Triple Cross eBPF Rootkit Default LockFile

Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.

Sigma rule (View on GitHub)

 1title: Triple Cross eBPF Rootkit Default LockFile
 2id: c0239255-822c-4630-b7f1-35362bcb8f44
 3status: test
 4description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
 5references:
 6    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-07-05
 9modified: 2022-12-31
10tags:
11    - attack.defense-evasion
12logsource:
13    product: linux
14    category: file_event
15detection:
16    selection:
17        TargetFilename: '/tmp/rootlog'
18    condition: selection
19falsepositives:
20    - Unlikely
21level: high

References

Related rules

to-top