The Triple Cross eBPF Rootkit Execve Hijack detection rule identifies potential adversary behavior involving the hijacking of process execution through eBPF mechanisms, which could indicate stealthy persistence or privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect advanced persistent threats that evade traditional detection methods.
Detection Rule
title: Triple Cross eBPF Rootkit Execve Hijack
id: 0326c3c8-7803-4a0f-8c5c-368f747f7c3e
status: test
description: Detects execution of the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/sudo'
        CommandLine|contains: 'execve_hijack'
    condition: selection
falsepositives:
    - Unlikely
level: high
imProcessCreate
| where TargetProcessName endswith "/sudo" and TargetProcessCommandLine contains "execve_hijack"
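To show how the selection above behaves on telemetry, here is an added Python example (not the rule's own code and not part of the Sigma project) that applies the same two conditions to a few constructed process_creation events, accepting either the Sigma field names or the imProcessCreate column names used in the KQL query. Sigma's endswith/contains modifiers and KQL's endswith/contains are both case-insensitive, so the comparison lowercases both sides; the sudoedit row shows why endswith '/sudo' is narrower than a plain contains.

```python
# Added example: applies the Sigma selection from the rule above to constructed
# process_creation events. Not the rule's own code or part of the Sigma project.

# Column names used by the imProcessCreate query, mapped to Sigma field names.
ASIM_TO_SIGMA = {
    "TargetProcessName": "Image",
    "TargetProcessCommandLine": "CommandLine",
}

def normalize(event):
    """Return a copy keyed by Sigma field names, whichever schema the row used."""
    return {ASIM_TO_SIGMA.get(k, k): v for k, v in event.items()}

def sigma_endswith(value, suffix):
    # Sigma modifiers (and KQL endswith/contains) compare case-insensitively.
    return value.lower().endswith(suffix.lower())

def sigma_contains(value, needle):
    return needle.lower() in value.lower()

def matches_rule(event):
    """selection: Image|endswith '/sudo' AND CommandLine|contains 'execve_hijack'."""
    e = normalize(event)
    return (sigma_endswith(e.get("Image", ""), "/sudo")
            and sigma_contains(e.get("CommandLine", ""), "execve_hijack"))

# Constructed sample events (no real telemetry); both schemas mixed on purpose.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo /tmp/execve_hijack"},
    {"TargetProcessName": "/usr/bin/sudo",
     "TargetProcessCommandLine": "sudo ./EXECVE_HIJACK"},                   # case differs
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo apt-get update"},      # benign sudo
    {"Image": "/usr/bin/sudoedit", "CommandLine": "sudoedit execve_hijack.c"},  # not '/sudo'
    {"Image": "/usr/bin/vim", "CommandLine": "vim execve_hijack.c"},       # no sudo
]

def run_detection(events):
    """Return the events that would fire the rule."""
    return [e for e in events if matches_rule(e)]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", normalize(hit)["CommandLine"])
```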
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as systool or systemd-tmpfiles, is executing a binary that matches the rule’s file pattern.
Filter/Exclusion: Check the command line arguments for known maintenance tools and exclude processes with systemd, systool, or tmpfiles.d in the path.
Scenario: Admin Task Using strace for Debugging
Description: A system administrator is using strace to debug a legitimate application, which results in the execution of a binary that matches the rule’s file pattern.
Filter/Exclusion: Filter out processes where the parent process is strace or where the command line includes debugging flags like -f or -p.
Scenario: Containerized Application with execve in Init Script
Description: A containerized application uses an init script (e.g., entrypoint.sh) that calls execve to start the main application, which matches the rule’s file pattern.
Filter/Exclusion: Exclude processes where the parent process is a container runtime (e.g., docker, containerd) or where the script is known to be part of a container’s entrypoint.
Scenario: Legitimate Binary Execution via sudo
Description: An admin uses sudo to execute a legitimate binary (e.g., rsync, tar, or cp) that matches the rule’s file pattern.
Filter/Exclusion: Exclude processes where the parent process is sudo and the command line includes known admin tools or system utilities.
Scenario: Automated Backup Job Using rsync
Description: A scheduled backup job using rsync executes a binary that matches the rule’s file pattern as part of its