Triple Cross eBPF Rootkit Default Persistence

Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method.

Sigma rule:

title: Triple Cross eBPF Rootkit Default Persistence
id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
status: test
description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
references:
    - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.defense-evasion
    - attack.t1053.003

logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'ebpfbackdoor'
    condition: selection
falsepositives:
    - Unlikely
level: high
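To show what this rule actually fires on, here is an added example (not SigmaHQ or TripleCross code) that evaluates the rule's single `endswith` selection against constructed Linux file_event records, using Sysmon-for-Linux-style field names as an assumption. It also shows two properties a practitioner should keep in mind: Sigma string matching is case-insensitive, and `endswith` does not restrict the match to the cron.d or sudoers.d directories the description mentions.

```python
# Added example: a minimal evaluator for this rule's detection block.
from typing import Dict, List

# The detection block of the rule above, kept as data.
RULE = {
    "title": "Triple Cross eBPF Rootkit Default Persistence",
    "selection": {"TargetFilename|endswith": "ebpfbackdoor"},
    "condition": "selection",
}

def field_matches(event: Dict[str, str], key: str, pattern: str) -> bool:
    """Apply one Sigma field selector; only the modifiers this rule needs are implemented."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:  # field absent from the event: the selector cannot match
        return False
    # Sigma string comparisons are case-insensitive by default.
    value, pattern = value.lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "":
        return value == pattern
    raise ValueError(f"unsupported modifier: {modifier}")

def rule_matches(rule: dict, event: Dict[str, str]) -> bool:
    """All key/value pairs inside one selection map are AND-ed; condition is just 'selection'."""
    return all(field_matches(event, k, v) for k, v in rule["selection"].items())

# Constructed sample file_event records (not real telemetry), modelled on the
# TargetFilename/Image fields a Sysmon-for-Linux FileCreate event carries.
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/cron.d/ebpfbackdoor", "Image": "/bin/bash"},        # hit
    {"TargetFilename": "/etc/sudoers.d/ebpfbackdoor", "Image": "/bin/bash"},     # hit
    {"TargetFilename": "/etc/cron.d/backup", "Image": "/usr/bin/apt"},           # miss
    {"TargetFilename": "/tmp/build/ebpfbackdoor", "Image": "/usr/bin/cp"},       # hit: any path qualifies
    {"TargetFilename": "/etc/cron.d/EBPFBackdoor", "Image": "/bin/bash"},        # hit: case-insensitive
    {"TargetFilename": "/home/user/ebpfbackdoor.md", "Image": "/usr/bin/vim"},   # miss: suffix differs
]

def matching_paths(events: List[Dict[str, str]]) -> List[str]:
    """Return the TargetFilename of every event the rule matches, in input order."""
    return [e["TargetFilename"] for e in events if rule_matches(RULE, e)]

if __name__ == "__main__":
    for path in matching_paths(SAMPLE_EVENTS):
        print(f"[{RULE['title']}] file created: {path}")
```

Because the rule keys only on the filename suffix, a SIEM alert should surface the full path and the creating process (`Image`) so the analyst can confirm whether the write landed in cron.d or sudoers.d.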
