sigmahighHunting

Triple Cross eBPF Rootkit Execve Hijack

Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges

Detection Query

selection:
  Image|endswith: /sudo
  CommandLine|contains: execve_hijack
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-07-05

Data Sources

linuxProcess Creation Events

Platforms

linux

References

https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275

Tags

attack.privilege-escalationattack.stealth

Raw Content

title: Triple Cross eBPF Rootkit Execve Hijack
id: 0326c3c8-7803-4a0f-8c5c-368f747f7c3e
status: test
description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/sudo'
        CommandLine|contains: 'execve_hijack'
    condition: selection
falsepositives:
    - Unlikely
level: high