The Triple Cross eBPF rootkit is installed through a sequence of command-line steps that attach eBPF programs to the kernel to establish persistence and evade traditional detection mechanisms. SOC teams should proactively hunt for this install activity in Azure Sentinel to identify and mitigate advanced persistent threats that exploit kernel-level capabilities.
Detection Rule
title: Triple Cross eBPF Rootkit Install Commands
id: 22236d75-d5a0-4287-bf06-c93b1770860f
status: test
description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
tags:
    - attack.defense-evasion
    - attack.t1014
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/sudo'
        CommandLine|contains|all:
            - ' tc '
            - ' enp0s3 '
        CommandLine|contains:
            - ' qdisc '
            - ' filter '
    condition: selection
falsepositives:
    - Unlikely
level: high
imProcessCreate
| where TargetProcessName endswith "/sudo"
    and (TargetProcessCommandLine contains " tc " and TargetProcessCommandLine contains " enp0s3 ")
    and (TargetProcessCommandLine contains " qdisc " or TargetProcessCommandLine contains " filter ")
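The following Python is an added example, not code from the Sigma rule, from Nextron Systems, or from the TripleCross project. It re-implements the selection logic above (the same logic the KQL `where` clause expresses) and runs it over a handful of constructed process-creation events, so the match/no-match boundary of the rule can be checked before it goes live. `ProcessEvent`, `SAMPLE_EVENTS`, `hunt` and the sample command lines are all assumptions made for the example; the two `tc` lines are shaped like the deployer's `qdisc`/`filter` steps the rule describes but are not copied from it.

```python
# Added example (not part of the Sigma rule or the TripleCross project): a
# reference implementation of the rule's selection logic, evaluated over
# constructed Linux process_creation events.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for a process_creation record (constructed, not a real log schema)."""
    image: str          # Sigma Image / KQL TargetProcessName
    command_line: str   # Sigma CommandLine / KQL TargetProcessCommandLine


# Tokens are space-padded exactly as in the rule, so "tc" and "enp0s3" must be
# whole arguments and must be followed by a further argument.
REQUIRED_ALL = (" tc ", " enp0s3 ")   # CommandLine|contains|all
REQUIRED_ANY = (" qdisc ", " filter ")  # CommandLine|contains


def matches_triple_cross_install(event: ProcessEvent) -> bool:
    """Evaluate the Sigma selection:
    Image|endswith '/sudo' AND all REQUIRED_ALL tokens AND any REQUIRED_ANY token.

    Sigma string modifiers and KQL `contains` are case-insensitive by default,
    so both sides are lower-cased before comparison.
    """
    image = event.image.lower()
    cmd = event.command_line.lower()
    if not image.endswith("/sudo"):
        return False
    if not all(tok in cmd for tok in REQUIRED_ALL):
        return False
    return any(tok in cmd for tok in REQUIRED_ANY)


def hunt(events):
    """Return the events the rule would flag (equivalent of the KQL `where`)."""
    return [e for e in events if matches_triple_cross_install(e)]


# Constructed sample events. Index 0 and 1 are shaped like the qdisc/filter
# install steps the rule targets; the rest are benign look-alikes that show
# where the rule's padded tokens stop matching.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/sudo", "sudo tc qdisc add dev enp0s3 clsact"),                  # 0: match via ' qdisc '
    ProcessEvent("/usr/bin/sudo", "sudo tc filter add dev enp0s3 egress bpf obj prog.o"),  # 1: match via ' filter '
    ProcessEvent("/usr/bin/sudo", "sudo apt-get upgrade -y"),                              # 2: package manager, no ' tc '
    ProcessEvent("/usr/sbin/tc", "tc qdisc add dev enp0s3 clsact"),                        # 3: not launched via sudo
    ProcessEvent("/usr/bin/sudo", "sudo tc qdisc show dev enp0s3"),                        # 4: enp0s3 is last arg, no trailing space
    ProcessEvent("/usr/bin/sudo", "sudo tc qdisc add dev eth0 clsact"),                    # 5: different interface name
]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(f"ALERT image={e.image} cmd={e.command_line!r}")
```

Two properties of the rule become visible from the sample set: the space-padded tokens mean an interface name that is the final argument (event 4) does not match, and the selection is keyed to the deployer script's default interface name `enp0s3`, so the same commands against another interface (event 5) fall outside the rule as written. Both are worth knowing when tuning the query to a specific environment.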
Scenario: System Update or Patching via apt or yum
Description: A legitimate system update or patching process may include commands that resemble the rootkit’s install commands.
Filter/Exclusion: Check for apt-get upgrade, apt install, or yum update in the command line, and exclude processes related to package managers.
Scenario: Scheduled Job for Log Rotation or Backup
Description: A scheduled job using logrotate or a backup script may execute commands that look like rootkit installation steps.
Filter/Exclusion: Filter out processes with logrotate, rsync, or tar in the command line, and exclude jobs running under cron or systemd timers.
Scenario: Admin Task for Kernel Module Installation
Description: An administrator may be installing a legitimate kernel module using modprobe or insmod, which could trigger the rule.
Filter/Exclusion: Exclude processes involving modprobe, insmod, or rmmod, and check for known legitimate kernel modules in /lib/modules.
Scenario: DevOps Pipeline Deployment with make or gcc
Description: A CI/CD pipeline might compile or deploy code using make or gcc, which could include commands similar to the rootkit’s install logic.
Filter/Exclusion: Filter out processes with make, gcc, or cmake in the command line, and check for known DevOps tools in the environment.
Scenario: User-Initiated Script Execution for System Monitoring
Description: A user may run a script for system monitoring or diagnostics that includes commands resembling rootkit installation.
Filter/Exclusion: Exclude scripts with known monitoring tools like netdata, Prometheus, or telegraf, and check for script execution in