MatheuZ
Red Team Operator, Offensive Security Researcher, and Pentester
Linux-focused offensive security research: evasion, rootkits, telemetry bypass, and post-exploitation write-ups.
Writing
- 2024-11-26 · 6 minHow detect a LD_PRELOAD rootkit and hide from ldd & /proc
Hello! Welcome to this post! Well, I have a group that is focused on rootkit research, both for Linux and Windows, feel free to come and participate in our community. https://discord.gg/66N5ZQppU7 What is LD_PRELOAD Rootkit? Before we begin, we need to understand what an LD_PRELOAD rootkit is. Is a type of malware that uses the LD_PRELOAD environment variable to load malicious shared libraries. It intercepts and modifies functions, allowing you to hide files, processes and activities. So, an LD_PRELOAD rootkit runs in user space (ring3), because it does not interact directly with the kernel. Introduction A good point about LD_PRELOAD Rootkit is that, unlike LKM (Loadable Kernel Module), they are much more stable, compatible and are also easier to develop.
- 2024-08-26 · 4 minA simple way to detect and remove LKM rootkit KoviD (Outdated)
Hello everyone, welcome to this post where I will cover the easiest way on how to detect and remove LKM KoviD rootkit. But first of all, we need to understand how the KoviD works. What is KoviD? KoviD is a Linux kernel rootkit, containing several features that make it difficult to detect and remove, in my opinion KoviD is the best open source LKM rootkit today, you can see more about it on github.
- 2024-02-16 · 14 minLinux Threat Hunting Persistence
Hello everyone, welcome to this post, where I will cover the topic “Linux Threat Hunting Persistence”. The objective of this post is to learn how to hunt for persistence on Linux machines, without using paid tools/framework, just using the tools that are already available (open source) for anyone to download and use and also using Linux’s own resources to be able to do hunt for persistence. Below is what we will cover in this post.