Triple Cross eBPF Rootkit Default Persistence
Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
Sigma rule (View on GitHub)
1title: Triple Cross eBPF Rootkit Default Persistence
2id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
3status: test
4description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
5references:
6 - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/07/05
9modified: 2022/12/31
10tags:
11 - attack.persistence
12 - attack.defense_evasion
13 - attack.t1053.003
14
15logsource:
16 product: linux
17 category: file_event
18detection:
19 selection:
20 TargetFilename|endswith: 'ebpfbackdoor'
21 condition: selection
22falsepositives:
23 - Unlikely
24level: high
References
-
A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities. - h3xduck/TripleCross
Read More
Related rules
- Persistence Via Sudoers Files
- Potential Persistence Via Security Descriptors - ScriptBlock
- Potential Suspicious Activity Using SeCEdit
- Suspicious Execution via macOS Script Editor
- Impossible Travel