Detectionhightest

Triple Cross eBPF Rootkit Default Persistence

Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Tue Jul 05Updated Sat Dec 311a2ea919-d11d-4d1e-8535-06cda13be20flinux

Log Source

LinuxFile Event

ProductLinux← raw: linux

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|endswith: 'ebpfbackdoor'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0002 · Execution TA0003 · Persistence TA0005 · Defense Evasion

Sub-techniques

T1053.003 · Cron

Rule Metadata

Rule ID

1a2ea919-d11d-4d1e-8535-06cda13be20f

Status

test

Level

high

Type

Detection

Created

Tue Jul 05

Modified

Sat Dec 31

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml

Raw Tags

attack.privilege-escalationattack.executionattack.persistenceattack.defense-evasionattack.t1053.003

View on GitHub