Skip to content

Hide Navigation Hide TOC

Triple Cross eBPF Rootkit Default Persistence (1a2ea919-d11d-4d1e-8535-06cda13be20f)

Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method

Cluster A Galaxy A Cluster B Galaxy B Level
Triple Cross eBPF Rootkit Default Persistence (1a2ea919-d11d-4d1e-8535-06cda13be20f) Sigma-Rules Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern 1
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern 2