Rule: Detection of Suspicious File Creation Related to TripleCrosse eBPF Backdoor
Triple Crosse BPF Rootkit
Query
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName contains "ebpfbackdoor" or FileName contains "rootlog"About this query
Explanation
This query is designed to detect the creation of suspicious files on Linux systems that could indicate malicious activities, such as the installation of rootkits or backdoors. Specifically, it looks for files named "ebpfbackdoor" or "rootlog," which are associated with known malicious tools. The query monitors file creation events and flags any instances where these suspicious file names appear. This helps in identifying potential security threats and unauthorized activities on the system.
Details

Ali Hussein
Released: July 8, 2024
Tables
DeviceFileEvents
Keywords
DevicesLinuxSecurityFileEventsSuspiciousActivity
Operators
==containsor|where