Potential Suspicious BPF Activity - Linux

Dec 1, 2023 · attack.persistence attack.defense_evasion ·

Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.

Sigma rule (View on GitHub)

 1title: Potential Suspicious BPF Activity - Linux
 2id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a
 3status: test
 4description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
 5references:
 6    - https://redcanary.com/blog/ebpf-malware/
 7    - https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
 8author: Red Canary (idea), Nasreddine Bencherchali
 9date: 2023/01/25
10tags:
11    - attack.persistence
12    - attack.defense_evasion
13logsource:
14    product: linux
15detection:
16    selection:
17        - 'bpf_probe_write_user'
18    condition: selection
19falsepositives:
20    - Unknown
21level: high

References

eBPF: A new frontier for malware - Red Canary

Extended Berkeley Packet Filter (eBPF) is beginning to transform the Linux malware landscape. Here's what defenders should look out for.

Read More
bpf-helpers(7) - Linux manual page

HTML rendering created 2023-12-22 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Host...

Read More

Potential Suspicious BPF Activity - Linux

Sigma rule (View on GitHub)

References

eBPF: A new frontier for malware - Red Canary

bpf-helpers(7) - Linux manual page

Related rules