Potential Suspicious BPF Activity - Linux
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system.
Sigma rule
title: Potential Suspicious BPF Activity - Linux
id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a
status: test
description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
references:
    - https://redcanary.com/blog/ebpf-malware/
    - https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
author: Red Canary (idea), Nasreddine Bencherchali
date: 2023-01-25
tags:
    - attack.persistence
    - attack.defense-evasion
logsource:
    product: linux
detection:
    selection:
        - 'bpf_probe_write_user'
    condition: selection
falsepositives:
    - Unknown
level: high
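The rule above is a single keyword selection: any Linux log event containing the string bpf_probe_write_user fires it. The string appears because the kernel prints a rate-limited warning naming the loading process and its PID whenever a program that uses this helper is installed. The following added example (not part of the Sigma project) applies the same selection to constructed syslog-style sample lines and enriches each hit with the process name and PID from the kernel message; the host name, timestamps and process names in the samples are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (syslog style). The two warning lines follow the
# wording the kernel emits when a program using bpf_probe_write_user is loaded;
# host, timestamps, PIDs and process names are invented for this example.
SAMPLE_LOG = """\
Jan 25 10:01:02 host kernel: [  120.118] audit: type=1334 audit(1674640862.1:9): prog-id=42 op=LOAD
Jan 25 10:01:03 host kernel: [  121.004] loader[4242] is installing a program with bpf_probe_write_user helper that may corrupt user memory!
Jan 25 10:01:04 host sshd[900]: Accepted publickey for admin from 10.0.0.5 port 51234
Jan 25 10:02:10 host kernel: [  188.330] bcc-tool[5151] is installing a program with bpf_probe_write_user helper that may corrupt user memory!
"""

KEYWORD = "bpf_probe_write_user"  # the Sigma rule's selection keyword

# Extracts the loading process (comm) and PID from the kernel warning text.
WARN_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\] is installing a program with "
    r"bpf_probe_write_user helper"
)


@dataclass
class Alert:
    line_no: int
    comm: Optional[str]   # None when the line matched but is not the kernel warning
    pid: Optional[int]
    raw: str


def match_rule(log_text: str) -> List[Alert]:
    """Apply the rule's keyword selection to every line and enrich each hit."""
    alerts: List[Alert] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if KEYWORD not in line:  # Sigma keyword list: substring anywhere in the event
            continue
        m = WARN_RE.search(line)
        alerts.append(Alert(n, m["comm"] if m else None,
                            int(m["pid"]) if m else None, line))
    return alerts


if __name__ == "__main__":
    for a in match_rule(SAMPLE_LOG):
        print(f"line {a.line_no}: comm={a.comm} pid={a.pid}")
```

Because the warning only identifies comm and PID, an analyst will typically still need the BPF audit events (prog-id and op=LOAD, as in the first sample line) or the process's own telemetry to see which program was actually loaded.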