Hooked on Linux: Rootkit Detection Engineering
ID: 17426b60-f3d3-5900-93b6-6ca03929d1f0
STIX ID: report--17426b60-f3d3-5900-93b6-6ca03929d1f0
Feed Name: Elastic Security Labs
This technical write-up analyzes Linux rootkits and detection engineering, demonstrating how trivial binary changes defeat static signatures and providing comprehensive behavioral detection strategies (Auditd rules, syslog patterns, process/file/syscall monitoring) for userland and kernel rootkits, eBPF and io_uring abuses, persistence (LD_PRELOAD, /etc/ld.so.preload, modprobe/modules-load, udev, systemd/cron), and defense-evasion techniques.
