Triple Cross eBPF Rootkit Default Persistence
Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, which are both related to the TripleCross persistence method.
Sigma rule

title: Triple Cross eBPF Rootkit Default Persistence
id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
status: test
description: Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, which are both related to the TripleCross persistence method
references:
    - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'ebpfbackdoor'
    condition: selection
falsepositives:
    - Unlikely
level: high
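As an added illustration (not part of the rule or of the Sigma project), the following Python evaluates this rule's detection block over constructed Linux file_event records, implementing only the `endswith` modifier with Sigma's default case-insensitive string matching; the sample paths and the `Image` field are assumed, not captured telemetry.

```python
# Minimal evaluator for this rule's detection block (example code, not Sigma's).

RULE_DETECTION = {
    "selection": {"TargetFilename|endswith": "ebpfbackdoor"},
    "condition": "selection",
}

def field_matches(field_spec, expected, event):
    """Evaluate one Sigma 'field|modifier: value' pair against an event.
    Only the modifiers this rule needs (none, endswith) are implemented.
    Sigma compares strings case-insensitively unless 'cased' is used."""
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = str(value).lower(), str(expected).lower()
    if modifier == "":
        return value == expected
    if modifier == "endswith":
        return value.endswith(expected)
    raise NotImplementedError(f"modifier {modifier!r} not supported")

def selection_matches(selection, event):
    # All field/value pairs inside one selection map are AND-ed together.
    return all(field_matches(k, v, event) for k, v in selection.items())

def rule_matches(detection, event):
    # This rule's condition is a bare selection name; no boolean grammar needed.
    return selection_matches(detection[detection["condition"].strip()], event)

# Constructed sample file_event records (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/cron.d/ebpfbackdoor", "Image": "/usr/bin/bash"},
    {"TargetFilename": "/etc/sudoers.d/ebpfbackdoor", "Image": "/usr/bin/bash"},
    {"TargetFilename": "/etc/cron.d/ebpfbackdoor.bak", "Image": "/usr/bin/cp"},
    {"TargetFilename": "/etc/cron.d/logrotate", "Image": "/usr/bin/apt"},
    {"TargetFilename": "/tmp/EBPFBACKDOOR", "Image": "/usr/bin/touch"},
]

def matching_filenames(events=SAMPLE_EVENTS):
    """Paths of events the rule fires on; 'ebpfbackdoor.bak' does not match."""
    return [e["TargetFilename"] for e in events if rule_matches(RULE_DETECTION, e)]

def persistence_dirs_hit(events=SAMPLE_EVENTS):
    """Which of the two directories named in the description saw a hit."""
    hits = matching_filenames(events)
    return {d: any(f"/{d}/" in p for p in hits) for d in ("cron.d", "sudoers.d")}
```

Note that the rule matches on the file name alone, so the third sample path under /tmp also fires; the directory check in `persistence_dirs_hit` is an analyst-side correlation, not part of the rule.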
Related rules
- New Cron File Created
- Modifying Crontab
- Azure Kubernetes CronJob
- Scheduled Cron Task/Job - Linux
- Scheduled Cron Task/Job - MacOs