Triple Cross eBPF Rootkit Execve Hijack

Sigma Rules

Summary
The detection rule targets the execution of a specific file, `execve_hijack`, which the Triple Cross rootkit uses for privilege escalation on Linux. The rule monitors process creation events and matches when the process image ends with `/sudo` and the command line contains the string `execve_hijack`. The rootkit relies on this hijacking technique to circumvent standard security mechanisms, which is why process creation must be monitored closely as part of security enforcement. Because this attack vector is relatively uncommon, false positives are considered unlikely. The rule is high priority because privilege escalation of this kind can lead to full system compromise.
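The selection logic described above, applied to sample events, as an added example that is not part of the original page and not the Sigma project's own rule: a small Python matcher that reads constructed process-creation log lines and fires when `Image` ends with `/sudo` and `CommandLine` contains `execve_hijack`. The field names `Image` and `CommandLine` follow the Sigma `process_creation` convention and are assumed here; the `key=value` log format and every event in `SAMPLE_LOG` are constructed for illustration.

```python
"""Evaluate process-creation events against the logic described for the
Triple Cross execve_hijack rule: Image ends with '/sudo' AND CommandLine
contains 'execve_hijack'.  Field names follow the Sigma process_creation
convention (assumption); the log format and sample lines are constructed."""

import shlex
from typing import Dict, Iterable, List

IMAGE_SUFFIX = "/sudo"          # Image|endswith
CMDLINE_MARKER = "execve_hijack"  # CommandLine|contains

# Constructed sample telemetry (not real logs): one key=value event per line.
SAMPLE_LOG = """\
Image=/usr/bin/sudo CommandLine="sudo /tmp/execve_hijack" User=alice
Image=/usr/bin/sudo CommandLine="sudo apt update" User=alice
Image=/usr/bin/grep CommandLine="grep -r execve_hijack /var/log" User=bob
Image=/usr/bin/sudo CommandLine="sudo cat /tmp/EXECVE_HIJACK.log" User=carol
Image=/usr/local/bin/sudo CommandLine="" User=dave
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key="quoted value"' log line into a dict.
    shlex handles the quoted CommandLine so spaces inside it are preserved."""
    event: Dict[str, str] = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def matches_execve_hijack(event: Dict[str, str]) -> bool:
    """Return True when both selection conditions hold.
    Comparisons are case-insensitive, mirroring Sigma's default string
    matching; an event missing either field never matches."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIX) and CMDLINE_MARKER in cmdline


def find_matches(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse a stream of log lines and keep only the events that would fire the rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if matches_execve_hijack(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_LOG.splitlines()):
        print(f"ALERT user={hit['User']} image={hit['Image']} cmd={hit['CommandLine']!r}")
```

Running the block flags two of the five constructed events: the `sudo /tmp/execve_hijack` launch and the upper-cased `EXECVE_HIJACK.log` read (matched because Sigma string comparison is case-insensitive by default); the `grep` event does not match because its image is not `sudo`, and the empty command line does not match despite the `sudo` image. The second hit is the kind of benign event an analyst would triage quickly, which is consistent with the summary's low expected false-positive rate.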
Categories
  • Linux
  • Endpoint
  • Application
Data Sources
  • Process
Created: 2022-07-05