The Triple Cross eBPF Rootkit creates a default lockfile as part of establishing persistence and maintaining control over the host's network stack. SOC teams should proactively hunt for this file creation in Azure Sentinel to identify and neutralize advanced persistent threats that evade traditional detection methods.
Detection Rule
title: Triple Cross eBPF Rootkit Default LockFile
id: c0239255-822c-4630-b7f1-35362bcb8f44
status: test
description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
    - attack.defense-evasion
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename: '/tmp/rootlog'
    condition: selection
falsepositives:
    - Unlikely
level: high
// ASIM FileEvent: TargetFilePath holds the full path; TargetFileName holds only the file name ("rootlog"),
// so the rule's exact-path match has to be made against TargetFilePath.
imFileEvent
| where TargetFilePath =~ "/tmp/rootlog"
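The following is an added worked example, not code from the Sigma rule, the page, or the TripleCross project. It applies the rule's selection logic to a handful of constructed file events shaped like the ASIM imFileEvent schema (full path in TargetFilePath, file name in TargetFileName), attaches the acting process and user that an analyst would pivot on, and shows why matching the full path against the name-only field never fires.

```python
"""Added worked example: applies the TripleCross "/tmp/rootlog" detection to
constructed ASIM-style file events. Not code from the Sigma rule, the page, or
the TripleCross project; the events below are constructed sample data."""
from __future__ import annotations

import posixpath
from typing import Iterable

# Exact lockfile path the Sigma rule keys on (TargetFilename: '/tmp/rootlog').
ROOTLOG_PATH = "/tmp/rootlog"

# Constructed sample events shaped like the ASIM imFileEvent schema
# (TargetFilePath = full path, TargetFileName = file name only).
SAMPLE_EVENTS = [
    {"EventType": "FileCreated", "TargetFilePath": "/tmp/rootlog",
     "ActingProcessName": "execve_hijack", "ActorUsername": "root"},
    {"EventType": "FileCreated", "TargetFilePath": "/var/lib/apt/lists/lock",
     "ActingProcessName": "apt", "ActorUsername": "root"},
    {"EventType": "FileCreated", "TargetFilePath": "/home/alice/rootlog",
     "ActingProcessName": "bash", "ActorUsername": "alice"},
    {"EventType": "FileCreated", "TargetFilePath": "/TMP/ROOTLOG",
     "ActingProcessName": "sh", "ActorUsername": "root"},
    {"EventType": "FileDeleted", "TargetFilePath": "/tmp/rootlog",
     "ActingProcessName": "rm", "ActorUsername": "root"},
]


def normalize(event: dict) -> dict:
    """Derive TargetFileName from TargetFilePath the way ASIM parsers do."""
    out = dict(event)
    out.setdefault("TargetFileName", posixpath.basename(out.get("TargetFilePath", "")))
    return out


def matches_rule(event: dict) -> bool:
    """Sigma selection: a file-creation event whose full path is /tmp/rootlog.
    The comparison is case-insensitive, mirroring Sigma's default string
    matching and KQL's =~ operator."""
    return (
        event.get("EventType") == "FileCreated"
        and event.get("TargetFilePath", "").lower() == ROOTLOG_PATH
    )


def matches_name_field_only(event: dict) -> bool:
    """Pitfall: comparing the full path against the name-only field.
    This never fires, because TargetFileName holds just "rootlog"."""
    return event.get("TargetFileName", "").lower() == ROOTLOG_PATH


def run_rule(events: Iterable[dict], matcher=matches_rule) -> list[dict]:
    """Return the events the matcher flags, with triage fields attached."""
    alerts = []
    for raw in events:
        ev = normalize(raw)
        if matcher(ev):
            alerts.append({
                "path": ev["TargetFilePath"],
                "process": ev.get("ActingProcessName", "<unknown>"),
                "user": ev.get("ActorUsername", "<unknown>"),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(f"ALERT rootlog created by {alert['process']} ({alert['user']}): {alert['path']}")
    print("name-field-only matcher alerts:",
          len(run_rule(SAMPLE_EVENTS, matches_name_field_only)))
```

Only the two creation events at the exact path fire (the deletion and the file with the same name under a home directory do not), and the name-only matcher returns nothing, which is the behaviour to check for when validating a converted query against real telemetry.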
False Positive Scenarios
Because the rule keys on the exact path /tmp/rootlog and its author rates false positives as unlikely, the generic lockfile scenarios below only apply where a legitimate tool writes that exact path; the example filters are illustrative pseudo-syntax, not KQL.
Scenario: System Update or Patching Tool Creates LockFile
Description: A legitimate system update tool (e.g., yum, apt, Chocolatey) may create a lockfile during package installation or configuration.
Filter/Exclusion: Check the process owner and command line for known update tools. Example filter: process.owner != "root" AND process.name NOT IN ("yum", "apt", "choco")
Scenario: Scheduled Job or Backup Tool Uses LockFile
Description: A scheduled job (e.g., cron, Task Scheduler) or backup tool (e.g., Veeam, Commvault) may create a lockfile to prevent concurrent operations.
Filter/Exclusion: Filter by process name or command line arguments related to backup or scheduling. Example filter: process.name IN ("crond", "schtasks.exe", "veeam")
Scenario: Configuration Management Tool (e.g., Ansible, Puppet) Creates LockFile
Description: Configuration management tools may create lockfiles during deployment or configuration changes.
Filter/Exclusion: Filter by process name or command line arguments related to configuration management. Example filter: process.name IN ("ansible", "puppet", "chef")
Scenario: Antivirus or Endpoint Protection Software Locks Files
Description: Antivirus or endpoint protection software (e.g., Kaspersky, Bitdefender, Microsoft Defender) may create lockfiles to prevent file access during scanning.
Filter/Exclusion: Filter by process name or vendor-specific identifiers. Example filter: process.name IN ("msseces", "kavsvc", "bdagent")
Scenario: Database or Application Locking Mechanism
Description: Some applications or databases (e.g., MySQL, PostgreSQL,