Rootkits
Detecting Linux Stealth Rootkits with Directory Link Errors
Detecting stealth rootkits on Linux can be done from the command line. The secret is to ask the same question multiple ways to make sure all answers agree. If they don't all agree, something is…
XZ SSH Backdoor Detection Strategies
A sophisticated backdoor targeting the SSH service on Linux was made against the XZ compression library in a supply chain attack. The backdoor almost made it into most major Linux distributions until…
Detecting Evasive Linux Malware Presentation
Sandfly founder Craig Rowland gave a presentation for the FIRST Cold Incident Response Conference in Oslo on evasive Linux backdoors and malware below: Evasive Linux Backdoors and Malware…
Linux Stealth Rootkit Process Decloaking Tool Updated
Decloaking Linux stealth rootkits that are hiding processes from view is easy with our free tool sandfly-processdecloak which has been updated below: sandfly-processdecloak on Github This free tool…
How To Detect and Decloak Linux Stealth Rootkit Data
Linux stealth rookits have a variety of mechanisms to hide on a host. Aside from standard tactics such as hiding running processes (which we show you how to decloak here), they also can hide data…
Linux Stealth Rootkit Malware with EDR Evasion
Recently, Sandfly was contacted to investigate an incident involving a novel piece of Linux stealth malware. What made this malware interesting is it deployed a full stealth rootkit to hide itself,…