Bypass Record

Rootkit × Elastic Security EDR

A publicly-reported instance of Rootkit bypassing Elastic Security EDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Elastic Security EDR
Technique
Rootkit
MITRE ATT&CK
T1014
Confidence
High
Severity
High
Status
poc
Disclosed
2025-10-31
Config / version noted
Not stated

Provenance

Reported as

Researchers developed a proof-of-concept Linux rootkit named Singularity that bypasses Elastic Security's EDR detection.

Mechanism

The rootkit evades Elastic Security EDR by:
1) compile-time string obfuscation to defeat YARA signatures;
2) randomizing symbol names so they mimic legitimate kernel functions;
3) fragmenting and encrypting the module, then reassembling it in memory via memfd_create so it is never scanned on disk;
4) renaming ftrace helper functions to avoid detection;
5) issuing direct syscalls via inline assembly to bypass libc-level monitoring; and
6) writing reverse-shell payloads to on-disk scripts so the resulting processes have clean command lines.

Detection & mitigation

Monitor kernel integrity with tooling that detects unauthorized kernel module loads and modifications to the system call table. Apply defense in depth: combine kernel integrity monitoring with behavioral analysis rather than relying solely on signature-based detection.
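The two checks below are an added illustration of the mitigation note above, not code from the cited source or from Elastic. They flag the behaviour this record describes from the defender's side: a module present in /proc/modules with no matching .ko file on disk, and a process that creates an anonymous memfd and then calls init_module/finit_module. All inputs are constructed sample data; the audit lines follow a simplified auditd SYSCALL layout (an assumption, not a guaranteed match for a real auditd configuration), and the syscall numbers are the real x86_64 values.

```python
"""Defender-side checks for in-memory kernel module loading.

Signal 1: a loaded module (from /proc/modules) that has no .ko on disk.
Signal 2: audit records where one pid calls memfd_create and then
          init_module/finit_module, i.e. a module loaded from memory.
All sample data below is constructed for this example.
"""
import re
from typing import Dict, Iterable, List, Set

# x86_64 syscall numbers (real values).
SYS_INIT_MODULE = 175
SYS_FINIT_MODULE = 313
SYS_MEMFD_CREATE = 319
MODULE_LOAD_SYSCALLS = {SYS_INIT_MODULE, SYS_FINIT_MODULE}


def parse_proc_modules(text: str) -> List[str]:
    """Return module names (first column of each /proc/modules line)."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]


def unbacked_modules(loaded: Iterable[str], on_disk: Set[str]) -> List[str]:
    """Loaded modules with no .ko on disk.

    /proc/modules reports names with '_' while the file may use '-'
    (e.g. kvm-intel.ko loads as kvm_intel), so normalise before comparing.
    """
    norm = {name.replace("-", "_") for name in on_disk}
    return [m for m in loaded if m.replace("-", "_") not in norm]


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split a key=value audit record into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def memfd_module_loads(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag every module-load syscall; mark whether that pid made a memfd first."""
    memfd_pids: Set[str] = set()
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec.get("type") != "SYSCALL":
            continue
        try:
            nr = int(rec.get("syscall", "-1"))
        except ValueError:
            continue
        pid = rec.get("pid", "?")
        if nr == SYS_MEMFD_CREATE:
            memfd_pids.add(pid)
        elif nr in MODULE_LOAD_SYSCALLS:
            findings.append({
                "pid": pid,
                "comm": rec.get("comm", "?"),
                "syscall": nr,
                "memfd_first": pid in memfd_pids,  # strongest indicator
            })
    return findings


# Constructed sample: three legitimate modules and one with no file on disk.
SAMPLE_PROC_MODULES = """\
ext4 876544 1 - Live 0x0000000000000000
nf_tables 286720 0 - Live 0x0000000000000000
kvm_intel 368640 0 - Live 0x0000000000000000
xt_sample 16384 0 - Live 0x0000000000000000 (OE)
"""
# Constructed stand-in for the .ko names found under /lib/modules/$(uname -r).
SAMPLE_ON_DISK = {"ext4", "nf_tables", "kvm-intel"}

# Constructed audit records: pid 4242 loads a module from a memfd,
# pid 1337 is an ordinary modprobe loading from a regular file.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1730000000.001:101): arch=c000003e syscall=319 success=yes exit=3 pid=4242 comm="svc" exe="/tmp/svc"',
    'type=SYSCALL msg=audit(1730000000.002:102): arch=c000003e syscall=313 success=yes exit=0 a0=3 pid=4242 comm="svc" exe="/tmp/svc"',
    'type=PROCTITLE msg=audit(1730000000.002:102): proctitle="svc"',
    'type=SYSCALL msg=audit(1730000000.003:103): arch=c000003e syscall=313 success=yes exit=0 a0=4 pid=1337 comm="modprobe" exe="/usr/sbin/modprobe"',
]

if __name__ == "__main__":
    loaded = parse_proc_modules(SAMPLE_PROC_MODULES)
    print("modules with no .ko on disk:", unbacked_modules(loaded, SAMPLE_ON_DISK))
    for f in memfd_module_loads(SAMPLE_AUDIT_LINES):
        print("module load:", f)
```

On a live host, replace the constructed inputs with the contents of /proc/modules, the set of .ko basenames under /lib/modules/$(uname -r), and the SYSCALL records that auditd emits once init_module, finit_module and memfd_create are audited; the memfd-then-load pairing is the signal to alert on, since a legitimate modprobe reads the module from a regular file.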

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.