Triple Cross eBPF Rootkit Execve Hijack

Detects execution of the file "execve_hijack", which is used by the Triple Cross rootkit as a way to elevate privileges

Sigma rule

title: Triple Cross eBPF Rootkit Execve Hijack
id: 0326c3c8-7803-4a0f-8c5c-368f747f7c3e
status: test
description: Detects execution of the file "execve_hijack", which is used by the Triple Cross rootkit as a way to elevate privileges
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/05
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/sudo'
        CommandLine|contains: 'execve_hijack'
    condition: selection
falsepositives:
    - Unlikely
level: high
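As an added example (not code from SigmaHQ or the Triple Cross project), the following Python snippet evaluates this rule's `selection` block over constructed Linux process_creation events. It implements only the `endswith` and `contains` modifiers the rule uses, with the case-insensitive matching Sigma applies to plain string values by default, and the sample events show that the rule fires only when the process image is `sudo`, as the `Image|endswith` clause requires.

```python
# Minimal evaluator for the rule's selection (added example, not a Sigma engine).

# The detection section of the rule above, transcribed as a Python dict.
DETECTION = {
    "selection": {
        "Image|endswith": "/sudo",
        "CommandLine|contains": "execve_hijack",
    },
    "condition": "selection",
}


def _match_field(key, expected, event):
    """Evaluate one `Field|modifier: value` entry against an event."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    # Sigma compares plain string values case-insensitively by default.
    actual, expected = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return actual == expected
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "contains":
        return expected in actual
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """A selection map is a conjunction: every listed field must match."""
    return all(_match_field(k, v, event) for k, v in selection.items())


def rule_matches(detection, event):
    # This rule's condition is the single selection; a real engine parses it.
    assert detection["condition"] == "selection"
    return selection_matches(detection["selection"], event)


# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo /tmp/execve_hijack"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo apt update"},
    {"Image": "/bin/bash", "CommandLine": "bash ./execve_hijack"},  # no sudo: no hit
    {"Image": "/usr/bin/SUDO", "CommandLine": "SUDO /opt/EXECVE_HIJACK"},
]


def matching_events(events=EVENTS, detection=DETECTION):
    return [e for e in events if rule_matches(detection, e)]


if __name__ == "__main__":
    for e in matching_events():
        print("ALERT:", e["CommandLine"])
```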
