Triple Cross eBPF Rootkit Default Persistence
Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method.
Sigma rule
title: Triple Cross eBPF Rootkit Default Persistence
id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
status: test
description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
references:
    - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'ebpfbackdoor'
    condition: selection
falsepositives:
    - Unlikely
level: high
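To show what this selection actually matches, here is an added example (not part of the rule or the Sigma project) that evaluates the rule's `TargetFilename|endswith` selection the way Sigma defines string modifiers (case-insensitive by default) over a handful of constructed file_event records using Sysmon-for-Linux style field names. Note that the rule keys only on the file name suffix, so a file named "ebpfbackdoor" created outside cron.d or sudoers.d will fire too.

```python
from typing import Dict, Iterable, List

# The rule's selection, transcribed from the Sigma YAML above.
SELECTION = {"TargetFilename|endswith": "ebpfbackdoor"}


def _match_value(modifier: str, field_value: str, pattern: str) -> bool:
    """Evaluate one Sigma string modifier. Sigma string matching is
    case-insensitive unless the 'cased' modifier is used, so both sides are
    lower-cased before comparison."""
    fv, pat = field_value.lower(), pattern.lower()
    if modifier == "endswith":
        return fv.endswith(pat)
    if modifier == "startswith":
        return fv.startswith(pat)
    if modifier == "contains":
        return pat in fv
    if modifier == "":
        return fv == pat
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event: Dict[str, str], selection: Dict[str, str] = SELECTION) -> bool:
    """All field/value pairs in one Sigma selection map are AND-ed together;
    a missing field never matches."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not _match_value(modifier, value, pattern):
            return False
    return True


def find_hits(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches_selection(e)]


# Constructed sample file_event records, not real telemetry.
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/cron.d/ebpfbackdoor", "Image": "/usr/bin/bash"},
    {"TargetFilename": "/etc/sudoers.d/ebpfbackdoor", "Image": "/usr/bin/bash"},
    {"TargetFilename": "/etc/cron.d/logrotate", "Image": "/usr/bin/dpkg"},
    {"TargetFilename": "/tmp/ebpfbackdoor.log", "Image": "/usr/bin/bash"},
    {"TargetFilename": "/home/user/EBPFBACKDOOR", "Image": "/usr/bin/vim"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit)
```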