The Triple Cross eBPF Rootkit Default Persistence rule detects the artifacts that the TripleCross eBPF rootkit's default deployer drops to survive a reboot: files named "ebpfbackdoor" in the cron.d and sudoers.d directories (a cron entry and a sudoers drop-in). It is a file-creation rule; it does not observe the loading of the eBPF program itself. SOC teams can run the equivalent query in Microsoft Sentinel (formerly Azure Sentinel) to hunt for this persistence on Linux hosts, since a rootkit that hides in eBPF is otherwise hard to spot once it is running.
Detection Rule
title: Triple Cross eBPF Rootkit Default Persistence
id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
status: test
description: Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are part of the TripleCross persistence method
references:
    - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.defense-evasion
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'ebpfbackdoor'
    condition: selection
falsepositives:
    - Unlikely
level: high
Microsoft Sentinel (KQL)
imFileEvent
// In the ASIM file schema TargetFileName is the bare file name; filter on
// TargetFilePath if you want to pin the match to /etc/cron.d/ and /etc/sudoers.d/.
| where TargetFileName endswith "ebpfbackdoor"
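To show what the selection above actually matches and misses, here is an added Python example (not code from the Sigma rule, SigmaHQ or the TripleCross project) that replays the rule's single "endswith" condition over constructed Linux file-creation events. Next to it sits a tighter variant of my own that requires the bare filename "ebpfbackdoor" directly under /etc/cron.d or /etc/sudoers.d, plus a per-host correlation of the two drops. Hosts, process paths and event fields are assumptions made for the example.

```python
"""Replay of the Sigma selection above over constructed Linux file-creation events.

Added example for this page; it is not code from the Sigma rule, the SigmaHQ
project or the TripleCross repository. Event fields, hosts and paths are made up.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class FileEvent:
    host: str
    image: str             # process that created the file
    target_filename: str   # full path, as Linux file_event sources log it


# Constructed sample telemetry (not real logs). web-01 has been hit by the
# default deployer; db-01 only has look-alike activity.
SAMPLE_EVENTS = [
    FileEvent("web-01", "/usr/bin/bash", "/etc/cron.d/ebpfbackdoor"),
    FileEvent("web-01", "/usr/bin/bash", "/etc/sudoers.d/ebpfbackdoor"),
    FileEvent("web-01", "/usr/sbin/cron", "/var/spool/cron/crontabs/root"),
    FileEvent("db-01", "/usr/bin/cilium-agent", "/var/run/cilium/state/ipcache.json"),
    FileEvent("db-01", "/usr/bin/vim", "/etc/sudoers.d/ebpfbackdoor.swp"),
    # An analyst's triage copy: the rule's suffix match fires on this too.
    FileEvent("db-01", "/usr/bin/cp", "/home/analyst/samples/ebpfbackdoor"),
]

# Directories the rule description names as the persistence locations.
PERSISTENCE_DIRS = frozenset({"/etc/cron.d", "/etc/sudoers.d"})


def sigma_selection(ev: FileEvent) -> bool:
    """Exactly the published rule: TargetFilename|endswith: 'ebpfbackdoor'."""
    return ev.target_filename.endswith("ebpfbackdoor")


def strict_selection(ev: FileEvent) -> bool:
    """Tighter variant (my tuning, not the published rule): the bare name must be
    'ebpfbackdoor' and its parent must be one of the two persistence directories."""
    p = PurePosixPath(ev.target_filename)
    return p.name == "ebpfbackdoor" and str(p.parent) in PERSISTENCE_DIRS


def run_rule(events, selection):
    """Return the events a selection function would alert on."""
    return [ev for ev in events if selection(ev)]


def hosts_with_both_artifacts(events):
    """Hosts where both the cron.d and the sudoers.d artifact were created.

    Correlating the two drops per host is a cheap confidence boost on top of the
    single-file rule, since the default deployer writes both."""
    dirs_by_host: dict[str, set[str]] = {}
    for ev in run_rule(events, strict_selection):
        parent = str(PurePosixPath(ev.target_filename).parent)
        dirs_by_host.setdefault(ev.host, set()).add(parent)
    return sorted(h for h, d in dirs_by_host.items() if d == PERSISTENCE_DIRS)


if __name__ == "__main__":
    for name, sel in (("sigma", sigma_selection), ("strict", strict_selection)):
        hits = run_rule(SAMPLE_EVENTS, sel)
        print(f"{name}: {len(hits)} hit(s)")
        for ev in hits:
            print(f"  {ev.host} {ev.image} -> {ev.target_filename}")
    print("hosts with both artifacts:", hosts_with_both_artifacts(SAMPLE_EVENTS))
```

The suffix-only selection also fires on the analyst's triage copy, which is about the only realistic benign hit for this rule; the strict variant drops it while still catching both persistence artifacts on the compromised host, and the vim swap file is missed by both because it does not end in the suffix. Note that TargetFilename here is the full path, as Linux file_event backends log it, whereas ASIM's TargetFileName is the bare name.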
False Positive Scenarios
The rule keys on a single, unusual filename suffix, so the scenarios below only collide with it if the written file's name ends in "ebpfbackdoor". In practice the one benign trigger to expect is a red-team or lab deployment of the TripleCross proof of concept, or an analyst copying its artifacts for triage.
Scenario: Scheduled System Maintenance Task
Description: A legitimate cron job or systemd timer creates files in a system directory (including /etc/cron.d) as part of routine maintenance.
Filter/Exclusion: No exclusion is normally needed, because the rule does not match on directory writes in general. If tuning is required, pin the exclusion to the creating process and the exact filename rather than to the directory.
Scenario: eBPF-Based Network Monitoring Tool Installation
Description: A security or network monitoring tool (e.g., Cilium, an eBPF-based firewall) loads eBPF programs as part of its normal operation.
Filter/Exclusion: Loading eBPF programs creates no "ebpfbackdoor" file and is not visible to this file_event rule. Do not add blanket exclusions for eBPF tooling such as the cilium-agent process; that would also hide the rootkit's loader.
Scenario: Admin User Creating Temporary Files
Description: An administrator creates temporary files (e.g., with mktemp in a script) in system directories for debugging or testing.
Filter/Exclusion: Do not exclude on elevated privilege: the TripleCross deployer itself runs as root. Common temporary-file patterns (*.tmp, *.log) cannot end in "ebpfbackdoor" and need no exclusion.
Scenario: File Integrity Monitoring Tool Execution
Description: A file integrity tool (e.g., OSSEC, Tripwire) creates temporary files or logs in system directories during a scan.
Filter/Exclusion: These tools write their own state and report files and would only match if one of them ended in "ebpfbackdoor"; if that ever occurs, exclude on the tool's process image (e.g., OSSEC's syscheck daemon) together with the exact path.
Scenario: Cloud Provider Configuration Script Execution
Description: A cloud provider's configuration script (e.g., cloud-init, AWS CloudFormation helper scripts, the Azure CLI) creates temporary files or config files in system directories.