Enable BPF Kprobes Tracing

 1title: Enable BPF Kprobes Tracing
 2id: 7692f583-bd30-4008-8615-75dab3f08a99
 3status: test
 4description: Detects common command used to enable bpf kprobes tracing
 5references:
 6    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
 7    - https://bpftrace.org/
 8    - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023-01-25
11tags:
12    - attack.execution
13    - attack.defense-evasion
14logsource:
15    category: process_creation
16    product: linux
17detection:
18    selection:
19        CommandLine|contains|all:
20            - 'echo 1 >'
21            - '/sys/kernel/debug/tracing/events/kprobes/'
22        CommandLine|contains:
23            - '/myprobe/enable'
24            - '/myretprobe/enable'
25    condition: selection
26falsepositives:
27    - Unknown
28level: medium

References

• Offensive BPF: Malicious bpftrace 🤯 · Embrace The Red

  

  This post is part of a series about Offensive BPF that I’m working on to learn about BPF to understand attacks and defenses, click the “ebpf” tag to see all relevant posts. I’m learning BPF to unde...

  
  Read More

• bpftrace

  High-level tracing language for Linux systems Documentation Tutorial Community forum Bug tracker IRC Github Example Produce a histogram of time (in nanoseconds) spent in read(2): // read.bt file tr...

  
  Read More

• Kprobe-based Event Tracing — The Linux Kernel documentation

  Kprobe-based Event Tracing Overview These events are similar to tracepoint based events. Instead of Tracepoint, this is based on kprobes (kprobe and kretprobe). So it can probe wherever kprobes can...

  
  Read More

Related rules

• AMSI Bypass Pattern Assembly GetType
• APT29 2018 Phishing Campaign CommandLine Indicators
• Add Insecure Download Source To Winget
• Add New Download Source To Winget
• Arbitrary File Download Via MSOHTMED.EXE