Singularity Rootkit: SELinux bypass and netlink filter (ss/conntrack hidden)

https://news.ycombinator.com/rss Hits: 7
Summary

Singularity - Stealthy Linux Kernel Rootkit

"Shall we give forensics a little work?"

Singularity is a powerful Linux Kernel Module (LKM) rootkit designed for modern 6.x kernels. It provides comprehensive stealth capabilities through system call hooking built on the kernel's ftrace infrastructure.

Full Research Article (outdated version): Singularity: A Final Boss Linux Kernel Rootkit
EDR Evasion Case Study: Bypassing Elastic EDR with Singularity

What is Singularity?

Singularity is a sophisticated rootkit that operates at the kernel level, providing:

- Process Hiding: Make any process completely invisible to the system
- File & Directory Hiding: Conceal files using pattern matching
- Network Stealth: Hide TCP/UDP connections, ports, and conntrack entries
- Privilege Escalation: Multiple methods to gain instant root access
- Log Sanitization: Filter kernel logs and system journals in real time
- Self-Hiding: Remove itself from module lists and system monitoring
- Remote Access: ICMP-triggered reverse shell with automatic hiding
- Anti-Detection: Block eBPF tools and io_uring operations, and prevent further module loading
- Audit Evasion: Drop audit messages for hidden processes at the netlink level, with statistics tracking
- Memory Forensics Evasion: Filter /proc/kcore, /proc/kallsyms, /proc/vmallocinfo
- Cgroup Filtering: Filter hidden PIDs from cgroup.procs
- Syslog Evasion: Hook do_syslog to filter klogc...
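A cross-view check against the process and network hiding listed above, added here as an example; it is not code from the Singularity project or from the original page. The idea is that a rootkit which filters the listing views (getdents on /proc, /proc/net/tcp, the sock_diag netlink replies that ss reads) still has to keep the hidden PID and the hidden socket alive, so asking the kernel directly with kill(pid, 0) and bind() can disagree with the listing, and that disagreement is the finding. The function names, the constructed /proc/net/tcp sample and the MAX_PID fallback are this example's own assumptions.

```python
"""Cross-view checks for hidden processes and hidden TCP sockets on Linux.
Added example, not Singularity code: each check compares a listing the
rootkit can filter with a direct kernel probe it would also have to lie to."""
import errno
import os
import socket

MAX_PID = 4194304  # assumed fallback: Linux default pid_max on 64-bit; the live run reads /proc/sys/kernel/pid_max


def listed_pids(proc="/proc"):
    """PIDs and TIDs visible by walking /proc, the view a getdents hook filters."""
    ids = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"{proc}/{name}/task"))
        except OSError:
            pass  # the process exited while we were walking it
    return ids


def probed_pids(max_pid=MAX_PID):
    """IDs that kill(id, 0) says exist; EPERM still means 'exists, not ours'."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def parse_local_ports(proc_net_tcp, states=None):
    """Local ports from /proc/net/tcp or /proc/net/tcp6 text, header skipped.
    states=None keeps every socket; states={"0A"} keeps only LISTEN."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if states is None or state in states:
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def bind_probe(ports):
    """Ports the kernel refuses with EADDRINUSE: a socket really holds them.
    SO_REUSEADDR stops TIME_WAIT sockets from producing false positives.
    Ports below 1024 need root or CAP_NET_BIND_SERVICE; EACCES is reported
    separately so it is not mistaken for a hidden listener."""
    in_use, no_permission = set(), set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            try:
                s.bind(("0.0.0.0", port))
            except OSError as e:
                if e.errno == errno.EADDRINUSE:
                    in_use.add(port)
                elif e.errno == errno.EACCES:
                    no_permission.add(port)
    return in_use, no_permission


def hidden_entries(listed, probed):
    """Entries the direct probe found that the listing does not show."""
    return sorted(probed - listed)


# Constructed sample of /proc/net/tcp: a listener on 0.0.0.0:22 (0x0016) and an
# established connection with local port 8080 (0x1F90).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""


if __name__ == "__main__":
    # Live run (Linux only). Read both tables so a dual-stack v6 listener,
    # which also blocks the v4 bind, is not reported as hidden.
    listed_ports = set()
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        with open(table) as f:
            listed_ports |= parse_local_ports(f.read())
    in_use, _ = bind_probe(range(1024, 65536))
    print("ports held by a socket but not listed:", hidden_entries(listed_ports, in_use))
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    print("pids alive but not listed:", hidden_entries(listed_pids(), probed_pids(pid_max)))
```

A non-empty result is the interesting one: a port that bind() cannot take but no /proc/net table admits to, or a PID that kill() accepts but readdir never returned. Both probes race against normal process and connection churn, so repeat the run before treating a single entry as a hidden object. The limit of the check is that kill() and bind() are themselves syscalls, which a kernel-resident module hooking via ftrace can intercept just as it intercepts the listings, so a clean result proves less than a dirty one; that is why the page's mention of filtered /proc/kcore matters, since memory acquisition is the next view up the stack.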

First seen: 2026-01-05 16:24

Last seen: 2026-01-05 22:26