. BPF Map Poisoning is different. Instead of avoiding the EDR, you walk straight into it and rewrite its memory. I use Falco as the demo target throughout this post because it is open-source, auditable, and easy to reproduce in a lab. Falco is not a traditional EDR, it’s a runtime security tool. But the attack surface here is architectural, not Falco-specific. CrowdStrike Falcon on Linux, Elastic Defend, Tetragon, and any other security tool that stores monitoring state in BPF maps share the same problem: if the maps are not protected by security_bpf_map LSM enforcement, they can be read and written by any privileged process using the standard bpf(2) API. The demo is Falco. The implication extends to everything that follows the same design. ...

#EDR Evasion #eBPF #Falco

Trend Micro Deep Security Agent Research: Forcing bmhook/tmhook Reloads to Open a Protection Bypass Window

Research scope: This is security research on Trend Micro Deep Security Agent on Linux. The finding is not remote code execution and it is not a persistent kill switch. It is a forced security-control gap. A local unprivileged event storm can make the agent unload and reload its own behavior-monitoring kernel modules. During that window, protection behavior changes, and an artifact that was normally blocked was written to disk successfully. ...

#Trend Micro #Deep Security Agent #Linux Kernel

Breaking eBPF Security: How Kernel Rootkits Blind Observability Tools

Stealthy Kernel Rootkit: https://github.com/MatheuZSecurity/Singularity Rootkit Researchers: https://discord.gg/66N5ZQppU7 Me: https://www.linkedin.com/in/mathsalves/ Introduction Linux security tooling has leaned heavily into eBPF. Projects like Falco, Tracee, and Tetragon made kernel-level telemetry feel like a step change: richer context, low overhead, and visibility that’s difficult to evade from user space. But that promise quietly depends on a threat model: the kernel is assumed to be a trustworthy observer. This article explores what happens when that assumption breaks, specifically, when an attacker can execute code in the kernel (e.g., via a loaded module). In that world, the most valuable targets aren’t the eBPF programs themselves, but the plumbing around them: iterators, event delivery paths (ring buffer / perf buffer), perf submission, and map operations that turn kernel activity into user-space signals. ...

#eBPF #Kernel Security #Evasion

Ioctl Secrets Writeup

Challenge Description In this challenge, we’re given access to a Linux virtual machine (VM) running Ubuntu. The objective is to exploit a custom kernel module to retrieve a hidden flag. The challenge involves reverse engineering, kernel internals, and crafting a proper exploit. What we have: A hidden kernel module loaded at boot Character device at /dev/ioctl_dev Setup script (device.sh) that loads the module and shreds source files SSH access enabled (username: root, password: ioctl) Important Note: Many participants had difficulties copy-pasting code directly into the VM console. As stated in the challenge description, SSH is enabled for easier interaction! This was a common pain point, so let’s start by addressing it. ...

#CTF

Evading Elastic Security: Linux Rootkit Detection Bypass

Stealthy Kernel Rootkit: https://github.com/MatheuZSecurity/Singularity Rootkit Researchers: https://discord.gg/66N5ZQppU7 Introduction Security solutions continue to intensify. Modern EDRs like Elastic Security, integrated with Elastic Defend, employ multiple detection layers including YARA signatures and behavioral analysis to identify Linux kernel rootkits, triggering 26+ alerts on a single malicious module. This article demonstrates how to systematically evade these defenses. We present a comprehensive case study of developing a Linux rootkit that successfully bypasses Elastic Security’s detection mechanisms through obfuscation, fragmentation, and staged execution techniques. All content is strictly for educational purposes only. ...

#Evasion