From e465d35dba6f1f9826370a6a21e1af91840a6aa0 Mon Sep 17 00:00:00 2001 From: Juan Tapiador Date: Fri, 1 Jul 2022 16:07:31 +0200 Subject: [PATCH 1/2] Update README.md --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index b548039..f13fb9f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,17 @@ # TripleCross Instructions soon! For now, you can read the paper at docs/ebpf_offensive_rootkit + +TripleCross is an eBPF rootkit for Linux featuring the following capabilities: +1. A library injection module to execute malicious code by writing at a process' virtual memory. +2. An execution hijacking module that modifies data passed to the kernel to execute malicious programs. +3. A local privilege escalation module that allows for running malicious programs with root privileges. +4. A backdoor with C2 capabilities that can monitor the network and execute commands sent from a remote rootkit client. It incorporates multiple activation triggers so that these actions are transmitted stealthy. +5. A rootkit client that allows an attacker to establish 3 different types of shell-like connections to send commands and actions that control the rootkit state remotely. +6. A persistence module that ensures the rootkit remains installed maintaining full privileges even after a reboot event. +7. A stealth module that hides rootkit-related files and directories from the user. + +
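Review bot: two wording problems in the added list need fixing before this lands. In item 4, "so that these actions are transmitted stealthy" should read "transmitted stealthily" (adverb), and in item 1 "a process' virtual memory" is normally written "a process's virtual memory". The hunk also ends with two bare `+` lines, which adds trailing blank lines to README.md; drop one or both. Finally, the line "For now, you can read the paper at docs/ebpf_offensive_rootkit" is kept unchanged above the new capability list but still has no link or file extension, and "Instructions soon!" now sits oddly above a full feature list; consider turning that line into a proper link to the paper and giving the list its own heading (e.g. a "Capabilities" section) so the README structure matches what it now documents.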