Detects the creation of a sudoers file, or of files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user.
Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method.
Detects the creation of shell scripts under the "profile.d" path.
Detects the use of wget to download content into a temporary directory such as "/tmp" or "/var/tmp".
Detects the creation of a doas.conf file on a Linux host.
Detects the creation of a cron file, or of files in cron directories, which could indicate potential persistence.