The best detection method for finding Linux intruders is hunting for tactics they use, not binary signatures of their tools. #DFIR
When new exploit tools drop, I recommend you basically ignore the exploit itself. They go stale quickly. Instead, focus on making the actor's operation tactics visible. Tools can be changed quickly, but operational tactics being disrupted causes major hassles.
Same for most other types of Linux malware. Example: Polymorphic malware can make each copy brand new and hard to spot with file scanning. Better to focus on what it is trying to do instead and spot that. Now each new version is visible until tactics are forced to change.
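To show the difference in practice, here is an added example (not from the original thread) that runs a hash-based check and a tactic-based check side by side over a constructed process listing. The hashes, paths and process records are all made up; the two tactic checks (binary executing from a world-writable directory, binary unlinked while still running) are assumptions standing in for whatever tactics you actually hunt.

```python
import hashlib
from dataclasses import dataclass

# Constructed placeholder for a scanner's known-bad hash list: only the
# first build of the sample is in it, as would happen once it re-packs.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"sample-build-v1").hexdigest()}

# Directories from which legitimate services rarely execute (assumed list).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    exe: str           # path of the running binary, e.g. from /proc/<pid>/exe
    exe_deleted: bool  # True when the link target reads "(deleted)"
    content: bytes     # bytes of the binary, used only for the hash check


def signature_hit(p: Proc) -> bool:
    """File-scanner view: match the binary's hash against a known-bad list."""
    return hashlib.sha256(p.content).hexdigest() in KNOWN_BAD_SHA256


def tactic_hits(p: Proc) -> list:
    """Tactic view: flag what the process is doing, not which bytes it is."""
    hits = []
    if p.exe.startswith(WRITABLE_DIRS):
        hits.append("exec-from-world-writable-dir")
    if p.exe_deleted:
        hits.append("binary-unlinked-while-running")
    return hits


def compare(procs: list) -> dict:
    """Return {pid: (signature_matched, [tactic hits])} for each process."""
    return {p.pid: (signature_hit(p), tactic_hits(p)) for p in procs}


# Constructed sample: a normal daemon, the original sample, and a re-packed
# copy of the same sample whose hash is new but whose behaviour is unchanged.
SAMPLE = [
    Proc(412, "/usr/sbin/sshd", False, b"sshd-binary"),
    Proc(9021, "/tmp/.cache/update", True, b"sample-build-v1"),
    Proc(9077, "/dev/shm/.x/update", True, b"sample-build-v2-repacked"),
]

if __name__ == "__main__":
    for pid, (sig, tactics) in compare(SAMPLE).items():
        print(pid, "signature" if sig else "no signature", tactics)
```

Only the first build matches the hash list; the re-packed copy is missed by the scanner but still produces both tactic hits, which is the point of hunting on behaviour.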