BPF Program Tampering via bpftool

Detects execution of bpftool commands used to detach eBPF programs or links, or to delete or modify eBPF maps. These actions can disable, alter, or interfere with kernel-level instrumentation and enforcement mechanisms implemented through eBPF. In environments relying on eBPF-based networking, observability, or security controls, unexpected use of these operations may indicate defense evasion or runtime tampering. Scope caveat: the query below keys only on the `prog detach`, `link detach`, `map delete` and `map update` subcommands, so hooks removed with `bpftool net detach` (XDP) or `bpftool cgroup detach`, and maps rewritten by a custom loader that never execs bpftool, are not covered and need separate detection.

Elastic rule

[metadata]
creation_date = "2026/02/20"
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/02/20"

[rule]
author = ["Elastic"]
description = """
Detects execution of bpftool commands used to detach eBPF programs or links, or to delete or modify eBPF maps. These
actions can disable, alter, or interfere with kernel-level instrumentation and enforcement mechanisms implemented
through eBPF. In environments relying on eBPF-based networking, observability, or security controls, unexpected
use of these operations may indicate defense evasion or runtime tampering.
"""
from = "now-9m"
index = [
    "auditbeat-*",
    "endgame-*",
    "logs-auditd_manager.auditd-*",
    "logs-endpoint.events.process*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "BPF Program Tampering via bpftool"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating BPF Program Tampering via bpftool

This rule detects bpftool executions that detach eBPF programs/links or delete/update eBPF maps, actions that can silently disable kernel-level visibility and enforcement built on eBPF. Attackers use these operations to evade detection or weaken runtime controls by removing loaded probes or rewriting map contents that drive policy decisions. A common pattern is running bpftool to detach a program from a hook or detach a link shortly before other suspicious activity.

### Possible investigation steps

- Pull the full bpftool command line and correlate it with the invoking user, session (TTY/SSH), parent process chain, and any preceding privilege escalation to determine whether it was interactive admin work or automated tampering.
- Capture current eBPF state (`bpftool prog show`, `bpftool link show`, `bpftool map show -j`) and compare with recent snapshots/logs to identify which program/link/map changed and what controls (sensor, CNI, LSM, XDP/TC) may have been impacted.
- Identify the affected attachment point by mapping the detached program/link ID to its hook (e.g., tc/xdp/cgroup/tracepoint/kprobe) and validate operational impact by checking for missing telemetry, policy gaps, or network behavior changes around the event time.
- Review audit/system logs and package history for installation or recent execution of bpftool, kernel/debug tooling, or custom eBPF loaders, and look for nearby suspicious binaries/scripts that could be orchestrating repeated detach/update actions.
- If malicious activity is suspected, preserve artifacts by exporting bpftool JSON output and relevant `/sys/fs/bpf` entries, then hunt for follow-on persistence or rootkit-like behavior (new eBPF loads, altered maps, hidden processes, unexpected kernel module activity) on the host.

### False positive analysis

- A system administrator or SRE running bpftool during incident response or troubleshooting may detach a program/link or update/delete a map to temporarily disable an eBPF hook and validate whether it is causing network drops, performance regressions, or incorrect enforcement.
- A maintenance workflow during kernel, CNI, or eBPF policy rollouts may use bpftool to detach and replace existing attachments or refresh map entries as part of a controlled upgrade/rollback, especially when reloading pinned objects under `/sys/fs/bpf`.

### Response and remediation

- Contain by isolating the host from the network or restricting outbound access while preserving access for forensics if bpftool detach/map operations are unexpected or coincide with loss of eBPF-based enforcement/telemetry.
- Eradicate by stopping and removing the controlling process/script (inspect the bpftool parent chain and cron/systemd units), revoking the initiating account's sudo/root access, and deleting any unauthorized pinned objects under `/sys/fs/bpf` after exporting them for evidence.
- Recover by reloading the approved eBPF components (agent/CNI/LSM/XDP/TC) from trusted packages or images, reattaching required programs/links, and restoring known-good map contents from backups or redeploying policy to repopulate maps.
- Escalate to incident response and platform owners immediately if repeated bpftool tampering persists after containment, you find unknown pinned maps/programs with suspicious names/owners, or multiple hosts show simultaneous detach/update activity.
- Harden by limiting bpftool availability (remove from production images where not needed), enforcing least-privilege on CAP_BPF/CAP_SYS_ADMIN and sudoers, and adding immutable monitoring of `/usr/sbin/bpftool` and `/sys/fs/bpf` plus periodic snapshots of `bpftool prog/link/map show` for drift detection."""
references = [
    "https://manpages.ubuntu.com/manpages/jammy/man8/bpftool-prog.8.html",
    "https://manpages.ubuntu.com/manpages/noble/man8/bpftool-map.8.html",
    "https://man.archlinux.org/man/bpftool-link.8.en",
]
risk_score = 47
rule_id = "1b65429e-bd92-44c0-aff8-e8065869d860"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Threat: Rootkit",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Auditd Manager",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "bpftool" and (
  (process.args == "prog" and process.args == "detach") or
  (process.args == "map" and process.args in ("delete", "update")) or
  (process.args == "link" and process.args == "detach")
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

[[rule.threat.technique]]
id = "T1014"
name = "Rootkit"
reference = "https://attack.mitre.org/techniques/T1014/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
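The following is an added example and is not part of the Elastic rule or its investigation guide. It serves two passages above: the EQL query, whose predicate it re-implements in plain Python and runs over constructed process events, and the guide's "capture current eBPF state and compare with recent snapshots" step, for which it diffs two constructed `bpftool link show -j` arrays and two constructed `bpftool map dump -j` arrays. Two properties of the query become visible: `process.args == "prog"` is true when any element of the argument array equals `"prog"` (argument order does not matter), and invocations such as `bpftool net detach` or `bpftool cgroup detach` are not matched because those subcommands are not listed. The event contents, object IDs, pin paths and the `make_event`, `diff_snapshots` and `map_dump_key` helpers are assumptions made for this example; real bpftool JSON output carries more fields than the samples show.

```python
# Added example (not Elastic's code): Python mirror of the rule's EQL predicate
# plus the before/after snapshot diff the triage guide recommends.
import json

# event.action values accepted by the rule, copied from its EQL query.
EXEC_ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2",
                "executed", "process_started"}


def matches_rule(event):
    """Return True when a flattened ECS-style process event satisfies the rule.
    EQL compares an array field element-wise, so `process.args == "prog"` holds
    if ANY argument equals "prog"; set membership reproduces that, and argument
    order is irrelevant exactly as it is in the query."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if event.get("event.action") not in EXEC_ACTIONS:
        return False
    if event.get("process.name") != "bpftool":
        return False
    args = set(event.get("process.args", []))
    return (("prog" in args and "detach" in args)
            or ("map" in args and not args.isdisjoint({"delete", "update"}))
            or ("link" in args and "detach" in args))


def make_event(argv, action="exec", os_type="linux"):
    """Build a constructed process event (sample data, not real telemetry)."""
    return {"host.os.type": os_type, "event.type": "start", "event.action": action,
            "process.name": argv[0], "process.args": list(argv)}


# Constructed command lines. The "not covered" entries use subcommands the query
# does not list (net detach for XDP hooks, cgroup detach) and so never fire.
SAMPLE_EVENTS = {
    "link detach": make_event(["bpftool", "link", "detach", "id", "23"]),
    "map update": make_event(["bpftool", "map", "update", "pinned", "/sys/fs/bpf/policy",
                              "key", "hex", "01", "00", "00", "00", "value", "hex", "00"]),
    "prog detach (crowdstrike)": make_event(
        ["bpftool", "prog", "detach", "id", "5", "sk_skb_stream_verdict",
         "pinned", "/sys/fs/bpf/sockmap"], action="ProcessRollup2"),
    "prog show": make_event(["bpftool", "prog", "show"]),
    "net detach (not covered)": make_event(["bpftool", "net", "detach", "xdp", "dev", "eth0"]),
    "cgroup detach (not covered)": make_event(
        ["bpftool", "cgroup", "detach", "/sys/fs/cgroup/app", "connect4", "id", "7"]),
    "wrong os": make_event(["bpftool", "link", "detach", "id", "23"], os_type="windows"),
}


def diff_snapshots(before, after, key=lambda obj: obj["id"]):
    """Compare two JSON arrays (e.g. `bpftool link show -j` keyed on the kernel
    object ID, or `bpftool map dump -j` keyed on the map key) and report objects
    that disappeared, appeared, or changed between the two snapshots."""
    b = {key(o): o for o in before}
    a = {key(o): o for o in after}
    return {"removed": [b[k] for k in b if k not in a],
            "added": [a[k] for k in a if k not in b],
            "changed": [(b[k], a[k]) for k in b if k in a and b[k] != a[k]]}


def map_dump_key(entry):
    """`map dump -j` entries carry no ID, so key on the map key bytes."""
    return tuple(entry["key"])


# Constructed `bpftool link show -j` output before and after the "link detach"
# event; field names follow bpftool's JSON output, values are invented.
LINKS_BEFORE = json.loads("""[
  {"id": 11, "type": "tracing", "prog_id": 40, "attach_type": "fentry"},
  {"id": 23, "type": "cgroup", "prog_id": 7, "cgroup_id": 8193, "attach_type": "cgroup_inet4_connect"}
]""")
LINKS_AFTER = json.loads('[{"id": 11, "type": "tracing", "prog_id": 40, "attach_type": "fentry"}]')

# Constructed `bpftool map dump -j` output for the pinned policy map before and
# after the "map update" event rewrote the value stored under key 01 00 00 00.
POLICY_BEFORE = json.loads('[{"key": ["0x01","0x00","0x00","0x00"], "value": ["0x01"]}]')
POLICY_AFTER = json.loads('[{"key": ["0x01","0x00","0x00","0x00"], "value": ["0x00"]}]')


if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        flag = "ALERT" if matches_rule(ev) else "  -  "
        print(f"{flag} {label}: {' '.join(ev['process.args'])}")
    for link in diff_snapshots(LINKS_BEFORE, LINKS_AFTER)["removed"]:
        print(f"link {link['id']} ({link['type']}, prog {link['prog_id']}) is gone")
    for old, new in diff_snapshots(POLICY_BEFORE, POLICY_AFTER, key=map_dump_key)["changed"]:
        print(f"policy key {old['key']} changed {old['value']} -> {new['value']}")
```

Running the script alerts on the `link detach`, `map update` and CrowdStrike-shaped `prog detach` events and stays silent on `prog show`, the `net detach` and `cgroup detach` invocations and the non-Linux host. The second diff keys on the map key rather than an object ID because `bpftool map show -j` lists only map metadata; an entry rewritten by `bpftool map update` is visible only in `bpftool map dump -j` of that map, so content drift has to be checked against dumps, not against `map show`.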
