Potential Suspicious BPF Activity - Linux
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system.
Sigma rule

```yaml
title: Potential Suspicious BPF Activity - Linux
id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a
status: test
description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
references:
  - https://redcanary.com/blog/ebpf-malware/
  - https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
author: Red Canary (idea), Nasreddine Bencherchali
date: 2023/01/25
tags:
  - attack.persistence
  - attack.defense_evasion
logsource:
  product: linux
detection:
  selection:
    - 'bpf_probe_write_user'
  condition: selection
falsepositives:
  - Unknown
level: high
```
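The rule's `selection` is a field-less keyword list, which in Sigma means a case-insensitive substring match against the whole event. The following Python is an added example, not part of the Sigma project or this rule, showing how that matching behaves on constructed syslog-style lines and how a responder might pull the loading process name and PID out of the hit. The warning text in the sample is modelled on the message the kernel prints (`<comm>[<pid>] is installing a program with bpf_probe_write_user helper that may corrupt user memory!`); that wording is taken from kernel source, not from this page, and the log lines themselves are invented.

```python
import re

# Constructed sample journal/syslog lines; not real telemetry.
# Only the third line carries the bpf_probe_write_user kernel warning.
SAMPLE_LOGS = [
    "Jan 25 10:01:02 host kernel: [  120.000001] audit: type=1300 audit(1674640862.001:42)",
    "Jan 25 10:01:03 host systemd[1]: Started Session 3 of user alice.",
    "Jan 25 10:01:05 host kernel: [  123.456789] loader[4242] is installing a program "
    "with bpf_probe_write_user helper that may corrupt user memory!",
    "Jan 25 10:01:06 host sshd[4300]: Accepted publickey for alice from 10.0.0.5 port 50000",
]

# Keywords exactly as listed under the rule's `selection` block.
KEYWORDS = ["bpf_probe_write_user"]

# Assumed shape of the kernel warning: "<comm>[<pid>] is installing a program with ..."
WARN_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\] is installing a program with bpf_probe_write_user helper"
)


def sigma_keyword_match(line, keywords=KEYWORDS):
    """Sigma keyword selection: case-insensitive substring match on the raw event."""
    lowered = line.lower()
    return any(k.lower() in lowered for k in keywords)


def detect(lines):
    """Apply the rule to an iterable of log lines.

    Returns one dict per matching line. When the line is the kernel warning,
    the loading process name (comm) and PID are extracted to speed up triage;
    otherwise they are None and only the raw line is reported.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        if not sigma_keyword_match(line):
            continue
        m = WARN_RE.search(line)
        hits.append(
            {
                "line_no": line_no,
                "comm": m.group("comm") if m else None,
                "pid": int(m.group("pid")) if m else None,
                "raw": line,
            }
        )
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(f"line {hit['line_no']}: comm={hit['comm']} pid={hit['pid']}")
```

Because the match is a plain substring test, the same hit would fire on any event that merely mentions the helper name, for example a developer running `grep bpf_probe_write_user` in a logged shell session; the extracted `comm`/`pid` pair is what lets an analyst separate the kernel warning from such chatter.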