Triple Cross eBPF Rootkit Default LockFile
Detects creation of the file /tmp/rootlog, which the TripleCross eBPF rootkit uses as a lock file to check whether its backdoor is already running. The path is a hard-coded string in the rootkit's source (see the reference in the rule), so a rebuilt sample that uses a different lock-file name will not trigger this rule. The rule also depends on a Linux file-creation log source that populates TargetFilename, such as Sysmon for Linux FileCreate events.
Sigma rule
title: Triple Cross eBPF Rootkit Default LockFile
id: c0239255-822c-4630-b7f1-35362bcb8f44
status: test
description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
    - attack.defense-evasion
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename: '/tmp/rootlog'
    condition: selection
falsepositives:
    - Unlikely
level: high
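To show how the selection above behaves on telemetry, the following is an added example, not part of the SigmaHQ rule or of the TripleCross project: a minimal Python matcher that implements Sigma's plain-string semantics (case-insensitive whole-value match, with `*` and `?` as the only wildcards) and runs the rule's selection over constructed events shaped like Sysmon for Linux FileCreate (EventID 11) records. The event dictionaries, their field names other than TargetFilename, and the helper names are assumptions for illustration; a real deployment would convert the rule with a Sigma backend rather than use this matcher.

```python
import re

# Constructed sample events (not real telemetry) in the shape of Sysmon for
# Linux EventID 11 (FileCreate) records, which is what SigmaHQ's
# linux/file_event log source maps to. Event 5 is a ProcessCreate record and
# must not fire even though its command line mentions the lock file.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "/usr/bin/bash", "TargetFilename": "/tmp/rootlog"},
    {"EventID": 11, "Image": "/usr/bin/vim", "TargetFilename": "/tmp/rootlog.swp"},
    {"EventID": 11, "Image": "/usr/bin/touch", "TargetFilename": "/var/tmp/rootlog"},
    {"EventID": 11, "Image": "/usr/bin/touch", "TargetFilename": "/tmp/ROOTLOG"},
    {"EventID": 1, "Image": "/usr/bin/bash", "CommandLine": "touch /tmp/rootlog"},
]

# The rule's detection.selection block, as a field -> pattern mapping.
RULE_SELECTION = {"TargetFilename": "/tmp/rootlog"}


def sigma_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma plain-string value into a regex.

    Sigma semantics: the whole field value must match, matching is
    case-insensitive, '*' matches any run of characters and '?' exactly one.
    Backslash escaping of wildcards is omitted here for brevity (assumption).
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def matches_selection(event: dict, selection: dict) -> bool:
    """True when every field in the selection is present and matches (AND)."""
    for field, pattern in selection.items():
        if field not in event:
            return False
        if not sigma_pattern_to_regex(pattern).fullmatch(str(event[field])):
            return False
    return True


def run_rule(events, selection=RULE_SELECTION, file_create_event_id=11):
    """Apply the rule: restrict to file-create events, then evaluate the selection.

    The EventID filter stands in for the logsource (linux/file_event) mapping
    that a Sigma backend would add; the value 11 is the Sysmon FileCreate ID.
    """
    return [
        e for e in events
        if e.get("EventID") == file_create_event_id and matches_selection(e, selection)
    ]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT: Triple Cross eBPF Rootkit Default LockFile ->", hit["TargetFilename"])
```

Two things the run makes visible: `/tmp/rootlog.swp` and `/var/tmp/rootlog` do not fire because the selection has no wildcard and requires a whole-value match, while `/tmp/ROOTLOG` does fire, because Sigma string matching is case-insensitive even though Linux paths are not. If that is unwanted, the converted query for a case-sensitive backend needs an explicit `cased` modifier or an equivalent backend-specific option.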
References
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33