Query Details

Rule: Detection of Suspicious File Creation Related to TripleCrosse eBPF Backdoor

Triple Crosse BPF Rootkit

Query

DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName contains "ebpfbackdoor" or FileName contains "rootlog"

About this query

Explanation

This query is designed to detect the creation of suspicious files on Linux systems that could indicate malicious activities, such as the installation of rootkits or backdoors. Specifically, it looks for files named "ebpfbackdoor" or "rootlog," which are associated with known malicious tools. The query monitors file creation events and flags any instances where these suspicious file names appear. This helps in identifying potential security threats and unauthorized activities on the system.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 8, 2024

Tables

DeviceFileEvents

Keywords

DevicesLinuxSecurityFileEventsSuspiciousActivity

Operators

==containsor|where

Actions

GitHub