BPF filter applied using TC

Detects when the tc (traffic control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/07/11"
 3maturity = "production"
 4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 5min_stack_version = "8.3.0"
 6updated_date = "2023/02/22"
 7integration = ["endpoint"]
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "BPF filter applied using TC"
19references = [
20    "https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh",
21    "https://man7.org/linux/man-pages/man8/tc.8.html",
22]
23risk_score = 73
24rule_id = "ef04a476-07ec-48fc-8f3d-5e1742de76d3"
25severity = "high"
26tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "TripleCross", "Elastic Endgame"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd"
32'''
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1059"
38name = "Command and Scripting Interpreter"
39reference = "https://attack.mitre.org/techniques/T1059/"
40
41[[rule.threat.technique.subtechnique]]
42id = "T1059.004"
43name = "Unix Shell"
44reference = "https://attack.mitre.org/techniques/T1059/004/"
45
46[rule.threat.tactic]
47id = "TA0002"
48name = "Execution"
49reference = "https://attack.mitre.org/tactics/TA0002/"
