
Triple Cross eBPF Rootkit Install Commands

Sigma Rules

Summary
This rule detects the default install commands of the Triple Cross eBPF rootkit from Linux process creation events. It selects processes whose image is sudo and whose command line carries the tc (traffic control) arguments used by the project's deployer.sh script: the keywords 'qdisc' and 'filter' together with the interface name 'enp0s3'. These are the commands that attach the rootkit's eBPF programs to the interface's traffic control hooks; the rule uses the deployer.sh script from the project's GitHub repository as its reference. Because the selection keys on the interface name hardcoded in that script, an installation against an interface with a different name, or one that departs from the script's arguments, will not match: the rule is built to catch the default, unmodified deployment. Rootkit installation is a defense-evasion step, and the install commands are one of the last points at which the activity is still visible to ordinary process telemetry, so an alert here is worth triaging immediately.
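The following is an added example, not code from the Sigma project or the rule's author: a minimal matcher that applies the rule's two selectors (an Image ending in '/sudo' and a CommandLine that contains all of the keywords) to a handful of constructed process creation events. The keyword list is taken from the summary above and is an assumption; copy the exact values from the rule's YAML before using it. The events are invented for the example and are not real telemetry.

```python
"""Sigma-style matcher for the Triple Cross install-command rule, run over
constructed Linux process_creation events (added example, not the rule itself)."""

# Selector values as described in the page summary. This is an assumption:
# verify against the rule's YAML, which is the authoritative definition.
IMAGE_ENDSWITH = "/sudo"
CMDLINE_CONTAINS_ALL = ("qdisc", "filter", "enp0s3")


def matches_triple_cross_install(event: dict,
                                 image_suffix: str = IMAGE_ENDSWITH,
                                 keywords: tuple = CMDLINE_CONTAINS_ALL) -> bool:
    """Apply the selection: Image|endswith and CommandLine|contains|all.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before comparison. Every keyword must appear in the command line.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(image_suffix.lower()):
        return False
    return all(k.lower() in cmdline for k in keywords)


# Constructed process_creation events (not real telemetry), in the Sigma
# field names for this log source.
SAMPLE_EVENTS = [
    {   # 0: one-liner that runs the qdisc and filter steps of deployer.sh under sudo
        "Image": "/usr/bin/sudo",
        "CommandLine": "sudo sh -c 'tc qdisc add dev enp0s3 clsact; "
                       "tc filter add dev enp0s3 ingress bpf direct-action "
                       "obj bin/backdoor.bpf.o sec classifier/ingress'",
    },
    {   # 1: same deployment on a host whose interface is eth0, not enp0s3
        "Image": "/usr/bin/sudo",
        "CommandLine": "sudo sh -c 'tc qdisc add dev eth0 clsact; "
                       "tc filter add dev eth0 ingress bpf direct-action "
                       "obj bin/backdoor.bpf.o sec classifier/ingress'",
    },
    {   # 2: benign sudo usage
        "Image": "/usr/bin/sudo",
        "CommandLine": "sudo apt-get update",
    },
    {   # 3: identical tc commands run directly as root (no sudo image)
        "Image": "/usr/bin/sh",
        "CommandLine": "sh -c 'tc qdisc add dev enp0s3 clsact; "
                       "tc filter add dev enp0s3 ingress bpf direct-action "
                       "obj bin/backdoor.bpf.o sec classifier/ingress'",
    },
]


def alerts(events=SAMPLE_EVENTS, keywords: tuple = CMDLINE_CONTAINS_ALL) -> list:
    """Return the indexes of the events that would fire the rule."""
    return [i for i, e in enumerate(events)
            if matches_triple_cross_install(e, keywords=keywords)]


if __name__ == "__main__":
    for i in alerts():
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running it shows only event 0 firing. Event 1 is the same rootkit install on a differently named interface and is missed, which is the cost of keying on 'enp0s3'; passing `keywords=("qdisc", "filter")` to `alerts()` widens the match to catch it, at the price of broader coverage that would need its own false-positive review. Event 3 shows the other blind spot: the same commands issued without going through sudo never satisfy the Image selector.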
Categories
  • Linux
Data Sources
  • Process
Created: 2022-07-05